Full Report
Part two of our Exposure Management Academy series on exposure management maturity explores how organizations like Drogaria Araujo, Tenable and Verizon have applied exposure management to strengthen their security postures. Key takeaways:Case studies of Drogaria Araujo, Tenable and Verizon illustrate how exposure management provides tangible benefits to organizations of different sizes and security maturity levels. The companies improved visibility, unified siloed data and prioritized risks that create attack paths leading to their organizations’ most critical assets. Implementing exposure management principles is a crucial step for organizations aiming to enhance their security posture and mitigate cyber threats effectively.In the first post in this series, we explored the five stages of the Exposure Management Maturity Model: Ad Hoc, Defined, Standardized, Advanced and Optimized. In this post, we explore three case studies to understand how an exposure management platform can help organizations advance their cybersecurity programs. We look at how the core principles of exposure management, supported via the implementation of an exposure management platform, helped these companies achieve better cybersecurity and compliance outcomes.Drogaria Araujo uses exposure management to improve attack surface visibility Drogaria Araujo, a leading Brazilian pharmacy chain, turned to exposure management to improve attack surface visibility and gain the context the CISO needed to report on his company’s highest-risk exposures and demonstrate compliance with Brazil’s General Data Protection Law (LGPD). Drogaria Araujo relies on a geographically dispersed, hybrid infrastructure consisting of traditional IT systems and a rapidly growing cloud footprint. Prior to embracing exposure management, the company’s initial security practices depended on basic vulnerability assessment of their IT infrastructure. This resulted in a storm of noisy findings — and a lot of remediation tickets — which strained security and IT teams, despite the fact that these assessments didn’t pull in findings from cloud, identity or OT systems.Typically, most organizations would look to evolve vulnerability assessment to a vulnerability management program, or maybe a more robust risk-based vulnerability management program. But the firm’s team set its sights on a holistic exposure management program that could better satisfy its needs, one that accounted for the expanding attack surface and encompassed all cybersecurity risks that lead to exposure. The company said it selected the Tenable One Exposure Management platform because it provides a unified view of the attack surface across on-premises, cloud, identity and OT environments. This enables the security team to spot cloud misconfigurations and identity-related weaknesses, in addition to traditional software vulnerabilities, that, when combined, create attack paths for threat actors.Drogaria Araujo’s experience demonstrates how an organization can quickly and cost-effectively expand its visibility with an exposure management platform.Tenable turns to exposure management to integrate and unify security data At Tenable, the need to consolidate security data from across more than 50 tools, improve prioritization and automate reporting were the catalysts for implementing an exposure management program. Tenable’s CSO began the exposure management journey by establishing a central team that could own all security policies across various security domains, including vulnerability management, cloud security, web application security and others. It made sense to extend the charter of the vulnerability management team to exposure management as the central control point. But this alone was not enough.Tenable recognized it also needed to unify its asset and risk data across disparate tools, so it used the Tenable One Exposure Management Platform to aggregate data from Tenable-specific tools and provide rich relationship context, prioritization and KPIs. Following Tenable’s acquisition of Vulcan Cyber, the security team was able to feed data from third-party tools into Tenable One. Within the first 48 hours of turning on this new third-party data ingestion capability, Tenable was able to integrate and unify data from 15 third-party tools. Reporting, which previously took the security team an average of three days to manually create, became available in minutes. In addition, the exposure management team was able to extend its scope of visibility from less than 10,000 assets to more than 100,000, representing the entire attack surface, and reduce alert to ticket volume by 1,500 to 1 — all with the same number of staff. Assess your exposure management maturityDo you have elements of an exposure management program in place? Take our exposure management maturity assessment to find out. Verizon uses exposure management to prioritize real-world risks and exploitable threats Global telecommunications leader Verizon faced the inherent challenges of managing one of the most vast and complex attack surfaces in the world. Like many large organizations, security teams at Verizon had traditionally operated in silos, each with its own specialized tools and priorities for areas like attack surface management, vulnerability scanning, identity exposure and cloud security. However, this siloed approach hindered efficient response and raised the potential for visibility gaps falling outside a team's specific area of responsibility or expertise. Recognizing that a reactive approach to managing risk wasn’t enough, Verizon shifted its cybersecurity focus to proactive exposure management. In a recent case study and blog post, Verizon said it chose to consolidate its proactive security efforts onto a single platform — Tenable One. This move enabled the integration of data from various security domains, providing a unified view of assets and associated risks. This consolidation was not just a technological shift but also an organizational one, requiring a change in how teams collaborated and shared data. Through transparent communication and demonstrating early value, Verizon was able to unify its security functions, including previously separate attack surface management, Active Directory, IoT and OT security teams.A core principle of Verizon's new exposure management program is prioritizing real-world risks and exploitable threats rather than addressing every risk finding. The company prioritizes risks that are part of a realistic attack path leading to "crown jewel" assets. This approach enables it to strategically address the most significant exposures, enabling clearer communication with executives about what is at risk and the most urgent priorities, ultimately shifting from a compliance-driven to a risk-based security posture.Harnessing the power of exposure managementThese case studies illustrate the very real benefits of exposure management. Whether you're looking to unify siloed data or achieve the highest levels of proactive security, exposure management provides the framework.Learn moreReady to understand where your organization stands and how to accelerate your journey? Take our exposure management maturity assessment. In less than five minutes, you’ll get a personalized report with recommendations tailored to your organization.
