3 Major Exposure Risks — and How to Solve Them

Like thieves pulling off a jewel heist, cyberattackers explore every angle searching for security weaknesses to exploit. Their approach is creative, relentless, and arguably successful. It's also a major challenge for defenders, who often run through a rote list of defense tasks, whereas their attackers are thinking in graphs. But effective exposure management requires a different approach, one that can get ahead of threats.

With cybersecurity threats continuously evolving, defenders require advanced strategies to defeat them. Exposure management today is fragmented across silos — cloud, endpoint, identity, app, network, and data, covered by myriad tools and solutions. As a result, security teams find it hard or even impossible to answer basic questions such as: "How exposed am I to the latest security threat?" "What are my critical assets?" or "Which security controls should I invest in to reduce risk?" The ever-growing volume and complexity of attacks further increases this problem, confronting security teams with need to correlate data and insights across tools.

According to Gartner®, "By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach."

As defined by Gartner, "Continuous Threat Exposure Management is a pragmatic and effective systemic approach to continuously refine priorities and walk the tightrope between those two impossible extremes." Gartner also notes that, "previous approaches to managing the attack surface are no longer keeping up with digital velocity — in an age where organizations can't fix everything, nor can they be completely sure what vulnerability remediation they can safely postpone."

Exploitable Attack Paths Are Surprisingly Common

Supporting this statement, a whopping 80% of organizations using Microsoft's security posture and exposure management solutions have at least one exploitable attack path leading to critical assets, according to internal Microsoft research of exposures across a sample of 100,000 organizations in August 2024. And 3% of these organizations have more than 1,000 of these attack paths.

Given these findings, it's clear that there's much progress to be made to protect organizations from potential exposures. Here's what the numbers tell us about organizations and exposure risk.

1. Even Your Most Critical Assets Are at Risk

Just as jewel thieves in heist movies are eager to capture the humongous gem locked away in a glass case behind multiple levels of security, attackers want your most valuable assets. Many organizations recognize that security risks exist and they must take action to protect their valuable assets. But some may be surprised when they discover the sensitivity level of the data or asset exposed. And how do defenders prioritize which assets receive the most protections?

While large organizations typically have tens or even hundreds of thousands of assets in their estate, Microsoft research shows that about 1% of those assets are lucrative attack targets ("crown jewels"). It can be convenient to assume your most sensitive assets are safe and protected by deep layers of protection that attackers can't assess. Focusing on attack paths that lead to those crown jewels can dramatically improve defender efficacy.

Before you can protect your critical assets, you must have a comprehensive understanding of what they are. With unified exposure management tools, you can discover visible, hidden, and unknown assets and tag them automatically based on their risk profiles. Gaining insights on the cybersecurity risk and potential impact of each of your assets lets you prioritize those that are most critical and put protections in place against the most serious threats.

2. Assets in the Cloud Are Risky Too

Security between on-premises infrastructure and the cloud can be tenuous. And just as thieves are attracted to both individual gems and jewelry, assets in the cloud and on premises are equally tempting for attackers. Of 8.7 million discovered critical assets, 907,000 were critical cloud resources and 429,000 were critical cloud virtual machines, according to Microsoft's internal research.

3. Unaddressed Attack Paths Can Cause Major Damage

Returning to that jewel heist analogy, if vault security isn't thorough and doesn't put multiple protection measures in place, it's easier for thieves' nefarious activities to succeed. In the same way, undiscovered attack paths pose a threat to cybersecurity.

Just how immediate the threat is may be unclear initially. However, major damage can occur when you don't address attack paths across your hybrid and multicloud environment. Attackers can exploit these attack paths to breach your environment, resulting in potential risks like the following, based on data from Microsoft's research:

This is where a CTEM program with unified exposure management tools can help mitigate risks before they cause significant damage. Use it to scope your exposures, which could include devices, apps, applications, identities, and supply chain systems. Such a solution also is agile enough to discover and address new attack vectors and vulnerabilities.

Limit Your Exposure to Security Risks

Like many organizations, the extent of your exposure to risk may surprise you. You've likely invested in cybersecurity tools to strengthen your defenses. But as Microsoft research shows, even your most critical assets are at risk, and threat actors are looking to exploit vulnerabilities in both on-premises and cloud environments. The damage from a successful exploit can be extreme. To prevent this, consider implementing a CTEM program and adopting a unified exposure management tool.

Gartner, Implement a Continuous Threat Exposure Management (CTEM) Program, Jeremy D'Hoinne, Pete Shoard, et al., 11 October 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

By Rob Lefferts, Corporate Vice President, Microsoft Threat Protection

About the Author

Rob Lefferts is corporate vice president of Microsoft Threat Protection. His org is responsible for Microsoft Defender and Sentinel products, which ensure end-to-end, comprehensive, and cohesive Microsoft security protection for all of our customers.

Since joining Microsoft in 1997, Rob has been instrumental in shaping key products and technologies, from helping develop the original SharePoint Portal Server, to hardening the Windows platform and driving commercial adoption of Windows 10, to leading extensibility efforts for the Office platform and championing the vision for Microsoft 365.

Rob began his career at Claritech, a startup that was born from a Carnegie Mellon research project. He then consulted with the Government of Namibia. He earned a bachelor's degree in logic and computation, as well as a master's degree in computation linguistics, from Carnegie Mellon University.