Security Hygiene, Posture Management Remain Challenging

Posture management is still one of the least mature areas in security, even though 86% of organizations believe they follow best practices for security hygiene and posture management.

These were among the results from a study commissioned by JupiterOne and carried out by Enterprise Strategy Group (ESG), which surveyed nearly 400 IT and cybersecurity professionals from private- and public-sector organizations across North America.

The survey also surfaced a number of risky findings: nearly one-third of respondents (31%) said they had discovered sensitive data in previously unknown locations, and 30% had found websites with a path into their organization.

In addition, 29% uncovered employee corporate credentials or misconfigured user permissions, while 28% found previously unknown SaaS applications.

“The purpose of cybersecurity hygiene is primarily to protect an organization’s data. However, once in place, many organizations will find that it goes further than just protecting the organization,” said Erkang Zheng, CEO of JupiterOne. “Those who implement strong cybersecurity hygiene will see that it will also drive improvements and efficiencies across their organization’s entire technology landscape.”

He explained that the core building blocks of cybersecurity hygiene are knowing your estate and knowing your identities. This is critical, as it ultimately drives the controls you operate and provides a mechanism to understand how effective these controls are within your environment.

“Once you have an accurate understanding of your estate and identities, you can measure their security posture across your environment, which enables you to drive cybersecurity hygiene, controls adoption and embed secure practices into daily routines,” Zheng said.

Continued Complexity

Meanwhile, complexity has grown as companies have scaled up with cloud-native, multi-cloud and API-first initiatives. That means the number of digital assets (e.g., cloud workloads, devices, users, code repos, ephemeral devices and more) has grown dramatically.

“Often these assets are run by different groups and these groups may not know what they have,” Zheng said. “As complexity and scale rise, so does the need for automation to track the state of your digital asset hygiene.”

He pointed out that when your organization is attacked, it’s through these assets—in other words, your users, cloud assets, devices, code repositories or any other elements of your digital environment.

Therefore, any attempt to strengthen your security posture has to begin with better visibility, understanding and management of this landscape: What you have, what it’s connected to and who owns it.

“Cyber asset management tools provide the context required to implement a strong security program,” Zheng said. “Context is security.”

From that perspective, he explained, visibility and context improve the state of your hygiene and posture, and context can be provided by tools such as cyber asset attack surface management (CAASM), cloud security, endpoint security, application security, compliance and others.

Safeguarding Internet-Facing Assets

When it comes to safeguarding internet-facing assets and reducing their attack surface, Zheng said companies must gain visibility across their entire digital asset inventory.

“Cyber assets have grown and continue to change constantly,” he said. “This means that visibility becomes less viable as you expand your technology and security infrastructure. Integrating your cloud environment, DevOps, security and operations tooling and data into a single cyber asset security solution gives you the context to take action and improve your security hygiene.”

Seeing the full picture means the organization can effectively identify and prioritize critical security issues across cloud assets, identities, code repos, devices and more.

It’s also critical for organizations to understand their attack surface, both internal and external.

“It’s not just the cyber assets themselves that matter,” Zheng said. “Companies also have to consider the relationships between them. If a cyber asset is compromised, it’s critically urgent to understand the full scope of the blast radius.”

For that, a continuous view from a single source of truth gives organizations an in-depth understanding of every relationship surrounding their critical cyber assets. The ability to continuously track, monitor and govern those assets is what lets teams raise their security hygiene over time.
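The blast-radius question Zheng raises can be answered mechanically once the inventory is held as a graph. The following is an added example (Python, not JupiterOne's code or a description of its product): a constructed asset inventory whose edges mean "an attacker who controls the source can reach the target", a breadth-first walk that returns the blast radius of a compromised asset together with the shortest path to each reachable asset, and the reverse walk that lists every asset from which a critical asset can be reached. All asset names, relationship labels and the CRITICAL set are hypothetical.

```python
"""Blast-radius analysis over a cyber-asset relationship graph.

Added example, not JupiterOne's code: assets are nodes and each edge means
"an attacker who controls the source can reach the target". The inventory
below is constructed for illustration; every asset name is hypothetical.
"""
from collections import deque

# Constructed sample inventory: (source, relationship, target).
# Edge direction follows the attacker, not the data flow.
RELATIONSHIPS = [
    ("user:alice",      "HAS",      "key:alice-ssh"),
    ("key:alice-ssh",   "ACCESSES", "host:bastion"),
    ("host:bastion",    "CONNECTS", "host:app-01"),
    ("host:app-01",     "ASSUMES",  "role:app-reader"),
    ("role:app-reader", "ACCESSES", "bucket:customer-data"),
    ("role:app-reader", "ACCESSES", "repo:backend"),
    ("repo:backend",    "DEPLOYS",  "host:app-01"),   # cycle: repo -> host -> role -> repo
    ("user:bob",        "HAS",      "key:bob-ssh"),
    ("key:bob-ssh",     "ACCESSES", "host:build"),
    ("host:build",      "ASSUMES",  "role:deployer"),
    ("role:deployer",   "ACCESSES", "repo:backend"),
    ("internet",        "EXPOSES",  "host:app-01"),   # internet-facing entry point
]

# Assets the organization treats as crown jewels (constructed).
CRITICAL = {"bucket:customer-data", "repo:backend"}


def build_graph(relationships):
    """Adjacency list: asset -> [(relationship, reachable asset), ...]."""
    graph = {}
    for src, rel, dst in relationships:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def blast_radius(graph, compromised):
    """Breadth-first walk from `compromised`.

    Returns {asset: path}, where path is the shortest chain of assets and
    relationships from the compromised asset. The visited check (membership
    in `paths`) makes the walk terminate on cyclic inventories.
    """
    paths = {compromised: [compromised]}
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [rel, nxt]
                queue.append(nxt)
    del paths[compromised]          # report only what lies beyond the origin
    return paths


def depth(path):
    """Number of relationship hops in a path produced by blast_radius."""
    return (len(path) - 1) // 2


def critical_reached(graph, compromised):
    """Critical assets inside the blast radius, nearest first."""
    radius = blast_radius(graph, compromised)
    hits = [(depth(p), a) for a, p in radius.items() if a in CRITICAL]
    return sorted(hits)


def reverse(graph):
    """Flip every edge so a walk answers 'who can reach this asset?'."""
    rev = {node: [] for node in graph}
    for src, edges in graph.items():
        for rel, dst in edges:
            rev[dst].append((rel, src))
    return rev


def exposure(graph, target):
    """Set of assets from which `target` can be reached (its attack paths)."""
    return set(blast_radius(reverse(graph), target))


if __name__ == "__main__":
    g = build_graph(RELATIONSHIPS)
    for origin in ("host:app-01", "user:bob", "internet"):
        print(f"{origin}: {len(blast_radius(g, origin))} assets in blast radius,"
              f" critical hits {critical_reached(g, origin)}")
    print("can reach bucket:customer-data:", sorted(exposure(g, "bucket:customer-data")))
```

Two design points are worth noting. Edge direction follows the attacker rather than the data flow, so a DEPLOYS edge from a repository to a host counts as a path because write access to the repository yields code execution on the host; that is why compromising user:bob, who only touches the build system, still reaches the customer-data bucket after seven hops. The walk also keeps a visited set, so the repo -> host -> role -> repo cycle in the sample terminates. Ranking hits by hop count is only a crude priority signal; a real inventory would also carry asset criticality and how strong each relationship actually is.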

Lastly, Zheng said it’s important to continuously find and fix unsecured or misconfigured digital assets.

“With the right tooling and processes in place, you can automate alerting and actions across your entire cyber asset universe when compliance drift or security gaps happen to reduce your overall security risk,” he said. “You can’t protect what you don’t know about.”
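"Find and fix continuously" reduces, in practice, to evaluating each inventory snapshot against a set of hygiene rules and alerting on what changed since the last snapshot. The block below is an added example (Python, not JupiterOne's code or data model): a handful of rules over a constructed asset schema, an evaluator that lists the rules each asset fails, and a drift function that compares two consecutive scans and emits alerts for new findings, resolved findings, never-before-seen assets and assets that vanished. The rule names, asset fields, both snapshots and the fixed date are all hypothetical.

```python
"""Continuous find-and-fix: evaluate an inventory snapshot against hygiene
rules and alert on drift between two snapshots.

Added example, not JupiterOne's code. The asset schema, rule names and both
snapshots are constructed for illustration.
"""
from datetime import date

# Fixed "now" so the example is deterministic (constructed).
TODAY = date(2022, 6, 1)
KEY_MAX_AGE_DAYS = 90

# Each rule returns True when the asset is compliant. A rule that does not
# apply to the asset's type passes it through.
RULES = {
    "bucket-not-public": lambda a: a["type"] != "bucket" or not a.get("public", False),
    "sg-no-open-ssh": lambda a: (a["type"] != "security_group"
                                 or "0.0.0.0/0" not in a.get("ingress", {}).get(22, [])),
    "host-has-edr": lambda a: a["type"] != "host" or a.get("edr_agent", False),
    "key-rotated": lambda a: (a["type"] != "access_key"
                              or (TODAY - a["created"]).days <= KEY_MAX_AGE_DAYS),
    "asset-has-owner": lambda a: bool(a.get("owner")),
}

# Constructed snapshots of the same estate, one scan apart.
LAST_SCAN = [
    {"id": "bucket:customer-data", "type": "bucket", "public": False, "owner": "data-team"},
    {"id": "sg:web", "type": "security_group", "owner": "platform",
     "ingress": {443: ["0.0.0.0/0"], 22: ["10.0.0.0/8"]}},
    {"id": "host:app-01", "type": "host", "edr_agent": True, "owner": "platform"},
    {"id": "key:ci-deploy", "type": "access_key", "created": date(2022, 1, 1), "owner": "platform"},
    {"id": "host:old-db", "type": "host", "edr_agent": False, "owner": "dba"},
]
THIS_SCAN = [
    {"id": "bucket:customer-data", "type": "bucket", "public": True, "owner": "data-team"},  # drifted
    {"id": "sg:web", "type": "security_group", "owner": "platform",
     "ingress": {443: ["0.0.0.0/0"], 22: ["0.0.0.0/0"]}},                                   # drifted
    {"id": "host:app-01", "type": "host", "edr_agent": True, "owner": "platform"},
    {"id": "key:ci-deploy", "type": "access_key", "created": date(2022, 5, 15), "owner": "platform"},  # rotated
    {"id": "host:shadow-02", "type": "host", "edr_agent": False, "owner": None},            # never seen before
]


def evaluate(snapshot):
    """{asset id: [failed rule names]} for every non-compliant asset."""
    findings = {}
    for asset in snapshot:
        failed = [name for name, check in RULES.items() if not check(asset)]
        if failed:
            findings[asset["id"]] = failed
    return findings


def alert(asset, rule, kind):
    """Alert record; unowned assets are routed to a catch-all queue."""
    return {"kind": kind, "asset": asset["id"], "rule": rule,
            "owner": asset.get("owner") or "unowned"}


def drift(last, this):
    """Alerts produced by comparing two consecutive scans.

    new_finding    a rule the asset now fails but did not fail last scan
    resolved       a rule the asset failed last scan and now passes
    unknown_asset  an asset seen for the first time (shadow-IT candidate)
    asset_gone     an asset that vanished; its findings are NOT auto-resolved
    """
    before, after = evaluate(last), evaluate(this)
    last_ids = {a["id"] for a in last}
    this_ids = {a["id"] for a in this}
    alerts = []
    for asset in this:
        aid = asset["id"]
        if aid not in last_ids:
            alerts.append(alert(asset, None, "unknown_asset"))
        for rule in after.get(aid, []):
            if rule not in before.get(aid, []):
                alerts.append(alert(asset, rule, "new_finding"))
    for asset in last:
        aid = asset["id"]
        if aid not in this_ids:
            alerts.append(alert(asset, None, "asset_gone"))
            continue
        for rule in before.get(aid, []):
            if rule not in after.get(aid, []):
                alerts.append(alert(asset, rule, "resolved"))
    return alerts


if __name__ == "__main__":
    for a in drift(LAST_SCAN, THIS_SCAN):
        print(f"{a['kind']:14} {a['asset']:22} {a['rule'] or '-':18} -> {a['owner']}")
```

The two edge cases the drift function handles deliberately are the ones that bite in practice: an asset that appears for the first time is alerted as unknown even before its rules are evaluated, because an unowned, agentless host is exactly the "previously unknown" finding the survey respondents reported; and an asset that disappears from the scan does not have its open findings closed, since a collector outage or a revoked integration token looks identical to genuine decommissioning. Rotating the CI access key shows up as a resolved finding, which is the signal a team needs to confirm that its fix actually landed.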

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
