Exposure Management? Understanding the Attacker Takes Center Stage

Most companies know that they have significant vulnerabilities, and increasingly want cybersecurity technology that helps them prioritize their approach to securing systems, applications, and data — and vendors are accommodating those efforts.

Tenable introduced an "exposure management" platform, which combines its previous acquisition of attack surface management firm Bit Discovery, with vulnerability and exposure intelligence from its other products into a unified platform. The company is the latest vendor to create a new category of products that aims to centralize data from a variety of systems to create an attacker's eye view of a company's exposed systems and data, as well as give customers recommendations on which systems to fix first.

The platform, Tenable One, attempts to satisfy the demands of customers, says Nicolas Popp, chief product officer at Tenable.

"When you talk to customers, the first thing they tell you is, 'Help me find all my exposures across the attack surface,'" he says. "But then, at that point, you have discovered so many assets and security issues that the big problem becomes 'You cannot fix everything, so can you help me prioritize?'"

The drive for simplification — as well as the current uncertain economic times — have companies looking to consolidate their vendors, with a focus on companies that help businesses understand their cybersecurity weaknesses and highlight ways to protect their attack surface. In September, a Gartner survey found that three-quarters of companies planned to reduce the number of cybersecurity vendors from whom they buy products and services.

The top candidates for those acquisitions have been attack surface management startups and prioritization intelligence service providers. In 2021, Cisco acquired vulnerability management and prioritization firm Kenna Security, and Microsoft announced its intent to purchase RiskIQ, an asset discovery and attack-surface management firm. At the RSA Conference this year, IBM announced plans to purchase Randori, also an attack-surface management firm.

The vendors are responding to their customers' economic reality, says Jess Burn, senior analyst on the security and risk research team at Forrester Research, a business intelligence firm.

"As we head into more and more uncertain economic times, there will be pressure on the budget to consolidate and move to specific platforms that offer as many capabilities as you can get," she says. "And I also think, if not consolidation there will be demand for tight integration with as many of your other systems as possible."

In its announcement of the Tenable One platform, Tenable noted that the average large organizations have more than 130 cybersecurity point solutions, and the plethora of products results in a sprawl of data. Tenable aims to bring together all that data into a single intelligence silo that helps companies identify their weakest points and prioritize remediation, says Tenable's Popp.

"The first idea of exposure management is that you need visibility into your exposure across the entire attack surface — cloud, active directory, OT, traditional infrastructure, user machines, and source code — the entire thing," he says. "Extending the breadth of the platform is about giving you unified visibility across the attack surface."

The names of these categories are all fairly new. While attack surface management is increasingly known, many security professionals do not know about cloud security posture management, for example. Exposure management is likely not an original term, but Tenable has invested a lot into equating itself with the term, even adopting the motto "The Cyber Exposure Company."

"These are not categories that people are asking for by name right now," says Forrester's Burn. "They are being exposed to the concepts themselves through the provider community, when they do activities like breach and attack simulations."

The goal of any of the latest crop of products — whether exposure management, attack surface management, or next-generation vulnerability management platforms — is to determine where the greatest risks lie, Burn says. The best platforms integrate a massive number of sources of data with which companies are already dealing. Hints of weaknesses and exploitation can be found using vulnerability scanning, external asset discovery, identity and access management system, endpoint scanning, and network log files, but the volume of data hides critical information.

"There is already too much data, and really long to-do lists for both security and IT," she says. "It is not going to help with security if more data is added to the pile, so this is something that people need to adopt. Otherwise, all that data is just noise."