Organizations are increasingly taking to the offensive to foil threats before they become attacks, according to a report released Wednesday by a breach and attack simulation company.
In its 2024 State of Exposure Management & Security Validation report, Cymulate maintained that security leaders are recognizing that the pattern of buying new tech and the frantic state of find-fix vulnerability management is not working.
Rather than waiting for the next big cyberattack and hoping they have the right defenses in place, the report continued, security leaders are now more than ever implementing a proactive approach to cybersecurity by identifying and addressing security gaps before attackers find and exploit them.
The report, which aggregates anonymized data from attack surface assessments, simulated attack scenarios and campaigns, and automated red teaming activities across more than 500 Cymulate customers, highlights the proactive approach that takes an attacker’s view to identify and address security gaps before attackers find and exploit them.
“As new attack tactics emerge and adversaries continue to make use of existing vulnerabilities, businesses cannot afford to be reactive,” Cymulate Co-founder and CTO Avihai Ben Yossef said in a statement.
“They need to proactively gauge the effectiveness of their security solutions, identify where gaps exist, and take the necessary action to limit their risk and mitigate their exposure,” he continued. “We are encouraged to see a growing number of organizations adopting the exposure management and security validation tools needed to improve their security posture.”
Traditional Security Methods Obsolete
Traditionally, security controls were tested in a very limited way on an annual red team assessment or penetration testing basis, explained Cymulate Field CTO David Kellerman.
“In this era of DevOps and cloud, traditional methods of security assessment are obsolete,” he told TechNewsWorld.
“Defensive security controls need to be continuously validated,” he said. “The approach that organizations need to take is targeting themselves with thousands of attack scenarios across all their security controls to make sure that all the security controls in place are capable of doing what they’re meant for and at a maximum level.”
Matt Quinn, technical director for Northern Europe for XM Cyber, a hybrid cloud security company headquartered in Herzliya, Israel, agreed that the proactive approach is being looked at more and more as the focus on detecting attacks as they happen is simply not effective on its own.
“Organizations are drowning in trying to defend against millions of attacks and have put all of their eggs in compensating controls,” he told TechNewsWorld.
“Organizations are now being more proactive by looking at what is underneath the compensating controls and looking to fix what they are compensating for,” he said. “This is a far more effective method against any type of attacker.”
Fast-Evolving Threat Landscape
Security leaders are increasingly adopting a proactive approach to cybersecurity, noted Callie Guenther, a cyber threat research senior manager at Critical Start, a national cybersecurity services company.
“This shift is largely driven by the recognition that waiting for attacks to occur before responding is no longer sufficient in today’s fast-evolving threat landscape,” she told TechNewsWorld. “A proactive approach involves anticipating potential threats and vulnerabilities and addressing them before they can be exploited by attackers.”
“Waiting to take a reactive stance always leads to a greater impact and more post-attack mitigation that is handled as an emergency,” added Luciano Allegro, co-founder and CMO of BforeAi, a threat intelligence company, in Montpellier, France.
“It wastes employee time and causes undue stress for problems that could have been resolved promptly and orderly,” he told TechNewsWorld.
Rob T. Lee, curriculum director and head of faculty at the SANS Institute, a global cybersecurity training, education, and certification organization, cited several proactive measures organizations are now deploying.
These strategies include adopting threat intelligence services to anticipate potential attacks, conducting regular penetration testing to identify vulnerabilities, and implementing “Zero Trust” frameworks that do not automatically trust anything inside or outside the organization.
“Security awareness training for employees is essential to recognize phishing attempts and other social engineering tactics,” he added.
“Advanced security solutions like Endpoint Detection and Response [EDR] and Security Orchestration, Automation and Response [SOAR] platforms are also vital,” he told TechNewsWorld. “Moreover, cyber security workforce training and management are crucial in creating a resilient human firewall.”
“Recent SEC rules also push for a cybersecurity mindset at the upper management and board levels, emphasizing the strategic role of cybersecurity in corporate governance,” he said.
Proactive AI
Artificial intelligence can be another tool in an enterprise’s proactive strategy, maintained Matt Hillary, vice president of security and CISO of Drata, a security and compliance automation company in San Diego.
“AI can help companies identify and address security gaps by proactively identifying critical vulnerabilities and supporting remediation,” he told TechNewsWorld.
For example, Hillary explained that AI can be used to crawl a company’s network perimeter to explore which systems or applications are internet-facing and what risks they may carry.
“With its ability to analyze massive quantities of data quickly, well-trained large language models can augment manual security processes to find and fix issues at a speed that was previously impossible,” he said.
Elisha Riedlinger, COO of NeuShield, a data protection company in Fremont, Calif., added that there has always been a certain percentage of organizations who take security seriously and work on implementing proactive security solutions.
“However,” he told TechNewsWorld, “many organizations are still not able to be proactive. These organizations may not have the resources or time to proactively evaluate and implement these solutions.”
Culture of Control Evasion
The Cymulate report also found that organizations face an increasing risk of data exfiltration due to the diminishing effectiveness of their data loss prevention (DLP) controls. It found data exfiltration risk scores have increased from 33 in 2021 to 46 in 2024.
“Unfortunately, not every organization has built security around data,” said Gopi Ramamoorthy, head of security and governance, risk and compliance engineering at Symmetry Systems, a data security posture management company in San Francisco.
“The organizations mostly have prioritized the security around network, endpoints, applications, and identities,” he told TechNewsWorld.
“In addition,” he continued, “traditional DLP tools have not provided adequate visibility and security controls over data in the cloud. The adoption of the latest data security platform — data security posture management — has been slow as well. Because of less visibility of data security posture and controls, the data exfiltration continues to happen.”
John Bambenek, president of Bambenek Consulting, a cybersecurity and threat intelligence consulting firm in Schaumburg, Ill., pointed out that organizations have also fertilized data exfiltration in other ways.
“In the rush towards agile development — which inherently instills a culture of control evasion — and cloud-first, where every engineer with a credit card can spin up services, we’ve created a world where data can leave easily,” he told TechNewsWorld.
