Are You Being Measured Against Your Real Attack Surface?
Security teams are overwhelmed. An ongoing talent shortage in the industry makes it difficult to hire when help is desperately needed. In fact, a survey of security professionals conducted by Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) finds 38% think a talent shortage has led to overwork and burnout at their organizations — a 12% increase since 2020.
For those on the job, finding meaningful signals amid all of the noise from numerous security tools is a constant challenge. Vulnerability scanners – automated tools that allow organizations to check for weaknesses in their networks, systems, and applications – add to this environment of feeling overwhelmed, overworked, and always behind.
Make no mistake: scanners are essential. Industry standards and government regulations often mandate vulnerability scanning, and there is little debate that scanners are part of best practices for security defense today. And scanners have improved over the years since they were first introduced into common practice. They are now used at multiple points in the Software Development Lifecycle (SDLC), which means they’re finding more and more vulnerabilities and helping with overall security efforts.
But when scanners identify a vulnerability – often hundreds or thousands daily – those bugs are identified, prioritized, and added to a backlog, creating a massive amount of work for security teams who must investigate whether they pose a real threat and then patch accordingly. This mass of vulnerabilities that scanners identify is referred to as the “Perceived Attack Surface.” Most organizations measure themselves against this attack surface because they don’t have anything else to refer to for context when it comes to risk.
It’s time to focus on your actual attack surface rather than perceived risks
The reality is, not all vulnerabilities require patching. The vast majority of deployed code is never actually executed at runtime. Only vulnerabilities in code that is actually loaded and running in memory are exploitable. Your real attack surface – the one that matters for patching – is your exploitable attack surface. Most vulnerabilities identified by scanners are in code and components that are never loaded into memory and therefore pose no risk.
What’s your actual attack surface? It varies, of course, but Rezilion data reveals that, on average, the real attack surface for most organizations is less than 30% of the identified or perceived attack surface. That means more than half of vulnerabilities do not require patching. The potential time savings in patching effort is massive.
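Separating scanner findings into the loaded (exploitable) set and the dormant set can be done from runtime evidence such as a process's memory mappings. The following is an added illustration, not Rezilion's code: it uses a constructed scanner report and a constructed `/proc/<pid>/maps` listing, with placeholder CVE ids and a hypothetical package-to-library name map, to compute how much of the perceived attack surface is actually running.

```python
"""Filter scanner findings down to the runtime-loaded ("real") attack surface.

All inputs are constructed sample data; the CVE ids are placeholders.
"""

# Constructed scanner output: (component, version, finding id).
SCANNER_FINDINGS = [
    ("libssl", "1.1.1k", "CVE-0000-0001"),
    ("libxml2", "2.9.10", "CVE-0000-0002"),
    ("zlib", "1.2.11", "CVE-0000-0003"),
    ("libpng", "1.6.37", "CVE-0000-0004"),
    ("libcurl", "7.68.0", "CVE-0000-0005"),
]

# Constructed /proc/<pid>/maps lines: only these shared objects are mapped into memory.
PROC_MAPS = """\
7f1a2c000000-7f1a2c1b0000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1a2c1b0000-7f1a2c3c0000 r-xp 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f1a2c3c0000-7f1a2c3e0000 r-xp 00000000 08:01 1236 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
7f1a2c400000-7f1a2c410000 rw-p 00000000 00:00 0 [heap]
"""

# Hypothetical mapping for packages whose on-disk library name differs (zlib -> libz).
PACKAGE_TO_SONAME = {"zlib": "libz"}


def loaded_libraries(maps_text):
    """Return the set of base library names (e.g. 'libssl') with an executable mapping."""
    names = set()
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or "x" not in fields[1]:
            continue  # anonymous or non-executable mapping: no code runs from it
        base = fields[5].rsplit("/", 1)[-1]
        names.add(base.split(".so")[0])
    return names


def real_attack_surface(findings, maps_text):
    """Split findings into (running, dormant) using the runtime mapping evidence."""
    loaded = loaded_libraries(maps_text)
    running, dormant = [], []
    for pkg, ver, cve in findings:
        soname = PACKAGE_TO_SONAME.get(pkg, pkg)
        (running if soname in loaded else dormant).append((pkg, ver, cve))
    return running, dormant


def surface_ratio(findings, maps_text):
    """Fraction of the perceived attack surface that is actually loaded in memory."""
    running, _ = real_attack_surface(findings, maps_text)
    return len(running) / len(findings) if findings else 0.0
```

A production version would aggregate mappings across every process and container over time, and would need separate evidence for statically linked or interpreted code that never appears as its own shared object.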
The benefits of designing security around the real attack surface
Vulnerability Management (VM) programs, and the CISOs that run them, are judged on their ability to reduce risk. Vulnerability backlog reduction – measured week over week, month over month, and year over year – is one of the most critical, measurable, and reportable statistics that CISOs can use to convey the performance of their VM programs to their teams, to executive management, and to their boards.
But by focusing on identified/perceived vulnerabilities, CISOs are at a distinct disadvantage because their programs and efforts are judged on the ability to patch vulnerabilities that don’t actually pose any risk. It’s time wasted in an environment where every minute is precious.
A focus on an organization’s actual attack surface means CISOs have a fair and accurate measure of their program’s effectiveness. It allows them to focus resources on the areas of greatest risk and importance to the business and reduces wasted time and effort. By concentrating on the actual attack surface, patching work shrinks, teams are able to work on mission-critical tasks, and overall security is enhanced. Rezilion uses the vulnerabilities identified by your existing scanning tools as the input for determining your actual attack surface.