Full Report
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable security engineer Aaron Roy shares how he led the integration of attack surface management with exposure management. You can read the entire Exposure Management Academy series here.

Knowing your attack surface is fundamental to cybersecurity today. But many questions come to mind:

- What exactly is the attack surface?
- Why does it matter?
- How do you even go about figuring it all out?

I’ll try to answer those questions in this post. In my short time as an information security engineer at Tenable, our shift to exposure management has really brought home just how critical cyber asset attack surface management (CAASM) is.

## Understanding the attack surface

I think of the attack surface as the perimeter of a house. Every door, window and maybe even a loose brick is a potential entry point. The larger the house, the more points of entry.

Now, although it’s not as tangible as your house — in fact, it’s amorphous — the same goes for your digital environment. Every application, server, cloud instance and endpoint connected to the internet is part of your attack surface. If you don't know all those entry points, how can you possibly secure them?

## Moving beyond vulnerability scans

You might be thinking, "We've got vulnerability scans. Isn't that enough?"

Well, sure, they’re important and we’d be lost without them. But traditional vulnerability management is just a piece of the puzzle. Exposure management gives you a broader perspective. In addition to identifying known vulnerabilities, exposure management gives you an understanding of the entire landscape of potential risk. This includes external attack surface management and the assets you might not even know you have.

## How our ASM integration worked

Let me give you an example from my recent work on integrating Tenable Attack Surface Management with the Tenable One Exposure Management Platform.

Tenable Attack Surface Management helps you discover all the external domains and subdomains related to your organization. It's like finding all the hidden entrances to your digital house. One really good feature is that you can integrate this data with your vulnerability management and web application scanning tools.

Suddenly, you’ll see the big picture.

By integrating Tenable Attack Surface Management with Tenable Vulnerability Management, from which we can now launch scans, we gained enhanced visibility into external assets and web applications. The attack surface management data is then automatically integrated into the Tenable One platform, which gives us the additional ability to manipulate it in context with other Tenable One findings.

Although it was a great help for discovering previously unknown external assets and initiating scans, a more significant aspect of the Tenable Attack Surface Management integration was its synergy with Tenable Web App Scanning. Because Tenable Web App Scanning is dedicated to identifying vulnerabilities within web applications, often customer-facing external sites, the Tenable Attack Surface Management integration proved highly valuable. It enabled the review of discovered domains and subdomains from Tenable Attack Surface Management directly within Tenable Web App Scanning, adding these to existing scans and schedules without leaving the application.

Integrating Tenable Attack Surface Management with Tenable Web Application Scanning lets us automatically identify and add newly discovered domains to our scanning schedules, which is a real game-changer.

This streamlined the process of identifying new web applications within our domains, automatically reporting them and eliminating the need to manually ask application owners for updates. This integration made reviews more efficient and enabled the addition of new scans and the elimination of irrelevant domains, such as 404 pages, that Tenable Attack Surface Management found.

Instead of relying on application owners to tell you about new sites (which, in reality, doesn't always happen), you can proactively discover them. And you might even find some old ones you’ve forgotten about.

## My move from engineer to detective

One thing I've learned is that data from various sources can sometimes disagree. That conflict often requires a bit of detective work.

A tool might report something as XYZ, but is it really? You have to dig deeper and double-check the data. Think of it like checking your calculations during a test. Some might blindly trust a calculator without a second look. But it’s better to check, right?

The shift to a broader exposure management approach, facilitated by these integrations, involved a significant increase in data sources. Our team moved from managing data from 10-15 applications to potentially double or triple that number. This necessitated a rigorous process of detective work and data refinement to ensure accuracy and actionability. Moving from just a few data sources to many can seem daunting. But it's not about complicating things. It's about getting a clearer picture.

The core challenge was verifying that the ingested data from various sources was correct and consistent.
My team had to meticulously work through processes previously owned by other resources or teams, constantly iterating and refining them to optimize their effectiveness. Sure, there’s work involved in checking and refining data from diverse sources, especially if that data was previously owned by another team with unique processes.

But in the long run, having all this information at your fingertips clarifies things. You’ll see the full scope of potential exposures.

## The future of exposure management

Looking ahead, the goal of the exposure management team is to further streamline this process by ingesting all these disparate data sources and making them actionable in the simplest way possible for different teams, including the software development lifecycle. A key element of this ongoing shift involves integrating tools like those from Tenable’s recent acquisition Vulcan for security orchestration and ticketing. The ultimate aim is to automate most of our currently manual processes, enabling frequent reporting of accurate and actionable information to stakeholders. This comprehensive approach ensures that we report all findings and vulnerabilities and that we monitor and adhere to SLAs for all products.

## Takeaways

Having a clear plan of attack, pun intended, is vital. You can’t just wing it. In our team, we’re working to inventory all the information from these new sources, understand how they worked before we took over and figure out how to make it even better. This involves refining processes, adding security orchestration and ensuring all our data is accurate and actionable. Plus, we can use Tenable One to analyze the data in context. Ultimately, it's about knowing our attack surface, scanning it thoroughly, and making sure we can report on everything. That's how you manage exposure effectively. It’s not just about ticking boxes. It's about truly understanding what’s out there and taking the necessary steps to protect it.

Exposure management is an ongoing process. It's about evolving, adapting and always striving for better visibility. For me, that's what makes it so interesting.

## Learn more

Check out the Tenable exposure management resource center to discover the value of exposure management and explore resources to help you stand up a continuous threat exposure management program.
Analysis Summary
# Best Practices: Exposure Management as Attack Surface Management
## Overview
These practices focus on establishing a proactive, consolidated approach to cybersecurity by treating Exposure Management (EM) as a continuous process of Attack Surface Management (ASM). The goal is to gain holistic visibility across all assets, prioritize risks based on exploitability context, and streamline remediation workflows.
## Key Recommendations
### Immediate Actions
1. **Initiate Comprehensive Asset Inventory:** Immediately begin the process of surveying and cataloging all assets across the environment (including IT, Cloud, OT/IoT, and Identities) to establish a baseline understanding of the total attack surface.
2. **Establish Data Ingestion Strategy:** Identify all existing security data sources (vulnerability scanners, cloud posture tools, identity management systems) and prioritize connecting them to a central platform for unified analysis.
3. **Define Initial SLAs:** Document and communicate initial Service Level Agreements (SLAs) for vulnerability remediation, ensuring accountability for critical findings across product teams.
### Short-term Improvements (1-3 months)
1. **Integrate Security Orchestration Tools:** Integrate security orchestration and ticketing systems (e.g., leveraging tools like Vulcan) to automate the creation and assignment of remediation tasks based on identified exposures.
2. **Refine Data Accuracy Processes:** Implement a process to regularly audit and refine the accuracy of aggregated data sources, correcting misconfigurations or stale asset entries.
3. **Prioritize Exposures Contextually:** Move beyond raw vulnerability severity by incorporating threat intelligence and exploitability context to focus remediation efforts on the exposures that present the highest immediate risk.
### Long-term Strategy (3+ months)
1. **Automate Manual Processes:** Systematically identify and automate currently manual security workflow steps, particularly around data aggregation, analysis, and ticket routing.
2. **Enable Continuous Threat Exposure Monitoring:** Embed exposure management into a continuous monitoring cycle that evolves alongside the environment, ensuring ongoing visibility and adaptation to new risks.
3. **Develop Stakeholder Reporting Cadence:** Formalize the reporting structure for actionable exposure metrics and risk posture updates tailored for executive leadership, engineering teams, and compliance officers.
## Implementation Guidance
### For Small Organizations
- **Focus on Core Tool Consolidation:** Select one primary platform capable of ingesting data from your existing scanner and cloud provider to immediately improve visibility without significant infrastructure overhaul.
- **Manual Prioritization Review:** Since full automation may be resource-intensive, establish a weekly mandatory review session where security personnel manually prioritize the top 10 critical exposures across the environment.
- **Direct Developer Feedback:** Maintain lightweight communication channels (e.g., dedicated Slack channel) to provide prompt, direct feedback to developers regarding critical findings introduced in code commits or deployments.
### For Medium Organizations
- **Implement Connector Framework:** Utilize comprehensive data connectors to automate the ingestion of data from 80% of known security tools (vulnerability, cloud, identity) into a central EM/ASM platform.
- **Pilot Orchestration:** Implement a pilot program for security orchestration, routing tickets for high-risk vulnerabilities identified in known critical applications directly into the appropriate development backlog system (e.g., Jira).
- **Establish Hygiene Metrics:** Define and track baseline metrics for security hygiene (e.g., percentage of assets scanned monthly, average time-to-remediate for criticals) to measure program effectiveness.
### For Large Enterprises
- **Full Data Source Ingestion:** Achieve comprehensive data aggregation across all security silos using native or third-party connectors to build a complete attack surface graph.
- **Advanced Prioritization Engine:** Deploy advanced exposure prioritization capabilities that contextualize findings by combining vulnerability scores with asset criticality, external threat signals, and identity context.
- **Automated Remediation Workflow Backbone:** Leverage security orchestration capabilities to fully automate the lifecycle of common findings—from detection and contextualization to ticket creation, SLA tracking, escalation, and eventual verification of closure.
## Configuration Examples
*(The source material is high-level and does not contain specific technical configurations; the guidance below reflects the capabilities mentioned.)*
| Capability | Actionable Configuration Goal |
| :--- | :--- |
| **Data Integration** | Configure Tenable One Connectors (or similar platform) to pull data streams from Vulnerability Management, Cloud Security Posture Management (CSPM), and Identity Exposure tools. |
| **Risk Prioritization** | Configure the prioritization engine to weight findings based on the existence of active exploit patterns (e.g., recent CISA KEV entry) on internet-facing assets, suppressing low-context findings until context is added. |
| **Workflow Automation** | Define workflow rules to automatically transition a vulnerability ticket from "Detected" to "Assigned" status in the ticketing system once it meets criteria (e.g., CVSS ≥ 9.0 on a production server). |
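As an added example (not Tenable's code and not an API of any Tenable product), the script below shows the detective-work step from the post (dropping domains that ASM reports as 404 pages, and holding findings whose environment tag disagrees between the scanner and a CMDB) together with the two rules in the table above: KEV-on-internet-facing weighting and the Detected to Assigned transition at CVSS ≥ 9.0 on production. All feeds, hostnames and CVE ids are constructed placeholders, and treating "discovered by ASM" as internet-facing is an assumption.

```python
# Constructed sample feeds (not real data): ASM host discovery with HTTP
# status, a CMDB environment tag, placeholder KEV ids, and VM scan findings.
ASM_HOSTS = {"shop.example.com": "live", "old.example.com": "404"}
CMDB_ENV = {"shop.example.com": "production", "build.internal": "production"}
KEV = {"CVE-0000-0001"}  # placeholder id standing in for a real KEV entry
VM_FINDINGS = [
    {"host": "shop.example.com", "cve": "CVE-0000-0001", "cvss": 9.8, "env": "production"},
    {"host": "shop.example.com", "cve": "CVE-0000-0002", "cvss": 5.3, "env": "production"},
    {"host": "build.internal", "cve": "CVE-0000-0001", "cvss": 9.8, "env": "staging"},
    {"host": "old.example.com", "cve": "CVE-0000-0003", "cvss": 7.5, "env": "production"},
]

def reconcile(findings, asm_hosts, cmdb_env):
    """Drop findings on hosts ASM reports as dead (e.g. 404 pages) and hold
    findings whose scanner environment tag disagrees with the CMDB.
    Returns (kept findings, conflicts that need a human to settle)."""
    kept, conflicts = [], []
    for f in findings:
        if asm_hosts.get(f["host"]) == "404":
            continue  # irrelevant domain, not worth a ticket
        cmdb = cmdb_env.get(f["host"])
        if cmdb is not None and cmdb != f["env"]:
            conflicts.append((f["host"], f["env"], cmdb))
            continue  # detective work: which source is right?
        # Assumption: anything ASM discovered is internet-facing.
        kept.append(dict(f, internet_facing=f["host"] in asm_hosts))
    return kept, conflicts

def priority(f, kev):
    """Weight by exploitability context: a KEV entry on an internet-facing
    asset outranks raw CVSS; findings without exposure context are deferred."""
    if f["cve"] in kev and f["internet_facing"]:
        return "critical"
    if f["internet_facing"] and f["cvss"] >= 7.0:
        return "high"
    return "deferred"

def ticket_status(f):
    """Workflow rule: CVSS >= 9.0 on a production asset moves the ticket
    from Detected to Assigned without a manual step."""
    return "Assigned" if f["cvss"] >= 9.0 and f["env"] == "production" else "Detected"

def triage(findings=VM_FINDINGS, asm_hosts=ASM_HOSTS, cmdb_env=CMDB_ENV, kev=KEV):
    """Run reconcile, then score and route each surviving finding."""
    kept, conflicts = reconcile(findings, asm_hosts, cmdb_env)
    rows = [(f["host"], f["cve"], priority(f, kev), ticket_status(f)) for f in kept]
    return rows, conflicts
```

With the sample feeds, `triage()` auto-assigns the KEV finding on the live shop host, defers the low-severity one, drops the 404 host entirely, and queues the build host for review because the scanner and CMDB disagree about its environment.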
## Compliance Alignment
- **NIST Cybersecurity Framework (CSF):** Directly supports the **Identify** (Asset Management, Risk Assessment) and **Respond** (Incident Response) functions by providing comprehensive visibility and actionable context.
- **ISO/IEC 27001:** Addresses Annex A controls pertaining to asset management (A.8) and vulnerability management (A.12.6) through continuous monitoring and systematic exposure assessment.
- **CIS Critical Security Controls (CIS Controls):** Aligns strongly with Control 1 (Inventory and Control of Enterprise Assets) and Control 7 (Vulnerability Management) by mandating thorough discovery and prioritized remediation.
## Common Pitfalls to Avoid
- **"Ticking Boxes" Mentality:** Do not treat exposure management solely as a compliance checklist exercise. The focus must remain on reducing actual exploitable risk, not just reporting on discovered vulnerabilities.
- **Data Silo Reliance:** Avoid relying on siloed reports from individual security tools. True exposure management requires consolidating and converging data for contextual analysis.
- **Ignoring Asset Lifecycle:** Failing to constantly re-scan and update the asset inventory as assets are deployed, decommissioned, or reconfigured leads to blind spots in the perceived attack surface.
- **Manual Escalation Lag:** Allowing remediation follow-up to become bottlenecked by manual ticketing and status chasing; utilize automation to enforce SLAs continuously.
## Resources
- Tenable Exposure Management Resource Center (for general program development)
- Documentation for implementing Security Orchestration and Ticketing Integration (specific platform documentation required).
- Internal documentation outlining current asset inventory standards and classification schemes.