What is exposure management?
Constituents
This publication is intended for IT and security professionals (administrators, ISOs and CISOs) who are aware that they need to get a better grip on the exposure of their organisation’s network and information systems so they can improve their resilience.
Background
Exposure and exposure management are interrelated. Exposure involves the extent to which your organisation’s network and information systems are visible and accessible to threats. A threat can only manifest if a network or information system is exposed to that threat. If you want to get a grip on your digital risks, you must be aware of your systems’ exposure level.
Exposure management is highly relevant in the context of the NIS2 Directive. Article 21 specifies that organisations must conduct a risk assessment and implement suitable security measures. Exposure management provides focus for organisations to comply with this requirement. This article focuses on systems with a direct internet connection since these are most easily accessible to malicious parties. Be aware of what is visible and gain insight into what you don’t see – because you can’t protect what you don’t see.
Exposure and exposure management: what are they?
Exposure management means the process through which you gain insight into, and get a grip on, your organisation’s system exposure. Exposure management allows you to lift your organisation’s digital resilience to a suitable level.
Exposure
Exposure of network and information systems is necessary for your organisation to function properly. Employees can consult a database, exchange e-mails, and sometimes change a configuration as part of your regular operations, in the office, in the production space, or on the road. The network and information systems your employees use for these purposes must be visible and accessible to them, but this also exposes them to malicious parties.
In addition to the network and information systems your IT organisation manages, employees sometimes use other digital systems for their work as well, for instance personal devices such as their own mobile phones or online file transfer services. Such ‘shadow IT’ is not managed by the IT management department, yet also represents exposure of your organisation.
As shown in Table 1, network and information systems can be exposed to the outside world in various ways. For instance, physical interaction may be required to operate a system, or an employee may need to log on to a local network to do their work; this limits exposure, since a malicious party would need the same physical or network access to perpetrate an attack. However, network and information systems are increasingly accessible via the internet, which increases exposure. This is the most relevant and urgent category for most organisations, which is why we focus on it most closely in this publication.
Table 1: Exposure categories and threat types
The scope of this publication is the external network-facing category.
| Category | How is the system accessed? | Where can the attacker be located? | Examples of assets that can be attacked |
|---|---|---|---|
| External network-facing | Open to the internet | Anywhere in the world | Websites, cloud servers, online APIs |
| Adjacent network-facing | Access to specific network | Within the same network | (Company) WiFi, internal systems |
| Local | Local access to the system | Within the same system | Local databases (in-house management) |
| Live in-person | Physical interaction required | Must be present at the device’s location | Server rooms (in-house management) |
Exposure Management
Exposure management is a process that aims to gain insight into, and get a grip on, the exposure of your organisation’s network and information systems, and to ensure that it is controlled before malicious parties can gain unauthorised access.
Exposure management has three key characteristics:
- It is an ongoing process. Your organisation and its network and information systems are in continuous development, requiring continuous adaptation and improvement.
- It is a combination of processes and analyses executed by people on the one hand, and automatic tooling on the other. Tooling can be used to detect, assess, prioritise and limit the exposure of digital assets with minimum effort. However, its results must be analysed and understood by actual people.
- It must be embedded within your organisation’s risk management process. Exposure management helps to analyse, prioritise and control digital risks.
It is not an independent process but is closely intertwined with other cybersecurity processes. Key aspects in this context are asset management, vulnerability management, and risk management.
- Asset management is the process that provides ongoing insight into all of the information and network systems in your organisation. Some form of asset management is always required when setting up exposure management.
- Vulnerability management is the process that allows you to stay on top of the vulnerabilities in your information and network systems. To determine the extent to which a vulnerability represents a risk to your organisation, you must know the associated system’s exposure level. In other words, exposure management is a precondition for vulnerability management. At the same time, exposed information and network systems receive additional attention from the vulnerability management perspective, so the two processes are strongly interrelated.
- Risk management is the overarching process that enables you to minimise the uncertainties that may disrupt your organisation’s objectives. You should use exposure management as a key part of your risk management process to map, prioritise and handle risks.
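The following is an added example, not code from the publication, that shows how the three processes above fit together in practice: an asset register (asset management) is classified into the Table 1 exposure categories, vulnerability findings are prioritised by severity weighted with exposure (vulnerability management), and hosts observed from the internet that are missing from the register are flagged as unmanaged exposure (shadow IT). The asset names, vulnerability identifiers, severity numbers and exposure weights are all constructed for the example; the weights in particular are an assumption, not a published scale.

```python
from dataclasses import dataclass

# Exposure categories from Table 1, weighted by how far away an attacker can be.
# The weights are an assumption chosen for this example, not a published scale.
EXPOSURE_WEIGHT = {"external": 1.0, "adjacent": 0.6, "local": 0.3, "in-person": 0.1}


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool = False    # open to the internet
    network_reachable: bool = False  # reachable from a specific network (e.g. company WiFi)
    physical_only: bool = False      # physical interaction with the device is required


def classify(asset: Asset) -> str:
    """Map an asset's access path to its Table 1 exposure category."""
    if asset.internet_facing:
        return "external"
    if asset.network_reachable:
        return "adjacent"
    if asset.physical_only:
        return "in-person"
    return "local"


def find_shadow_it(register: list[Asset], observed_external: list[str]) -> list[str]:
    """Hostnames seen from the internet that are absent from the managed asset register."""
    known = {a.name for a in register}
    return sorted(host for host in observed_external if host not in known)


def prioritise(register: list[Asset], findings: list[tuple[str, str, float]],
               observed_external: list[str]) -> list[tuple[float, str, str, str]]:
    """Rank work items as (score, host, finding, category).

    Known assets score severity x exposure weight. Internet-visible hosts that are
    not in the register go to the top: their exposure has never been assessed,
    which is exactly what exposure management is meant to prevent.
    """
    by_name = {a.name: a for a in register}
    items = []
    for host, vuln_id, severity in findings:
        asset = by_name.get(host)
        if asset is None:
            continue  # unknown hosts are surfaced through the shadow IT check instead
        category = classify(asset)
        score = round(severity * EXPOSURE_WEIGHT[category], 2)
        items.append((score, host, vuln_id, category))
    for host in find_shadow_it(register, observed_external):
        items.append((10.0, host, "unmanaged-external-host", "external"))
    items.sort(key=lambda item: (-item[0], item[1]))
    return items


# Constructed sample data: a small asset register, scanner findings with
# placeholder identifiers and a list of hostnames seen from outside.
REGISTER = [
    Asset("www.example.test", internet_facing=True),
    Asset("hr-db.internal.test", network_reachable=True),
    Asset("kiosk-01", physical_only=True),
    Asset("build-box"),  # local access only
]
FINDINGS = [
    ("www.example.test", "VULN-PLACEHOLDER-1", 7.5),
    ("hr-db.internal.test", "VULN-PLACEHOLDER-2", 9.8),
    ("kiosk-01", "VULN-PLACEHOLDER-3", 9.0),
]
OBSERVED_EXTERNAL = ["www.example.test", "legacy-ftp.example.test"]

if __name__ == "__main__":
    for score, host, finding, category in prioritise(REGISTER, FINDINGS, OBSERVED_EXTERNAL):
        print(f"{score:5.2f}  {category:10}  {host:28}  {finding}")
```

Run as a script, the ranking puts the unregistered `legacy-ftp.example.test` first, then the internet-facing web server, and pushes the highest-severity finding (on the kiosk that needs physical access) to the bottom: the severity score alone would have ordered the list the other way round, which is the point of using exposure as the first prioritisation criterion.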