
How Exposure Management Helped Three Companies Transform Their Cybersecurity Program




Part two of our Exposure Management Academy series on exposure management maturity explores how organizations like Drogaria Araujo, Tenable and Verizon have applied exposure management to strengthen their security postures. 

Key takeaways:

  1. Case studies of Drogaria Araujo, Tenable and Verizon illustrate how exposure management provides tangible benefits to organizations of different sizes and security maturity levels.
     
  2. The companies improved visibility, unified siloed data and prioritized risks that create attack paths leading to their organizations’ most critical assets.
     
  3. Implementing exposure management principles is a crucial step for organizations aiming to enhance their security posture and mitigate cyber threats effectively.

In the first post in this series, we explored the five stages of the Exposure Management Maturity Model: Ad Hoc, Defined, Standardized, Advanced and Optimized. 

In this post, we explore three case studies to understand how an exposure management platform can help organizations advance their cybersecurity programs. We look at how the core principles of exposure management, supported via the implementation of an exposure management platform, helped these companies achieve better cybersecurity and compliance outcomes.

Drogaria Araujo uses exposure management to improve attack surface visibility 

Drogaria Araujo, a leading Brazilian pharmacy chain, turned to exposure management to improve attack surface visibility and gain the context the CISO needed to report on his company’s highest-risk exposures and demonstrate compliance with Brazil’s General Data Protection Law (LGPD). 

Drogaria Araujo relies on a geographically dispersed, hybrid infrastructure consisting of traditional IT systems and a rapidly growing cloud footprint. Prior to embracing exposure management, the company’s initial security practices depended on basic vulnerability assessment of their IT infrastructure. This resulted in a storm of noisy findings — and a lot of remediation tickets — which strained security and IT teams, despite the fact that these assessments didn’t pull in findings from cloud, identity or OT systems.

Typically, most organizations would look to evolve vulnerability assessment to a vulnerability management program, or maybe a more robust risk-based vulnerability management program. But the firm’s team set its sights on a holistic exposure management program that could better satisfy its needs, one that accounted for the expanding attack surface and encompassed all cybersecurity risks that lead to exposure. 

The company said it selected the Tenable One Exposure Management platform because it provides a unified view of the attack surface across on-premises, cloud, identity and OT environments. This enables the security team to spot cloud misconfigurations and identity-related weaknesses, in addition to traditional software vulnerabilities, that, when combined, create attack paths for threat actors.

Drogaria Araujo’s experience demonstrates how an organization can quickly and cost-effectively expand its visibility with an exposure management platform.

Tenable turns to exposure management to integrate and unify security data 

At Tenable, the need to consolidate security data from more than 50 tools, improve prioritization and automate reporting was the catalyst for implementing an exposure management program.

Tenable’s CSO began the exposure management journey by establishing a central team that could own all security policies across various security domains, including vulnerability management, cloud security, web application security and others. It made sense to extend the charter of the vulnerability management team to exposure management as the central control point. But this alone was not enough.

Tenable recognized it also needed to unify its asset and risk data across disparate tools, so it used the Tenable One Exposure Management Platform to aggregate data from Tenable-specific tools and provide rich relationship context, prioritization and KPIs. Following Tenable’s acquisition of Vulcan Cyber, the security team was able to feed data from third-party tools into Tenable One. 

Within the first 48 hours of turning on this new third-party data ingestion capability, Tenable was able to integrate and unify data from 15 third-party tools. Reporting, which previously took the security team an average of three days to manually create, became available in minutes. In addition, the exposure management team was able to extend its scope of visibility from less than 10,000 assets to more than 100,000, representing the entire attack surface, and reduce alert-to-ticket volume by 1,500 to 1, all with the same number of staff.


Verizon uses exposure management to prioritize real-world risks and exploitable threats 

Global telecommunications leader Verizon faced the inherent challenges of managing one of the largest and most complex attack surfaces in the world. Like many large organizations, security teams at Verizon had traditionally operated in silos, each with its own specialized tools and priorities for areas like attack surface management, vulnerability scanning, identity exposure and cloud security.

However, this siloed approach hindered efficient response and raised the potential for visibility gaps falling outside a team's specific area of responsibility or expertise. Recognizing that a reactive approach to managing risk wasn’t enough, Verizon shifted its cybersecurity focus to proactive exposure management. 

In a recent case study and blog post, Verizon said it chose to consolidate its proactive security efforts onto a single platform — Tenable One. This move enabled the integration of data from various security domains, providing a unified view of assets and associated risks. This consolidation was not just a technological shift but also an organizational one, requiring a change in how teams collaborated and shared data. Through transparent communication and demonstrating early value, Verizon was able to unify its security functions, including previously separate attack surface management, Active Directory, IoT and OT security teams.

A core principle of Verizon's new exposure management program is prioritizing real-world risks and exploitable threats rather than addressing every risk finding. The company prioritizes risks that are part of a realistic attack path leading to "crown jewel" assets. This approach lets it strategically address the most significant exposures and communicate more clearly with executives about what is at risk and which priorities are most urgent, ultimately shifting from a compliance-driven to a risk-based security posture.

Harnessing the power of exposure management

These case studies illustrate the very real benefits of exposure management. Whether you're looking to unify siloed data or achieve the highest levels of proactive security, exposure management provides the framework.

Learn more

  • Ready to understand where your organization stands and how to accelerate your journey? Take our exposure management maturity assessment. In less than five minutes, you’ll get a personalized report with recommendations tailored to your organization.
