
Vulnerabilities on external attack surfaces live far too long

By Rob Gurzeev

August 17, 2023

Every company has two attack surfaces: internal and external. Of the two, the external attack surface (EAS) is much harder to safeguard. Why? First, external surface vulnerabilities can take 10x longer to detect and mitigate. Additionally, dwell time — the period from breach to mitigation — averages three to four months, and can sometimes stretch to six. 

The problem is that bad actors are well aware of security gaps and are constantly on the hunt for ways to access your valuable assets. Case in point: 80 percent of attacks aim at penetrating a company's external attack surface, according to Verizon.

As an industry, security leaders managed to bring down Mean Time to Detection (MTTD) and Mean Time to Remediation (MTTR) for internal attack surface vulnerabilities to just a couple of weeks or less. But why haven’t they succeeded in bringing these figures down on the external side?

The industry is recognizing external attack surfaces are vulnerable 

Gartner describes external attack surfaces as “exposed surfaces outside of a set of controllable assets.” They include systems, applications, cloud instances, supply chains, IoT devices and data exposed to the Internet. The external attack surface sprawls across subsidiaries, multiple clouds, and assets managed by third parties. It also changes constantly, making it incredibly complex and difficult to protect.

There’s an additional “surface” to consider. Many organizations, even Fortune 100 banks, accidentally expose internal databases, DevOps instances, and applications to the Internet, where they make ideal targets even though security teams regard them as internal.

Companies have learned the hard way how quickly vulnerabilities can be exploited, and attackers are getting faster. Day 1 exploits often follow announcements and patch availability by just hours. 

In 2022, Gartner called for a constantly updated “inventory of the expanding enterprise attack surface,” pointing out that “even small, seemingly inconsequential additions to the digital footprint can weaken an organization’s security controls and data protection efforts.” 

Constantly updated discovery and continuous testing are key; external attack surface increases to 5 percent or more in a month. Exposures pop up as new web applications are launched, new services and machines are deployed, and new APIs are exposed. New configurations and newly released vulnerabilities put previously tested assets at risk. Does this impact cybersecurity? Indeed it does. Much of the external attack surface is elusive and some assets are never mapped, so vulnerabilities around them are never remediated. 

Why external attack surface vulnerabilities take long to remediate 

Fact: On external attack surfaces, both detection and mitigation of vulnerabilities take far too long. Unless the organization has ongoing, automated full-scale testing, it probably takes two to three months to discover a security gap, then another two weeks to three months to remediate it, including prioritization delays. That is a total dwell time (MTTD + MTTR) of 75 to 180 days, radically longer than for internal surface vulnerabilities, which are usually resolved in under 14 days.

The findings below are based on real-life metrics from 2,000 global companies. They show that dwell times for external vulnerabilities are 5x to 12x longer than for internal vulnerabilities, a result that has surprised some IT leaders.

 

| Attack surface | MTTD | MTTR for critical vulns | Dwell time / total |
|---|---|---|---|
| Internal surface | 1-30 days | 1-14 days | Usually < 14 days |
| External surface | 60 to 90 days | 14-90 days | Usually 75 - 180 days |

 

It’s no accident that detection and remediation take weeks and months for external surfaces. For starters, there are fundamental obstacles to detecting EAS vulnerabilities.

  • Fast-changing external assets make discovery very difficult. Without getting too granular, it is technically complex to discover every external surface, and harder still because it shifts by up to 9% in a given month. In practice, this can mean some assets are never security tested.
  • Incomplete visibility. Most organizations lack the tools necessary to explore all attack surfaces. As a result, external surface visibility lags; coverage in configuration management databases (CMDBs), for example, has major gaps.
  • Testing is limited in coverage. Pen testing and application security testing are infrequent and rarely cover the known external surface, let alone what goes undiscovered. PT and DAST cover 1% to 10% of a company's external web interfaces, for example. 
  • Testing is infrequent. New configurations and newly released vulnerabilities can expose assets that were tested recently and deemed safe. Few companies conduct ongoing (24/365) testing, the gold standard for reducing MTTD.

After detection comes MTTR. It can be just as slow. Once you find security gaps, timely and effective mitigation depends on accurate prioritization. Most discovery tools generate many false positives; only a minute percentage of the positives are truly high priority.

Taking action: Reducing risk posed by external attack surface vulnerabilities

Prevention via continuous testing and prioritization is the centerpiece of cutting exposure time. Preemptive discovery of direct attack paths will close many gaps before they are broadcast to the world, and make quick “smash-and-grab” opportunities harder for bad actors to find.

Security testing pushes attackers away to more sophisticated, longer-path attacks where it could take weeks to dig their way to valuable assets. That gives threat detection more time to contain successful intrusions. 

The steps to reducing MTTD and MTTR: 

  1. Aim for full visibility with automated, end-to-end reconnaissance on both internal and external surfaces. 
  2. Apply modern technologies like ML and NLP to understand the context and purpose of all exposed assets, and narrow down to the 1/10 of 1% of attack vectors that create the bulk of your cyber risk. Technically, the same processes also handle attribution, that is, figuring out which subsidiary or entity owns the vulnerability.
  3. Test continuously, as well as comprehensively, pushing to cut MTTD down to a few days. Removing the excessive delay in detecting new vulnerabilities allows much faster identification of the true positives.
  4. Look at the attack paths that lead to important assets. Highest priority goes to direct attack paths (simpler, shorter sequences) that attackers could use to access the assets with higher business value. 
  5. Finally, mitigation; attribution helps identify the business unit that is accountable for a vulnerability. Sharing strong and detailed evidence with them builds trust and often leads to faster investigation and a quicker solution. Aim for days rather than weeks. 
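
The metrics and prioritization steps above, worked through as an added example (not part of the original article): it computes per-surface MTTD, MTTR and dwell time from finding records and orders open findings by attack-path length and asset value, keeping the owning unit for attribution. The records, field names, owners and the as-of date are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings, not real data. Field names are assumptions:
# exposed/detected/fixed are dates (fixed=None while open), hops is the length
# of the shortest attack path to the asset, value is business value (1-5).
def _f(fid, surface, owner, exposed, detected, fixed, hops, value):
    return dict(id=fid, surface=surface, owner=owner, exposed=exposed,
                detected=detected, fixed=fixed, hops=hops, value=value)

FINDINGS = [
    _f("F1", "internal", "corp-it", date(2023, 3, 1), date(2023, 3, 6), date(2023, 3, 10), 3, 2),
    _f("F2", "internal", "corp-it", date(2023, 3, 10), date(2023, 3, 17), date(2023, 3, 23), 2, 3),
    _f("F3", "external", "subsidiary-a", date(2023, 1, 10), date(2023, 3, 21), date(2023, 4, 10), 2, 4),
    _f("F4", "external", "subsidiary-b", date(2023, 2, 1), date(2023, 4, 22), None, 2, 5),
    _f("F5", "external", "subsidiary-a", date(2023, 2, 1), date(2023, 5, 2), None, 1, 3),
]
TODAY = date(2023, 6, 1)  # constructed "as of" date used to age open findings


def surface_metrics(findings, today=TODAY):
    """Per-surface MTTD, MTTR and dwell time (MTTD + MTTR), in days."""
    ttd, ttr = defaultdict(list), defaultdict(list)
    for f in findings:
        ttd[f["surface"]].append((f["detected"] - f["exposed"]).days)
        # Count open findings at their age so far; averaging only closed
        # tickets would leave the unremediated backlog out of MTTR.
        ttr[f["surface"]].append(((f["fixed"] or today) - f["detected"]).days)
    return {s: {"mttd": mean(ttd[s]), "mttr": mean(ttr[s]),
                "dwell": mean(ttd[s]) + mean(ttr[s])} for s in ttd}


def remediation_queue(findings, today=TODAY):
    """Open findings, most direct attack path first, then highest asset value."""
    open_findings = [f for f in findings if f["fixed"] is None]
    ranked = sorted(open_findings, key=lambda f: (f["hops"], -f["value"]))
    # Each entry carries the owning unit so the evidence can be routed to it.
    return [(f["id"], f["owner"], (today - f["detected"]).days) for f in ranked]


if __name__ == "__main__":
    for surface, m in surface_metrics(FINDINGS).items():
        print(surface, m)
    for entry in remediation_queue(FINDINGS):
        print(entry)
```

With this sample, averaging only the closed external finding would report an MTTR of 20 days; including the two open findings at their current age raises it to 30.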

External attack surface vulnerabilities can be conquered

Many organizations have done a great job protecting their internal attack surfaces that consist of networks, servers, laptops, etc. Cybersecurity professionals are surprised to learn that vulnerability dwell time on EAS is 5x to 12x longer. But in fact, external surface vulnerabilities are harder to find, scan, test, prioritize, attribute and remediate. 

To reduce risk, having an effective strategy and mechanism to find and prioritize EAS vulnerabilities matters more than loading up on remediation resources. Establishing full discovery and determining context, value, and attribution make it dramatically easier to identify and remediate truly critical vulnerabilities in days, rather than months. 


Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies.
