Significant improvement to MTTR using Continuous Threat Exposure Management program

As markets evolve, more and more tools and solutions are created that aim to help security teams optimize their security. One of the most commonly asked questions is “how do I justify the need for this tool?”. In order to answer such a question, some sort of a metric is required in order to monitor performance. One can measure the “security level” (or “resilience”) of an organization in many different ways. Due to ULTRA RED’s natural attacker point of view approach (black box approach) we believe the MTTR (mean-time-to-remediate) is an accurate, measurable criteria that organizations can track in order to understand whether they are improving.

As attacks evolve, more and more methods and products are breached. This happens at an exponential rate, therefore requiring a continuously updated and maintained source of information that you can benchmark and validate your security against. ULTRA RED’s continuously expanded vulnerabilities are tracked over time, giving them essentially a “timeframe” of how long they are found for. Due to a continuous scanning approach - vectors are tracked over time. Once a vector is detected, it is given a “finding date”. Because of the continuous scanning, every vector that was detected and is re-found in the next scan will continue to “live”. When a vector is not identified in the next scan, it is identified as an anomaly and re-tested in different time intervals to accommodate for potential network disruptions. When the vector is no longer identified - it is considered as “remediated”. By measuring the lifetime of a vector (vulnerability), we can estimate the MTTR of an organization.

Using ULTRA RED, we have been able to see customers’ true MTTR before and after use. Initially assessed at a gross 4-5 days, by leveraging the CTEM platform they have gained a holistic view on the real situation - assets were not actually remediated. This led to an actual MTTR of (initially) a gross 4 weeks for “true remediation” status. Part of that holistic view is understanding the whole process that is considered under the MTTR:

Security operator identifies a new asset found in tool #1

  • Discovery of the new asset (4-7 days)
  • Assessment of the newly discovered asset and understanding whether it belongs to the organization, then identifying the technical owner (1-14 days) - this step was highly inconsistent due to lack of information regarding ownership and authority.

Forwarding to vulnerability assessment / application security team

  • Decision on which sort of assessment is required (1-2 days)
  • Identification of the vulnerability with evidence (proof of concept) - potentially a combination of multiple tools (4-7 days)
  • Communicating & reporting recommended remediation - depending on the issue reported (1-2 days)

Forwarding to system owner / developer

  • Validating the implemented remediation such as security control, WAF configuration, patch, etc. (7-14 days)
  • Closing the issue and reporting remediation

From the above, we can understand the organization has created a protocol around remediation of an asset. This protocol involved multiple teams across potentially different organizations. This lengthy process was caused by the lack of consolidation and automation. In addition to those - every finding (asset and vulnerability) required additional manual effort of operators in order to assess whether the finding is a false-positive or not. ULTRA RED helps organization solve this exact pain point by providing an all-in-one CTEM platform:

After 1 year of using ULTRA RED’s platform to implement a CTEM program, security teams reported to have reduced their MTTR by 400% (<8 days) by consolidating communications across security teams, backed by hard evidence.

The new process looks like this:

  • Automated discovery alerts team of a validated new asset that is found (1-2 days)
  • New asset is automatically scanned for any weakness, attached with proof of concept and additional information (<1-4 hours)
  • Automated remediation suggestions for different strategies are created based on the findings, such as firewall configuration, sanitization, patching, or other alternatives. (instant)
  • New ticket is created in ITSM platform (instant)
  • Owner performs the remediation using detailed information, selecting from different recommended strategies (1-2 days)
  • Remediation is automatically detected by the system and reported (1-2 days)

New max gross MTTR: <7 days

Similar findings and improvements are noticed across multiple organizations that are monitored by ULTRA RED. The fastest organizations to adopt the Continuous Threat Exposure Management program have managed to achieve the following improvements:

Using ULTRA RED’s context-based prioritization, organizations managed to remediate twice as fast as they used to. Alerts from other platforms have been reduced by 75% due to automated validation methodologies - all alerts were compared and benchmarked against findings in the system. Anything that wasn’t fully validated was either reduced in priority or dropped. False positive reporting rates dropped from approximately 25% to less than <1%. The attack surface is beginning to change more and more frequently, and records struggle to keep up. ULTRA RED uncovered (on average), approximately 30% more assets than the organizations initially thought they had on an on-going basis. This means that on average there was approximately 30% more “happening” than they were aware of. Asset discovery times that weren’t keeping up with the rate of environment and domain changes used to keep organizations behind. Discovery time was reduced from an average of 8 days to 1-2 days. Overall, the gross MTTR was reduced from a previous 4 weeks to a maximum of <7 days.

Organizations can also leverage the Playbooks in order to streamline even more processes, automating as much as the remediation itself. We have been asked “what is the next big thing after CTEM?”, which is a great question. ULTRA RED believes in security, therefore we say - it doesn’t matter. What’s most important is reducing your MTTR, increasing your resilience, security team maturity - signifying the way you react to the ever-changing cyber security landscape.