The 5 Key Elements of Continuous Threat Exposure Management
Security leaders are increasingly focused on how best to understand and manage their expanding attack surface. There are many reasons why attack surface management (ASM) has become a priority, as security teams are faced with the daunting task of understanding and mapping a more complex digital environment. Still, ASM also needs to be seen in the context of a wider security initiative—the need for a greater preventative focus in the wider cybersecurity program.
Gartner® has identified ASM as one of the three pillars of a wider continuous threat exposure management program (CTEM), and states in a recent report that ‘the objective of CTEM is to get a consistent, actionable security posture remediation and improvement plan that business executives can understand, and architecture teams can act upon.’
At Noetic, we believe that an exposure management program is a refined approach to managing the attack surface in a constantly changing digital world. This modern approach considers vulnerability prioritization and remediation, mitigating controls, asset inventory, and detection and response capabilities as parts of one wider initiative.
The potential benefits of adopting this approach are significant. According to Gartner®, “by 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach.”
How to Implement a Continuous Threat Exposure Management Program
Noetic’s perspectives on the key steps that need to be addressed
Most organizations will already have some of the necessary building blocks, whether as part of an existing vulnerability management program or a security posture initiative. It is important to treat this initiative as a combination of people, processes and technology that enables and empowers the security team to make better decisions, thanks to improvements in the intelligence and context available to them.
Gartner® states that “at any stage of maturity, a CTEM cycle must include five steps to be completed: scoping, discovery, prioritization, validation and mobilization”.
Each of the five steps in a CTEM cycle brings considerations that you need to address to build a successful program. Here are Noetic’s perspectives on these steps and the factors that security leaders need to consider when rolling out their CTEM program.
The first challenge for any security team is to understand what they are dealing with. Organizations should have worked to define this as part of their vulnerability management process, but as we have seen, this is often incomplete. This is an area where external attack surface management (EASM), network scanning and digital risk protection services (DRPS) can provide value as they are optimized for mapping the exposed attack surface, as well as potential threats from outside the organization.
It is also important here to try and understand the wider business context around critical applications and services, as this will help when we are looking to prioritize remediation work later in the process.
The second phase, discovery, is often (but not always) mapped directly to the scope defined in the first, and involves asset discovery and risk profiling. The goal here is to map all assets in the organization and the cyber relationships amongst them.
This includes, but is not limited to, vulnerabilities. Additional components could also be misconfigurations, security coverage gaps and toxic combinations (several individually tolerable weaknesses that together create a serious exposure). It is entirely possible that the discovery phase will identify cyber risks which were outside the initial scope.
Prioritization is the natural outcome of the scoping and discovery work. As security leaders are well aware, it is not practical, or even desirable, to remediate every security issue that has been identified. Security teams need to prioritize based on the risk to the business.
This has evolved beyond traditional vulnerability severity scores, which do not consider the exploitability or the potential business impact on the affected assets.
Prioritization is arguably the most critical phase of a CTEM program, and security teams need to consider a combination of severity, exploitability, the criticality of the potential impact to the business, and any compensating security controls, to ensure that they are addressing the right security risks. This is also an area where cross-functional collaboration between security, IT and the Lines of Business (LOB) is vital.
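To make the prioritization criteria above concrete, here is an added example (not code from Noetic, Gartner or the cited report) that ranks constructed sample findings by severity, exploitability, business criticality and compensating controls, and totals risk per asset so that several findings stacked on one asset (the toxic combinations mentioned under discovery) remain visible. The weights, asset data and findings are all assumptions for illustration.

```python
# Added example (not Noetic's or Gartner's code): ranking discovered exposures by
# business risk rather than raw severity. Weights and sample data are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int          # business impact if compromised, 1 (low) .. 5 (critical)
    internet_facing: bool     # part of the externally exposed attack surface
    controls: set = field(default_factory=set)  # compensating controls actually present

@dataclass
class Exposure:
    asset: Asset
    finding: str              # vulnerability, misconfiguration or coverage gap
    cvss: float               # traditional severity score, 0.0 .. 10.0
    known_exploited: bool     # evidence of active exploitation in the wild
    mitigated_by: set = field(default_factory=set)  # controls that blunt this finding

def risk_score(e: Exposure) -> float:
    """Severity x exploitability x reachability x business impact, discounted per control."""
    exploitability = 1.0 if e.known_exploited else 0.4   # assumed weights
    reachability = 1.0 if e.asset.internet_facing else 0.6
    # Only controls relevant to the finding AND present on the asset count; each halves the score.
    effective = len(e.mitigated_by & e.asset.controls)
    return e.cvss * exploitability * reachability * e.asset.criticality / (2 ** effective)

def prioritize(exposures):
    """Exposures ordered by business risk, highest first."""
    return sorted(exposures, key=risk_score, reverse=True)

def risk_by_asset(exposures):
    """Per-asset totals, so several findings stacked on one asset (a toxic combination)
    are visible even when no single finding tops the list."""
    totals = defaultdict(float)
    for e in exposures:
        totals[e.asset.name] += risk_score(e)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

# Constructed inventory: a critical public web app and a low-value internal test database.
CRM = Asset("crm-web", criticality=5, internet_facing=True, controls={"waf"})
HR_TEST = Asset("hr-db-test", criticality=1, internet_facing=False, controls={"edr", "segmentation"})
FINDINGS = [
    Exposure(HR_TEST, "unpatched RCE", cvss=9.8, known_exploited=False, mitigated_by={"segmentation"}),
    Exposure(CRM, "weak TLS configuration", cvss=5.3, known_exploited=True),
    Exposure(CRM, "auth bypass", cvss=8.1, known_exploited=True, mitigated_by={"waf"}),
]
```

With context applied, the CVSS 9.8 finding on the segmented test database ranks last, behind two lower-severity but actively exploited findings on the internet-facing CRM.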
Gartner® defines validation as ‘the part of the process by which an organization can validate how potential attackers can actually exploit an identified exposure, and how monitoring and control systems might react’.
This is also an area where security teams are increasingly investing in tooling and automation, whether for breach and attack simulation (BAS), red teaming, or attack path analysis. The goal is to think and act like an attacker in order to monitor the effectiveness of existing controls and processes.
The final phase, mobilization, is focused on organizational readiness and the ability to remediate. This can and should include automated remediation, but Gartner emphasizes that prematurely relying entirely on automation will result in failure.
As we have seen, vulnerability and exposure remediation is a cross-functional task, where the requirements and potential impact of different parts of the business need to be considered. Therefore, mobilization needs to be about building a shared understanding of what cyber risk is acceptable and what business impact is not.
Getting Started with CTEM
As security leaders think about how best to reduce their attack surface and improve their security posture, they need to work on how to gain the asset visibility and context that will allow them to effectively scope, discover and prioritize their CTEM program.
Discover how to establish a strong foundation for an effective CTEM initiative with multi-dimensional cyber asset intelligence in ‘Making the Case for CAASM’.
Gartner subscribers are able to access the full report and its recommendations here.
Implement a Continuous Threat Exposure Management (CTEM) Program, Gartner, July 2022
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.