Picus Security simulation analysis shows only 6/10 cyber attacks prevented

SAN FRANCISCO – Picus Security has used its pioneering Breach and Attack Simulation (BAS) technology to run over 14 million simulated attacks, and in a published report has noted four “impossible tradeoffs” for security teams.

According to the analysis performed by Picus Security, only 6 out of every 10 cyber attacks are prevented statistically by organizations. Trying to shore up defenses against these kinds of attacks put cybersecurity teams in a situation where they must make impossible choices in order to protect against potential breaches.

“Like a short blanket that covers either someone’s head or feet, not both, security teams can only dedicate their time, money, and resources to so many problems at once,” said Picus co-founder and VP of Picus Labs, Dr. Suleyman Ozarslan, in a release by the company. “They deploy their budgets and resources to cover one exposed spot, but this leaves other areas out in the cold. The Blue Report shines a light on these impossible trade-offs and how they hinder organizations’ readiness to defend themselves against the latest threats.”

The type of attack also affects how effective it is versus typical security measures. Picus Security states as an example that organizations typically prevent around 73% of malware attacks, but only 18% of data exfiltration attacks. Another sore spot to cover are complex, multi-stage attacks which are prevented only about half of the time. This is especially concerning to Picus due to a previous study by the company which found that over a third of malware samples exhibit 20 or more attacker tactics, techniques and procedures (TTPs).

Picus’ Blue Report focuses on these concerns in a set of four impossible tradeoffs they describe as: 

• Choosing between prevention efficacy and detection efficacy
• The trade-off between logging and alerting
• Prioritizing which attacks to prevent
• Vulnerability management.

As a result the Blue Report suggests practicing continuous threat exposure management (CTEM) to approach shortcomings in cybersecurity.

“Since preventing and detecting every threat is practically impossible, security teams will always have to prioritize some aspects of security more than others,” said Dr. Ozarslan. “Fortunately, there is an approach that can help them improve their performance. By adopting a more unified approach that incorporates insights from attack simulations combined with attack surface and vulnerability data, security teams can allocate resources efficiently and effectively to address their most critical exposures. As a result, they can simultaneously improve their ability to prevent and detect attacks, rather than making trade-offs between them, and sleep better at night.”

Picus Security will be discussing its findings from The Blue Report at Black Hat USA 2023 in Las Vegas on Aug. 9-10. Interested readers can visit booth #2700 to learn more and discover the benefits of using attack simulations to reduce threat exposure.

For more information about Picus Security or to access the Blue Report please visit www.picussecurity.com.