Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

October 5, 2021

12 Attack Surface Metrics Every CISO Should Be Tracking

By: Keegan Henckel-Miller

Share on facebook
Share on twitter
Share on linkedin

As business dependence on digital technology has increased during the pandemic, CISOs and their teams are working overtime. Recent studies suggest the majority of security professionals lose sleep at night and 80% are more stressed today than they were a year ago. A big contributor to this stress is the ambiguous nature of security and the underlying fear of the unknown. Security teams need new attack surface metrics to fully understand their networks.

A solid attack surface management program can reduce the fear of these unknowns, by providing a continuous and ongoing assessment of your attack surface – from an external perspective – validating the hard work and long hours your team are putting in. In this blog, we’ll break down 12 attack surface metrics the most forward leaning security organizations are adopting to effectively manage the risk of unknown exposures, measure team performance, and demonstrate the value of the security posture to the board.  

It’s often said, companies measure what matters. Your attack surface is your first line of defense, having effective metrics to monitor and manage it should be a key element of any CISO’s reporting. 

Exposures

  • Number of Exposed Assets
    • You can’t manage your attack surface until you understand it. Knowing how many assets are exposed and what they are is foundational to effective decision making. One of the easiest steps any CISO can take to reduce their risk is to reduce the size of their attack surface. A lean attack surface makes an attacker’s job much harder from jump street. By tracking the size of your attack surface over time you can set goals for attack surface reduction and demonstrate improvement to the board. The most highly advanced organizations track exposed assets by business units, enabling them to have relevant conversations with underperforming business units about risk.  
  • Percentage of New Assets Unknown to Security (Shadow IT) 
    • Hand-in-hand with knowing the size of your attack surface is understanding how well your team is at tracking what’s changing. As IT has become decentralized, this is an increasingly hard task for security teams who often relied on IT to keep an inventory of known assets. To effectively manage risk, your team must understand how things are changing and if that rate is increasing or decreasing over time. 
  • MTTI (Mean Time To Identification) 
    • Once you have an understanding of the size of the program, it’s time to turn your sights on how effectively your team is at reducing the window of opportunity provided to attackers. Understanding how well your team is at identifying what’s exposed. Things will slip through the cracks, but when they do one key metric leading security teams look at is Mean Time to Identification. This, in combination with MTTA and MMTR – which will discuss later, can be an effective set of metrics for helping align teams on the actions that have the highest ROI.  

Risks

  • Number of High Priority Targets
    • Not all assets are created equal. Having visibility on what’s exposed is great, but if you have more problems than your team can address you’ll need a way to prioritize. Leveraging a risk-based approach to attack surface management, EASM solutions, such as Randori Recon, enable you to understand which of your assets are most “attackable” and provide workflows to help your team take action faster. Snuffing out your highest-risk assets first will drastically decrease your exposure, reducing your overall risk. 
  • Number of New High Priority Targets (Avg Age) 
    • Much like the exposure measuring process, your prioritization process needs to be continuous as well. The faster new high-risk assets appear on your attack surface, the faster your blue team will have to respond to keep up. Use this metric to push for policy changes or increased investment.
  • Percentage of Top Targets vs Peers (Ratio) 
    • Knowing how your process measures up to those around you is critical to assessing risk. Risk is always relative and having an understanding of what is “normal” will help you identify areas of improvement, areas of strength and advocate for additional security budget. If you have far more high-risk exposed assets than your closest 5 competitors, having that information can be imperative to building the institutional will to take action.  

Operations

  • MTTA (Mean Time To Action)
    • Mean Time To Identification is good to know, but only useful if your team acts on the information in a timely manner. While there is a lot as a security team that is outside your control, this metric is fully within your control.  If an asset takes 48 hours to discover, but 3 weeks to action – you know you have a resourcing problem. Tracking this metric is critical to measuring the operational effectiveness of your security program and helpful when advocating for additional headcount or tools. 
  • Number of Targets Awaiting Investigation
    • Unknowns are not a security professional’s friend. Knowledge is power, and that means the more assets you have investigated, the better and faster you will be armed against nosy adversaries. How long is your queue of targets awaiting investigation? If it’s too long or getting longer, you might need to shift around resources to prioritize that part of the process. 
  • Number of New Tickets Created
    • When exposed assets are discovered and reported, a queue builds up. Understanding the rate at which new tickets are being submitted will help you plan and resource appropriately. 
  • Number of Active Tickets
    • Once a ticket is picked up, someone is thinking about it. Having a large number of active tickets can represent inefficient operations or hide process failures that leave tickets in limbo. If your team has too many active tickets at any given time, it may indicate your Mean Time to Action is not accurately reflecting your team’s capacity and additional investments are needed.

Impact

  • MTTR (Mean Time To Remediation) 
    • No system can be completely secure and there will always be issues to remediate. The biggest way to reduce the risk from your attack surface is to limit the window of time attackers have to take advantage of issues. Quick and effective vulnerability management, security operations and  incident response and remediation is key to a successful security program. If MTTI and MTTA are low but MTTR is long, while your team is jumping quickly they are still offering attackers a generous window through which to climb into your network. You need to know what your mean time is between the moment an asset pops up on your perimeter to the moment it has been remediated or a compensating control put in place. 
  • Number of High Priority Issues Resolved
    • As important as knowing how often your security program fails is knowing how often it succeeds. High priority exposures don’t always get exploited, but measuring how many you managed to plug without incident will prove the effectiveness of your program to your team and your board. It will also help you gauge when you need to reprioritize a different part of the process to reduce Mean Time to Action and move those tickets along the line to the finished pile.

 

Discover how Randori can help you discover unknowns, regain control of your attack surface and begin reporting on these 12 key metrics today. 

Sign up for a free attack surface audit to get started 

and

Follow Us On LinkedIn

Gain an Attacker's Perspective

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.