Cyberpion recently published a report of public and internet-facing assets of 471 of the Fortune 500, which discovered more than 148,000 critical vulnerabilities, with an average of 476 per organization. In the context of this report, a critical vulnerability is an exploit that is publicly available and actively targeted.
We sat down with Michael Groskop, Chief Product Officer of Cyberpion, to discuss the company's recent findings, what makes external attack surface management (EASM) challenging for organizations, and how companies should approach mitigating the security risks of a sprawling attack surface.
Tell us about your latest report. How was it conducted and what was most surprising about the findings?
Cyberpion’s research team analyzed the attack surface of 471 Fortune 500 companies across 21 industries over several months in 2022. As part of the research, Cyberpion discovered and exposed the cyber risks of these companies’ internet-facing assets, their connections and dependencies – across hybrid IT environments on-premises, in the Public Cloud, and managed services.
For obvious reasons, the deep pockets of Fortune 500 companies are lucrative targets for cybercriminals. With growing reliance on SaaS, Cloud, APIs, and third party services, the Fortune 500 IT environment is increasingly complex and tough to control and secure.
Surprising (or alarming) findings:
Fortune 500 companies are dealing with hundreds of critical vulnerabilities at any given time. We found an average number of 476 critical vulnerabilities.
Simple math puts the problem into perspective. In 2022 alone, over 3,800 critical CVEs have been documented. When that is multiplied by the average of 10,000 domain assets a Fortune 500 company has, the scale is overwhelming.
We also found that 100% of these companies had at least 1 externally connected asset with a critical vulnerability. These externally connected assets are totally invisible to most cybersecurity systems.
A more imminent threat is critical risky connections, which present an attack vector into the organization through an asset that is susceptible to immediate exploitation. We found 3,752 in total across 62%.
What makes external attack surface management (EASM) challenging for organizations?
Without an EASM platform, security teams don’t have visibility or context. Today, virtually every business initiative stretches the expanding enterprise attack surface in unpredictable ways. With a growing reliance on SaaS, Cloud, APIs, and third party services, complexity presents the fastest growing and most serious cyber risk to enterprises. Without an Attack Surface Management platform, discovering the entire attack surface and assessing assets to expose vulnerabilities is virtually impossible for enterprise security teams.
How should organizations approach mitigating these risks?
Due to the scale of the enterprise attack surface and the dynamic threat landscape, an EASM platform must effectively prioritize the actions based on urgency and importance.
This requires threat intelligence to identify exploitable assets and address them first.
Next comes the importance of the asset to the business:
Is there sensitive data at risk?
Is the brand reputation at risk?
How central is this asset to my business and operation?
By combining effective prioritization with workflow automation, organizations can accelerate remediation and reduce cyber risk.
How do you see external attack surface management (EASM) evolving in 2023?
Moving forward, the Attack Surface Management platform will extend beyond external facing assets to discover and expose risks across all organizational assets. This unified approach will provide security teams the comprehensive visibility they need across their hybrid landscape as well as the actionable focus of prioritized action items. Automated remediation will also be increasingly important in controlling attack surface risk.