Metrics Guide
This Metrics Guide is designed to provide you with comprehensive guidance on how to effectively interpret and utilize the core metrics offered within the Exposure Management Trends and Benchmarking Dashboard. This guide aims to help you understand the metrics—Attack Surface Size, Total Active Risks, and Average Length of Exposure—and their implications on your larger cybersecurity initiatives.
Attack Surface Size
Definition & Calculation
The Attack Surface Size metric represents the total number of assets exposed to potential threats. This encompasses all accessible assets and services, such as domains, hosts, web entities, storage buckets, and TLS certificates.
Calculation: SUM asset type (hosts + domains + web entities + storage buckets + certificates)
NOTE: In our pricing and packaging of exposure management, we use Assets Under Management (AUM) as a metric. The AUM count on your quote will be less than the Attack Surface Size metric.
Importance
- Resource Allocation: A bloated attack surface can strain security resources. Security leaders need to allocate resources efficiently to focus on the most critical assets and risks. By addressing attack surface sprawl and hygiene, they can prioritize efforts and investments where they are needed most.
- Incident Response Efficiency: A smaller, well-maintained attack surface allows security teams to respond more efficiently to potential cyber incidents. Attack surface hygiene reduces the complexity of investigations and helps teams focus on critical assets and potential threats, leading to faster incident response times.
- Proactive Security Posture: Companies that strategically and proactively monitor the growth and hygiene of their attack surface can be more agile in their defense, enabling them to stay ahead of emerging threats.
Actionable Insights
We recommend reviewing the following checklists to guide next steps:
If attack surface size is increasing
Growing Attack Surface Checklist
- Are these assets managed well?
- Are the assets leveraging sanctioned vendors (such as cloud service providers, domain registrars, and cert issuers)?
- Do we know who the asset owners or responsible parties are?
- What kind of risks do these new assets have?
- Is our team able to operate at the speed at which our attack surface is expanding?
If attack surface size is decreasing
Shrinking Attack Surface Checklist
- Are we able to identify the steps taken to shrink our attack surface?
- Have we documented processes and strategies effectively to ensure best practices are captured?
- Have we provided comprehensive reports to our senior leadership detailing the progress made in reducing our attack surface?
Total Active Risks
Definition & Calculation
The Total Active Risks metric counts the number of active risk instances Censys observes within your attack surface. Active risks on assets that are exposed to the internet reflect the holes in an organization's perimeter that could be exploited by an attacker.
Calculation: SUM (risk instances where status = active)
Importance
- Resource Allocation: Understanding the total active risks is crucial for wisely allocating security resources. Organizations face the challenge of managing a multitude of vulnerabilities, and by quantifying them, security leaders can allocate resources more effectively. This allows them to focus on the most critical risks that have the potential to cause significant damage.
- Risk Coverage: Identifying and cataloging risks and vulnerabilities within the organization's environment is essential as it provides visibility into various attack vectors that have the potential to threaten the business.
- Prioritized Remediation: By addressing the total active risks, security teams can prioritize risk mitigation efforts. Not all vulnerabilities are equal in terms of their potential impact; some may be more likely to be exploited or have a higher potential for harm. Accurate metrics help to create a systematic approach for remediation based on risk severity.
Actionable Insights
We recommend reviewing the following checklists to guide next steps:
Growing Risk Instances Checklist:
- Determine the category, severity, and organizational importance of the new risks. Use this to effectively triage and make plans for remediation.
- Ensure that new high-priority risks have a clear organizational owner responsible for remediation.
- Identify if risks are coming from a certain part of the organization. Do these teams need more enablement or resources?
- Consider whether the increase in risks is related to external partners or vendors. Are they adhering to the security standards your organization requires?
- Assess whether your organization has sufficient preparedness to address the increasing variety of risks. Are playbooks up to date? Are there processes that need to be defined?
Shrinking Risk Instances Checklist:
- Assess whether the decline is a result of effective remediation efforts or reduced exposure due to asset removal or modification.
- Identify which risk mitigation strategies have been successful and determine whether they can be replicated for continuous improvement.
- Have we prepared reports for senior leadership to illustrate the current risk landscape and the effectiveness of mitigation strategies?
Average Length of Exposure for Risks
Definition & Calculation
The Average Length of Exposure metric measures the average number of days that Censys observed risks within your attack surface. This metric quantifies the duration during which an attacker could potentially observe and attempt to exploit these risks.
Calculation: (Number of days risk instance: active)/total risks
NOTE: This metric is in Beta! We're interested in feedback. Email us at support@censys.com.
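The three calculations in this guide, worked through on a small inventory as an added example (not Censys code or output). The record fields, the "closed" status value, counting still-open risks up to a reporting date, and dividing by all risk instances in the set are assumptions made for illustration; the block also ranks the still-active risks by exposure so the longest-running ones surface first.

```python
from datetime import date

# Constructed sample data. Field names and status values other than "active"
# are assumptions for this example, not a Censys export schema.
ASSETS = {"hosts": 120, "domains": 45, "web_entities": 60,
          "storage_buckets": 5, "certificates": 80}
RISKS = [
    {"id": "r1", "status": "active", "first_seen": date(2024, 1, 1), "closed_on": None},
    {"id": "r2", "status": "active", "first_seen": date(2024, 3, 1), "closed_on": None},
    {"id": "r3", "status": "closed", "first_seen": date(2024, 2, 1), "closed_on": date(2024, 2, 11)},
    {"id": "r4", "status": "active", "first_seen": date(2024, 3, 21), "closed_on": None},
]

def attack_surface_size(assets):
    """SUM of asset counts across all asset types."""
    return sum(assets.values())

def total_active_risks(risks):
    """SUM of risk instances where status = active."""
    return sum(1 for r in risks if r["status"] == "active")

def days_exposed(risk, as_of):
    """Days a risk instance was active; open risks are counted up to as_of."""
    end = risk["closed_on"] or as_of
    return max((end - risk["first_seen"]).days, 0)

def average_length_of_exposure(risks, as_of):
    """Total active days across risk instances divided by the number of instances."""
    if not risks:
        return 0.0  # avoid dividing by zero when there are no risk instances
    return sum(days_exposed(r, as_of) for r in risks) / len(risks)

def longest_exposed(risks, as_of, n=3):
    """IDs of still-active risks, longest exposure first, for triage."""
    active = [r for r in risks if r["status"] == "active"]
    active.sort(key=lambda r: days_exposed(r, as_of), reverse=True)
    return [r["id"] for r in active[:n]]

if __name__ == "__main__":
    as_of = date(2024, 3, 31)  # constructed reporting date
    print(attack_surface_size(ASSETS), total_active_risks(RISKS))
    print(average_length_of_exposure(RISKS, as_of), longest_exposed(RISKS, as_of))
```

Because open risks keep accruing days until they are closed, the average moves with the reporting date even when no new risks appear.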
Importance
- Timely Risk Mitigation: The Average Length of Exposure metric helps quantify how promptly identified risks are being addressed. A shorter exposure duration signifies swift remediation, reducing the window of opportunity for potential attackers.
- Reduced Vulnerability Window: By minimizing the average length of exposure, security teams decrease the duration in which vulnerabilities remain exploitable. This directly contributes to lowering the likelihood of successful cyberattacks.
- Operational Continuity: Shorter exposure durations translate to reduced periods of vulnerability, enhancing operational continuity and minimizing potential disruptions caused by security incidents.
Actionable Insights
We recommend reviewing the following checklists to guide next steps:
Increasing Length of Exposure Checklist:
- Assess the efficiency of the risk mitigation process. Are there bottlenecks or delays that need to be addressed?
- Allocate resources to the most critical risks with the longest exposure durations. Swiftly mitigate vulnerabilities that have the potential for immediate impact.
- Evaluate the potential of automating aspects of the risk mitigation process to accelerate response times.
- Re-examine risk configurations: are risk types set at the severities that match your organization’s tolerance? Are there risk types that should be muted?
Reducing Length of Exposure Checklist:
- Understand the factors contributing to the decrease. Is it a result of improved processes, increased automation, or enhanced collaboration within the security team?
- Identify the successful strategies and practices that have led to shorter exposure durations. Document and replicate these practices across other risk mitigation efforts.
- Are findings and insights on the effective strategies and processes being comprehensively reported to senior leadership?