Five Steps to Move to Exposure Management

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, we explore the five steps to take on your journey to exposure management. You can read the entire Exposure Management Academy series here.
Chances are, you’re buried in vulnerabilities and other cyber risks and there’s simply no way to address them all. But they keep on coming. You could work day and night and never hope to close them all. Of course, hope is not a strategy — especially with breaches like those that impacted SolarWinds and Colonial Pipeline, which cost millions to mitigate. And even after those companies cleaned up their issues, the damage was done — to their brands, to customer loyalty and to stakeholder confidence.
So, faced with building threats, what can you do?
In the cyber world, the key to getting ahead of your exposures is focus. That doesn’t mean trying to boil the ocean of threats you face. In fact, it might mean doing less. Pour that ocean into a paper cup.
Economist Michael E. Porter wrote in a seminal Harvard Business Review article: "The essence of strategy is choosing what not to do." The upshot here: How can you be strategic if you have to do everything? Or, as the great philosopher Bob Seger once sang in “Against The Wind”:
Deadlines and commitments
What to leave in, what to leave out
So, what should you leave in and what should you leave out?
Let’s think about it: Many organizations have to address hundreds of new vulnerabilities across thousands of assets each week. Then there are the daily software vulnerabilities that application development introduces, myriad cloud misconfigurations and vast amounts of overprivileged service accounts that often lead to breaches.
An exposure management program can help you move beyond noisy findings like misconfigurations, CVEs and excessive permissions so you can focus on your organization’s riskiest exposures. To help you start your journey, we’ve crafted five steps that will get you moving from vulnerability management toward exposure management. You may have noticed a mention of these steps in a recent post, What Is Exposure Management and Why Does It Matter? We expand on them here.
Start your exposure management journey with five steps
If you think about risk-based exposure management as a journey, with steps and mileposts along the way, you’ll be in good shape for the coming months and years. Let’s get started.
Step 1: Know your attack surface
Attackers usually gain an initial foothold by compromising an asset or identity that gives them machine or human privileges.
With cloud, IoT and remote work proliferating in recent years, perimeters are a relic of the past. So the attack surface, which used to be a fixed IT infrastructure footprint, is now amorphous and expanding constantly. Alongside that expansion, the number of potential entry points for attackers grows in lockstep.
But there are always gaps. And a single unsecured device, unpatched laptop, misconfigured cloud storage bucket or weak password can provide sufficient privileges to serve as a launchpad for a successful attack.
So the first step in the exposure management journey has to focus on attack surface management, which gives you comprehensive visibility into your entire attack surface — both external and internal. This requires bringing together asset and identity information distributed over multiple tools.
Must have: An exposure management platform will enable the discovery and aggregation of asset data across your entire external and internal attack surface. Seemingly elusive assets in cloud, IT, operational technology (OT), internet of things (IoT), identities and applications will show up in a holistic view of the attack surface.
Step 2: Identify preventable risk
Just about every attack aims to exploit weaknesses to escalate privileges and move laterally. Figuring out all preventable risks can be a challenge because it requires a mix of techniques and tools across network scanners, agents, passive monitoring and agentless approaches.
Even if you manage to bring all of that together, the findings are usually locked in individual tools — each with unique risk prioritization scores.
To effectively measure and manage risk requires a complete and normalized view of all preventable risk, including an inventory of misconfigurations, vulnerabilities and excessive privileges for each asset or identity. This is essential to understanding total exposure.
Must have: An exposure management platform will detect the three preventable forms of risk attackers use to gain initial access and move laterally: vulnerabilities, misconfigurations and excessive privileges. The platform will aggregate findings by asset, then normalize them to calculate an overall risk score that enables security teams to quickly identify the assets that pose the greatest potential risk to your organization.
Step 3: Align with business context
News Flash: Most security teams are understaffed. Why is that? Although there’s a limited talent pool, the primary reason stems from limited budgets. So, it’s no surprise that, with an overwhelming number of assets and findings streaming in every day, many security teams struggle to keep pace. The result is alert fatigue.
Overcoming alert fatigue and scaling security requires visibility into what matters most — the critical services, processes and data that support the mission of your organization. It could be a digital commerce service that generates revenue, client data that stores personally identifiable information or the processes that run a manufacturing line.
By aligning assets to these mission-critical functions, you can prioritize crown jewel assets, and push everything else to the back of the line.
Must have: An exposure management solution features asset tagging that enables security staff to logically group assets across technology domains and align them with an important business function, service or process.
Step 4: Remediate true exposure
If there’s one goal every attacker has, it’s this: identifying viable attack paths.
From those attack paths, they’ll try a few things, including exfiltrating data, disrupting operations or demanding ransom.
Because even a single open port on an asset can provide an initial foothold that leads to any number of potential attack paths, understanding the relationships between assets, identities and risk is critical. If you look into these toxic relationships, you’ll see the attack paths that lead to crown jewels and you can prioritize remediation accordingly.
Another benefit of attack path analysis is that you can see your choke points — the specific risks that enable multiple attack paths. As a result, when you remediate one issue, you can resolve dozens, if not hundreds, of attack paths to help close exposures fast.
Must have: An exposure management system shares detailed asset, identity and risk relationship information it discovers and maintains in its asset inventory. You’ll be able to see high-risk assets, including crown jewels. But more importantly, you’ll be able to see all related attack paths that lead to that asset.
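The choke-point idea above, as an added illustration that is not part of the original post and not Tenable's code: a constructed asset graph (every asset name and risk label is made up) in which each edge is the preventable risk that lets an attacker move from one asset or identity to the next. Enumerating the paths from the entry point to the crown jewels and counting which risks recur shows which single remediation closes the most paths.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the post): each edge is one step an attacker
# could take between two assets/identities, labelled with the preventable risk
# (vulnerability, misconfiguration or excessive privilege) enabling that step.
EDGES = [
    ("internet",  "web-01",    "R1 vuln: unpatched web framework on web-01"),
    ("internet",  "vpn-gw",    "R2 weak-auth: shared VPN account without MFA"),
    ("web-01",    "svc-app",   "R3 misconfig: web app runs as local admin"),
    ("vpn-gw",    "svc-app",   "R4 misconfig: flat network, no segmentation"),
    ("svc-app",   "db-prod",   "R5 excess-priv: svc-app holds db_owner on db-prod"),
    ("vpn-gw",    "hr-laptop", "R6 vuln: unpatched VPN client on hr-laptop"),
    ("hr-laptop", "hr-share",  "R7 excess-priv: all staff can write hr-share"),
    ("hr-laptop", "svc-app",   "R8 excess-priv: cached admin creds on hr-laptop"),
]
CROWN_JEWELS = {"db-prod", "hr-share"}  # assets tagged to critical business functions
ENTRY = "internet"

def build_graph(edges):
    """Adjacency list: node -> [(next_node, risk_label), ...]."""
    graph = defaultdict(list)
    for src, dst, risk in edges:
        graph[src].append((dst, risk))
    return graph

def attack_paths(graph, entry, crown_jewels):
    """Simple paths from entry to any crown jewel, each as the ordered list of
    risks an attacker would have to exploit along the way."""
    paths = []
    def walk(node, visited, risks):
        if node in crown_jewels:        # objective reached; do not extend further
            paths.append(risks)
            return
        for nxt, risk in graph.get(node, []):
            if nxt not in visited:      # keep paths simple (no cycles)
                walk(nxt, visited | {nxt}, risks + [risk])
    walk(entry, {entry}, [])
    return paths

def choke_points(paths):
    """Risks ranked by how many attack paths they sit on: the top entries are
    the single fixes that close the most paths at once."""
    counts = Counter(risk for path in paths for risk in set(path))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def paths_remaining_after_fix(paths, fixed_risks):
    """Attack paths that survive once the given risks are remediated."""
    return [p for p in paths if not set(p) & set(fixed_risks)]
```

On this sample, four paths reach the crown jewels; the shared VPN account and the over-privileged service account each sit on three of them, so fixing those two closes every path while the other six findings could wait.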
Step 5: Continuously optimize investments
Companies have made incalculable investments in security tools that produced trillions of data points and telemetry details about every potential risk. On the surface, that might seem impressive. But the reality is, even with all of that data (or maybe because of it), most security leaders struggle to answer a fundamental question: “How secure are we?”
If you can’t answer that question, you’ll have trouble when your board of directors comes calling. Or maybe you’ll get tripped up when it’s time to report to the C-suite and lines of business. With tight budgets and staffing constraints, understanding where investments can make the biggest impact is vital.
Measuring, managing and communicating exposure in multiple ways should be at the core of your responsibilities. That includes overall cyber exposure for an organization, exposure by business function or line of business, by technology domain, by administrator, or even compliance aligned to specific regulatory mandates.
Must have: Exposure management software provides real-time and historical visibility into key performance and risk indicators, including trend, service-level agreement and remediation insights. This will help you understand where you are in relation to your peers.
Takeaways
The frenetic nature of today’s threat landscape shows no signs of abating. As a result, siloed security is ill-equipped to address today's sophisticated attackers.
There is a new way: a holistic exposure management program that provides comprehensive visibility into assets, identities and risks. Exposure management aligns security to the things that matter most, prioritizing remediation of true exposures that can have a material impact on your organization.