Every company has two attack surfaces: internal and external. Of the two, the external attack surface (EAS) is much harder to safeguard. Why? First, external surface vulnerabilities can take 10x longer to detect and mitigate. Additionally, dwell time — the period from breach to mitigation — averages three to four months, and can sometimes stretch to six.
Where the problem comes in is bad actors are well aware of security gaps and are constantly on the hunt for ways to access your valuable assets. Case in point: 80 percent of attacks aim at penetrating a company's external attack surface, according to Verizon.
As an industry, security leaders managed to bring down Mean Time to Detection (MTTD) and Mean Time to Remediation (MTTR) for internal attack surface vulnerabilities to just a couple of weeks or less. But why haven’t they succeeded in bringing these figures down on the external side?
The industry is recognizing external attack surfaces are vulnerable
Gartner describes external attack surfaces as “exposed surfaces outside of a set of controllable assets.” They include systems, applications, cloud instances, supply chains, IoT devices and data exposed to the Internet. The external attack surface sprawls across subsidiaries, multiple clouds, and assets managed by third parties. It also changes constantly, making it incredibly complex and difficult to protect.
There’s an additional “surface” to consider. Many organizations — even Fortune 100 banks — accidentally expose internal databases, DevOps instances, and applications which are exposed to the Internet and make ideal targets, even though security teams regard them as internal.
Companies have learned the hard way how quickly vulnerabilities can be exploited, and attackers are getting faster. Day 1 exploits often follow announcements and patch availability by just hours.
In 2022, Gartner called for a constantly updated “inventory of the expanding enterprise attack surface,” pointing out that “even small, seemingly inconsequential additions to the digital footprint can weaken an organization’s security controls and data protection efforts.”
Constantly updated discovery and continuous testing are key; external attack surface increases to 5 percent or more in a month. Exposures pop up as new web applications are launched, new services and machines are deployed, and new APIs are exposed. New configurations and newly released vulnerabilities put previously tested assets at risk. Does this impact cybersecurity? Indeed it does. Much of the external attack surface is elusive and some assets are never mapped, so vulnerabilities around them are never remediated.
Why external attack surface vulnerabilities take long to remediate
Fact: On external attack surfaces, both detection and mitigation of vulnerabilities take far too long. Unless the organization has ongoing, automated full-scale testing, it’s probably two to three months to discover a security gap. Then, another two weeks to three months to remediate, including prioritization delays. That is a total dwell time (MTTD + MTTR) of 75 to 180 days, radically longer than for internal surface vulnerabilities which are usually resolved in under 14 days.
The findings below are based on real-life metrics from 2,000 global companies. They show that dwell times for external vulnerabilities are 5x to 12x longer than internal vulnerabilities and have surprised some IT leaders.
|
MTTD |
MTTR for critical vulns |
Dwell Time / total |
Internal surface |
1-30 days |
1-14 days |
Usually < 14 days |
External surface |
60 to 90 days |
14-90 days |
Usually 75 - 180 days |
It’s no accident that detection and remediation take weeks and months for external surfaces. For starters, there are fundamental obstacles to detecting EAS vulnerabilities.
- Fast-changing external assets make discovery very difficult. Without getting too granular, it is technically complex to discover every external surface, let alone the fact that it shifts up to 9% in a given month. In practice, this can mean some assets are never security tested.
- Incomplete visibility. Most organizations lack the tools necessary to explore all attack surfaces. As a result, external surface visibility lags, such as in coverage of configuration management databases (CMDBs)—which has major gaps.
- Testing is limited in coverage. Pen testing and application security testing are infrequent and rarely cover the known external surface, let alone what goes undiscovered. PT and DAST cover 1% to 10% of a company's external web interfaces, for example.
- Testing is infrequent. New configurations and newly released vulnerabilities can expose assets that were tested recently and deemed safe. Few companies conduct ongoing (24/365) testing, the gold standard for reducing MTTD.
After detection comes MTTR. It can be just as slow. Once you find security gaps, timely and effective mitigation depends on accuration prioritization. Most discovery tools generate many false positives; only a minute percentage of the positives are truly high priority.
Taking action: Reducing risk posed by external attack surface vulnerabilities
Prevention via continuous testing and prioritization is the centerpiece of cutting exposure time. Preemptive discovery of direct attack paths will close many gaps before they are broadcast to the world, and makes quick “smash-and-grab” opportunities harder for bad actors to find.
Security testing pushes attackers away to more sophisticated, longer-path attacks where it could take weeks to dig their way to valuable assets. That gives threat detection more time to contain successful intrusions.
The steps to reducing MTTD and MTTR:
- Aim for full visibility with automated, end-to-end reconnaissance on both internal and external surfaces.
- Apply modern technologies like ML and NLP to understand the context and purpose of all exposed assets, and narrow down to the [one 1/10 of 1%] attack vectors that create the bulk of your cyber risk. Technically, the same processes also handle attribution — that is, figure out which subsidiary or entity owns the vulnerability.
- Test continuously, as well as comprehensively, pushing to cut MTTD down to [a few] days. Removing the excessive delay in detecting new vulnerabilities allows much faster identification of the true positives.
- Look at the attack paths that lead to important assets. Highest priority goes to direct attack paths (simpler, shorter sequences) that attackers could use to access the assets with higher business value.
- Finally, mitigation; attribution helps identify the business unit that is accountable for a vulnerability. Sharing strong and detailed evidence with them builds trust and often leads to faster investigation and a quicker solution. Aim for days rather than weeks.
External attack surface vulnerabilities can be conquered
Many organizations have done a great job protecting their internal attack surfaces that consist of networks, servers, laptops, etc. Cybersecurity professionals are surprised to learn that vulnerability dwell time on EAS is 5x to 12x longer. But in fact, external surface vulnerabilities are harder to find, scan, test, prioritize, attribute and remediate.
To reduce risk, having an effective strategy and mechanism to find and prioritize EAS vulnerabilities matters more than loading up on remediation resources. Establishing full discovery and determining context, value, and attribution make it dramatically easier to identify and remediate truly critical vulnerabilities in days, rather than months.