With myriad threats facing organizations, eliminating all avenues for attack is impossible. Accepting this reality means organizations need to focus resources where they are most likely to be impactful. But this raises many questions: What types of hosts are most likely to have vulnerabilities? Are those same hosts critical parts of the business? What about cloud infrastructure that isn’t fully controlled? Are hosts on foreign soil in compliance with local laws?
We could tap into prevailing FUD and personal opinions to answer these questions, but haven’t we all had enough of that? We’d prefer to know what the data says. In this talk we introduce the concept of risk surface and explore its shape by tapping into a fascinating data set spanning millions of internet-facing hosts from tens of thousands of firms and major hosting providers around the world. We find that for most organizations risk is global, with more than half locating infrastructure in multiple countries. Not only are hosts spread far and wide, but vulnerabilities are too: more than half of organizations have high or critical vulnerabilities on external infrastructure. Armed with this new perspective, we can make recommendations to organizations on where their resources are best deployed.