{"id":157,"date":"2023-04-18T23:06:24","date_gmt":"2023-04-18T23:06:24","guid":{"rendered":"https:\/\/www.cycognito.com\/blog\/?p=157"},"modified":"2024-01-22T08:44:14","modified_gmt":"2024-01-22T16:44:14","slug":"mind-the-gaps-in-the-external-attack-surface","status":"publish","type":"post","link":"https:\/\/www.cycognito.com\/blog\/mind-the-gaps-in-the-external-attack-surface\/","title":{"rendered":"External Risk Insights: Mind the Gaps in the External Attack Surface"},"content":{"rendered":"\n

External Risk Insights Brief from CyCognito <\/h2>\n\n\n\n

The attack surface is often larger than security teams realize. Internet exposed assets hide in plain sight, not only on primary corporate networks, but also on infrastructure belonging to subsidiaries that isn\u2019t directly managed by corporate IT security teams. This is a common issue that isn\u2019t going away soon.<\/p>\n\n\n\n

At CyCognito, we believe that sharing what we learn in managing attack surfaces can help progress the security community as a whole. Data we observed is a normalized aggregate of the attack surfaces of our customers, primarily Fortune 500 global organizations. Through this External Risk Insights report<\/a>, we track insightful trends over time and aim to share our findings with the community on a semi-annual basis.<\/p>\n\n\n\n

External risks aren\u2019t distributed equally<\/h2>\n\n\n\n

We found interesting, and even sometimes surprising, insight. Let’s consider a stat: the average organization has 104 subsidiaries and the core security team is unaware of 10 to 31 of them \u2013 that is, until they started using CyCognito. For context, we use subsidiaries to mean any entity owned by the parent company, which can be a business unit, brand, standalone company or something similar. Those unknown subsidiaries contain assets and issues that can cause major issues for the rest of the organization. <\/p>\n\n\n\n

Subsidiaries contained an average of 56% of the critical and high vulnerabilities affecting customer assets. Tracking these assets and issues is not a one-and-done process \u2014 once issues are found and traced back to the owners, they must be fixed and validated. For organizations with unknown and under-managed subsidiaries, this process is even more difficult for parent IT security teams, particularly when it comes to ensuring vulnerabilities are successfully remediated. Issues among the subsidiaries can affect the larger organization, but without a comprehensive mapping and monitoring system, security teams in the parent org have limited visibility into these issues.<\/p>\n\n\n\n

Making a fix and checking it twice for attack surface analysis<\/h2>\n\n\n\n

A goal of many security teams is to reduce the average amount of time between a vulnerability being discovered and the moment that issue is fixed \u2014 called the mean time to remediation (MTTR) \u2014 across their organization. A critical, but sometimes overlooked step of that process is after a fix is applied, validating that it’s been fixed correctly.<\/p>\n\n\n\n

CyCognito offers an in-platform remediation validation function that verifies if issues marked as remediated are actually fixed and in this report we looked to see how customers were using this feature. When users did revalidate, we found that the issue still existed 54% of the time. While some users could be simply testing the feature on issues they know haven\u2019t been resolved, there are several other reasons that issues may go unresolved: <\/p>\n\n\n\n