What is Continuous Threat Exposure Management?

Definition

The concept “Continuous Threat Exposure Management” (CTEM) is coined by Gartner, Inc. and its definition reads as such:

“Continuous Threat Exposure Management Program is a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.”

A CTEM program promotes oversight and control over an organization’s visibility to hostile actors (i.e., lone, organized, sponsored individuals) who intend to inflict damage. Successful oversight in CTEM is dependent on a knowing of several factors: the expanse and worth of all organizational assets and their associated vulnerabilities, the compensatory security controls that surround them; and filtered knowledge about the organization’s threat environment. Only then can Security Teams draw on abusiness-relevant risk baseline from which to prioritize vulnerability remediation to reduce their threat exposure.

A Case for TEM

Enterprise Security Teams are piling up stalled and generic vulnerability remediation lists which they fail to reach consensus on with IT Operations Teams all while new vulnerabilities are constantly growing. Enterprise Security Teams are also unable to keep track of the threat environment with new advisories released daily and cannot properly ascertain the efficacy of their security controls against potential threats. There are tools in the cybersecurity market that can alleviate some of the problems; however, across different non-integrated point-solutions with contrasting data input and suggested output that is largely irrelevant to the company operating the tool. A holistic and business-centric solution is necessary. CTEM draws a framework towards an ideal end.

SCOPING

CTEM is a five-step program which occurs in cycles throughout the lifetime of several projects. These projects can be triggered by new business initiatives, audits, changes in security controls, or readjustments in risk appetite. Nonetheless, every project starts with a scoping stage. Scoping casts a specific net around the business-critical assets that are necessary to discover, test, and fortify. Ideally, all stakeholders—from security to IT Operations, GRC, and asset owners are aware that actionable risk-reduction is meant to follow in the mobilization phase. In the discovery phase, businesses are meant to uncover all relevant assets, their associated vulnerabilities, information about control misconfigurations, and other relevant weaknesses.

DISCOVERY

Oftentimes, discovery tools uncover far beyond the scope of a project. Unknown assets, vulnerabilities, and misconfigurations are risks that will be discovered. It’s at this point that Security Operations teams are stalled in a state of prolonged analysis paralysis. Not every vulnerability or misconfiguration is relevant and all of it does not matter equally. Immediately remediating all vulnerabilities is also impossible. Prioritization is necessary. 

PRIORITIZATION

To successfully prioritize signals, a strong business understanding, threat exposure understanding, and facilitating technology are integral. Predefined CVSS scores are helpful as a contributing factor; however, insufficient on its own. Organizations need to assign criticality levels to their assets and factor this in with continuous threat intelligence that identifies prevalence and proximity. They must also be practical in their understanding of remediation by documenting compensating controls and all other mitigation options.

According to Gartner, Inc:

“Prioritizing thetreatment of exposures needs to be based on a combination of the urgency,severity, availability of compensating controls, risk appetite and level ofrisk posed to the organization.”

It is simply infeasible to calculate this for even those enterprises with double digit assets and hundreds of vulnerabilities. Technology is a necessary component.

VALIDATION

In the Validation phase, organizations ask themselves, “How would an attack actually happen and how would we fair it?” Going beyond the documentation of proximal threats, is the ability to validate security controls and vulnerability remediation priorities with simulated/emulated attacks.  

Gartner, Inc states that Validation:

“...requires a mix of technical assessments (e.g.,pentesting, red teaming, breach and attack simulation and attack path analysis), but also organizational acceptance.”

In this phase, Security Teams can support their prioritization evidence with simulated action to “prove” to IT Operations and business stakeholders that business remediation is necessary. Though Prioritization is a hurdle to overcome, it is not insurmountable. It is in fact mobilization that is the most difficult phase of all.

MOBILIZATION

The reason why enterprises are piling up stalled and generic vulnerability remediation lists is because Security teams suffer from bureaucratic friction in approval and implementation processes. Cross-team approvals from IT Operations and asset owners are stalled by scrutiny of the evidence at hand and the remediation options presented. Up on more focused, business-centric, and threat-relevant priorities coupled with evidence-backed attack simulations, it would be hard to refute vulnerability remediation. Still, those cross-teams that are rarely involved in the affairs of Security will continue to push back on what they do not understand. That is why in theScoping phase, it is necessary to involve all stakeholders, if even in an informed manner up until this point. Technology is a great facilitator here to prove receipt and acknowledgement of alerts and updates. As a result of mobilization, Executive Leadership will finally have a fair understanding oft heir security posture and threat landscape.

‍Key Benefits

Gartner predicts that,

“By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach.”

Organizations that follow CTEM will address threats from a proactive and predictive approach as opposed to a reactive and responsive approach. Organizations can also expect to reduce their vulnerability noise, minimize their risks, and enhance cross-functional collaboration. CTEM cannot be realized though if an organization’s facilitating tools are siloed and lack full integration. This is where ULTRA RED benefits CTEM.

ULTRA RED

The ULTRA RED: Threat Exposure Management platform was purpose-built to address key aspects and weak points with invulnerability and threat exposure management. To be effective, we believe that vulnerability and threat exposure management must be evidence-rich, collaborative, and analytically powerful. Following the principles of CTEM, we have created an all-in-one, fully integrated platform from which all stakeholders in vulnerability and threat exposure management can convene, collaborate, and remediate their most pressing risks and threat exposure. Below, we pair our platform capabilities with the phases of CTEM to paint you the full, platform story.

