2025-10-09

Adoption and challenges: Nearly all surveyed organizations practice exposure management. Yet many still use manual processes and siloed tools, and risk reduction seems to be getting harder. Only 26% use automated exposure-management platforms.

Automation and integration matter: Exposure-management platforms can unify data, reduce tool sprawl, assess cloud and identity risks, and enable continuous discovery and analysis.

The path forward: Organizations need centralized, automated platforms that integrate IT and security operations, apply business context to risk prioritization, and use AI for faster remediation.

Organizations broadly see the need for exposure management, according to a recent survey of 400 information-technology and cybersecurity managers and decision-makers in North America.

Nearly all survey respondents (99%) said they already had some sort of exposure-management program in place. Almost as many (88%) said their organization had either increased spending on their programs in the past year or planned to in the coming year.

Yet that's where the good news ends. Slightly more than half of respondents believed that managing exposures and threats is tougher than it was just two years ago.

Nearly half still prioritized remediation based solely on exploitability or severity scores, without considering business goals or exposure context. And only 26% said they had implemented an automated exposure-management platform, a step that would make the process much easier and more efficient.

Why an exposure management platform?

Traditional vulnerability management cannot keep up with the volume of threats, weaknesses and potential exposures organizations face. Risk-based vulnerability management attempts to get ahead of the issue by prioritizing the vulnerabilities most likely to actually be exploited, but it has proven too limited in today's "everywhere and nowhere" digital workplace.

"Threats, exposures and assets are multiplying at a pace that traditional methods simply can't match, leaving organizations exposed to growing risk," writes Tenable's Hadar Landau in a company blog post. "It's time to shift from reactive, siloed efforts to a more unified, proactive approach that delivers real, measurable risk reduction."

Exposure management widens the scope of proactive risk assessment to include cloud misconfigurations, identity compromise, potential attack paths and other issues that range far beyond software vulnerabilities.

Yet home-grown exposure-management programs tend to fall victim to the same issues that plague cybersecurity operations in general: too much data, too many alerts, siloed tools and data, and the persistence of manual processes, all of which lead to inefficiencies and severe knowledge gaps.

The state of exposure management today

The upside of this dreary scenario is that many of these issues are operational, implying that there's an operational solution. That solution can take the form of an automated exposure-management platform, which can assess cloud and identity security postures, discover potential attack paths, and perform formerly manual tasks such as analyzing log data and writing reports.

The survey, conducted by Enterprise Strategy Group (ESG) on behalf of Tenable, is overall gloomy. Fifty-one percent of respondents said that reducing risk and exposures was slightly or significantly more difficult than it had been two years earlier. Only 30% said it had gotten easier; about 20% said it had stayed the same.

Asked why it had become more difficult, 45% cited "increased use of public cloud services," against which many on-premises security strategies and tools are ineffective. Forty percent of respondents blamed reliance upon manual processes and the resulting scalability issues. Another 40% cited "disconnected tools and data" spread among different teams.

"Modern cloud-native infrastructure and applications are a primary driver of complexity in threat and exposure management," said the ESG report. "Inadequate, disconnected, or nonexistent tools and data are common causes of difficulty in risk reduction."

Many of these are self-inflicted issues. Forty-one percent of responding organizations said their exposure-management programs were partly or entirely reliant on manual processes.

Eighteen percent said they relied on point solutions such as vulnerability scanners or SIEM tools to assess exposure and threats. Fifteen percent said they used platforms, such as EDR, XDR, and attack surface management, that were designed for other purposes. Again, only 26% said they used a dedicated exposure-management platform.

"As long as manual processes and tool sprawl persist," the ESG report noted, "threat and exposure management will remain an uphill battle."

Over-reliance on point solutions hints at the real problem, which is the persistence of silos. Asked which single factor was the top impediment to communication and collaboration among teams handling threat and exposure management, 27% cited the different tools used by different teams.

Another 20% cited a "lack of clear and well-defined communication channels," with 19% citing a "lack of formalized processes and escalation paths." Almost as important were a lack of common goals or priorities among teams, and siloed organizational structures overall.

Those silos are often baked in. Asset discovery and assessment, a key part of exposure management, is for the most part not led by security teams. The survey found that in 76% of responding organizations, IT teams had the job of discovering and managing threats and exposures.

The IT team often didn't do it alone. In 62% of organizations, the cloud security team helped, and 61% had the security operations center involved. But strangely, only 45% of responding organizations gave any part of the job to the threat intelligence team, and even fewer (41%) to the vulnerability or exposure management team.

"Threat and exposure management is often perceived as an IT operations team issue," notes the report. "Ironically, teams responsible for vulnerability or exposure management are less common than the general IT team in terms of ownership of threat and exposure management."

Misconceptions and misguided priorities

This leads to problems, of course, because as the report says, "the team that manages threats and exposures often oversees the entire security stack."

How security teams act on the exposure data they collect is also outdated, judging by the responses to a question about the primary factor in prioritizing remediation.

"Nearly half of organizations still rely on basic exploitability (26%) and severity scores (21%)," writes Landau.

To be fair, 15% of respondents cited reachability as the top criterion, 15% business impact and 11% asset-specific context. Only 14% chose the most desirable answer: a risk-based approach that incorporates all these factors.
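To make the difference between a severity-only ranking and a risk-based one concrete, here is an added Python illustration. It is not the survey's, ESG's or Tenable's scoring model; the finding schema, the weights and the four sample findings are all constructed assumptions for this page. The point it shows is that the same list of findings comes out in a different order once exploitability, reachability and business context are folded in, so the "fix the 9.8 first" rule can put an unreachable flaw on a throwaway host ahead of an exploitable one on the identity provider.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One exposure on one asset. Every field beyond cvss is the 'context'
    a severity-only ranking ignores (constructed schema, not a product's)."""
    finding_id: str
    asset: str
    cvss: float              # base severity, 0.0-10.0
    exploit_available: bool  # public exploit or known-exploited status
    reachable: bool          # an attacker can actually get to this surface
    business_impact: int     # 1 (low) .. 5 (critical), set by the asset owner
    privileged: bool         # asset holds admin identities or crown-jewel data


def risk_score(f: Finding) -> float:
    """Combine likelihood (severity x exploitability x reachability) with
    impact (business criticality, bumped for privileged assets).

    The multipliers are illustrative assumptions, chosen so that an
    unreachable flaw on a low-value asset scores near zero whatever its CVSS.
    """
    likelihood = f.cvss / 10.0
    likelihood *= 1.0 if f.exploit_available else 0.5
    likelihood *= 1.0 if f.reachable else 0.1
    impact = f.business_impact / 5.0
    if f.privileged:
        impact = min(1.0, impact + 0.2)
    return round(100.0 * likelihood * impact, 1)


def severity_rank(findings):
    """What nearly half of respondents do: order by CVSS alone."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_rank(findings):
    """Order by contextual risk; CVSS only breaks ties."""
    return [f.finding_id
            for f in sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)]


def explain(findings):
    """Per-finding breakdown so a reviewer can see why the two orders differ."""
    return {f.finding_id: {"asset": f.asset, "cvss": f.cvss, "risk": risk_score(f)}
            for f in findings}


# Constructed sample findings (not survey data).
SAMPLE = [
    Finding("F1", "dev-sandbox-07", 9.8, exploit_available=False, reachable=False,
            business_impact=1, privileged=False),
    Finding("F2", "idp-prod-01", 7.5, exploit_available=True, reachable=True,
            business_impact=5, privileged=True),
    Finding("F3", "payments-api", 5.3, exploit_available=True, reachable=True,
            business_impact=4, privileged=False),
    Finding("F4", "intranet-wiki", 8.8, exploit_available=False, reachable=True,
            business_impact=2, privileged=False),
]


if __name__ == "__main__":
    print("severity-only:", severity_rank(SAMPLE))   # F1 first: the 9.8 nobody can reach
    print("risk-based:   ", risk_rank(SAMPLE))       # F2 first: exploitable, reachable, identity provider
    for fid, row in explain(SAMPLE).items():
        print(fid, row)
```

Run stand-alone, the severity-only order is F1, F4, F2, F3 while the risk-based order is F2, F3, F4, F1. The exact multipliers matter far less than the shape of the model: reachability and business impact are multiplicative, so a finding that fails either test drops to the bottom no matter how high its base score, which is the behaviour the 14% who chose "all of these factors" are asking for.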

Yet the most startling revelation from the survey had to do with how frequently organizations assessed their own environments for exposures, vulnerabilities, misconfigurations, threats, potential compromises and other weaknesses.

Thirty-eight percent said they performed exposure assessments quarterly; 36% did so monthly; six percent yearly. In other words, 80% of respondents waited at least a month between each snapshot assessment, even though attackers using automated penetration tools can be in and out of an organization's systems in a matter of hours.

As the ESG report notes, "risk-reduction processes cannot rely on one-off snapshots of risk with a long time to remediation for security exposures."

The relative winners here were those few respondents who said they conducted threat and exposure assessments weekly (12%), daily (6%) or continuously (3%). For the rest, there's clearly a lot of room for improvement, which an automated exposure-management platform would provide.

Perhaps a period of education would also be in order, because there seemed to be a fundamental misunderstanding among the respondents about the continuous-scanning capabilities of exposure-management platforms. Most expected only "minimal improvement in threat and exposure management processes with the deployment of a platform," with 38% still expecting quarterly assessments, and 34% monthly ones.

What organizations need to do

That's far from what the ESG report cites as a primary goal of exposure management: "Security teams must focus on decreasing the time that risk exists in their environments by moving toward a programmatic model in which security data collection, analysis, and automated remediation happen continuously."

Surprisingly, the most common action taken by organizations after they realize they need an exposure-management program is to try to build their own from scratch. Some 72% of respondents did so, but it's often a false start.

"Organizations today are looking to manage the deluge of cybersecurity data required to make informed security operations decisions and are willing to build something themselves if they must," the ESG report observes.

Even Tenable's own security team tried to build its own until its leaders saw how much time was being devoted to developing the tools and turned instead to Tenable One, the company's exposure-management platform offering.

Any platform chosen to manage threats and exposures needs to automate as many processes as possible, and to use AI where possible, to discover, assess and prioritize weaknesses quickly and efficiently.

Beyond selecting and implementing an exposure-management platform, organizations need to centralize their data and workflows and eliminate silos. IT and cybersecurity teams need to see the same data, use the same tools, and work together to achieve the same goals.

"Detection, response, remediation, monitoring, security control implementation, prioritization, and reporting must be consolidated under one management umbrella if security teams are to maximize efficiency," says the ESG report.

Finally, security and IT teams need to incorporate business context and priorities into risk assessments. When there's a seemingly endless number of vulnerabilities, weaknesses and misconfigurations to tackle, there's no point in fixing a flaw that's impossible to reach or which has minimal impact on the business.

What security teams want from exposure-management platforms

The ESG survey reveals that organizations want almost everything from exposure-management platforms. The prime objectives remain discovering exposures and weaknesses, but most respondents said they would like to see remediation abilities added so that problems can be fixed as well as discovered.

"Organizations are shifting their focus from simply finding weaknesses to effectively remediating them," noted Tenable's Landau. "Success is now measured by incidents prevented (59%), vulnerabilities eliminated (55%) and reduction in total risk (51%), demanding platforms that drive effective risk reduction."

Asked to categorize various exposure-management-platform capabilities in order of importance, respondents led with attack path analysis and visualization (93% "very important" or "important"), advanced vulnerability discovery (also 93%) and real-time threat intelligence data (89%), all of which are already part of many exposure-management platforms.

But 91% also considered fully automated remediation to be an important feature. The highest "not important" ranking was 15% for "workflow orchestration capabilities."

There was also a greater role desired for AI and automation, already essential aspects of most exposure-management platforms. The survey found wide acceptance for letting AI agents run autonomously at least some of the time.

Thirty-seven percent of respondents said they would be happy to let AI-powered remediation go fully off the leash; 34% said they would let it do so "only on certain devices and systems for now." Only 29% wanted to review each proposed fix before the AI implemented it.

Ultimately, the survey respondents said they would like to see as many abilities and features as possible built into exposure-management platforms. These included the ability to discover, assess, prioritize and remediate data-security exposures, network vulnerabilities, AI security vulnerabilities, cloud-infrastructure exposures and identity exposures.

"Organizations are seeking a threat and exposure management platform that offers comprehensive coverage of various exposure and threat classes, including those not supported by legacy vulnerability management technologies," says the survey report.

That brings it back to the entire purpose of exposure management: The understanding that although you can't fix everything, you can do a better job of quickly fixing what needs fixing most.