About Metrics in Attack Surface Management
Understanding metrics—Attack Surface Size, Total Active Risks, and Average Length of Exposure—and their implications helps you understand your larger cybersecurity initiatives.
The Attack Surface Size metric is the total number of assets exposed to potential threats. This includes all accessible assets and services, such as domains, hosts, web entities, storage buckets, and TLS certificates.
Calculation: SUM asset type (hosts + domains + web entities + storage buckets + certificates)
Note
In our pricing and packaging of Attack Surface Management, we use Assets Under Management (AUM) as a metric. The AUM count that you see on your quote is less than the Attack Surface Size metric.
- Resource Allocation: A bloated attack surface can strain security resources. Security leaders need to allocate resources efficiently to focus on the most critical assets and risks. By addressing attack surface sprawl and hygiene, they can prioritize efforts and investments where they are needed most.
- Incident Response Efficiency: A smaller, well-maintained attack surface allows security teams to respond more efficiently to potential cyber incidents. Attack surface hygiene reduces the complexity of investigations and helps teams focus on critical assets and potential threats, leading to faster incident response times.
- Proactive Security Posture: Companies that strategically and proactively monitor the growth and hygiene of their attack surface are more agile in their defense, enabling them to stay ahead of emerging threats.
We recommend reviewing the following checklists to guide next steps:
Growing Attack Surface Checklist
- Are these assets managed well?
- Are the assets leveraging sanctioned vendors, such as cloud service providers, domain registrars, and cert issuers?
- Do we know who the asset owners or responsible parties are?
- What kind of risks do these new assets have?
- Can our team operate at the speed at which our attack surface is expanding?
Shrinking Attack Surface Checklist
- Can we identify the steps taken to shrink our attack surface?
- Have we documented processes and strategies effectively to ensure best practices are captured?
- Have we provided comprehensive reports to our senior leadership detailing the progress made in reducing our attack surface?
The Total Active Risks metric counts the number of active risk instances Censys observes within your attack surface. Active risks on assets that are exposed to the internet reflect the holes in an organization's perimeter that can be exploited by an attacker.
Calculation: SUM (risk instances where status = active)
Resource Allocation: Understanding the total active risks is crucial for allocating security resources. Organizations face the challenge of managing many vulnerabilities. By quantifying these vulnerabilities, security leaders can allocate resources more effectively. This allows them to focus on the most critical risks that have the potential to cause significant damage.
Risk Coverage: Identifying and cataloging risks and vulnerabilities within the organization's environment is essential. It provides visibility into various attack vectors that have the potential to threaten the business.
Prioritized Remediation: By addressing the total active risks, security teams can prioritize risk mitigation efforts. Not all vulnerabilities are equal in terms of their potential impact. Some vulnerabilities can be more likely to be exploited or have a higher potential for harm. Accurate metrics help to create a systematic approach for remediation based on risk severity.
We recommend reviewing the following checklists to guide next steps:
- Determine the category, severity, and organizational importance of the new risks. Use this to effectively triage and make plans for remediation.
- Ensure that new high-priority risks have a clear organizational owner responsible for remediation.
- Identify if risks are coming from a certain part of the organization. Do these teams need more enablement or resources?
- Consider whether the increase in risks is related to external partners or vendors. Are they adhering to the security standards your organization requires?
- Assess whether your organization has sufficient preparedness to address the increasing variety of risks. Are playbooks up to date? Are there processes that need to be defined?
- Assess whether the decline is a result of effective remediation efforts or reduced exposure due to asset removal or modification.
- Identify which risk mitigation strategies are successful and determine whether they can be replicated for continuous improvement.
- Have we prepared reports for senior leadership to show the current risk landscape and the effectiveness of mitigation strategies?
The Average Length of Exposure metric measures the average number of days that Censys observed risks within your attack surface. This metric quantifies the duration during which an attacker could potentially observe and attempt to exploit these risks.
Calculation: SUM (number of days each risk instance is active) / total risks
Note
This metric is in Beta! We're interested in feedback. Email us at support@censys.com.
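The three calculations above, worked through on a small inventory. This is an added example, not Censys code: the record fields (`type`, `first_seen`, `closed`), the asset and risk names, and the rule that a still-active risk is counted up to the reporting date are all assumptions made for illustration.

```python
from datetime import date

# Constructed sample data; field names are hypothetical, not a Censys export schema.
ASSETS = [
    {"type": "host", "name": "203.0.113.10"},
    {"type": "host", "name": "203.0.113.11"},
    {"type": "domain", "name": "example.com"},
    {"type": "web_entity", "name": "app.example.com:443"},
    {"type": "storage_bucket", "name": "example-backups"},
    {"type": "certificate", "name": "CN=app.example.com"},
]
RISKS = [
    {"asset": "203.0.113.10", "risk": "Exposed RDP", "severity": "high",
     "first_seen": date(2024, 1, 1), "closed": None},
    {"asset": "203.0.113.11", "risk": "Expired certificate", "severity": "medium",
     "first_seen": date(2024, 1, 11), "closed": date(2024, 1, 21)},
    {"asset": "example-backups", "risk": "Publicly listable bucket", "severity": "critical",
     "first_seen": date(2024, 1, 26), "closed": None},
]
COUNTED_TYPES = {"host", "domain", "web_entity", "storage_bucket", "certificate"}

def attack_surface_size(assets):
    """SUM of assets across the five counted asset types."""
    return sum(1 for a in assets if a["type"] in COUNTED_TYPES)

def total_active_risks(risks):
    """SUM of risk instances whose status is active (no close date)."""
    return sum(1 for r in risks if r["closed"] is None)

def exposure_days(risk, as_of):
    """Days a risk was observed; open risks are measured up to as_of (assumption)."""
    end = risk["closed"] or as_of
    return max((end - risk["first_seen"]).days, 0)

def average_length_of_exposure(risks, as_of):
    """Total exposure days divided by total risk instances; 0.0 for an empty set."""
    if not risks:
        return 0.0
    return sum(exposure_days(r, as_of) for r in risks) / len(risks)

def longest_active_exposures(risks, as_of, limit=5):
    """Open risks ranked by exposure, the input for prioritized remediation."""
    active = sorted((r for r in risks if r["closed"] is None),
                    key=lambda r: exposure_days(r, as_of), reverse=True)
    return [(r["risk"], r["asset"], exposure_days(r, as_of)) for r in active[:limit]]

if __name__ == "__main__":
    today = date(2024, 1, 31)
    print(attack_surface_size(ASSETS), total_active_risks(RISKS),
          average_length_of_exposure(RISKS, today))
    print(longest_active_exposures(RISKS, today))
```

Tracking the ranked list alongside the average shows whether a falling average reflects remediation of long-lived risks or only an influx of new, short-lived ones.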
Timely Risk Mitigation: The Average Length of Exposure metric helps quantify how promptly identified risks are being addressed. A shorter exposure duration means swift remediation, reducing the window of opportunity for potential attackers.
Reduced Vulnerability Window: By minimizing the average length of exposure, security teams decrease the duration in which vulnerabilities remain exploitable. This directly contributes to lowering the likelihood of successful cyberattacks.
Operational Continuity: Shorter exposure durations translate to reduced periods of vulnerability, enhancing operational continuity and minimizing potential disruptions caused by security incidents.
We recommend reviewing the following checklists to guide next steps:
- Assess the efficiency of the risk mitigation process. Are there bottlenecks or delays that need to be addressed?
- Allocate resources to the most critical risks with the longest exposure durations. Swiftly mitigate vulnerabilities with the potential for immediate impact.
- Evaluate the potential of automating aspects of the risk mitigation process to accelerate response times.
- Re-examine risk configurations. Are risk types set at the severities that match your organization’s tolerance? Are there risk types that should be muted?
- Understand the factors contributing to the decrease. Is it a result of improved processes, increased automation, or enhanced collaboration within the security team?
- Identify the successful strategies and practices that led to shorter exposure durations. Document and replicate these practices across other risk mitigation efforts.
- Are findings and insights on the effective strategies and processes being comprehensively reported to senior leadership?