Full Report
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable security engineers Arnie Cabral and Jason Schavel share how you can use risk-based metrics. You can read the entire Exposure Management Academy series here.

We’re information security engineers at Tenable. If you’re anything like us, you spend your days on the front lines of the battle against a constantly changing set of cybersecurity threats. No matter your role, you probably face any number of complex challenges to stay one step ahead of the bad guys. To be most effective, you need to move beyond operating in silos toward bringing all of the data together. Exposure management helps bring this all together.

Maybe you’re contemplating a move to exposure management or maybe you’ve already started the shift. (Not sure how mature your program is? Check out the Tenable exposure management security assessment.) No matter where you are, exposure management represents a fundamental shift toward a unified view of exposures across the attack surface. It involves continuously discovering, assessing, prioritizing and remediating all types of security exposures, including vulnerabilities, misconfigurations and excessive permissions, across all kinds of assets. As we like to say, “give us all the things.”

In our roles, we are helping Tenable move in this direction, so we thought we’d share some of our experiences. If you have any questions or you’d like to share your exposure management experiences with us, please use the form at the bottom of the page.

Managing exposures

Exposure management is about more than just finding flaws. It’s about understanding business risk and prioritizing actions that reduce the potential for attack. If you react to every alert or finding, you’ll soon end up draining your resources, burning out the staff and wasting tons of valuable time.

So, with limited resources, how can security teams effectively manage the vast threat landscape and focus on what truly matters? Robust, risk-based metrics are the key to guiding the exposure management lifecycle, which begins with comprehensive and continuous discovery of all assets, identities and applications. Then, by prioritizing risks based on business impact and technical context, and by proactively mitigating the highest-risk exposures through remediation, you’ll have an ongoing exposure management process.

Exposure management builds on vulnerability management, which ranks findings by severity, and on risk-based vulnerability management (RBVM), which adds threat and asset context to that ranking. In addition, it ingests a wide array of security data sources across the enterprise, so we get critical context for those assets and can look at more than just the usual data points. This approach can transform raw data into actionable intelligence so your organization has a focused, proactive defense.

Tracking progress with exposure management

A fundamental part of effective exposure management is consistent, clear communication about the organization’s risk posture. Exposure management helps us paint a more holistic picture of our environment. For example, we monitor our cloud accounts and we have several different sensors there. Exposure management unites all those sources and shows us everything in a consolidated view, in contrast to the old way of looking at the data via multiple point products and having to put it all together manually.

These metrics provide a snapshot comparing the current exposure landscape to previous periods. They offer an overview of quantifiable risk across different business units and asset groups. Frequent assessments are essential for tracking progress, identifying emerging risk areas and informing strategic decisions within a continuous exposure management framework.

Considerations that drive exposure prioritization

Our exposure management program relies on metrics that facilitate effective prioritization. It’s about understanding which exposures represent the most significant threat right now and communicating those threats to the right asset owners to ensure effective remediation of findings:

Exploitability and threat context: Is there a known exploit for this exposure? Is it being actively used by threat actors? Prioritizing exposures based on real-world threat intelligence ensures remediations target the most likely attack vectors.

Asset criticality and business context: How critical is the affected asset to the business? Understanding the potential impact of an exploit guides prioritization beyond technical severity alone.

Actual impact vs. theoretical risk: A high-severity vulnerability might pose little actual risk in your specific environment due to mitigating controls or specific configurations. Assessing actual impact helps filter out less critical issues, though investigating every exposure’s context remains challenging.

Remediation service level agreements (SLAs): Tracking remediation timeliness against SLAs provides a crucial performance indicator for the exposure management program. Deviations often point to bottlenecks or systemic issues in remediation workflows, patching processes or asset visibility that need addressing.

Exposure trends: Monitoring trends over time, so you can understand whether exposures are increasing or decreasing (overall and in specific areas), is vital. Upward trends signal potential breakdowns or emerging risks requiring investigation and potentially resource reallocation.

Getting to informed decisions

Risk-based metrics are fundamental to each stage of the exposure management lifecycle. We look at it like this:

Discovery and assessment: Metrics give us the context we need to understand the raw data we gather from scanning and assessment tools.

Prioritization: These metrics provide an objective basis to help us decide which exposures we should tackle first.

Validation: It can be hard to validate remediation efforts. We use metrics to understand whether we succeeded and whether we actually reduced risk.

Mobilization: Clear reporting based on these metrics helps mobilize the right teams and secure necessary resources.

By using metrics to connect technical findings with business risk, we have been able to communicate more effectively with our leadership. In turn, we have data that justifies the resources we need for targeted remediations, and we’ve demonstrated the value of our exposure management program.

Takeaways

Incorporating risk-based metrics into an exposure management program requires addressing challenges like managing diverse asset types (including user workstations, mobile devices, cloud, IoT, etc.) so you can ensure accurate data across disparate tools and maintain visibility across the changing attack surface.

But an effective exposure management program requires more than just tools. Your metrics-driven approach should help you to continuously understand and reduce risk across the entire attack surface. With risk-based metrics focused on exploitability, impact, SLAs and trends, you’ll start to move beyond reactive prioritization. You and your team will proactively prioritize efforts, make smarter remediation decisions and optimize resource allocation. Ultimately, you’ll build a more resilient defense.

Have a question about exposure management you’d like us to tackle? We’re all ears. Share your question and maybe we’ll feature it in a future post.
Analysis Summary
# Best Practices: Implementing Risk-Based Metrics in Exposure Management
## Overview
These practices focus on moving an organization beyond reactive vulnerability prioritization to a proactive, risk-based approach within an Exposure Management Program. The goal is to continuously understand and reduce risk across the entire attack surface by focusing remediation efforts based on exploitability, impact, service level agreements (SLAs), and historical trends.
## Key Recommendations
### Immediate Actions
1. **Establish Baseline Asset Inventory:** Immediately begin or verify the completeness of your critical asset inventory to serve as the foundation for risk calculations.
2. **Integrate Core Data Sources:** Connect primary security tools (vulnerability scanners, cloud configuration checkers) to a central platform to aggregate raw exposure data.
3. **Identify Critical Business Context:** Document and tag assets based on their business criticality (e.g., Production Database, Customer-Facing Web Server) to enable impact assessment.
### Short-term Improvements (1-3 months)
1. **Implement Exploitability Scoring:** Integrate threat intelligence that indicates confirmed or likely exploitation (e.g., the CISA Known Exploited Vulnerabilities catalog for confirmed in-the-wild exploitation, EPSS for predicted exploitation probability, and trending-exploit feeds) into existing vulnerability scores, so that a confirmed-exploited medium outranks an unexploited critical.
2. **Define Remediation SLAs by Risk Tier:** Establish and document time-bound remediation targets for vulnerabilities based on their calculated risk score (e.g., Critical Risk = 7-day SLA, High Risk = 30-day SLA).
3. **Begin Trend Analysis:** Start tracking metrics related to remediation velocity and the backlog of identified exposures to establish performance baselines.
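The SLA tiers in item 2 and the remediation-velocity and backlog metrics in item 3 (the same SLA and trend considerations the post describes), as an added worked example in Python. This is illustrative code written for this page, not the post's or Tenable's reporting logic. It assumes each finding has already been assigned a risk tier and carries first-seen and resolved dates; the critical and high SLA figures are the ones in item 2, the medium and low figures, the weekly snapshot cadence and the findings themselves are constructed assumptions.

```python
"""SLA compliance and exposure-trend metrics over a set of findings.

Added example, not Tenable's reporting logic. Assumes each finding has
already been assigned a risk tier and carries first-seen / resolved dates.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Days allowed to remediate, per risk tier. critical/high follow the list
# above; medium/low are illustrative assumptions.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class TrackedFinding:
    finding_id: str
    tier: str
    first_seen: date
    resolved: Optional[date] = None   # None = still open


def due_date(f: TrackedFinding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[f.tier])


def is_open(f: TrackedFinding, on: date) -> bool:
    """Was the finding open at the end of day `on`?"""
    return f.first_seen <= on and (f.resolved is None or f.resolved > on)


def breached(f: TrackedFinding, on: date) -> bool:
    """True if the finding was closed late, or is still open past its due date."""
    if f.first_seen > on:
        return False
    closed_on = f.resolved if (f.resolved is not None and f.resolved <= on) else on
    return closed_on > due_date(f)


def sla_compliance(findings, on: date) -> dict:
    """Per tier: (assessed, breached). A finding is assessed once it is
    resolved or its due date has passed; open findings still inside their
    SLA window are not counted either way, so they cannot flatter the rate."""
    out = {tier: [0, 0] for tier in SLA_DAYS}
    for f in findings:
        if f.first_seen > on:
            continue
        resolved_by_on = f.resolved is not None and f.resolved <= on
        if resolved_by_on or due_date(f) < on:
            out[f.tier][0] += 1
            if breached(f, on):
                out[f.tier][1] += 1
    return {tier: tuple(v) for tier, v in out.items()}


def mean_time_to_remediate(findings, on: date) -> Optional[float]:
    """Average days from first seen to resolution, over findings resolved by `on`."""
    durations = [(f.resolved - f.first_seen).days
                 for f in findings if f.resolved is not None and f.resolved <= on]
    return sum(durations) / len(durations) if durations else None


def overdue_open(findings, on: date) -> list:
    """Still-open findings past their SLA with days overdue: the escalation list."""
    return sorted(((f.finding_id, (on - due_date(f)).days)
                   for f in findings if is_open(f, on) and on > due_date(f)),
                  key=lambda t: t[1], reverse=True)


def backlog_trend(findings, start: date, weeks: int) -> list:
    """Open-finding count at each weekly snapshot starting from `start`."""
    return [sum(is_open(f, start + timedelta(weeks=w)) for f in findings)
            for w in range(weeks)]


def trend_direction(snapshots) -> str:
    """Compare the mean of the last three snapshots with the first three."""
    if len(snapshots) < 6:
        return "insufficient data"
    early = sum(snapshots[:3]) / 3
    late = sum(snapshots[-3:]) / 3
    if late > early * 1.1:
        return "rising"
    if late < early * 0.9:
        return "falling"
    return "flat"


# Constructed sample data (not real findings), reported as of 2025-03-31.
AS_OF = date(2025, 3, 31)
SAMPLE = [
    TrackedFinding("F-1", "critical", date(2025, 3, 1), date(2025, 3, 5)),    # on time
    TrackedFinding("F-2", "critical", date(2025, 3, 10), date(2025, 3, 25)),  # closed late
    TrackedFinding("F-3", "critical", date(2025, 3, 27)),                     # open, inside SLA
    TrackedFinding("F-4", "high", date(2025, 2, 15)),                         # open, overdue
    TrackedFinding("F-5", "high", date(2025, 3, 3), date(2025, 3, 20)),       # on time
    TrackedFinding("F-6", "medium", date(2025, 3, 20)),                       # open, inside SLA
]


def report(findings=SAMPLE, on=AS_OF) -> dict:
    """Everything a weekly exposure report needs, in one dict."""
    snaps = backlog_trend(findings, on - timedelta(weeks=6), 7)
    return {
        "sla": sla_compliance(findings, on),
        "mttr_days": mean_time_to_remediate(findings, on),
        "overdue": overdue_open(findings, on),
        "backlog": snaps,
        "trend": trend_direction(snaps),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The point of separating "assessed" from "open" is the pitfall the post warns about: counting findings that are still inside their SLA window as compliant makes a growing backlog look healthy. Here the critical tier shows 1 of 2 assessed findings breached, F-4 surfaces as 14 days overdue for escalation, and the weekly backlog rising from 1 to 3 is reported as a trend rather than left to be noticed by eye.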
### Long-term Strategy (3+ months)
1. **Operationalize Risk Prioritization:** Fully embed risk-based metrics (combining asset criticality, exploitability, and existing controls) into daily ticketing and remediation workflows to drive decision-making.
2. **Align with Business Reporting:** Develop executive-level dashboards that translate technical exposure metrics into clear business risk language (e.g., "Risk reduction achieved this quarter").
3. **Continuous Exposure Review Cycle:** Institute a recurring process where the calculated risk exposure is reviewed quarterly against defined risk appetite thresholds, ensuring continuous optimization of resource allocation.
## Implementation Guidance
### For Small Organizations
- Focus on integrating your primary vulnerability scanner with a Configuration Management Database (CMDB) or manual asset register to ensure *all* assets are accounted for before scoring.
- Start by focusing only on the top 10 most exploited vulnerabilities (or those listed in the CISA KEV catalog) that intersect with your highest-criticality assets.
### For Medium Organizations
- Leverage built-in connectors within an Exposure Management Platform to automatically pull data from cloud environments (IaaS/PaaS) and OT/IoT infrastructure alongside traditional IT assets.
- Pilot risk-based remediation with one security team before rolling out organization-wide change management.
### For Large Enterprises
- Utilize platform capabilities to seamlessly combine data from multiple disparate security tools (e.g., multiple scanners, cloud posture management, identity risk data) into a unified risk view.
- Formalize and automate the process of mapping technical findings to specific business units or application owners to enforce accountability for remediation SLAs.
3. **Use GenAI Analytics Where Available:** If the platform offers GenAI-assisted analytics, use them to speed up investigation of prioritized exposures, but treat their output as a lead to verify against the underlying findings and asset data, not as a remediation decision in itself.
## Configuration Examples
*Specific configuration examples were not detailed in the source text; the underlying principle, however, requires configuring a system (like Tenable One) to receive and combine the following data points for calculation:*
* **Asset Attribute Configuration:** Define and map assets to tiers (e.g., Tier 1: External-facing production, Tier 3: Internal Development).
* **Metric Weighting Configuration:** Assign multipliers or weights to different risk factors, such as giving higher weight to findings on Tier 1 assets, or findings actively being exploited in the wild.
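The tier mapping and metric weighting described above, combined with the prioritization factors from the post (exploitability and threat context, asset criticality, actual vs. theoretical impact), as an added worked example in Python. This is illustrative code written for this page, not Tenable One's scoring model; the tier weights, the mitigation discounts, the KEV-over-EPSS rule, the internet-facing multiplier and the tier thresholds are all assumptions, and the assets and findings are constructed.

```python
"""Risk-based prioritization of exposures: an illustrative scoring model.

Added example, not Tenable's scoring algorithm. Assumes each finding carries
a CVSS base score, an EPSS probability, a CISA KEV flag, the tier of the
affected asset and any compensating controls. All weights and thresholds
below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Tuple

# Asset-tier weights (assumptions): Tier 1 = external-facing production,
# Tier 2 = internal production, Tier 3 = internal development.
TIER_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}

# Discount per compensating control (assumptions); unknown controls earn none.
MITIGATION_FACTOR = {"not_reachable": 0.2, "virtual_patch": 0.5, "waf_rule": 0.5}


@dataclass(frozen=True)
class Asset:
    name: str
    tier: int
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str                    # constructed identifier, not a real CVE
    asset: Asset
    cvss: float                        # CVSS v3 base score, 0-10
    epss: float                        # EPSS probability of exploitation, 0-1
    in_kev: bool                       # in the CISA Known Exploited Vulnerabilities catalog
    mitigations: Tuple[str, ...] = ()


def exploitability(f: Finding) -> float:
    """Threat-context factor in 0..1: confirmed exploitation (KEV) overrides
    the EPSS estimate; a small floor keeps unexploited criticals visible."""
    return 1.0 if f.in_kev else max(f.epss, 0.05)


def mitigation_factor(f: Finding) -> float:
    """Actual vs. theoretical impact: multiply the discounts of known controls."""
    factor = 1.0
    for control in f.mitigations:
        factor *= MITIGATION_FACTOR.get(control, 1.0)
    return factor


def risk_score(f: Finding) -> float:
    """Severity x threat context x asset criticality x controls, scaled to 0..100."""
    score = (100 * (f.cvss / 10) * exploitability(f)
             * TIER_WEIGHT[f.asset.tier] * mitigation_factor(f))
    if f.in_kev and f.asset.internet_facing:
        score = min(100.0, score * 1.2)   # exposed and actively exploited
    return round(score, 1)


def risk_tier(score: float) -> str:
    """Map a 0..100 score to the SLA tier it will be tracked under."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


# Constructed assets and findings for the demonstration.
PAYMENT_WEB = Asset("payment-web-01", tier=1, internet_facing=True)
ORDERS_DB = Asset("orders-db-01", tier=1, internet_facing=False)
APP_SERVER = Asset("app-02", tier=2, internet_facing=False)
DEV_LAPTOP = Asset("dev-laptop-17", tier=3, internet_facing=False)

SAMPLE_FINDINGS = [
    Finding("F-1", PAYMENT_WEB, cvss=7.5, epss=0.90, in_kev=True),
    Finding("F-2", DEV_LAPTOP, cvss=9.8, epss=0.02, in_kev=False),
    Finding("F-3", ORDERS_DB, cvss=9.8, epss=0.40, in_kev=False,
            mitigations=("virtual_patch",)),
    Finding("F-4", APP_SERVER, cvss=8.8, epss=0.60, in_kev=False),
]


def prioritized(findings=SAMPLE_FINDINGS):
    """Findings ordered highest risk first, as (id, score, tier)."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.finding_id, risk_score(f), risk_tier(risk_score(f))) for f in ranked]


if __name__ == "__main__":
    for finding_id, score, tier in prioritized():
        print(f"{finding_id}: {score:5.1f} {tier}")
```

Run it and the ordering is the one the "Ignoring Asset Context" pitfall below argues for: the CVSS 7.5 finding that is in KEV on the internet-facing payment server scores 90 (critical), while the CVSS 9.8 finding on a development laptop with negligible EPSS scores 1.5 (low), and the CVSS 9.8 on the Tier 1 database drops to medium because a virtual patch is recorded against it. Whatever weights you choose, keep them in one place and version them, since every SLA clock downstream depends on the tier they produce.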
## Compliance Alignment
*While the primary goal is risk reduction, the process inherently supports compliance monitoring:*
- **NIST Cybersecurity Framework (CSF 2.0):** Directly supports the **Identify** function (ID.AM Asset Management; ID.RA Risk Assessment, which covers identifying, validating and prioritizing vulnerabilities and their remediation) and the **Protect** function (PR.PS Platform Security, which covers patching and configuration management). Remediation velocity is a Protect outcome rather than a Detect one; Detect concerns spotting adverse events.
- **ISO/IEC 27001:** Aligns with control A.8.8, Management of technical vulnerabilities, in ISO/IEC 27001:2022 (A.12.6.1 under the 2013 Annex A, where it sat in A.12 Operations security), and with the risk assessment and risk treatment requirements of clauses 6.1.2 and 6.1.3.
- **CIS Critical Security Controls (v8):** Supports Control 1 (Inventory and Control of Enterprise Assets), Control 2 (Inventory and Control of Software Assets), Control 4 (Secure Configuration of Enterprise Assets and Software, for the misconfiguration findings) and Control 7 (Continuous Vulnerability Management), in particular Safeguard 7.2 (establish and maintain a risk-based remediation process) and Safeguard 7.7 (remediate detected vulnerabilities), by prioritizing which findings to address based on risk context.
## Common Pitfalls to Avoid
- **Tool-Only Focus:** Do not rely solely on the scores provided by an individual tool; ensure the risk score integrates context from asset criticality and current threat intelligence.
- **Ignoring Asset Context:** Scoring a low-impact development laptop vulnerability the same as a critical flaw on an internet-facing payment server leads to wasted effort and increased true risk exposure.
- **Stale Data:** Failing to implement regular data ingestion or update asset tagging means your risk calculations will quickly become inaccurate and irrelevant to the current environment.
- **Treating SLAs as Targets, Not Requirements:** If remediation SLAs are ignored or frequently missed without corrective action, the entire risk-based system loses credibility.
## Resources
- **Platform Focus:** Utilize an Exposure Management Platform capable of integrating data across Cloud Exposure, Vulnerability Exposure, OT/IoT Exposure, and Identity Exposure.
- **Key Capabilities to Seek:** Exposure Prioritization, Asset Inventory integration, and Exposure Analytics.
- **Threat Intelligence Integration:** Ensure the platform can ingest and apply external threat data (e.g., exploitability indicators) to raw findings.