Analysis Summary
# Best Practices: Maturing Cybersecurity Posture through Exposure Management
## Overview
These practices focus on transforming security operations from a fragmented, compliance-driven approach to a cohesive, risk-based security posture, primarily achieved through the implementation of holistic Exposure Management programs. This involves unifying disparate security data sources, prioritizing threats based on real-world exploitability, and focusing remediation efforts on protecting critical assets.
## Key Recommendations
### Immediate Actions
1. **Establish Unified Visibility:** Immediately integrate data from siloed security functions (e.g., Attack Surface Management, Active Directory, IoT/OT security) into a central platform to form a comprehensive view of the entire attack surface.
2. **Prioritize by Exploitability:** Shift focus from addressing every minor finding to prioritizing remediation efforts based on real-world exploitable risks and threats.
3. **Identify Crown Jewel Assets:** Document and clearly define the organization's "crown jewel" or most critical business assets that require the highest level of protection.
### Short-term Improvements (1-3 months)
1. **Map Attack Paths:** Begin actively tracing and prioritizing security findings that form a realistic attack path leading directly to "crown jewel" assets.
2. **Align Remediation to Risk:** Ensure that remediation campaigns are strategically aligned with the prioritized, high-impact attack paths rather than random enumeration of vulnerabilities.
3. **Introduce Exposure Analytics:** Begin utilizing tools that provide exposure analytics to continuously monitor the effectiveness of risk reduction efforts.
### Long-term Strategy (3+ months)
1. **Achieve Risk-Based Security Posture:** Fully transition the organizational security culture and operations from being primarily compliance-driven to being risk-based, driven by quantified exposure metrics.
2. **Optimize Resource Efficiency:** Use exposure management insights to direct limited security resources (personnel and budget) toward areas that provide the greatest reduction in business risk.
3. **Enhance Executive Communication:** Leverage aggregated, risk-focused reporting to clearly and accurately communicate the current cyber risk posture, urgent priorities, and remediation progress to executive leadership.
## Implementation Guidance
### For Small Organizations
- Focus on achieving foundational visibility across your most critical assets first.
- Utilize free or entry-level tools for initial vulnerability scanning and attack surface discovery.
- Adopt a simplified, single-platform approach to avoid the complexity of integrating multiple disparate tools early on.
### For Medium Organizations
- Prioritize connecting data sources relevant to your primary risk vectors (e.g., integrating cloud security posture management (CSPM) data if you are cloud-native).
- Begin formalizing the concept of "crown jewels" and integrate this context into your existing vulnerability management workflows.
- Pilot attack path analysis to refine remediation prioritization lists.
### For Large Enterprises
- Mandate the unification of previously separate security teams (e.g., ASM, AD, IoT/OT security) under a centralized exposure management governance model.
- Leverage AI-powered exposure management platforms to handle the scale and complexity of data integration and sophisticated exposure analytics.
- Establish continuous monitoring loops for security hygiene across the entire infrastructure portfolio (Cloud, IT, OT).
## Configuration Examples
*This source material emphasizes methodology (Exposure Management) rather than specific command-line configurations. Specific technical configurations would depend entirely on the chosen Exposure Management Platform.*
**Conceptual Configuration Focus:**
1. Configure **Connectors** to seamlessly ingest data from existing third-party security tools (e.g., endpoint detection, cloud configuration scanners, directory services) into the central exposure management hub.
2. Define **Risk Rules** within the platform that automatically elevate findings if they exist on an asset tagged as a "Crown Jewel" or that are known to participate in a critical exploit chain (e.g., those associated with CISA KEV catalog entries).
## Compliance Alignment
The shift toward Exposure Management inherently supports robust compliance efforts by providing verifiable data on risk reduction and security hygiene:
- **NIST Cybersecurity Framework (CSF):** Directly aligns with all five functions (Identify, Protect, Detect, Respond, Recover) by providing holistic risk context for decision-making.
- **ISO 27001:** Assists in demonstrating due diligence in risk treatment by prioritizing remediation based on impact rather than just severity scores.
- **CIS Controls:** Provides the data necessary to measure the effectiveness of implementing foundational security controls (e.g., inventory, vulnerability management).
## Common Pitfalls to Avoid
1. **Continuing to Treat All Risks Equally:** Failing to move beyond generic vulnerability severity scores and not incorporating exploitability or asset criticality into prioritization.
2. **Data Siloing Persistence:** Allowing security teams to operate independently after adopting a unified platform (e.g., only the vulnerability team uses the data, ignoring OT or Identity findings).
3. **Focusing Only on Compliance Checkboxes:** Using the exposure management tool merely to report on compliance gaps instead of leveraging it strategically to reduce the likelihood of a **real** breach.
## Resources
- **Exposure Management Maturity Assessment:** Utilize organizational assessments to benchmark current status and receive tailored recommendations for improvement. (Tool link referenced: $\text{assess.tenable.com/exposure-management-maturity-assessment}$)
- **Continuous Threat Exposure Management (CTEM) Framework:** Research established frameworks for structuring the holistic management of external and internal exposures.
- **Tenable One Platform Documentation:** Review vendor documentation for guides on platform integration, connector setup, and achieving risk-based reporting.