How the Kenna sunset is giving security leaders the opportunity to outgrow vulnerability silos and adopt a unified exposure management model.
# Best Practices: Transitioning from RBVM to Unified Exposure Management
## Overview
These practices outline the strategic shift required for security leaders moving away from siloed, Risk-Based Vulnerability Management (RBVM) approaches (like legacy Kenna implementations) toward a holistic, context-aware Unified Exposure Management model. The goal is to prioritize security efforts based on **actual, measurable exposure and business impact** rather than solely on CVE severity.
## Key Recommendations
### Immediate Actions
1. **Inventory Current RBVM Dependencies:** Document all existing integrations, reporting structures, and business intelligence streams relying on the legacy vulnerability aggregation tool being sunset (Kenna/Cisco VM).
2. **Initiate Context Mapping Assessment:** Begin mapping critical assets and their associated business criticality levels against existing vulnerability findings to understand context gaps immediately.
3. **Validate External Reachability (ASM):** For all high-severity vulnerabilities identified by current scanners, initiate external attack surface validation tests to determine real-world exploitability from the internet.
### Short-term Improvements (1-3 months)
1. **Adopt a Security Graph Approach:** Select and deploy a platform that unifies data (vulnerabilities, configurations, identities, code) into a centralized graph structure to enable relationship mapping.
2. **Enrich Vulnerability Data with Cloud Context:** Integrate scanning results (e.g., from existing vulnerability scanners) directly into the unified platform to automatically enrich every finding with environmental context:
   * **Permissions:** What access roles does the affected workload possess?
   * **Data Sensitivity:** Does the workload access sensitive data (PII, financial records)?
   * **Lateral Movement Path:** Could exploitation of the finding allow movement into other critical zones?
3. **Establish Cross-Functional Ownership (Code to Cloud):** For prioritized exposures, identify the originating point (e.g., faulty deployment pipeline, specific repository) and assign remediation responsibility to the development or infrastructure team responsible for the code/deployment source.
### Long-term Strategy (3+ months)
1. **Implement Unified Prioritization Logic:** Define and enforce remediation policies based on the combination of **Vulnerability Severity + Exploitability + Business Impact/Blast Radius**, prioritizing exposures that are publicly reachable and affect crown-jewel assets.
2. **Institutionalize Horizontal Security Visibility:** Decommission siloed security processes (vertical security) and require that all security reporting (especially vulnerability remediation SLAs) reflect the unified exposure score, so that vulnerability management is integrated with cloud security posture management (CSPM) and attack surface management (ASM).
3. **Automate Risk Context Feedback Loops:** Configure automated workflows to feed necessary context (e.g., asset tag changes, new deployment environments) back into the exposure management system to maintain graph accuracy without constant manual curation.
4. **Refactor Remediation Workflows:** Retire ticket queues based purely on CVSS score. Instead, structure remediation sprints around contextualized "Top N Exposures" where the tickets contain the necessary environmental context (exploitability details, impacted data) needed by the engineering owners for direct action.
## Implementation Guidance
### For Small Organizations
* **Prioritize Cloud-Native Tools:** Focus procurement on platforms that offer integrated vulnerability management embedded within broader cloud-native security posture assessment (e.g., CSPM/CWPP integration) to avoid needing separate aggregation tools.
* **Focus on Critical Assets First:** Since context gathering can be resource-intensive, apply the 80/20 rule immediately: identify the 20% of assets holding the most sensitive data or facing the most direct external exposure, and prioritize context enrichment for those first.
### For Medium Organizations
* **Phased Integration:** If using multiple scanners (on-prem, code), prioritize the ingestion and normalization of findings into the new exposure management platform first, before fully relying on its contextual enrichment.
* **Developer Buy-in:** Target developer remediation groups with high-context, low-noise prioritized lists, directly linking the vulnerability to the relevant code repository or CI/CD artifact to facilitate faster adoption of the new prioritization method.
### For Large Enterprises
* **Data Normalization Strategy:** Develop a rigorous data pipeline for normalizing inputs from disparate, legacy scanners into the unified platform’s graph structure to ensure consistent context application across the enterprise footprint.
* **Dedicated Ownership Transition Team:** Establish a cross-functional task force (comprising VM, Cloud Security, and Application Security leads) dedicated to decommissioning old RBVM workflows and driving adoption of the new horizontal exposure workflows across all business units.
* **Integrate Identity and Access Management (IAM):** Ensure the chosen platform deeply integrates context about workload identities and associated permissions, as this is critical for calculating the true blast radius of an exploited vulnerability.
## Configuration Examples
*The source material describes the **need** for configuration examples (such as mapping findings to the Wiz Security Graph) but does not list specific configuration steps for migrating between tools.*
**Conceptual Configuration Goal:**
Configure the new exposure management platform to automatically tag any externally reachable asset that carries a critical (CVSS > 9.0) vulnerability and has access to PII data with a **"Critical Exposure Priority"** tag, routing it past the standard triage queues.
## Compliance Alignment
The shift to Exposure Management aligns with modern security compliance goals by focusing resources where risk reduction is demonstrably highest:
- **NIST CSF:** Directly supports the **Identify (ID.RA - Risk Assessment)** and **Protect (PR.IP - Protective Measures)** functions by contextualizing data to inform risk response.
- **ISO 27001/27002:** Supports demonstrating effective management of risks associated with vulnerabilities in information systems by prioritizing remediation based on organizational risk acceptance criteria (moving beyond generic technical ratings).
- **CIS Critical Security Controls:** Enhances Control 7 (Vulnerability Management) by adding external exploitability checks and Control 12 (Network Monitoring and Defense) by focusing monitoring on exposed attack surfaces.
## Common Pitfalls to Avoid
- **"Lift and Shift" Mentality:** Do not simply replace the old RBVM tool with a new platform and continue using the old, siloed prioritization lists. The entire prioritization methodology must change.
- **Ignoring Exploitability:** Continuing to prioritize based on high CVSS scores without validating external path access leads to wasted effort on "dark" vulnerabilities that attackers cannot reach.
- **Dismissing Internal Context:** Focusing only on external access while ignoring sensitive data exposure or lateral movement potential ensures the "blast radius" calculation remains incomplete.
- **Leaving Ownership Ambiguous:** Failure to assign remediation tasks back to the development/infrastructure team responsible for the source of the deployed code will result in remediation delays measured in weeks or months.
## Resources
- **Framework Transition Document:** Develop a formal internal document detailing the security objectives shifting from "Vulnerability Aggregation" to "Unified Risk Exposure Reduction."
- **Vendor Documentation:** Consult documentation for modern Exposure Management or Unified Vulnerability Management platforms concerning Security Graph ingestion and context enrichment capabilities.
- **Contextual Prioritization Matrix:** Create a simple matrix scoring assets based on: External Reachability (Yes/No), Data Sensitivity (Low/Med/High), and Workload Criticality (Low/Med/High) to formalize the new prioritization model.
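As an added illustration (not code from the source report or from any vendor platform), the following Python models the Contextual Prioritization Matrix above together with the Conceptual Configuration Goal from the Configuration Examples section and the unified prioritization logic (severity, exploitability, business impact). The weights, the "exploited in the wild" flag standing in for exploitability, and the assets and CVE ids are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
LEVEL = {"Low": 1, "Med": 2, "High": 3}  # Low/Med/High scale from the matrix
@dataclass
class Asset:
    name: str
    external: bool | None      # None = reachability not yet validated by ASM
    data_sensitivity: str      # Low / Med / High
    criticality: str           # Low / Med / High
    accesses_pii: bool = False
@dataclass
class Finding:
    cve: str                   # placeholder ids in SAMPLE, not real CVEs
    asset: Asset
    cvss: float
    exploited_in_wild: bool = False   # assumed stand-in for exploitability evidence
    tags: list[str] = field(default_factory=list)
def matrix_score(asset: Asset) -> int:
    """Matrix: reachability weight x (data sensitivity + workload criticality), assumed weights."""
    reach = {True: 3, False: 1}.get(asset.external, 2)   # unknown reachability sits in the middle
    return reach * (LEVEL[asset.data_sensitivity] + LEVEL[asset.criticality])
def exposure_score(f: Finding) -> float:
    # Severity x Exploitability x Business Impact/Blast Radius as a single number
    return f.cvss * (2.0 if f.exploited_in_wild else 1.0) * matrix_score(f.asset)
def route(f: Finding) -> str:
    """Config goal: CVSS > 9.0 + externally reachable + PII -> tag and bypass triage; unknown reachability is flagged."""
    a = f.asset
    if a.external is None:
        f.tags.append("needs-reachability-validation")   # never silently treat unknown as "internal"
        return "standard-triage"
    if f.cvss > 9.0 and a.external and a.accesses_pii:
        f.tags.append("Critical Exposure Priority")
        return "critical-exposure"
    return "standard-triage"
def top_n(findings: list[Finding], n: int = 3) -> list[Finding]:
    # Contextualized "Top N Exposures" list for a remediation sprint
    return sorted(findings, key=exposure_score, reverse=True)[:n]

# Constructed sample inventory (assets and CVE ids are placeholders).
WEB = Asset("web-frontend", True, "High", "High", accesses_pii=True)
BATCH = Asset("internal-batch", False, "High", "Med", accesses_pii=True)
NEW = Asset("new-lambda", None, "Low", "Low")
API = Asset("api-gateway", True, "Med", "High", accesses_pii=True)
SAMPLE = [Finding("CVE-0000-0001", WEB, 9.8, exploited_in_wild=True), Finding("CVE-0000-0002", BATCH, 9.8),
          Finding("CVE-0000-0003", NEW, 9.5), Finding("CVE-0000-0004", API, 9.0)]  # 9.0 is not > 9.0
if __name__ == "__main__":
    for f in SAMPLE:
        print(f.cve, f.asset.name, route(f), f.tags)
    print("Top N:", [f.cve for f in top_n(SAMPLE)])
```

An asset that ASM has not yet validated is scored between internal and external and tagged for validation, so it is neither silently deprioritized nor fast-tracked on incomplete context.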