The power of your organization’s security strategy lies not just in the tools you deploy but in how well you wield them. It's crucial to understand that the most significant security weaknesses might not stem from the quality of your security controls but rather from how effectively they are used. We are repeatedly witnessing that even with substantial investments in high-end cybersecurity solutions, organizations can still suffer significant breaches if these tools are not properly managed. This highlights a common issue where the potential of these security tools is misconfigured, non-optimized, or even non-functioning, leading to gaps in defense that could have been avoided with better usage and management practices.
In this blog, we will talk about how ensuring that your existing tools are properly validated can significantly enhance your organization’s defense against increasingly complex cyber threats.
To fully appreciate the findings we’re about to introduce, it’s important to first understand the significance of the Blue Report 2024.
The Blue Report, an annual study by Picus Labs, provides insights based on over 136 million attack simulations conducted by Picus Security customers from January to June 2024. These simulations, carried out on The Security Validation Platform, evaluate the real-world effectiveness of top security products. Covering a wide range of attack vectors, threat groups, ransomware, and vulnerabilities, the report highlights both the advancements made and the challenges that remain in detecting and preventing cyber threats.
While the Blue Report covers a broad spectrum of security simulations, we wanted to specifically highlight the effectiveness of preventative and detective security measures within organizations. This focus is crucial, as it reveals a widespread issue across various organizations from different sectors and regions: their heavily-invested security solutions are often not functioning as intended. Therefore, our aim is to emphasize the importance of validating the effectiveness of implemented security measures—both preventative and detective—against known and emerging threats, in order to eliminate the dangerous false sense of security.
Building on the insights from the Blue Report 2024, it's clear that the effectiveness of preventative security controls has seen some progress. The average prevention effectiveness score climbed from 59% in 2023 to 69% this year.
Figure 1. Gauge chart showing 69% of attacks prevented in 2024, up from 59% in 2023. Blue Report 2024.
|
This indicates that preventive security controls, such as IPS, NGFW, and WAF solutions are now preventing nearly seven out of every ten simulated attacks. |
This positive trend means that organizations are successfully refining their preventive measures, and improving their overall threat exposure management. To sustain and build on this progress, we strongly recommend organizations to continually identify and address any remaining gaps in their security controls.
In 2024, the state of detection effectiveness among security organizations exhibited both progress and setbacks across the various levels of threat exposure management.
On a positive note, 2024 saw a significant improvement in the logging of attacks, with the average log score rising from 37% in 2023 to 54%.
Figure 1. Gauges showing 54% of attacks logged in 2024. Blue Report 2024.
|
This improvement suggests that over half of the simulated attacks are now being successfully logged after infiltrating environments, moving many organizations from the "basic" level into the "moderate" category of detection effectiveness. |
However, this advancement in logging capabilities was accompanied by a decline in alerting effectiveness. The alert score fell to a concerning 12%, down from 16% in 2023.
Figure 2: Gauges showing 12% of attacks triggered alerts in 2024. Blue Report 2024.
|
This means that less than 1 in 8 attacks successfully trigger alerts, which significantly decreases security teams’ ability to identify and respond promptly to potential threats. |
This drop off points to a significant lag in detective security controls to manage the increased log volume and sheer number of attacks detected.
Despite the improved logging capabilities, the failure to convert these logs into actionable alerts is a glaring issue that requires immediate attention. Enhancing alert mechanisms is crucial to ensure that security teams are adequately informed of potential threats, enabling them to quickly and effectively respond.
In conclusion, based on our experience with security validation, we feel many organizations might be driven by a false sense of security. Despite improvements in logging attacks, the significant decline in alerting effectiveness underscores a critical gap:
|
More logs do not necessarily equate to more visibility or better security outcomes. |
While organizations have improved the data layer, detection engineering remains deficient, highlighting the urgency for security teams to enhance alert mechanisms to ensure they’re quickly identifying and responding to potential threats.
Thus, we highly recommend that organizations adopt an "assume breach" mindset to bridge these gaps in their cybersecurity strategy. This approach emphasizes the importance of not only relying on your organization's preventive controls but also ensuring that your detection and response mechanisms are strong enough to manage breaches when they occur. Proactive measures, continuous monitoring, and regular evaluations of both logging and alerting systems are vital to achieving higher levels of threat exposure management and solidifying your security posture.