SCOPING & Attack Surface Management (ASM)  

Attack surface defense starts with visibility. After all, you can’t protect what you don’t know about. Manually maintaining an asset register of Internet facing assets and services is impractical if not impossible for most organizations. Asset audits are resource intensive and time consuming to conduct, and the result is a point in time snapshot that is both incomplete and obsolete as soon as it is created.  

Blind spots resulting from shadow IT deployments, cloud adoption and mergers and acquisitions can result in a large pool of organization-owned assets that are unknown to security teams. These unknown assets quickly become the soft underbelly of the attack surface, harboring vulnerabilities that would normally be identified and remediated. Better knowledge to this end can help Red Teams in their adversary-emulation exercises, Blue Teams in fortifying defenses, IT Management Teams in knowing what asset landscape they should keep a keen eye on, and GRC teams in communicating more accurate threats and risks to Security Leadership and Board.

In as little as 3 clicks, ULTRA RED automatically discovers hosts, domains and IP addresses which are within the organization's scope, including assets created by shadow IT activities and cloud deployments. Utilizing recursive techniques and proprietary technology to check and re-check validity, ULTRA RED creates an asset register with an extremely low false positive rate. ULTRA RED's asset discovery is a continual process, uncovering new assets and services as they are introduced to ensure you aways have an up-to-date view of your attack surface.

SCOPING/DISCOVERING & Digital Risk Protection Services (DRPS)

Is your company primed to be compromised? DRPS answers this question by bringing to light all exposed identities and credentials in the open web, social media, dark web, and deep web sources. Intelligence also includes potential threat actors, their tactics and processes used to initiate compromise. DRPS will immediately show you all your exposed digital assets up-for-grab and potentially already in play by cyber attackers.

VALIDATING & Cyber Threat Intelligence (CTI)

With enhanced CTI, Red Teams are armed with enough to automate potential cyber attacker hacks. Breach and Attack Simulation supports this goal, saving Red Teams cognitive space and time to find more innovative means for attack.

ULTRA RED continuously scans assets in the Asset Inventory to detect new vulnerabilities and weaknesses. It not only identifies known public vulnerabilities, but also cross references assets against a wide range of proprietary scanning findings and documented Dark Net references. All detected weaknesses are validated without impacting the scanned system and its security infrastructure and controls, ensuring production system continuity. The security team receives all the accompanying intelligence for each identified vector; impacts, external references, an actionable remediation list along with required steps, and POCs for leveraging the weakness.

CTEM & Vulnerability Management (VM)

The average external attack surface contains a range of assets and services with vulnerabilities of varying severity, and it is impractical to address them all. While zero-day vulnerabilities are a threat to be considered, most breaches are the result of exploiting known vulnerabilities that organizations could have remediated. In fact, malicious actors focus their efforts on recently announced vulnerabilities, scanning the Internet for vulnerable systems to exploit.  

Manual efforts, either in-house or through bug-bounty programs are resource intensive activities that often serve up a disproportionate number of low and mid-severity vulnerabilities. The real challenge is to identify and focus on those vulnerabilities that represent the greatest risk to the organization. This can best be done using automated methods against a complete asset register. Better knowledge to this end can help Red Teams in their adversary-emulation exercises, Blue Teams in fortifying defenses, IT Management Teams in knowing what to patch, where and why, and GRC teams in communicating more accurate threats and risks to Security Leadership and Board.

Relying on CVSS scores and other external indicators to prioritize vulnerabilities has its limitations because every attack surface is different. Some high-risk vulnerabilities will have mitigating controls in place and others may not have the required pre-requisites for successful exploitation.  

ULTRA RED continuously scans assets in the Asset Inventory to detect new vulnerabilities and weaknesses. It not only identifies known public vulnerabilities but also cross references assets against a wide range of proprietary scanning findings and documented Dark Net references. All detected weaknesses are validated without impacting the scanned system and its security infrastructure and controls, ensuring production system continuity. ULTRA RED’s vector scoring is based on a combination of the CVSS severity and exploitability. For example, a high-risk CVE may not be considered a vector as there are mitigating controls that prevent it from being exploited. A vector with a high CVSS score may have a lower Ultra Red score if the weakness exists but cannot be exploited due to missing prerequisites. In both cases, continual monitoring will update their status and priority if the situation changes. Asset risks are categorized into logical groupings such as VPNs, development environments, admin & sensitive information. This helps managers and teams understand the potential impact of affected assets to further assist with prioritization.  

Expected ROI

With the ULTRA RED: Threat Exposure Management platform, you will…

• Build assurance in your security function with specific, actionable, and pointed Intelligence for all of your stakeholders.
• Enable faster vulnerability remediation with our intelligence-rich prioritization and remediation suggestions.
• Reduce your attack surface by remediating vulnerabilities faster and fortifying necessary security controls.
• Optimize your costs by lowering your total cost of ownership (TCO) through in-platform automation and reduced sourcing, implementation, maintenance, and operating costs.
• Maximize your Security controls by testing and enhancing rule sets to minimize your risks.