CAASM as the foundation for a successful CTEM Program
The evolution of IT, including trends such as broad multi-cloud adoption, containerization, serverless, hyper segmentation, and dissolving perimeters, has made it exceedingly difficult for security teams to quantify and assess their ever-changing (internal and external) attack surface. Similarly, the staggering volume of vulnerability findings makes it infeasible to patch them all.
Increasingly, cyber teams must shift to a more pragmatic risk-based approach. Emphasis must shift to developing the skills, processes, and tooling to more effectively quantify, and prioritize the impact of, each threat and exposure facing their organization, be they unpatched vulnerabilities, misconfigurations, poorly designed software/systems, or third-party exposures.
Gartner® has highlighted this in the recent publication on Continuous Threat and Exposure Management (CTEM), which offers a perspective on how organizations should think about approaching this pragmatic shift. The report projects that “by 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach. “
The report also emphasizes that CTEM is a process, not a product. There are, however, several product categories which are instrumental in establishing an effective CTEM strategy.
The Role of CAASM in CTEM
One of the most foundational is Cyber Asset Attack Surface Management (CAASM). After all, you can’t effectively assess and prioritize your most critical threat and exposure-related risks if you don’t know them. CAASM products typically establish, and continually maintain, a comprehensive asset inventory by aggregating data about the assets from a wide range of existing tools, technologies, and datasets.
The problem is that most CAASM tools focus narrowly on compute assets and their vulnerabilities and configurations while cyber risks actually manifest from a far broader range of “assets” including users, exposed datasets, insufficient network segmentation, inappropriate privilege assignment, etc. Basic CAASM capabilities must be expanded or augmented to incorporate a broader viewpoint of all of these aspects which generate risk and to capture the characteristics or context necessary to effectively quantify their magnitude.
One of the key—and commonly missing—elements in “basic” CAASM offerings is an understanding of the relationships between assets. Clearly, a severe vulnerability on a test system segmented off in a development network does not represent the same risk of that same vulnerability on a production system supporting a critical business service with access to highly sensitive data. The relationships and context of an asset is as significant as knowing of its existence and its basic properties.
If you establish a CAASM capability which incorporates a broad view of all “asset” types of cyber relevance, and which incorporates the relationships and business context which illuminate risk, then you have strong foundation on which to build your CTEM program.
Gartner has proposed a 5-step process which can be repeatedly applied to assess and manage cyber exposure challenges. These are scoping, discovery, prioritization, validation and mobilization.
Scoping involves taking a fresh and broader look at the overall risk to the business which involve cyber components. This goes well beyond the bounds of typical vulnerability management efforts. It’s more akin traditional threat modeling approaches and should incorporate the attackers’ view and encompass all of the ways the attacker might hurt your organization.
A full-featured CAASM platform can considerably help here by providing a view across the totality of your cyber estate and expose assets you would not have otherwise been aware of. Even more so, it can provide visibility into the relationship of technical assets such as compute resources, networks, IP addresses, and databases/datasets back to the things which are critical to your business such as critical applications or services and the geolocation and governance of sensitive data.
Once you have defined the target scope, Discovery is the process of identifying all of the “assets” which fall within that scope and their related risks and exposures. A broad net should be cast here to capture the common technical exposures such as vulnerabilities, misconfigurations and missing control coverage, as well as other less technical risks such as gaps in security training, phishing testing, and data governance.
This is perhaps the most obvious place where a CAASM solution can add significant value. After all, its primary function is to collect data to create and maintain a comprehensive and current record of your entire asset landscape. But keep in mind that the ultimate goal is to use this information to quantify and prioritize risk.
The CAASM solution, and its underlying data model, must be sufficiently broad to encompass all asset types of cyber-relevance. It must also maintain sufficient fidelity of source information, although many CAASM products normalize source data into a common model thereby loosing critical details. Relatedly, it must preserve all of the context, particularly asset relationship context, needed to achieve the prioritization goals.
Prioritization is rooted in the reality that no organization can feasibly address every exposure. The goal instead is to be able to look across all the threats and exposures to your business and be able to quantify which are most critical and should be prioritized for remediation based on impact and likelihood.. It should also incorporate a consideration of aspects such as feasibility of mitigation and the existence of compensating controls.
Again, a full featured CAASM solution has a big part to play here. It becomes the lens through which you can understand the context and implications of each exposure which is used to drive a higher fidelity quantification.
The validation step is designed to add rigor to the process of identifying and processing which exposures can actually be exploited by the adversary and to what effect. This begins to shed light upon the efficacy of your mitigation and detective controls.
A comprehensive CAASM capability can aid the validation process by helping illuminate otherwise unknown portions of your attack surface or possible attack paths which should be explored. This improves both the efficiency and efficacy of the validation process.
As the word suggests, the mobilization phase is where the work is allocated to mitigate the most significant exposures. This is where the rich context of a comprehensive CAASM capability starts providing bonus value. For teams to know how to react in the most effective way, they must have full context and understand the implications of the various possible options.
This includes how the technical assets relate to various controls (or control gaps), to other assets, and to the broader business context. Having this broad cyber asset intelligence at hand enables quick and decisive actions in this phase.
Gartner rightly emphasizes that you can’t entirely rely on automation to address all mobilization activities, but with sufficient timely and accurate context you can leverage automation more effectively and with more confidence while also improving the efficiency of your teams working on activities that require human intervention.
The concepts highlighted by Gartner® in their CTEM literature are a pragmatic and common-sense reaction to the realities faced by today’s cyber and risk teams. We must focus our limited cybersecurity resources on the most significant risks, and that determination must be made at a level which spans business functions.
Organizations should be adopting a methodical process for assessing cyber risk which fundamentally incorporates the broader business concerns. Having an ‘always-current’ view across the entire cyber estate, which comprehends not just a list of technical assets but their control gaps, how they relate to each other, and how they relate to the broader business, is the foundational capability on which to build a CTEM program.
To learn more about how Noetic empowers teams to adopt a modern approach to attack surface management in our latest report: How to Implement Continuous Threat Exposure Management with Noetic.