IT Jargon Explained

Exposure Management

Exposure management represents a more comprehensive, practical and proactive approach to elevating your organization's cybersecurity posture. Traditional approaches to vulnerability management have reached their limits, so organizations are increasingly adopting a newer approach to protecting their digital infrastructures.

What is exposure management?

Exposure management is the practice of proactively and selectively identifying, assessing and mitigating exposures across an organization's digital attack surface. It involves understanding possible access points and attack vectors, prioritizing the risks they present and implementing measures to protect against the most critical threats. The ultimate goal is to maintain actual exposures at an acceptable risk level.

How is exposure management different from vulnerability management?

Exposure management is more holistic, leveraging risk-based prioritization of exposures and validation of identified, prioritized exposures to deliver a comprehensive view of an organization's entire digital attack surface. It provides full visibility of assets like servers, endpoints, mobile devices, Internet of Things (IoT) devices and websites and the exposures those can create. Those include software exposures, missing patches, misconfigurations, weak or compromised credentials and more.

It also deals with the human risk involved: through regular security awareness training to educate employees about potential threats and best practices, by setting out clear protocols for them to follow in case of a security incident, by asking for employee input about potential vulnerabilities and security measures, and by designing user-friendly security tools to reduce human error.

What are some of exposure management’s guiding principles?

  • Gaining 100% visibility into all assets and exposures so an organization can see its entire attack surface.
  • Employing risk-based prioritization to target resources against the most critical exposures. Considerations include severity/exploitability, real-world threat context and potential business impact.
  • Using outcome-based metrics to measure the effectiveness of efforts to reduce overall risk posture.
  • Fostering collaboration among business units, security teams, IT teams and leadership via a data-driven approach to security investment that optimizes security posture and resource allocation.

That last principle is so important that it’s worth seeing how it works in practice.

First, leadership decides the overall risk tolerance level for the organization. Each business unit then informs the security team about the assets and systems critical to their processes. Security then determines how to direct its efforts in accordance with that guidance.

Downstream of this, IT and development teams tasked with exposure mitigation or remediation will follow the security team’s prioritizations. Collaboration is critical at this point because IT and developers must understand the reasons they’re being asked to act – otherwise, they might not act with the proper urgency.

Beyond traditional vulnerability management

Vulnerability management has been the bedrock upon which many cybersecurity programs have been built. Traditionally, its focus was on identifying and prioritizing exposures and weaknesses in software based on standardized scoring systems like the Common Vulnerability Scoring System (CVSS).

But this only gives IT and cybersecurity teams a narrow perspective on risk, so they might be investing a great deal of effort but achieving far from nominal protection. The inherent limitations of vulnerability management include:

  • Limited scope: It primarily targets exposures in operating systems and third-party software while neglecting other types of exposures in other types of assets. This results in blind spots that leave modern organizations exposed to a wider range of threats.
  • Focus on wrong exposures: Relying on CVSS can lead teams to focus on the wrong exposures, since it measures vulnerability severity (how easily a vulnerability could be exploited) but not risk (the potential impact of an exploit). This means organizations might prioritize remediating exposures with high severity levels even if they pose little or no real risk while ignoring others with low severity levels that pose high risk.
  • Too many exposures: Also, CVSS often rates many exposures as critical, unlike risk-based scoring systems, leading teams to expend much effort for minimal results. Many exposures could be exploited, but that never happens in practice. CVSS also only scores Common Vulnerabilities and Exposures (CVEs), while organizations also need to address other types such as misconfigurations; over-reliance on CVSS might mean they overlook these. With hundreds of thousands of CVEs and dozens, sometimes hundreds, more published every day to the National Vulnerability Database, it’s easy to see how vulnerability management may not be able to cope with many of them.
  • Activity-based metrics: Traditional vulnerability management often gauges success based on metrics like mean time to resolve (MTTR) and service-level agreement (SLA) adherence. These show whether a mitigation or remediation was carried out in a timely manner but not whether it had any impact on security posture.

Problems with outmoded approaches

Many costly breaches happen because of the gaps in vulnerability management we’ve already touched on. When hackers broke into Target’s network in 2013, it was due to network credentials stolen from a third-party vendor, resulting in the exposure of 40 million credit and debit card accounts. More recently, hackers targeted U.S. water utility and wastewater treatment systems by exploiting a vulnerability in programmable logic controllers, a type of operational technology system.

According to Verizon, use of exposures as an initial point of entry nearly tripled from 2023 to 2024, accounting for 14% of all breaches and driven by more attacks targeting unpatched, zero-day exposures.

The same research found that 95% of IT and Security professionals think AI will make security threats more dangerous. Yet nearly one in three have no strategy in place to address the risks presented by generative AI.

Still, many in corporate management aren’t aware of how vulnerable their organizations are. Research by Ivanti found 55% of IT and Security professionals feel non‑IT leaders don’t understand vulnerability management, and 47% of those leaders agreed.

And nearly two in three organizations surveyed are not yet investing in critical areas like external attack surface management (EASM). EASM is crucial for effective exposure management because it involves continuously discovering, assessing and prioritizing exposures, providing the visibility needed to protect against cyberattacks. By identifying and assessing internet-facing assets, EASM helps an organization comprehend its exposure landscape. For instance, EASM tools can uncover shadow IT applications and devices operating outside a security perimeter, creating possible attack vectors, or reveal exposures among third-party vendors and suppliers.

A more comprehensive approach

In 2022, Gartner published a report stressing the need to implement what it called a Continuous Threat Exposure Management (CTEM) program. That report set out an integrated, iterative and proactive approach to prioritizing and fixing exposures and continuously improving security posture.

It broached the concept that “good enough” cybersecurity is more pragmatic and attainable than trying to achieve “perfect” cybersecurity. This is accomplished by constantly identifying and prioritizing the exposures most likely to present threats to an organization.

CTEM is a structure for managing cyber risk — think of it as a framework like the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 or the Center for Internet Security (CIS) Controls version 8.1. It's a defined process for continuously identifying, assessing, validating and mitigating exposures. Exposure management is a broader term that refers to the overall practice of managing exposures across an organization's assets.

Many vendors are aligning their exposure management tools to CTEM, offering specific modules for each stage of the process.

Here are the approaches exposure management leverages that distinguish it from vulnerability management:

  • Expanded scope: Exposure management casts a wider net, encompassing a broader range of exposures than just software exposures; it also hunts down others such as weak credentials or ineffective data loss prevention implementations. It also encompasses assets that might be at risk, including misconfigured assets, insecure cloud environments and IoT devices. By monitoring and analyzing them all, an organization gains a clearer and more realistic picture of its overall risk posture.
  • Risk-based prioritization: Exposure management prioritizes exposures based on their potential impact on the organization, evaluating factors like business criticality, exploitability and the likelihood of an attack. This ensures resources are assigned so they’re mitigating the most critical risks first.
  • Outcome-based measurement: Exposure management shifts the focus from activity-based to outcome-based metrics. It measures the actual effectiveness of cybersecurity measures in improving an organization's risk posture, providing actionable insights for optimizing resources and defenses.

A toolkit for effective exposure management

Exposure management requires a multi-layered approach that puts a variety of tools and techniques to work. The specific ones an organization uses will depend on its size, industry and risk tolerance.

They're grouped into two main categories: exposure assessment and exposure validation.

Exposure assessment tools

  • External attack surface management (EASM): These are specifically focused on the external attack surface:
    • External asset identification: They identify all internet-facing assets, including websites, applications and cloud resources.
    • Exposure detection: They locate a variety of exposures in external assets that might be exploited.
    • Attack path analysis: Some advanced solutions can simulate potential attack paths to illuminate how attackers might exploit exposures.
    • Deep web monitoring: They scan the deep web and dark web to identify exposed assets or leaked credentials that could be used in attacks.
  • Cyber asset attack surface management (CAASM): In the past, CAASM tools have provided a unified view of an entire IT ecosystem and attack surface – the “single source of truth” about all internal and external assets. Today, CAASM capabilities are increasingly a part of EASM solutions, removing the need for separate CAASM tools.
  • Risk-based vulnerability management (RBVM): RBVM tools go beyond traditional vulnerability management by prioritizing exposures based on:
    • Exploitability: Whether they are already being actively exploited.
    • Business impact: What the impact on the organization would be if this vulnerability were exploited.

Exposure validation platforms

These are crucial in ensuring the accuracy of exposure prioritization:

  • Breach and attack simulation: These simulate real-world attack scenarios to test security controls' effectiveness and spot potential weaknesses.
  • Continuous automated red teaming: These provide ongoing red teaming exercises that simulate attacker behavior to continuously test defenses.
  • Penetration testing as a service (PTaaS): PTaaS lets an organization engage external penetration testers to conduct in-depth assessments of its security posture.

Implementing exposure management

Transitioning from vulnerability management to exposure management requires a detailed strategy. Here are key steps to include:

  • Build a framework for collaboration: Traditional vulnerability management often operates in a silo, with security teams solely responsible for identification, prioritization and then throwing the problem over the fence to IT for patching. But exposure management thrives on collaboration, so it’s important to start by building that in three areas:
    • Cross-functional collaboration: Your security team should work with different business units to know their critical systems and data. Understanding the needs of e-commerce, for example, helps prioritize exposures that might affect it, making risk assessment more precise by factoring in business impact.
    • Enhanced communication: Establish good communication with IT operations and developers who’ll be remediating exposures via patching and code changes. Justifying the need for a fix gets easier when they can see the business impact.
    • Board-level engagement: Metrics beyond basic activity levels (SLAs and MTTR) are necessary. Advanced metrics visualized on dashboards paint a clear picture of risk posture so board members, even without security expertise, can see the effectiveness and ROI of security efforts.
  • Setting risk tolerance: An organization must first decide its risk tolerance. It’s a business decision balancing the investment in security controls against the acceptable level of residual risk. It must include the cost of patching exposures, revising code, fixing misconfigurations, implementing other security measures and potential business disruptions. These must be weighed against the possible financial and reputational damage caused by a security breach. There are no standardized calculators for determining risk tolerance. It's a dynamic but necessary job that involves both security (who’ll provide data to inform the decision) and management.
  • Scoping: Define the assets and exposures that have to be assessed. This may involve collaborating with different business units to understand their critical systems and data.
  • Assessment tools: Leverage existing vulnerability scanners you might already have. But to get a more comprehensive view, consider incorporating additional tools like EASM solutions that identify internet-facing assets and potential exposures.
  • Prioritization: Integrate RBVM to prioritize exposures based on a combination of vulnerability severity, exploitability and potential business impact. This ensures you're addressing the most critical risks first.
  • Validation: Due to potential biases, consider separate validation tools or practices to ensure the accuracy of prioritization from RBVM.
  • Continuous improvement: Exposure management is ongoing, not a one-time fix. Regularly assess and refine your efforts to stay ahead of evolving threats.
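
The prioritization step above, as an added example that is not part of the original article or any vendor's product: it ranks the same exposures by CVSS alone and by severity, exploitability and business impact combined, then applies a leadership-set risk tolerance. The asset names, default severities for non-CVE exposures, the 0.3 discount and the tolerance of 20 are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# All names, scores and weights below are constructed for illustration.
@dataclass
class Exposure:
    name: str
    kind: str                  # "cve", "misconfiguration" or "credential"
    cvss: Optional[float]      # CVSS base score; None when no CVE exists
    exploited: bool            # real-world threat context: actively exploited?
    criticality: int           # 1..5, supplied by the owning business unit

# Assumed stand-in severities for exposure types CVSS does not score.
DEFAULT_SEVERITY = {"misconfiguration": 7.0, "credential": 8.0}
UNEXPLOITED_FACTOR = 0.3       # assumed discount when no exploitation is known
RISK_TOLERANCE = 20.0          # assumed threshold set by leadership (0..100)

EXPOSURES = [
    Exposure("CVE placeholder A on lab server", "cve", 9.8, False, 1),
    Exposure("CVE placeholder B on intranet wiki", "cve", 9.1, False, 2),
    Exposure("CVE placeholder C on payment gateway", "cve", 6.5, True, 5),
    Exposure("Default admin password on VPN appliance", "credential", None, True, 4),
    Exposure("Public storage bucket with customer exports", "misconfiguration", None, False, 5),
]

def cvss_rank(exposures):
    """Traditional view: only CVSS-scored items, highest severity first."""
    scored = [e for e in exposures if e.cvss is not None]
    return [e.name for e in sorted(scored, key=lambda e: e.cvss, reverse=True)]

def risk_score(e):
    """Severity x exploitability x business impact, scaled to 0..100."""
    severity = (e.cvss if e.cvss is not None else DEFAULT_SEVERITY[e.kind]) / 10
    threat = 1.0 if e.exploited else UNEXPLOITED_FACTOR
    return round(severity * threat * (e.criticality / 5) * 100, 1)

def risk_rank(exposures):
    """Risk-based view: every exposure type, highest risk first."""
    return [e.name for e in sorted(exposures, key=risk_score, reverse=True)]

def above_tolerance(exposures, tolerance=RISK_TOLERANCE):
    """Exposures whose residual risk exceeds what leadership accepts."""
    return [e.name for e in exposures if risk_score(e) > tolerance]

if __name__ == "__main__":
    print("CVSS order:", cvss_rank(EXPOSURES))
    for e in sorted(EXPOSURES, key=risk_score, reverse=True):
        print(f"{risk_score(e):5.1f}  {e.name}")
    print("Needs action:", above_tolerance(EXPOSURES))
```

The CVSS-only ranking puts the lab server first and never sees the password or bucket exposures; the risk-based ranking puts the lab server last and surfaces both non-CVE exposures above the tolerance line.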

The future of exposure management

A shift from reactive to proactive strategies will typify the future of exposure management. AI and automation will be crucial tools for predicting vulnerabilities, automating remediation efforts and integrating seamlessly with threat intelligence platforms. Internally, organizations will build collaboration and implement new tools and processes allowing them to make smarter, more effective and efficient decisions.

This holistic approach will extend to supply-chain security, which is already proving essential. Plus, exposure management will become even more pivotal in complying with evolving regulatory landscapes.

By integrating all these elements into a cohesive exposure management program, organizations will significantly improve their security posture at the time when it’s needed most.