Metrics

Understanding the metrics (Attack Surface Size, Total Active Risks, and Average Length of Exposure) and their implications gives you insight into your larger cybersecurity initiatives.

Attack Surface Size

Definition and calculation

The Attack Surface Size metric is the total number of assets exposed to potential threats. This includes all accessible assets and services, such as domains, hosts, web entities, storage buckets, and certificates.

Calculation: SUM asset type (hosts + domains + web entities + storage buckets + certificates)

Note

In Censys pricing and packaging of Attack Surface Management, Censys uses Assets Under Management (AUM) as a metric. The AUM count that you see on your quote is less than the Attack Surface Size metric.

Importance

  • Resource Allocation: A bloated attack surface can strain security resources. Security leaders need to allocate resources efficiently to focus on the most critical assets and risks. By addressing attack surface sprawl and hygiene, they can prioritize efforts and investments where they are needed most.
  • Incident Response Efficiency: A smaller, well-maintained attack surface allows security teams to respond more efficiently to potential cyber incidents. Attack surface hygiene reduces the complexity of investigations and helps teams focus on critical assets and potential threats, leading to faster incident response times.
  • Proactive Security Posture: Companies that strategically and proactively monitor the growth and hygiene of their attack surface are more agile in their defense, enabling them to stay ahead of emerging threats.

Actionable insights

Censys recommends reviewing the following checklists to guide next steps.

If your attack surface size increases

  1. Are these assets managed well?
  2. Are the assets leveraging sanctioned vendors, such as cloud service providers, domain registrars, and cert issuers?
  3. Do we know who the asset owners or responsible parties are?
  4. What kind of risks do these new assets have?
  5. Can our team operate at the speed at which our attack surface is expanding?

If your attack surface size decreases

  1. Can we identify the steps taken to shrink our attack surface?
  2. Have we documented processes and strategies effectively to ensure best practices are captured?
  3. Have we provided comprehensive reports to our senior leadership detailing the progress made in reducing our attack surface?

Active Risks

Definition and calculation

The Active Risks metric counts the number of active risk instances Censys observes within your attack surface. Active risks on assets exposed to the Internet reflect the holes in an organization's perimeter that an attacker can exploit.

Calculation: SUM (risk instances where status = active)

Importance

  • Resource Allocation: Understanding the total active risks is crucial for allocating security resources. Organizations face the challenge of managing many vulnerabilities. By quantifying these vulnerabilities, security leaders can allocate resources more effectively. This allows them to focus on the most critical risks that have the potential to cause significant damage.
  • Risk Coverage: Identifying and cataloging risks and vulnerabilities within the organization's environment is essential. It provides visibility into various attack vectors that have the potential to threaten the business.
  • Prioritized Remediation: By addressing the total active risks, security teams can prioritize risk mitigation efforts. Not all vulnerabilities are equal in terms of their potential impact. Some vulnerabilities are more likely to be exploited or have a higher potential for harm. Accurate metrics help create a systematic approach to remediation based on risk severity.

Actionable insights

Censys recommends reviewing the following checklists to guide next steps.

If your risk instances count increases

  1. Determine the category, severity, and organizational importance of the new risks. Use this information to triage and make effective remediation plans.
  2. Ensure that new high-priority risks have a clear organizational owner responsible for remediation.
  3. Identify if risks are coming from a certain part of the organization. Do these teams need more enablement or resources?
  4. Consider whether the increase in risks is related to external partners or vendors. Are they adhering to the security standards your organization requires?
  5. Assess whether your organization is sufficiently prepared to address the increasing variety of risks. Are playbooks up to date? Do processes need to be defined?

If your risk instances count decreases

  1. Assess whether the decline is due to effective remediation efforts or reduced exposure due to asset removal or modification.
  2. Identify which risk mitigation strategies are successful and determine whether they can be replicated for continuous improvement.
  3. Have we prepared reports for senior leadership to show the current risk landscape and the effectiveness of mitigation strategies?

Average Length of Exposure

Definition and calculation

The Average Length of Exposure metric measures the average number of days that Censys observed risks within your attack surface. This metric quantifies the duration during which an attacker could potentially observe and attempt to exploit these risks.

Calculation: SUM (number of days each risk instance was active) / total risks
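The three calculations on this page, worked through on a small constructed inventory, with active risks then ordered by severity and exposure length as the "increases" checklist suggests. This is an added example, not Censys code. Assumptions: the record field names, the report date, the severity ordering, and counting still-active risks up to the report date.

```python
from datetime import date

# Constructed sample records; field names are illustrative, not a Censys schema.
ASSETS = [
    {"type": "host", "name": "203.0.113.10"},
    {"type": "host", "name": "203.0.113.11"},
    {"type": "domain", "name": "example.com"},
    {"type": "web_entity", "name": "app.example.com:443"},
    {"type": "storage_bucket", "name": "example-backups"},
    {"type": "certificate", "name": "constructed-cert-1"},
]
RISKS = [
    {"id": "r1", "severity": "high", "status": "active",
     "first_seen": date(2024, 3, 1), "closed_on": None},
    {"id": "r2", "severity": "critical", "status": "active",
     "first_seen": date(2024, 3, 21), "closed_on": None},
    {"id": "r3", "severity": "medium", "status": "closed",
     "first_seen": date(2024, 1, 1), "closed_on": date(2024, 1, 21)},
    {"id": "r4", "severity": "critical", "status": "active",
     "first_seen": date(2024, 2, 20), "closed_on": None},
]
COUNTED_TYPES = {"host", "domain", "web_entity", "storage_bucket", "certificate"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def attack_surface_size(assets):
    """SUM of assets across the five asset types the page lists."""
    return sum(1 for a in assets if a["type"] in COUNTED_TYPES)

def active_risks(risks):
    """SUM of risk instances where status = active."""
    return sum(1 for r in risks if r["status"] == "active")

def days_exposed(risk, as_of):
    """Days a risk was observed; open risks run to the report date (assumption)."""
    return ((risk["closed_on"] or as_of) - risk["first_seen"]).days

def average_length_of_exposure(risks, as_of):
    """Total days exposed divided by total risks; 0.0 when there are none."""
    if not risks:
        return 0.0
    return sum(days_exposed(r, as_of) for r in risks) / len(risks)

def remediation_queue(risks, as_of):
    """Active risks ordered by severity, then by longest exposure first."""
    open_risks = [r for r in risks if r["status"] == "active"]
    open_risks.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -days_exposed(r, as_of)))
    return [(r["id"], r["severity"], days_exposed(r, as_of)) for r in open_risks]
```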

Importance

  • Timely Risk Mitigation: The Average Length of Exposure metric helps quantify how promptly identified risks are being addressed. A shorter exposure duration means swift remediation, reducing the window of opportunity for potential attackers.
  • Reduced Vulnerability Window: By minimizing the average length of exposure, security teams decrease the duration in which vulnerabilities remain exploitable. This directly contributes to lowering the likelihood of successful cyberattacks.
  • Operational Continuity: Shorter exposure durations translate to reduced periods of vulnerability, enhancing operational continuity and minimizing potential disruptions caused by security incidents.

Actionable insights

Censys recommends reviewing the following checklists to guide next steps.

If your average length of exposure increases

  1. Assess the efficiency of the risk mitigation process. Are there bottlenecks or delays that need to be addressed?
  2. Allocate resources to the most critical risks with the most prolonged exposure durations. Swiftly mitigate vulnerabilities with the potential for immediate impact.
  3. Evaluate the potential of automating aspects of the risk mitigation process to accelerate response times.
  4. Re-examine risk configurations. Are risk types set at the severities that match your organization’s tolerance? Are there risk types that should be muted?

If your average length of exposure decreases

  1. Understand the factors contributing to the decrease. Is it due to improved processes, increased automation, or enhanced collaboration within the security team?
  2. Identify the successful strategies and practices that reduced exposure durations. Document and replicate these practices across other risk mitigation efforts.
  3. Are findings and insights on the effective strategies and processes being comprehensively reported to senior leadership?