82% of security leaders fear AI will amplify challenges around toxic combinations

December 2024 by Panaseer

New research from Panaseer shows 82% of security leaders fear AI will amplify challenges around toxic combinations of control failures. Moreover, 92% believe growing IT complexity is increasing the threat of toxic combinations, putting high-value assets at greater risk.

Toxic combinations of control failures are interconnected risks, spanning multiple inventories and asset relationships, that compound to create a pathway for attackers to compromise a business. Now that attackers have AI at their disposal, security leaders are increasingly concerned that attackers will exploit these combinations, as Marc Möesse, Chief Product Officer at Panaseer, explains:

"The term ’toxic combinations’ originates from pharmacology, where mixing certain drugs can have deadly effects. In cybersecurity, it describes the compounded risks when multiple security weaknesses overlap, creating layer upon layer of risk. Almost all breaches result from some form of toxic combination. For example, a user who has failed multiple phishing tests might have access to critical systems and an exploitable vulnerability on their device. Individually, each risk is relatively minor, but combined, the risk increases considerably. The whole is markedly greater than the sum of its parts. Now with AI, attackers can create more sophisticated attacks with minimal effort, so there is a greater chance that attackers will uncover and exploit toxic combinations."

Panaseer warns that because toxic combinations span multiple security domains, they don’t always take the same form and are very hard to detect and prioritize. Security teams often lack the time and tools needed to see how different combinations of risk overlap within their environments, and are therefore ill-equipped to address areas of vulnerability or prioritize remediation effectively.

"Security incidents stem from a convergence of multiple control failures," explains Simon Goldsmith, CISO at OVO Energy. "These failures have often been spotted before by security teams, either in security monitoring or controls testing, but it’s only when they interact in a toxic combination with the wrong threat actor as an accelerant, that we see truly damaging consequences. This is why an information security management system needs to be wired to do much more than detect missing and misconfigured controls."

To tackle this challenge and help shine a light on toxic combinations, Panaseer has launched a new Compound Risk Metrics (CRMs) feature. These CRMs deliver actionable insights into the specific assets and relationships driving toxic combinations. This helps eliminate manual effort while ensuring consistent, reliable access to validated and verified data from across the business – far more than just a number or single line of data. Designed to address toxic combinations of risks across security domains, CRMs enable organizations to create complex, threat-driven risk profiles by identifying previously hidden or unknown vulnerabilities, prioritizing response and mitigating risk.

"It’s very difficult for security teams to identify toxic combinations, as it requires piecing together information from multiple security tools, attack chain analysis, vulnerability scans. Even then, you’re working blind because there’s no clear view of how different assets connect," explains Möesse.

"Cybersecurity leaders are already feeling the pain of toxic combinations, as identifying them requires combining data from multiple security tools, security domains and across asset relationships, to uncover hidden risks, which is difficult with a typical security stack," says Möesse. "Our new Compound Risk Metrics help teams save time and resources with reliable data, giving them a clear, continuous view of threats, and where they are overlapping."

This is a unique solution available today that integrates data from multiple sources, including vulnerability, endpoint, Configuration Management Database (CMDB), user awareness, and Privileged Access Management (PAM) tooling, to spotlight hidden attack paths and devices at risk. Panaseer’s CRMs are uniquely automated and ready to deploy within hours, making it easy for users to start creating dashboards and getting insights from their data.

