Full Report
Each Monday, the Tenable Exposure Management Academy will provide the practical, real-world guidance you need to make the shift from vulnerability management to exposure management. In this blog, Tenable Senior Staff Information Security Engineer Arnie Cabral, who is leading the company's internal exposure management journey, shares his experiences. You can read the entire Exposure Management Academy series here.

In my role as an information security engineer at Tenable, I am directly involved in transitioning our own security infrastructure from traditional vulnerability management to a more proactive exposure management approach. The first steps required strategic planning, policy realignment and resource allocation.

The need to move beyond simply identifying vulnerabilities drove Tenable’s transition. We needed to focus on managing real-world exposures that pose significant risk to our security posture.

The starting point: Recognizing the need for change

They say a journey of a thousand miles begins with a single step. At Tenable, our shift to exposure management in our internal infrastructure began with a simple realization. We knew that, although it is critical to modern cybersecurity, vulnerability management alone doesn’t provide a complete picture of cyber risk. Traditional vulnerability management typically involves scanning assets for known vulnerabilities and remediating them based on severity scores. However, true security risk management requires a broader view that includes misconfigurations, attack surface visibility and real-time threat intelligence.

To start our move to cyber exposure management, we reframed our existing policies to align with the new approach. This was not just a simple editing exercise, although there was some carry-over from the current policies. Instead, we redefined our objectives and transformed our policies to ensure alignment with emerging risk-based exposure management frameworks.

Establishing a policy framework

With our new exposure management policy in place, we created a foundation to ensure our security teams have clear guidelines on how to assess, prioritize and remediate exposures beyond just addressing common vulnerabilities and exposures (CVEs).

As we completed the policy, we understood the new approach would need to incorporate:

- A broader assessment of risk, beyond Common Vulnerability Scoring System (CVSS) scores
- Vulnerability prioritization frameworks that account for asset criticality, attack paths and real-world exploitability
- The integration of multiple security tools to gain comprehensive visibility for more actionable attack surface management
- Alignment with a broader set of stakeholders to match the expanded scope of assets and detections

Building a project plan

Alongside the policy we developed, our team drafted a project plan to operationalize security exposure management. This plan included:

- Identifying gaps between the existing risk-based vulnerability management program and the desired state of the exposure management program
- Mapping inputs (i.e., the sources of vulnerability and exposure data) and outputs (i.e., the teams responsible for remediation)
- Defining key milestones and deliverables
- Assigning responsibilities and estimating resource needs

Smaller organizations could manage this process with common tools like spreadsheets. But larger enterprises, like ours, usually turn to platforms like Jira and Confluence to help the process. Of course, no plan would be complete without Gantt charts that provide a visual understanding of the project structure and timeline. My advice is to use tools that help you reach your goals without adding unnecessary process overhead. For example, a platform that integrates data from multiple siloed security tools from multiple vendors gives you a continuous and complete view of your environment and an accurate risk profile.

Addressing operational challenges

One of the key challenges in this transition was the complexity of security operations. Traditional vulnerability management relies mostly on scanning assets for vulnerabilities with Nessus scanners and agents, but the move to exposure management required incorporating other elements, including:

- Cloud environments and ephemeral assets
- Configuration management across various asset types (e.g., SaaS, PaaS, IaaS and hardware) as well as identity exposure risks
- Application security and software development lifecycle (SDLC) vulnerabilities
- Third-party security risks

Our teams had to ensure remediation workflows could handle this broader scope while maintaining efficiency. This led to discussions about automation and orchestration — essentially, we wanted to understand how we could centralize the triage and response process without overloading security teams.

How to implement an exposure management program

If your organization is embarking on, or considering starting, your own exposure management journey, here are exposure management best practices and key takeaways from Tenable’s experience:

- Don’t neglect traditional vulnerability management: Continuous threat exposure management expands the scope but does not replace foundational vulnerability management practices. CVE-based remediation remains a critical component.
- Start with policy and governance: Establish a clear exposure management policy to provide structure, establish service level agreements (SLAs) and ensure accountability.
- Align teams: Organize teams and resources to ensure they’re working in support of your exposure management policy.
- Prioritize based on real-world risk: Not all vulnerabilities pose immediate threats. Focus on threat exposures that present actual risk based on attack feasibility.
- Optimize workflows for scale: Exposure management introduces a higher volume of security issues. Automation and orchestration are essential.
- Expect a continuous evolution: Exposure management is not a one-time project but an ongoing program that adapts to new threat detection and business changes.

Takeaways

The transition from vulnerability management to exposure management is a necessary evolution in cybersecurity strategy. As attack surfaces expand and threats become more sophisticated, your organization needs to adopt a more holistic approach to cyber risk reduction. Although the journey can be complex and resource-intensive, the benefits — increased visibility, better risk prioritization and improved security outcomes — make it a worthwhile investment. I’m excited about what lies ahead and look forward to sharing more about our journey.
Analysis Summary
# Best Practices: Starting the Exposure Management Journey
## Overview
These practices outline the necessary steps and strategic shift required for organizations transitioning from traditional vulnerability management to a comprehensive Continuous Threat Exposure Management (CTEM) or Exposure Management program. The goal is to gain holistic visibility, prioritize risk based on real-world threat context, and optimize response workflows for scale.
## Key Recommendations
### Immediate Actions
1. **Do Not Neglect Foundational Vulnerability Management (VM):** Immediately reaffirm and maintain robust, existing CVE-based remediation processes, as exposure management expands upon, but does not replace, foundational VM.
2. **Establish Policy and Governance Baseline:** Initiate the process of defining a clear, written exposure management policy that includes definitions, scope, and initial Service Level Agreements (SLAs) for remediation and triage.
### Short-term Improvements (1-3 months)
1. **Align Teams and Resources:** Organize security teams and operational resources to explicitly support the directives outlined in the newly established exposure management policy, ensuring clear lines of accountability.
2. **Implement Risk-Based Prioritization:** Begin shifting focus in remediation efforts towards threat exposures that present **actual, quantifiable risk** based on attack feasibility, rather than treating all vulnerabilities equally.
3. **Assess Automation Needs:** Evaluate current workflows to identify bottlenecks where triaging and response processes risk being overloaded by the increased volume of issues generated by a broader exposure management scope.
### Long-term Strategy (3+ months)
1. **Develop and Implement Automation/Orchestration:** Design and deploy automation and orchestration solutions to centralize the triage and response processes, ensuring the program can scale effectively without overwhelming the security team.
2. **Embed Exposure Management as an Ongoing Program:** Formalize exposure management as a continuous, iterative program that routinely adapts to incorporate new threat intelligence, evolving detection methods, and ongoing business changes.
3. **Integrate Comprehensive Attack Surface Visibility:** Work toward gaining full visibility across the entire, expanding attack surface (the source names cloud and ephemeral assets, SaaS/PaaS/IaaS and hardware configuration, identity exposure, application/SDLC findings and third-party risk) to feed the risk prioritization models.
## Implementation Guidance
### For Small Organizations
* **Policy Focus:** Keep the initial exposure management policy lean and focused on critical asset identification and remediation SLAs for high-risk findings only.
* **Resource Alignment:** Dedicate specific individuals (even part-time) to own the transition process, ensuring VM activities don't stall while exploring new context layers.
* **Prioritization:** Focus initially on vulnerabilities impacting externally facing assets or those associated with known, active exploit techniques (threat intelligence feeds).
### For Medium Organizations
* **Governance Structure:** Formalize review boards or governance checkpoints to manage the complexity increase as new scopes (e.g., cloud, identity, application security, third-party risk) are brought into the program.
* **Pilot Automation:** Select one high-volume remediation area (e.g., patching for standard endpoints) to pilot orchestration workflows before rolling out broader automation.
* **Risk Communication:** Start developing standardized reports using risk metrics (not just vulnerability counts) to communicate progress upward to management.
### For Large Enterprises
* **Centralized Platform Adoption:** Investigate and implement a unified platform capable of consolidating data from disparate scanning and assessment tools (vulnerability, cloud, configuration, identity, application security) to enable unified attack path analysis.
* **Service Level Agreement (SLA) Matrix:** Develop an SLA matrix keyed on asset criticality, exposure context (internet reachability, exploit availability, attack paths) and identity risk, so that the same CVE carries different deadlines on different assets and accountability is clear across multiple operational teams.
* **Continuous Program Maturity:** Establish a dedicated CTEM steering committee responsible for quarterly reviews of program effectiveness, technology stack optimization, and adaptation to new business unit requirements.
## Configuration Examples
*No specific technical configurations were provided in the source text. Implementation should focus on leveraging attack path analysis features within dedicated Exposure Management platforms.*
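The prioritization rule stated in the blog's "Prioritize based on real-world risk" takeaway and in the "Implement Risk-Based Prioritization" and "SLA Matrix" items above, worked through as an added Python example. This is illustrative code written for this page, not Tenable's scoring model or any product API: the weights, thresholds, SLA day counts, field names and the four findings are all constructed assumptions. The point it shows is that a CVSS 9.8 on an isolated, low-value host ranks below a CVSS 7.5 (and even a CVSS 5.3) that is exploitable from the internet, while a CVSS floor keeps foundational CVE remediation from being dropped entirely.

```python
"""Risk-based prioritization and SLA assignment for exposure findings.

Added example, not Tenable's scoring model. Every weight, threshold and SLA
value is an illustrative assumption; the findings below are constructed.
"""
from dataclasses import dataclass

# Illustrative SLA matrix: tier -> remediation deadline in days (assumption).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # CVSS base score, 0.0 - 10.0
    exploit_known: bool         # public exploit or active exploitation reported
    internet_facing: bool       # reachable from the internet
    asset_criticality: int      # 1 (low) .. 5 (crown jewel), set by asset owners
    path_to_critical: bool      # attack path from this asset to a critical one


def exposure_score(f: Finding) -> float:
    """Score 0-100 combining severity, attack feasibility and business impact.

    CVSS contributes only 30% of the score; the remaining 70% comes from
    exposure context (weights are assumptions chosen for illustration).
    """
    severity = f.cvss / 10.0
    feasibility = 0.2 + (0.5 if f.exploit_known else 0.0) + (0.3 if f.internet_facing else 0.0)
    impact = min(1.0, f.asset_criticality / 5.0 + (0.2 if f.path_to_critical else 0.0))
    raw = 0.3 * severity + 0.4 * feasibility + 0.3 * impact
    return round(100.0 * raw, 1)


def assign_sla(f: Finding) -> tuple[str, int, str]:
    """Map a finding to (tier, sla_days, reason) via thresholds plus a CVE floor.

    The floor keeps foundational vulnerability management intact: a finding
    with CVSS >= 9.0 never drops below 'medium', even when no exposure
    context justifies urgency, so context-free patching still happens.
    """
    score = exposure_score(f)
    if score >= 80:
        tier = "critical"
    elif score >= 60:
        tier = "high"
    elif score >= 45:
        tier = "medium"
    else:
        tier = "low"
    reason = f"score {score}"
    if f.cvss >= 9.0 and TIER_ORDER.index(tier) < TIER_ORDER.index("medium"):
        tier = "medium"
        reason = f"score {score}, raised to medium by CVSS>=9.0 floor"
    return tier, SLA_DAYS[tier], reason


def prioritize(findings: list[Finding]) -> list[tuple[str, float, str, int]]:
    """Return (finding_id, score, tier, sla_days) rows, most urgent first."""
    rows = []
    for f in findings:
        tier, days, _ = assign_sla(f)
        rows.append((f.finding_id, exposure_score(f), tier, days))
    # Sort by tier first (so the CVE floor is honored), then by score.
    rows.sort(key=lambda r: (-TIER_ORDER.index(r[2]), -r[1]))
    return rows


# Constructed findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-1", "lab-vm-07", cvss=9.8, exploit_known=False, internet_facing=False,
            asset_criticality=1, path_to_critical=False),
    Finding("F-2", "api-gw-01", cvss=7.5, exploit_known=True, internet_facing=True,
            asset_criticality=5, path_to_critical=True),
    Finding("F-3", "www-03", cvss=5.3, exploit_known=True, internet_facing=True,
            asset_criticality=2, path_to_critical=False),
    Finding("F-4", "jump-02", cvss=6.5, exploit_known=False, internet_facing=False,
            asset_criticality=4, path_to_critical=True),
]

if __name__ == "__main__":
    for fid, score, tier, days in prioritize(SAMPLE_FINDINGS):
        print(f"{fid}: score={score:5.1f} tier={tier:8s} sla={days}d")
```

Run as-is, the CVSS 9.8 lab finding (F-1) scores lowest and lands in the medium tier only because of the CVSS floor, while the internet-facing, exploitable API gateway finding (F-2) is critical with a 7-day SLA. In a real program the inputs for `exploit_known`, `internet_facing` and `path_to_critical` would come from threat intelligence, external attack surface data and attack path analysis rather than being hand-set, and the weights and thresholds would be agreed in the exposure management policy so that the SLA matrix is auditable.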
## Compliance Alignment
* **NIST Cybersecurity Framework (CSF):** Exposure management aligns most directly with the Identify function (ID.RA - Risk Assessment and, in CSF 1.1, ID.AM - Asset Management), with Protect (PR.IP - Information Protection Processes and Procedures, CSF 1.1) and with Detect (DE.CM - Security Continuous Monitoring).
* **ISO/IEC 27001:** Supports the risk assessment and treatment requirements of clauses 6.1.2, 6.1.3, 8.2 and 8.3 by providing continuous, contextualized risk assessment, and underpins Annex A controls A.5.7 (Threat intelligence) and A.8.8 (Management of technical vulnerabilities) in the 2022 numbering.
* **CIS Controls (v8):** Directly supports Controls 1 and 2 (Inventory and Control of Enterprise Assets and of Software Assets), Control 7 (Continuous Vulnerability Management), Control 15 (Service Provider Management) for third-party risk and Control 16 (Application Software Security).
## Common Pitfalls to Avoid
* **Treating Exposure Management as a One-Time Project:** Avoid launching the program with the expectation that it will be completed; it must be institutionalized as an ongoing, evolving program.
* **Abandoning Core VM:** Do not stop or de-prioritize essential, context-free patching and CVE remediation just because contextual risk prioritization is now available.
* **Ignoring Workflow Overload:** Failing to integrate automation and orchestration early, leading to remediation teams being swamped by the sheer volume of contextually prioritized issues.
* **Lack of Clear Governance:** Not establishing clear policies and SLAs upfront, resulting in inconsistent prioritization and lack of accountability across different teams.
## Resources
* **Threat Context Data:** Feeds for exploit intelligence and active threat detection (to determine "attack feasibility").
* **Exposure Management Platforms:** Tools capable of integrating data from multiple security domains (vulnerability, cloud, configuration, identity, application security) to perform attack path analysis.
* **CTEM Framework Documentation:** Reference materials detailing the Continuous Threat Exposure Management maturity model.