What it Takes to Start the Exposure Management Journey

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to make the shift from vulnerability management to exposure management. In this blog, Tenable Senior Staff Information Security Engineer Arnie Cabral, who is leading the company's internal exposure management journey, shares his experiences. You can read the entire Exposure Management Academy series here.

In my role as an information security engineer at Tenable, I am directly involved in transitioning our own security infrastructure from traditional vulnerability management to a more proactive exposure management approach. The first steps required strategic planning, policy realignment and resource allocation.

The need to move beyond simply identifying vulnerabilities drove Tenable's transition. We needed to focus on managing real-world exposures that pose significant risk to our security posture.

The starting point: Recognizing the need for change

They say a journey of a thousand miles begins with a single step. At Tenable, our shift to exposure management in our internal infrastructure began with a simple realization. We knew that, although it is critical to modern cybersecurity, vulnerability management alone doesn't provide a complete picture of cyber risk.

Traditional vulnerability management typically involves scanning assets for known vulnerabilities and remediating them based on severity scores. However, true security risk management requires a broader view that includes misconfigurations, attack surface visibility and real-time threat intelligence.

To start our move to cyber exposure management, we reframed our existing policies to align with the new approach. This was not just a simple editing exercise, although there was some carry-over from the current policies.

Instead, we redefined our objectives and transformed our policies to ensure alignment with emerging risk-based exposure management frameworks.

Establishing a policy framework

With our new exposure management policy in place, we created a foundation to ensure our security teams have clear guidelines on how to assess, prioritize and remediate exposures beyond just addressing common vulnerabilities and exposures (CVEs).

As we completed the policy, we understood the new approach would need to incorporate:

• A broader vulnerability assessment of risk, beyond the Common Vulnerability Scoring System (CVSS) scores
• Vulnerability prioritization frameworks that account for asset criticality, attack paths and real-world exploitability
• The integration of multiple security tools to gain comprehensive visibility for more actionable attack surface management
• Alignment with a broader set of stakeholders to match the expanded scope of assets and detections

Building a project plan

Alongside the policy we developed, our team drafted a project plan to operationalize security exposure management. This plan included:

• Identifying gaps between the existing risk-based vulnerability management program and the desired state of the exposure management program
• Mapping inputs (i.e., the sources of vulnerability and exposure data) and outputs (i.e., the teams responsible for remediation)
• Defining key milestones and deliverables
• Assigning responsibilities and estimating resource needs

Smaller organizations could manage this process with common tools like spreadsheets. But larger enterprises, like ours, usually turn to platforms like Jira and Confluence to help the process. Of course, no plan would be complete without Gantt charts that provide a visual understanding of the project structure and timeline.

My advice is to use tools that help you reach your goals without adding unnecessary process overhead. For example, a platform that integrates data from multiple siloed security tools from multiple vendors gives you a continuous and complete view of your environment and an accurate risk profile.

Addressing operational challenges

One of the key challenges in this transition was the complexity of security operations. Traditional vulnerability management mostly relies on vulnerability scanning assets with Nessus scanners and agents, but the move to exposure management required incorporating other elements, including:

• Cloud environments and ephemeral assets
• Configuration management across various asset types (i.e., SaaS, PaaS, IaaS and hardware) as well as identity exposure risks
• Application security and software development lifecycle (SDLC) vulnerabilities

Third-party security risks

Our teams had to ensure remediation workflows could handle this broader scope while maintaining efficiency. This led to discussions about automation and orchestration - essentially, we wanted to understand how we could centralize the triage and response process without overloading security teams.

How to implement an exposure management program

If your organization is embarking on, or considering starting, your own exposure management journey, here are exposure management best practices and key takeaways from Tenable's experience:

• Don't neglect traditional vulnerability management: Continuous threat exposure management expands the scope but does not replace foundational vulnerability management practices. CVE-based remediation remains a critical component.
• Start with policy and governance: Establish a clear exposure management policy to provide structure, establish service level agreements (SLAs) and ensure accountability.
• Align teams: Organize teams and resources to ensure they're working in support of your exposure management policy.
• Prioritize based on real-world risk: Not all vulnerabilities pose immediate threats. Focus on threat exposures that present actual risk based on attack feasibility.
• Optimize workflows for scale: Exposure management introduces a higher volume of security issues. Automation and orchestration are essential.
• Expect a continuous evolution: Exposure management is not a one-time project but an ongoing program that adapts to new threat detection and business changes.

Takeaways

The transition from vulnerability management to exposure management is a necessary evolution in cybersecurity strategy.

As attack surfaces expand and threats become more sophisticated, your organization needs to adopt a more holistic approach to cyber risk reduction. Although the journey can be complex and resource-intensive, the benefits - increased visibility, better risk prioritization and improved security outcomes - make it a worthwhile investment. I'm excited about what lies ahead and look forward to sharing more about our journey.