

What is exposure management, anyway?
In its most basic sense, exposure management is a widening of vulnerability management to cover weak spots that wouldn’t be considered traditional vulnerabilities, such as cloud misconfigurations, excessive account permissions, and compromised credentials. But more importantly, exposure management is proactive as well as reactive. It involves cataloguing and categorizing assets according to potential risk before attacks happen or vulnerabilities are even known. It’s not just waiting for critical or severe flaws to appear on CVE lists; it’s going out and finding weaknesses before they’re publicly disclosed.

There’s also a counterintuitive notion: not all vulnerabilities or misconfigurations can or should be patched. Instead, the exposure-management process involves a form of triage, in which each identified weakness is assessed in terms of how likely it is to be exploited, its potential impact on the business, the cost to mitigate it, and whether it is realistically exploitable at all. “The key is prioritization based on real-world attack scenarios, not arbitrary severity scores,” writes Verizon’s Orchilles. “Stop trying to fix everything.”

Exposure management shares this approach with risk-based vulnerability management (RBVM), but the latter concept is focused mainly on traditional vulnerabilities. As Tenable explains in a primer about exposure management, RBVM “can fall short at times when it comes to continuous threat visibility and intelligence.” It’s also closely related to continuous threat exposure management (CTEM), which takes many of the same steps and organizes them into a repeating cycle. Like CTEM, exposure management is a cross-team effort that reaches far beyond the security operations center. IT managers, compliance teams, and C-suite executives must all get involved, as the asset-discovery and risk-assessment processes need their input and cooperation.
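As an added illustration of the triage just described (example code written for this page, not code from the article, from Verizon, or from Tenable), the sketch below ranks findings by whether they sit on an exploitable path from an internet-facing asset to a crown-jewel asset, and uses severity only to break ties within a tier. The asset graph and the findings are constructed for illustration; the model is deliberately simple and treats any asset that has an exploitable finding as compromisable once an attacker is adjacent to it.

```python
# Added example: attack-path-aware triage of findings.
# Assumption: "exploitable" means the finding is realistically usable today
# (public exploit, preconditions met, no compensating control), which is the
# judgement a team would normally feed in from threat intelligence.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    crown_jewel: bool = False
    reaches: list = field(default_factory=list)  # assets this one can connect or authenticate to


@dataclass
class Finding:
    fid: str
    asset: str
    severity: float    # CVSS-style base score, 0-10
    exploitable: bool  # realistically usable by an attacker today
    kind: str          # "vuln", "misconfig", "credential", "permission"


def weak_assets(findings):
    """Assets an attacker can compromise once adjacent: those with an exploitable finding."""
    return {f.asset for f in findings if f.exploitable}


def reach_from_internet(assets, weak):
    """BFS from internet-facing assets; a hop succeeds only onto a weak asset.
    Returns {asset: shortest chain of compromises ending at that asset}."""
    paths = {a.name: [a.name] for a in assets.values() if a.internet_facing and a.name in weak}
    queue = deque(paths)
    while queue:
        cur = queue.popleft()
        for nxt in assets[cur].reaches:
            if nxt in weak and nxt not in paths:
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths


def onward_path(assets, weak, start):
    """Shortest chain of further compromises from `start` to a crown jewel, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if assets[cur].crown_jewel:
            chain = []
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            return chain[::-1]
        for nxt in assets[cur].reaches:
            if nxt in weak and nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def prioritize(assets, findings):
    """Tier 1: on a complete internet -> crown-jewel path. Tier 2: reachable from the
    internet but leads nowhere critical. Tier 3: not reachable at all.
    Severity only orders findings within a tier."""
    weak = weak_assets(findings)
    entry = reach_from_internet(assets, weak)
    rows = []
    for f in findings:
        tier, path = 3, None
        if f.asset in entry:
            onward = onward_path(assets, weak, f.asset)
            if onward is None:
                tier = 2
            else:
                tier, path = 1, entry[f.asset] + onward[1:]
        rows.append({"fid": f.fid, "tier": tier, "severity": f.severity, "kind": f.kind, "path": path})
    return sorted(rows, key=lambda r: (r["tier"], -r["severity"]))


# Constructed sample environment (not real hosts or findings).
ASSETS = {a.name: a for a in [
    Asset("web-portal", internet_facing=True, reaches=["app-server"]),
    Asset("vpn-gw", internet_facing=True, reaches=["jump-host"]),
    Asset("app-server", reaches=["billing-db", "internal-wiki"]),
    Asset("jump-host", reaches=["ad-dc"]),
    Asset("internal-wiki"),
    Asset("billing-db", crown_jewel=True),
    Asset("ad-dc", crown_jewel=True),
    Asset("lab-workstation"),  # nothing routes to it
]}
FINDINGS = [
    Finding("F1", "web-portal", 7.5, True, "vuln"),
    Finding("F2", "app-server", 5.3, True, "misconfig"),     # admin console without auth
    Finding("F3", "billing-db", 6.5, True, "credential"),    # leaked password still valid
    Finding("F4", "lab-workstation", 9.8, True, "vuln"),     # critical, but unreachable
    Finding("F5", "vpn-gw", 9.1, False, "vuln"),             # critical, but mitigated
    Finding("F6", "jump-host", 8.8, True, "misconfig"),      # only reachable through vpn-gw
    Finding("F7", "ad-dc", 7.2, True, "vuln"),
    Finding("F8", "internal-wiki", 4.3, True, "permission"), # reachable, leads nowhere critical
]

if __name__ == "__main__":
    for r in prioritize(ASSETS, FINDINGS):
        route = " -> ".join(r["path"]) if r["path"] else "-"
        print(f"tier {r['tier']}  {r['fid']}  sev {r['severity']:<4} {r['kind']:<10} {route}")
```

Run as a script, the output puts the three findings on the web-portal to billing-db path first (F1, F3, F2), the reachable-but-harmless wiki finding next, and the 9.8-rated F4 and the mitigated 9.1-rated F5 in the bottom tier, which is the point Orchilles makes about severity scores versus realistic attack paths. Changing F5 to exploitable opens the vpn-gw route and promotes F6 and F7 to tier 1, so the ranking also shows how a single fix or regression reshapes the whole picture.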
Because the move from traditional vulnerability management to exposure management is a company-wide initiative that will likely require policy changes and organizational restructuring, it must be led by the top brass. As Tenable itself states, effective exposure management “requires a deep, ongoing partnership between IT and security leaders where the CIO and CISO must operate in lockstep to share responsibility for your organization’s digital resilience and risk posture.”

How Verizon went from vulnerability management to exposure management
In Orchilles’ telling, Verizon’s traditional security approach was no longer working well as the company’s attack surface expanded and threat actors got smarter. Like many organizations, Verizon’s security teams had been made up of specialists who handled separate issues and used “a patchwork of tools,” such as vulnerability scanners, identity-management platforms, cloud security tools and attack surface management tools. Orchilles admits that there was a rational method behind this division of labor: “The intent of the fragmentation is to ensure you have people with the right skills remediating the right problems.” The downside, however, was Balkanization and gaps in coverage that adversaries might exploit. “The siloed approach slows response times and creates blind spots that can leave critical vulnerabilities unaddressed simply because they fall outside a team’s area of expertise,” says Orchilles. “You cannot do attack path analysis in silos!”

Verizon is a huge nationwide enterprise with a wide and digitally diverse attack surface, one that also provisions tens of millions of internet-facing consumer devices, and Orchilles says the company recognized that “the best solution was not another collection of disparate tech.” “We needed a single, consolidated exposure management platform that could cover every corner of our enterprise,” he writes, adding that the best solution would be one that “prioritizes real-world risks rather than every vulnerability.”

Getting different teams on the same page
But “before we even considered new technology,” Orchilles adds, “we needed to align multiple teams, each with their own tools and priorities, behind a shared strategy.” Key to that effort was showing various teams across the company how the new exposure-management-based approach, which required them to work closely together or even consolidate into merged teams, would make their jobs easier and more efficient. Different groups were given shared goals instead of direct orders. Policy and organizational changes were communicated clearly and transparently. And team members were asked to give input and take part in decisions. “By involving stakeholders from the start, in areas like identity security, IT operations and cloud security, we’re ensuring that change isn’t something done to them, but something they actively shape and support,” Orchilles writes.

Now, he says, the operational technology (OT) and Internet of Things (IoT) specialists use the same framework instead of different tools. The attack-surface-management team was folded into Orchilles’ readiness-and-proactive-security group. The Active Directory team has stayed independent, but he points out that its collaboration with his own team means that now “they see the security insights as valuable rather than punitive.”

Furthermore, Orchilles says, exposure management refocused Verizon’s patching efforts on flaws “that are actually exploitable and part of a realistic attack path.” “If there’s a critical vulnerability in an application but no feasible way for an attacker to reach it, should it really be the top priority?” he asks. “On the other hand, if a vulnerability provides a direct path to a crown jewel asset, we need to address it immediately.” On a higher organizational level, Orchilles says, the holistic company-wide view provided by exposure management made it easier to communicate issues to the C-suite.
“Instead of delivering long lists of vulnerabilities that mean little to non-technical leaders, we can present a clear picture in a few key points,” he says. “What’s at risk? How could an attacker get in? What are the most urgent priorities to fix?”

An ongoing process
Exposure management will continue to evolve, Orchilles says, as more organizations reduce their numbers of vendors and security tools and unified platforms like Tenable One become the norm. Understanding security risks, and the impact of implementing security fixes, will also become more tied in with overall business goals rather than ideas kept only to the security team. “At its core, exposure management is about shifting from reactive security to proactive security,” writes Orchilles. “It’s not just about fixing vulnerabilities anymore. It’s about understanding risk in the context of the business.”