At Tenable, we believe that you need exposure management to protect your modern attack surface. But it’s not just us. We feel the Gartner “Predicts 2023: Enterprises Must Expand from Threat to Exposure Management” report is required reading for cybersecurity teams adopting an exposure management program and platform.
At Tenable, we see this scenario every day when we talk to cybersecurity leaders: As IT environments become increasingly dynamic, complex and distributed, they become harder to protect, leading to the adoption of myriad point products to assess multiple assets and exposure types.
That’s why we believe that to protect the modern attack surface, cybersecurity teams must adopt an exposure management program that lets them proactively prevent breaches by providing:
- Comprehensive visibility of all assets, vulnerabilities and misconfigurations
- The ability to predict and prioritize which threats to address first
- A centralized, easy-to-communicate view of cyber risk
Gartner insights on exposure management
In December 2022, Gartner published the report “Predicts 2023: Enterprises Must Expand From Threat to Exposure Management.”1 In this blog we highlight three portions of this report and provide Tenable’s perspective on each:
- Key findings
- Recommendations
- Strategic planning assumptions
These insights reflect only a portion of the Gartner report, which we believe cybersecurity leaders and practitioners should read in its entirety as they anchor their cybersecurity programs on exposure management.
Key findings from the report
- “The responsibility for remediation extends beyond security teams and sometimes beyond the organization’s control as more critical data is accessed or owned by partners.”
- “Fully remote workers often lack the same security controls as workers who are within corporate networks, yet many security teams consider their remote access security problem solved.”
- “Enterprise threat exposure goes beyond software vulnerabilities that can often be (virtually) patched automatically.”
- “Ever-growing adoption of cloud services and evolving work habits expand the attack surface faster than threat detection and response controls mature.”
Tenable’s take on the report’s key findings
It’s crystal clear to us that organizations must evolve and expand their security programs beyond traditional vulnerability management, where software flaws of on-prem assets are fixed via patches.
For example, the threat from remote workers whose home-based setups often have weak security controls heightens the importance of granularly managing increasingly complex identity and access privileges in systems like Active Directory.
As attackers try to take advantage of all the gaps and blind spots in modern and dynamic IT environments – not just software vulnerabilities, but also cloud misconfigurations and the aforementioned identity flaws – cybersecurity teams encounter critical challenges, including:
- Limited visibility into the extended and amorphous attack surface
- Fragmented context stemming from organizational silos and tool sprawl
- Skills shortage and budgetary constraints
- Lack of comprehensive metrics
- Difficulty assessing and communicating risk to the C-suite and the board
To understand the deep and broad scope of today’s exposures and take preventative and precise actions, we believe that cybersecurity teams must take a holistic approach and bring together in an exposure management program for areas including:
- vulnerability management
- web application security
- cloud security
- operational technology security
- identity security
- attack path analysis
- external attack surface management
Recommendations from the Gartner report
In its Recommendations section, the report states:
“Security and risk management leaders responsible for managing today’s and tomorrow’s enterprise exposure to threats should:
- Embrace a security posture validation approach to augment their prioritization workflow and enhance cybersecurity readiness.
- Broaden security visibility to include systems and subscriptions that are business critical, but perhaps not owned by IT or managed by the business.
- Integrate continuous threat exposure management principles progressively, notably the inclusion of non-patchable exposure, in the scope.
- Invest in a long-term strategy to migrate from an access management mindset to a continuous adaptive trust (CAT) approach.”
Tenable’s take on the report recommendations
At Tenable, we believe that full visibility of all assets and of their security weaknesses is key in order for security teams to make quick decisions and prioritize which exposures to address first. That includes not only approved and conventional assets, but also “shadow IT” products, such as consumer-grade cloud applications used by staffers without IT’s permission for work tasks.
With exposure management, the security team gets comprehensive, continuously updated visibility into the attack surface, as well as the data required for deciding what needs to be prioritized based on the risk to the business.
At Tenable, it’s our view that to create an effective, comprehensive exposure management program, you should follow these five steps:
- Assess your security technologies to determine if they offer you comprehensive insights into your exposures, derived from a unified and uniform security data set
- Identify blind spots in your attack surface, especially assets connected to the internet that are externally accessible
- Determine how to best prioritize your preventative efforts
- Evaluate your remediation processes to identify opportunities for improvement
- Rate your ability to communicate risks clearly to all stakeholders – from security leaders to the board
Gartner report’s strategic planning assumptions
- “Through 2026, non-patchable attack surfaces will grow from less than 10% to more than half of the enterprise’s total exposure, reducing the impact of automated remediation practices.
- Through 2025, security leaders who implement cross-team mobilization as part of their exposure management program will gain 50% more security optimization than those only prioritizing automated remediation.
- By 2027, the likelihood of breaches will increase threefold for organizations who fail to continuously manage remote access architecture and processes.
- Through 2026, more than 60% of threat detection, investigation and response (TDIR) capabilities will leverage exposure management data to validate and prioritize detected threats, up from less than 5% today.”
Tenable’s take on the report’s strategic planning assumptions
By adopting an exposure management program and platform, organizations can shift from a reactive and siloed approach, hampered by tool sprawl and fragmented data, to a proactive, holistic and preventative strategy.
With exposure management, cybersecurity teams get full visibility into the attack surface – from endpoints to the cloud so that they can anticipate threats, prioritize remediation and slash risk.
We’ve identified a variety of benefits that stem from adopting an exposure management platform — like the Tenable One Exposure Management Platform — as opposed to having a collection of “best of breed” tools that don’t interoperate well, or at all.
- Improved security posture
- Reduced complexity
- Improved prioritization of exposures for remediation
- Simplified management
- Improved integration of tools
- Unified reporting
- Cost effectiveness
To get all the details about the Gartner report “Predicts 2023: Enterprises Must Expand from Threat to Exposure Management,” download it here.
To learn more about the benefits of adopting an exposure management program and platform, check out the following Tenable resources:
- 3 Real-World Challenges Facing Cybersecurity Organizations: How an Exposure Management Platform Can Help (white paper)
1Gartner, Predicts 2023: Enterprises Must Expand From Threat to Exposure Management, 1 December 2022, Jeremy D'Hoinne, Pete Shoard, Mitchell Schneider, John Watts.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.