Web application exploits are the biggest cybersecurity risk facing organizations today, according to new research by The Cyentia Institute. The conclusion forms part of a new—and first of its kind—F5 Labs-sponsored report entitled The State of the State of Application Exploits in Security Incidents.
Drawing heavily on the Cyentia Research Library as well as input from a range of other datasets, the report is the industry’s most comprehensive multi-source analysis yet of both the frequency and role of application exploits. A key aim of the report is to advance how the cybersecurity industry as a whole uses disparate pieces of research to piece together the bigger picture.
In the report, The Cyentia Institute found that 56% of the biggest cybersecurity incidents from the past five years tie back to some form of web application issue. Responding to these incidents cost more than $7.6bn, which represents 42% of all financial losses recorded for “extreme cyber loss events”. Web application attacks were also the leading incident pattern among data breaches for six of the last eight years.
In addition, The Cyentia Institute discovered that the average time-to-discovery for incidents involving web application exploits was 254 days – significantly higher than the 71-day average for other extreme loss events that were studied.
However, one of the report’s most eye-catching discoveries was that 57% of all known losses for the largest web application incidents over the last five years were attributed to state-affiliated threat actors. This alone caused $4.3bn in damages.
The data and reports analyzed by The Cyentia Institute also revealed a consensus on key recommendations for security measures, which The Cyentia Institute summarizes as “Fix your code, patch your systems, double up your creds and watch your back(door).”
“All CISOs probably view vulnerability management, access control, and situational awareness as critical aspects of security operations, but in practice these strategies reveal themselves as moving targets,” said Raymond Pompon, Director of F5 Labs.
“We were surprised to see that underneath the surface, ‘the state of the state’ of is not one of discontinuity and fragmentation, but one of consensus about the difficulty of execution. It appears that many security teams know what they need to do, in theory. Putting that theory into practice over time is the real problem here. This is, in reality, quite an eye-opening conclusion. Security teams don’t, in fact, need help figuring out what to do, but rather how to do it.”