Home About Contribute Sponsorship Contact Sign In


Technology Industry News

Latest Orca research shows enterprises continue to be breached by weakest links

Orca Security release their 2020 State of Public Cloud Security Report showing that enterprises continue to be breached by neglected workloads, authentication issues and discoverable credentials.

Latest Orca research shows enterprises continue to be breached by weakest links

"If you have an estate of thousands of services and you maintain 97% of them then you might think that you are doing a good job but the problem is that it's the 3% that the attacker will exploit."
Avi Shua, Orca Security CEO

Today - July 28th 2020 - Orca Security have released their 2020 State of Public Cloud Security Report. The report has been compiled by Orca through their cross-industry research into public cloud security deployments based on data from more than 2 million scans of 300,000 public cloud assets.

Their research shows that enterprises continue to be breached by the weakest links in their security caused by neglected workloads, authentication issues, discoverable credentials, and misconfigured storage buckets. Some of the key findings contained in Orca’s report include:

·         80% have at least one neglected, internet-facing workload

·         60% have workloads that has reached “end-of-life” and will no longer be supported by manufacturer security updates.

·         49% even have at least one publicly accessible unpatched web server despite awareness of how that could result in large data breaches

·         Authentication and credential issues are also widespread, with 25% having cloud accounts without multi-factor authentication

·         When it comes to lateral movement risk, the security posture of internal machines is much worse than internet-facing servers, with 77% of organizations having at least 10% of their internal workloads in a neglected security state.


Insecure IT systems can lead to catastrophe. Privately, security flaws allow hackers to corrupt or steal your data; a very public breach, however, has the potential to permanently damage an organizations’ reputation. So why, when organizations are fully aware of the risks, did Orca discover such a high number of vulnerabilities? To find out the answers to this question and more we spoke to Orca Security CEO Avi Shua.

“When you are expected to deliver IT solutions quickly, sometimes security is put on the back seat and so security teams are left to understand the risks and to convince people to fix them. Of course, it is much harder to fix something when it is already live in production.” explained Avi. “Today, in the cloud, the power has shifted to development teams and security often comes second as there’s always something more important to do.”


Despite many alarming statistics contained in the report, their research does show that the vast majority of workloads in organizations’ cloud environments are well maintained. In most areas of business, a 90%+ success rate would be seen as a great victory yet, unfortunately, this does not translate so well into the cybersecurity world.

“If you have an estate of thousands of services and you maintain 97% of them then you might think that you are doing a good job but the problem is that it’s the 3% that the attacker will exploit. This is why security is hard and unfair – you need to secure everything, but an attacker only needs to find one weak spot.” explained Avi.

Weak security authentication is one of the key problem areas identified in the report where 23.5% of organizations had at least one cloud account that didn’t use Multi-factor Authentication. Multi-factor Authentication (MFA) is where a user is granted access to a system after successfully presenting two or more pieces of evidence and provides much greater security than traditional username/password log ins. What makes this statistic surprising is that MFA functionality is a standard feature in all modern cloud platforms.

“The problem is that the path of least resistance is often taken and so just putting in a password is easier than using MFA and this highlights the fact that you need security governance with good coverage across the board.” explains Avi.

Identifying problems in technology is always the easy part, coming up with viable solutions is much more difficult. Orca’s report concludes with the following key recommendations:

·         Security is only as good as its coverage. Make sure you cover 100% of your cloud assets as attackers will always sneak through the weakest links.

·         Get your basics straight before progressing to more advanced capabilities. Breaches mostly stem from simple things such as an unpatched, neglected service or a stolen root account password with no MFA. Invest in IT hygiene and monitor it on a daily basis.

·         Look for lateral movement risk. Assume that internet-facing workloads may be breached and make sure it doesn’t lead to uncontained damage via less secure internal servers.

·         Mistakes will happen. This is human nature. Embrace it while implementing tools that will allow you to react quickly.


The reasons for vulnerabilities vary across organizations and appear to be largely rooted in a lack of awareness, a lack of skill, a lack of correct tooling and/or a lack of time. An obvious solution is to simply bring in third party support and yet complexities remain around the use of traditional invasive on-premise style technologies. This is where Orca’s SideScanning technology is potentially game-changing as it only requires read only access to an organizations cloud environment – Avi uses the analogy of the difference between an MRI scan versus using an invasive needle to explain this.

“The unique capability of our SideScanning technology is that it only requires read-only access to the environment and we are able to see deep and wide. We can see all of the workloads for 100% of the environment and this is how we are able to pinpoint the neglected workloads. Instead of a cloud security practitioner asking the development team to install agents to see if there are any risks, we examine the environment and identify the cases where there is a critical vulnerability. This is much more ‘fact’ based which allows you to build better relationships and push people to fix the issues because they now know about them.”

Cloud security features and tools continue to evolve at a pace quicker than many organizations can adopt them. We took the opportunity to ask Avi for his expert opinion on where he thinks cyber security in the cloud is heading next.

“The future of cybersecurity is in reducing the engineering work. Engineering of security should be embedded as much possible into the platform. So, more automation and more built-in visibility that leaves the security practitioner to focus on issues inherent in solutions that cannot fixed be fixed automatically by the platform” said Avi.

Security has always been a game of coverage. Ultimately, it’s not enough to secure 99% of your environment if attackers can exploit the other 1% and penetrate your systems. The cloud is here to stay but is a very different world to on-premises environments and requires different methodologies and new tools. In order to win at cyber security, organizations can no longer limit themselves to the limitations of the on-premises environment. The cloud has its challenges, but it also has tools that facilitate better security that makes it possible to reach the 100% that wasn’t always possible before.

“Most issues can be fixed within a matter of hours from the time we identified them but it’s the manner of knowing them without requiring you to change the way you work. The solution is in creating visibility and knowing what problems you have – ignorance is bliss until you are breached. We’ve seen organizations that are able to reduce issues to zero within the space of a few months simply because of the new visibility we provide.” Avi concluded.


Technology Business News - LOS ANGELES 23rd March 2021 - Cloud security innovation leader, Orca Security, has today announced a successful 210 million Series C funding round.

Orca Security announce $210m Series C round led by CapitalG and Redpoint Ventures

Technology Business News - As the finance industry increasingly adopts digital onboarding technologies, they are utilizing and storing more of our biometric data and personal identification information.

Regulation needed to ensure Finance Industry use compliant Digital Identity technologies

Technology Business News - If you don t work in the Finance industry, you naturally aren t too concerned with financial services industry regulations. Yet some regulations don t just affect the people who work in the finance industry they affect everyone.

Global Finance Industry faces further regulation after pandemic exposes weaknesses

Technology Business News - Global healthcare leader Abbott have announced the release of their first Virtual Reality training program, powered by Oculus Go , aiming to fundamentally change how cardiologists are trained in using Optical Coherence Tomography OCT imaging technology.

Abbott launches flagship Imaging Technology VR Training Program for Cardiologists

Technology Business News - Next year will be the 40th anniversary of the launch of MTV. Launched in August 1981, MTV aptly chose Video Killed The Radio Star by The Buggles as their first featured music video. Video never did kill the radio star, online radio stations and music streaming services have never been more popular.

YouTube creator brings electronic music to life with visionary video productions

Technology Business News - Organizations invest heavily in security and compliance. They secure and monitor emails, networks and devices to help protect their data, employees and reputation.

Theta Lake's rapid rise to prominence from the need to protect the collaborative workplace

Ten Times Ten

Analytics, Modelling & Business Intelligence Specialists