In this article:
- Vulnerability remediation can be hampered by lack of context and communication, with siloed teams scrambling across disconnected tools, fixing unaffected assets while failing to get clarity on ownership, priority, and real business impact.
- Exposure-management platforms provide a unified view by centralizing data, identifying attack paths and risk combinations, mapping relationships between assets, and highlighting points where fixing a single issue can break an entire attack chain.
- This approach improves efficiency, prioritization, and team coordination, reducing burnout by replacing long patch lists with focused remediation tied to critical assets, automating tracking and ticketing, and aligning security work with actual organizational risk.
When high-impact vulnerabilities are found in an organization's systems, translating the details into lasting fixes often breaks down. That's because remediation efforts may be spread across siloed teams, may waste time on unaffected assets, or may be tracked inefficiently.
The speed and breadth of mobilization strongly influence a new vulnerability's potential impact. It's not enough to understand the vulnerability. You need clarity on what needs to be fixed right away, what can be save for later, and who owns each remediation task, all before bad actors can exploit the flaw to attack your systems.
An exposure-management platform can provide the needed clarity and scope by centralizing data from across the organization, automatically determining potential attack paths and tracking remediation efforts.
It can also gauge the importance of affected assets, map the relationships among them, estimate the potential business impact of a successful exploit — and ease the burden on overworked IT and security teams.
For more information: "When remediation is done with an exposure-management platform, the focus is first on understanding exploitability," explains Pierre Coyne, Director of Product Marketing for Tenable One. "Is there code to exploit the CVE? Is a misconfiguration externally accessible?"
But just as importantly, the potential impact of a particular flaw must be determined, and the most efficient way to block potential exploits must be found.
"How do risks come together to form toxic combinations or viable attack paths leading to critical assets or admin level permissions, human or machine?" asks Coyne. "With this knowledge, remediation is not about fixing all things, it's about focusing on choke points — which is infinitely more scalable."
Not seeing the forest for the trees
Using traditional methods, the disclosure of a severe vulnerability would have IT and security personnel rushing to confirm whether the flaw affected their organizations, and if so, how. Different groups — the cloud team, the network team, the endpoint team — would focus on their particular areas and remediate what they could.
But the teams might not coordinate their efforts. Point solutions would provide only a narrow view into specific areas. These siloed teams might miss connections among small weaknesses in different sectors that could have devastating results if linked together in an attack chain.
"Today, siloed tools focus on fixing individual CVEs or misconfigurations, [with] every tool opening countless tickets," says Coyne. "There is little understanding of how it reduces overall risk for the organization."
In 2019, one of the largest banks in North America was
compromised by an attack that chained together a misconfiguration in a web application firewall, a cloud-server flaw that allowed server-side request forgery, over-permissioned temporary access credentials, and short-sighted encryption practices.
None of these weaknesses would have raised much alarm in their specific domains. But together, they led to the theft of information pertaining to 100 million bank customers, and to more than $250 million in fines and lawsuit settlements.
An automated exposure-management platform would have mapped out the potential attack path and made clear to the bank's security team how those weaknesses could have been chained together. Breaking any link in the chain could have prevented the attack from being successful — and saved the IT and security teams from having to fix them all.
"Picture a single CVE that has a massive blast radius," Coyne says. "There are many more CVEs downstream. If you fix the first one in the attack chain, the others are now not as critical because they are downstream."
Scramble and hope you get it right
Exposure management is a proactive process, not a reactive one. It does not respond to security incidents; rather, it reduces the number of vulnerabilities, misconfigurations and other weaknesses that make incidents possible.
But proactive security often consists of IT teams being given long lists of vulnerabilities to fix. The vulnerabilities are often arranged according to CVSS base score, which reflects severity but not whether a flaw can be exploited in a particular environment or the impact an exploit would have on business.
"Security teams [toss IT teams] laundry lists of things to patch or reconfigure," says Coyne. "This is a huge burden for IT teams and developers and builds bad blood between security and the lines of business. It also consumes many resources and can result in delays in patching and remediation."
Coyne provides the example of the flaw in the Log4j Java logging framework (CVE-2021-44228), which permitted remote code execution in web-facing servers and which was disclosed in December 2021 after having lain dormant for eight years. A patch was provided along with the disclosure.
Following the disclosure of the Log4j vulnerability, IT and security teams worldwide raced to patch their systems before attackers, who almost immediately began exploiting the flaw, could strike.
"When a new CVE comes out, security teams need to know as much as possible about it," Coyne says. "What information is available from different sources? Are there threat actors using it? What industries are they targeting? What assets have this vulnerability in their environment?"
The security teams, Coyne explains, need to be able to pinpoint where the flaws are, mobilize the IT teams to apply the fixes at those spots, and track the progress of the fixes.
"This can be difficult if you are using different tools to detect the CVE in different environments, IT, OT, cloud, etc.," he says.
An exposure-management platform, however, can collect data from across the organization and present it in a centralized format that all teams can view. It can quickly show which of the most important assets are vulnerable to a particular flaw, which known threat actors are exploiting the flaw, and if there are choke points that can close potential attack paths.
"Rather than fix every CVE or misconfiguration, we can see if it is part of an attack path leading to crown jewels," explains Coyne. "If it is, we can focus on fixing that one first, and circle back later on CVEs or misconfigurations that can't materially impact the organization."
Saving time and aggravation
Perhaps just as importantly, an automated exposure-management platform can cut down on security- and IT-team burnout. It tells you which important assets are not vulnerable and which fixes will have the widest effect, clarifying priorities and cutting down on less important tasks.
It can also speed the remediation process by connecting directly to ticketing systems, automating ticket creation and escalation, and track the progress of the remediation across the entire organization.
The payoff is faster fixes, less chaos, and smoother coordination between security and operations teams — unlike the situation that many organizations still find themselves in.
"Security teams are flooding IT teams with too many things to patch, and every Patch Tuesday, more are added. This creates resistance by IT to patch or fix CVEs or misconfigurations," says Coyne. "Both security and IT teams have little context on why you need to fix something. ... If you can't patch everything, what do you do?"
Please visit our exposure management topic page.