
Threat Exposure Management: Continuous Monitoring and On-Going Assessment

This paper explains threat exposure management through its component processes and shows how it supports continuous monitoring and assessment of cyber threats alongside existing security platforms and tools.

Introduction 

The enterprise security community is always seeking new ways to improve how it addresses cyber risk, especially in the context of real-time posture management. A major component of the best modern strategies is continuity. Whereas many prior methods reviewed security at a given point in time, usually resulting in a status report, practitioners are now more interested in a continuous view that always reflects the current state.

This is certainly not a new idea, as breach and attack simulation (BAS), automated penetration testing, attack surface management (ASM), and crowdsourced bug bounty testing are all modern versions of early scanning solutions. These methods are consistent with this idea of on-going checks, but they are point solutions, and enterprise teams tend to prefer integrated platforms that combine siloed methods into a unified approach. 

To that end, a new model known as threat exposure management has emerged in the community. This paper outlines the salient aspects of implementing an exposure management program and shows how it supports the goal of continuous monitoring and on-going assessment of cyber threats. We hope the discussion is useful, since many commercial security platforms are now emerging that describe their functionality in terms of this model.

Overview of Threat Exposure Management 

Exposure management is a security practice focused on the reduction of threat exposure via a structured and iterative approach to prioritizing safeguards and improving security posture. Traditional approaches to scanning, testing, and vulnerability management are often somewhat less effective due to the rapidly expanding attack surface. Exposure management goes beyond common vulnerability management by integrating known and unknown vulnerabilities, as well as control gaps. 

Exposure management programs focus on the continuous cycles of security posture improvement by: 

  • Discovering your attack surface, its vulnerabilities, control weaknesses, and changes over time
  • Validating controls, threats, and attack paths
  • Prioritizing remediation for the validated exposure risks
  • Remediating and mitigating risks with the best option that balances risk reduction and business disruption

Many organizations can build exposure management programs by simply expanding existing functions, adding new capabilities, and integrating the results for a common purpose of seeking out threats and mitigating them before they endanger your environment. 

Discovery naturally includes vulnerabilities and configuration risks and should expand to build asset inventories with details of exposure risk and business context – i.e. the role that asset plays in business operations. The challenge is that the attack surface for most organizations continues to expand, so this is not a trivial step.  

The inclusion of validation is one of the biggest advantages of exposure management over traditional vulnerability management. Validation provides the confirmation of exposure risk by assessing the likelihood of attack success and identifying the potential impact of successful attacks. Security programs that already include controls testing and red teaming should connect those practices to the results from discovery to accomplish the goal of exposure validation. 

Prioritization is nothing new, but the need has never been greater as the number of vulnerabilities and potential threats grows exponentially. Prioritization in an exposure management program aims to focus your remediation on the threats that your organization is most likely to face. Security teams are now learning how important it is to connect controls with actual business risk.

The final step in exposure management is to mitigate the risk – and then retest to confirm and validate that the patch, configuration update, new control, or other remediation effectively addresses the risk. 
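The four steps above can be tied together in a few lines of code. The following is an added illustration, not taken from the original paper or from any vendor platform; the sample data, field names, and likelihood weights are all constructed assumptions. It shows how validation results and business context reorder a remediation queue compared with a severity-only ranking, and how a retest closes the loop.

```python
"""Added illustration: discovery + validation + business context -> queue.
All data, field names and weights below are constructed assumptions."""

# Discovery: asset inventory with business context (criticality 1-5).
ASSETS = {"pay-api": 5, "hr-portal": 3, "build-01": 2}

# Discovery: vulnerabilities and control gaps, severity on a 0-10 scale.
FINDINGS = [
    {"id": "F-1", "asset": "build-01", "kind": "vulnerability", "severity": 9.8},
    {"id": "F-2", "asset": "pay-api", "kind": "control_gap", "severity": 6.5},
    {"id": "F-3", "asset": "hr-portal", "kind": "vulnerability", "severity": 7.5},
    {"id": "F-4", "asset": "pay-api", "kind": "vulnerability", "severity": 8.1},
]

# Validation: outcome of controls testing or red teaming per finding.
# F-3 is absent because it has not been validated yet.
VALIDATION = {"F-1": "blocked", "F-2": "succeeded", "F-4": "blocked"}

# Assumed weights: a confirmed attack path outranks an untested finding,
# which outranks one that existing controls were shown to stop.
LIKELIHOOD = {"succeeded": 1.0, "untested": 0.5, "blocked": 0.1}

def outcome(finding_id, validation=VALIDATION):
    return validation.get(finding_id, "untested")

def exposure_score(finding, validation=VALIDATION):
    # Impact combines technical severity with the asset's business role.
    impact = finding["severity"] * ASSETS[finding["asset"]]
    return LIKELIHOOD[outcome(finding["id"], validation)] * impact

def severity_order(findings=FINDINGS):
    """Traditional ranking: highest severity first, no other context."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["severity"])]

def exposure_order(findings=FINDINGS, validation=VALIDATION):
    """Exposure ranking: validated likelihood times business impact."""
    ranked = sorted(findings, key=lambda f: -exposure_score(f, validation))
    return [f["id"] for f in ranked]

def needs_validation(findings=FINDINGS, validation=VALIDATION):
    """Findings to feed back into the validation step."""
    return [f["id"] for f in findings if outcome(f["id"], validation) == "untested"]

def retest(finding_id, retest_outcome, validation):
    """Record a retest; the finding closes only if the attack is now blocked."""
    validation[finding_id] = retest_outcome
    return retest_outcome == "blocked"

if __name__ == "__main__":
    print("severity only:", severity_order())
    print("exposure     :", exposure_order())
    print("to validate  :", needs_validation())
```

With this sample data the critical-severity finding on the low-criticality build host drops to the bottom of the queue because testing showed it is blocked, while the medium-severity control gap with a confirmed attack path on the payment API rises to the top.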

Practitioners are advised to make use of this exposure management model, but will find that platforms include some aspects of the model and often omit others. In addition, cost and implementation constraints will dictate that exposure management platforms be integrated with legacy and existing tools and platforms. This is usually done via application programming interfaces (APIs) or data sharing connectors.

Continuous Monitoring and Assessment 

Exposure management is not just about implementing a set of new security tools, but rather represents a more continuous monitoring and assessment program that requires cross-team collaboration and organizational-level remediation of vulnerabilities and gaps. Exposure management helps organizations plan optimization of their security posture, while also providing a framework for continuous improvement.  

Of course, exposure management does complement vulnerability management investment and can be integrated with other security initiatives. It requires a phased approach to deployment, starting with familiarization and gradually expanding to cover areas like attack surface management and security posture validation. By implementing exposure management programs, organizations can better manage their exposures and make informed decisions to enhance their overall security resilience. 

Next Steps 

Enterprise teams are well-served to absorb the exposure management model into their source selection process for new continuous security platforms. As suggested above, the integration of such new tools into existing programs (e.g., an on-going bug bounty program, a deployed vulnerability management process) must be a requirement, since no enterprise team has the budget to rip and replace their protection infrastructure – even if it represents an improvement. 

 

About TAG

TAG is a trusted next generation research and advisory company that utilizes an AI-powered SaaS platform to deliver on-demand insights, guidance, and recommendations to enterprise teams, government agencies, and commercial vendors in cybersecurity, artificial intelligence, and climate science/sustainability. 

To learn more about threat exposure management, read the full Threat Exposure Management eBook written by TAG’s senior analysts.