Prevention and Detection Performance in Security Control Effectiveness

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

The power of your organization’s security strategy lies not just in the tools you deploy but in how well you wield them. It's crucial to understand that the most significant security weaknesses might not stem from the quality of your security controls but rather from how effectively they are used. We are repeatedly witnessing that even with substantial investments in high-end cybersecurity solutions, organizations can still suffer significant breaches if these tools are not properly managed. This highlights a common issue where the potential of these security tools is misconfigured, non-optimized, or even non-functioning, leading to gaps in defense that could have been avoided with better usage and management practices.

In this blog, we will talk about how ensuring that your existing tools are properly validated can significantly enhance your organization’s defense against increasingly complex cyber threats.

Understanding the Picus Blue Report 2024

To fully appreciate the findings we’re about to introduce, it’s important to first understand the significance of the Blue Report 2024.

So, What Exactly Is the Blue Report 2024?

The Blue Report, an annual study by Picus Labs, provides insights based on over 136 million attack simulations conducted by Picus Security customers from January to June 2024. These simulations, carried out on The Security Validation Platform, evaluate the real-world effectiveness of top security products. Covering a wide range of attack vectors, threat groups, ransomware, and vulnerabilities, the report highlights both the advancements made and the challenges that remain in detecting and preventing cyber threats.

Why Focus on Prevention & Detection Effectiveness Performance? 

While the Blue Report covers a broad spectrum of security simulations, we wanted to specifically highlight the effectiveness of preventative and detective security measures within organizations. This focus is crucial, as it reveals a widespread issue across various organizations from different sectors and regions: their heavily-invested security solutions are often not functioning as intended. Therefore, our aim is to emphasize the importance of validating the effectiveness of implemented security measures—both preventative and detective—against known and emerging threats, in order to eliminate the dangerous false sense of security.

Preventative Security Control Effectiveness in 2024

Building on the insights from the Blue Report 2024, it's clear that the effectiveness of preventative security controls has seen some progress. The average prevention effectiveness score climbed from 59% in 2023 to 69% this year.

blue-report

Figure 1. Gauge chart showing 69% of attacks prevented in 2024, up from 59% in 2023. Blue Report 2024.

This indicates that preventive security controls, such as IPS, NGFW, and WAF solutions are now preventing nearly seven out of every ten simulated attacks. 

This positive trend means that organizations are successfully refining their preventive measures, and improving their overall threat exposure management. To sustain and build on this progress, we strongly recommend organizations to continually identify and address any remaining gaps in their security controls.

Detective Security Control Effectiveness in 2024

In 2024, the state of detection effectiveness among security organizations exhibited both progress and setbacks across the various levels of threat exposure management. 

Logging Score

On a positive note, 2024 saw a significant improvement in the logging of attacks, with the average log score rising from 37% in 2023 to 54%

Figure 1. Gauges showing 54% of attacks logged in 2024. Blue Report 2024.

This improvement suggests that over half of the simulated attacks are now being successfully logged after infiltrating environments, moving many organizations from the "basic" level into the "moderate" category of detection effectiveness.

Alert Score

However, this advancement in logging capabilities was accompanied by a decline in alerting effectiveness. The alert score fell to a concerning 12%, down from 16% in 2023. 

Figure 2: Gauges showing 12% of attacks triggered alerts in 2024. Blue Report 2024.

This means that less than 1 in 8 attacks successfully trigger alerts, which significantly decreases security teams’ ability to identify and respond promptly to potential threats. 

This drop off points to a significant lag in detective security controls to manage the increased log volume and sheer number of attacks detected.

Despite the improved logging capabilities, the failure to convert these logs into actionable alerts is a glaring issue that requires immediate attention. Enhancing alert mechanisms is crucial to ensure that security teams are adequately informed of potential threats, enabling them to quickly and effectively respond. 

Conclusion

In conclusion, based on our experience with security validation, we feel many organizations might be driven by a false sense of security. Despite improvements in logging attacks, the significant decline in alerting effectiveness underscores a critical gap:

More logs do not necessarily equate to more visibility or better security outcomes.

While organizations have improved the data layer, detection engineering remains deficient, highlighting the urgency for security teams to enhance alert mechanisms to ensure they’re quickly identifying and responding to potential threats.

Thus, we highly recommend that organizations adopt an "assume breach" mindset to bridge these gaps in their cybersecurity strategy. This approach emphasizes the importance of not only relying on your organization's preventive controls but also ensuring that your detection and response mechanisms are strong enough to manage breaches when they occur. Proactive measures, continuous monitoring, and regular evaluations of both logging and alerting systems are vital to achieving higher levels of threat exposure management and solidifying your security posture.