
How to Use Risk-Based Metrics in an Exposure Management Program




Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable security engineers Arnie Cabral and Jason Schavel share how you can use risk-based metrics. You can read the entire Exposure Management Academy series here.

We’re information security engineers at Tenable. If you’re anything like us, you spend your days on the front lines of the battle against a constantly changing set of cybersecurity threats. No matter your role, you probably face any number of complex challenges to stay one step ahead of the bad guys. 

To be most effective, you need to move beyond operating in silos and bring all of the data together. That is exactly what exposure management does.

Maybe you’re contemplating a move to exposure management or maybe you’ve already started the shift. (Not sure how mature your program is? Check out the Tenable exposure management security assessment.) No matter where you are, exposure management represents a fundamental shift toward a unified view of exposures across the attack surface. It involves continuously discovering, assessing, prioritizing and remediating all types of security exposures, including vulnerabilities, misconfigurations and excessive permissions across various assets. As we like to say, “give us all the things.”

In our roles, we are helping Tenable move in this direction. So we thought we’d share some of our experiences. 

If you have any questions or you’d like to share your exposure management experiences with us, please use the form at the bottom of the page. 

Managing exposures

Exposure management is about more than just finding flaws. It's about understanding business risk and prioritizing actions that reduce the potential for attack. If you react to every alert or finding, you’ll soon end up draining your resources, burning out the staff and wasting tons of valuable time.

So, with limited resources, how can security teams effectively manage the vast threat landscape and focus on what truly matters? 

Robust, risk-based metrics guide each step of the exposure management lifecycle. The lifecycle begins with comprehensive, continuous discovery of all assets, identities and applications. You then prioritize exposures based on business impact and technical context, and proactively mitigate the highest-risk ones through remediation. Repeat that cycle and you have an ongoing exposure management process.

Exposure management builds on vulnerability management, which reports findings by severity, and on risk-based vulnerability management (RBVM), which adds context and prioritization. In addition, it ingests a wide array of security data sources from across the enterprise. That added context means we can look at more than just the usual data points for each asset.

This approach can transform raw data into actionable intelligence so your organization has a focused, proactive defense.

Tracking progress with exposure management

A fundamental part of effective exposure management is consistent, clear communication about the organization's risk posture. Exposure management helps us paint a more holistic picture of our environment. For example, we monitor our cloud accounts and we have several different sensors there. Exposure management unites all those sources and shows us everything in a consolidated view, in contrast to the old way of looking at the data via multiple point products and having to put that all together manually.

Risk-based metrics provide a snapshot comparing the current exposure landscape to previous periods. They offer an overview of quantifiable risk across different business units and asset groups. Frequent assessments are essential for tracking progress, identifying emerging risk areas and informing strategic decisions within a continuous exposure management framework.

Considerations that drive exposure prioritization

Our exposure management program relies on metrics that facilitate effective prioritization. It’s about understanding which exposures represent the most significant threat right now and communicating those threats to the right asset owners to ensure effective remediation of findings:

  • Exploitability and threat context: Is there a known exploit for this exposure? Is it being actively used by threat actors? Prioritizing exposures based on real-world threat intelligence ensures remediations target the most likely attack vectors.
  • Asset criticality and business context: How critical is the affected asset to the business? Understanding the potential impact of an exploit guides prioritization beyond technical severity alone.
  • Actual impact vs. theoretical risk: A high-severity vulnerability might pose little actual risk in your specific environment due to mitigating controls or specific configurations. Assessing actual impact helps filter out less critical issues, though investigating every exposure's context remains challenging.
  • Remediation service level agreements (SLAs): Tracking remediation timeliness against SLAs provides a crucial performance indicator for the exposure management program. Deviations often point to bottlenecks or systemic issues in remediation workflows, patching processes, or asset visibility that need addressing.
  • Exposure trends: Monitoring trends over time so you can understand whether exposures are increasing or decreasing (overall and in specific areas) is vital. Upward trends signal potential breakdowns or emerging risks requiring investigation and potentially resource reallocation.
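To make these considerations concrete, here is an added example of how they can be turned into numbers. It is our illustration, not Tenable's scoring model or any product's algorithm: the multipliers, priority tiers, SLA windows, asset names and findings are all hypothetical and constructed inline so the script runs offline. It scores each finding by combining technical severity with exploit status, asset criticality and compensating controls, assigns a remediation SLA by tier, reports SLA compliance, and computes the period-over-period trend in open risk.

```python
"""Illustrative risk-based exposure metrics.

Added example, not Tenable's scoring model: the weights, SLA tiers and
findings below are hypothetical and constructed inline so the script runs offline.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # technical severity alone (0-10)
    known_exploit: bool         # public exploit code exists
    actively_exploited: bool    # seen in the wild, e.g. on a KEV-style list
    asset_criticality: int      # 1 (lab box) .. 5 (crown jewel), set by the asset owner
    mitigated: bool             # a compensating control blocks the known attack path
    discovered: date
    remediated: Optional[date] = None


# Hypothetical multipliers: threat context and business context scale technical severity.
EXPLOIT_WEIGHT = {"active": 2.0, "public": 1.5, "none": 1.0}
CRITICALITY_WEIGHT = {1: 0.5, 2: 0.75, 3: 1.0, 4: 1.25, 5: 1.5}
MITIGATED_DISCOUNT = 0.4        # share of risk that remains behind a compensating control
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}   # hypothetical remediation SLA per tier


def exposure_score(f: Finding) -> float:
    """Severity x exploitability x asset criticality, discounted for mitigations."""
    threat = "active" if f.actively_exploited else "public" if f.known_exploit else "none"
    score = f.cvss * EXPLOIT_WEIGHT[threat] * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.mitigated:
        score *= MITIGATED_DISCOUNT
    return round(score, 2)


def priority_tier(score: float) -> str:
    """Bucket a score into the tier that sets its remediation SLA."""
    if score >= 15.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def rank_by_exposure(findings):
    """Finding IDs ordered by exposure score, highest first."""
    return [f.finding_id for f in sorted(findings, key=exposure_score, reverse=True)]


def sla_status(f: Finding, today: date) -> str:
    """met/missed for closed findings, open/breached for ones still outstanding."""
    allowed = SLA_DAYS[priority_tier(exposure_score(f))]
    age = ((f.remediated or today) - f.discovered).days
    if f.remediated:
        return "met" if age <= allowed else "missed"
    return "open" if age <= allowed else "breached"


def sla_compliance(findings, today: date) -> float:
    """Fraction of closed findings remediated within their tier's SLA."""
    closed = [f for f in findings if f.remediated]
    if not closed:
        return 1.0                      # nothing closed yet, so nothing missed
    return round(sum(sla_status(f, today) == "met" for f in closed) / len(closed), 2)


def open_risk(findings) -> float:
    """Sum of exposure scores still open: the number to trend period over period."""
    return round(sum(exposure_score(f) for f in findings if f.remediated is None), 2)


def risk_trend(previous_open_risk: float, current_open_risk: float) -> float:
    """Percent change in open risk; positive means exposure is growing."""
    return round((current_open_risk - previous_open_risk) / previous_open_risk * 100, 1)


# Constructed sample findings (not real assets or CVEs).
TODAY = date(2024, 6, 15)
SAMPLE = [
    Finding("F-1", "payments-api", 9.8, True, True, 5, False, date(2024, 6, 1)),
    Finding("F-2", "intranet-wiki", 9.8, True, False, 2, True, date(2024, 5, 1), date(2024, 5, 20)),
    Finding("F-3", "build-server", 7.2, True, False, 4, False, date(2024, 5, 10), date(2024, 6, 14)),
    Finding("F-4", "dev-laptop", 5.3, False, False, 1, False, date(2024, 6, 10)),
]
LAST_PERIOD_OPEN_RISK = 45.0    # constructed figure from the previous reporting period


if __name__ == "__main__":
    for f in SAMPLE:
        s = exposure_score(f)
        print(f"{f.finding_id} {f.asset:14} cvss={f.cvss} score={s:5} "
              f"{priority_tier(s)} sla={sla_status(f, TODAY)}")
    print("ranking:", rank_by_exposure(SAMPLE))
    print("SLA compliance:", sla_compliance(SAMPLE, TODAY))
    print("open risk:", open_risk(SAMPLE),
          "trend %:", risk_trend(LAST_PERIOD_OPEN_RISK, open_risk(SAMPLE)))
```

The point of the sample data is the ranking it produces: F-2, a CVSS 9.8 finding on a low-criticality wiki behind a compensating control, ends up below F-3, a CVSS 7.2 finding on an important build server with public exploit code. The same scores drive the SLA clock, so the SLA compliance figure and the open-risk trend fall out of the prioritization rather than being tracked separately.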

Getting to informed decisions 

Risk-based metrics are fundamental to each stage of the exposure management lifecycle. We look at it like this: 

  • Discovery and assessment: Metrics give us the context we need to understand the raw data we gather from scanning and assessment tools.
  • Prioritization: These metrics provide an objective basis to help us decide which exposures we should tackle first.
  • Validation: Often, it can be hard to validate our remediation efforts. We can use metrics to understand whether we succeeded and if we reduced risk.
  • Mobilization: Clear reporting based on these metrics helps mobilize the right teams and secure necessary resources.

By using metrics to connect technical findings with business risk, we have been able to communicate more effectively with our leadership. In turn, we have data that justifies the resources we need for targeted remediations and we’ve demonstrated the value of our exposure management program.

Takeaways

Incorporating risk-based metrics into an exposure management program means dealing with diverse asset types (user workstations, mobile devices, cloud, IoT and so on), keeping the data from disparate tools accurate and consistent, and maintaining visibility as the attack surface changes.

But an effective exposure management program requires more than just tools. Your metrics-driven approach should help you to continuously understand and reduce risk across the entire attack surface. 

With risk-based metrics focused on exploitability, impact, SLAs and trends, you’ll start to move beyond reactive prioritization. You and your team will proactively prioritize efforts, make smarter remediation decisions and optimize resource allocation. Ultimately, you’ll build a more resilient defense.

Have a question about exposure management you’d like us to tackle?

We’re all ears. Share your question and maybe we’ll feature it in a future post.
