What is Continuous Threat Exposure Management?

Definition

The concept “Continuous Threat Exposure Management” (CTEM) was coined by Gartner, Inc., and its definition reads as follows:

“Continuous Threat Exposure Management Programme is a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.”

A CTEM program promotes oversight and control over an organization’s visibility to hostile actors (i.e., lone, organized, sponsored individuals) who intend to inflict damage. Successful oversight in CTEM depends on knowing several factors: the expanse and worth of all organizational assets and their associated vulnerabilities; the compensatory security controls that surround them; and filtered knowledge about the organization’s threat environment. Only then can Security Teams draw on a business-relevant risk baseline from which to prioritize vulnerability remediation to reduce their threat exposure.

A Case for TEM

Enterprise Security Teams are piling up stalled and generic vulnerability remediation lists on which they fail to reach consensus with IT Operations Teams, all while the number of new vulnerabilities keeps growing. Enterprise Security Teams are also unable to keep track of the threat environment, with new advisories released daily, and cannot properly ascertain the efficacy of their security controls against potential threats. There are tools in the cybersecurity market that can alleviate some of these problems; however, they are spread across different non-integrated point solutions with contrasting data input and suggested output that is largely irrelevant to the company operating the tool. A holistic and business-centric solution is necessary. CTEM draws a framework towards an ideal end.

SCOPING

CTEM is a five-step program which occurs in cycles throughout the lifetime of several projects. These projects can be triggered by new business initiatives, audits, changes in security controls, or readjustments in risk appetite. Nonetheless, every project starts with a scoping stage. Scoping casts a specific net around the business-critical assets that are necessary to discover, test, and fortify. Ideally, all stakeholders, from security to IT Operations, GRC, and asset owners, are aware that actionable risk reduction is meant to follow in the mobilization phase. In the discovery phase, businesses are meant to uncover all relevant assets, their associated vulnerabilities, information about control misconfigurations, and other relevant weaknesses.

DISCOVERY

Oftentimes, discovery tools uncover far beyond the scope of a project. Unknown assets, vulnerabilities, and misconfigurations are risks that will be discovered. It’s at this point that Security Operations teams are stalled in a state of prolonged analysis paralysis. Not every vulnerability or misconfiguration is relevant, and not all of them matter equally. Immediately remediating all vulnerabilities is also impossible. Prioritization is necessary.

PRIORITIZATION

To successfully prioritize signals, a strong business understanding, threat exposure understanding, and facilitating technology are integral. Predefined CVSS scores are helpful as a contributing factor, but they are insufficient on their own. Organizations need to assign criticality levels to their assets and factor this in with continuous threat intelligence that identifies prevalence and proximity. They must also be practical in their understanding of remediation by documenting compensating controls and all other mitigation options.

According to Gartner, Inc:

“Prioritizing the treatment of exposures needs to be based on a combination of the urgency, severity, availability of compensating controls, risk appetite and level of risk posed to the organization.”

It is simply infeasible to calculate this for even those enterprises with double-digit assets and hundreds of vulnerabilities. Technology is a necessary component.
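The sketch below is an added illustration of the factors listed above, not a formula from Gartner or from ULTRARED: it scales a CVSS base score by asset criticality, threat activity, compensating controls and exploitation prerequisites, and shows how the resulting order differs from a CVSS-only ranking. All field names, multipliers and sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed multipliers, chosen only for illustration; the page defines no formula.
CRITICALITY = {"low": 0.4, "medium": 0.7, "high": 1.0}  # business value of the asset
THREAT = {"none": 0.3, "observed": 0.7, "active": 1.0}  # prevalence/proximity per threat intel
CONTROL_FACTOR = 0.3   # a documented compensating control is in place
PREREQ_FACTOR = 0.2    # exploitation prerequisites are missing


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float                 # CVSS base score, 0.0 to 10.0
    asset_criticality: str      # key of CRITICALITY
    threat_activity: str        # key of THREAT
    compensating_control: bool
    prerequisites_met: bool


def exposure_score(f: Finding) -> float:
    """Scale the CVSS base score by business and threat context."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.name}: CVSS score out of range")
    score = f.cvss * CRITICALITY[f.asset_criticality] * THREAT[f.threat_activity]
    if f.compensating_control:
        score *= CONTROL_FACTOR
    if not f.prerequisites_met:
        score *= PREREQ_FACTOR
    return round(score, 2)


def rank_by_cvss(findings):
    return [f.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_exposure(findings):
    return [f.name for f in sorted(findings, key=exposure_score, reverse=True)]


# Constructed sample findings (not real assets or CVEs).
SAMPLE = [
    Finding("legacy-intranet-rce", 9.8, "low", "none", True, True),
    Finding("vpn-gateway-auth-bypass", 7.5, "high", "active", False, True),
    Finding("dev-server-sqli", 8.8, "medium", "observed", False, False),
    Finding("customer-portal-xss", 6.1, "high", "observed", False, True),
]

if __name__ == "__main__":
    print("CVSS only:    ", rank_by_cvss(SAMPLE))
    print("With context: ", rank_by_exposure(SAMPLE))
```

In this constructed data the finding with the highest CVSS score drops to last place once its low-value asset, absent threat activity and compensating control are taken into account.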

VALIDATION

In the Validation phase, organizations ask themselves, “How would an attack actually happen and how would we fare against it?” Beyond documenting proximal threats, this phase adds the ability to validate security controls and vulnerability remediation priorities with simulated/emulated attacks.

Gartner, Inc states that Validation:

“...requires a mix of technical assessments (e.g., pentesting, red teaming, breach and attack simulation and attack path analysis), but also organizational acceptance.”

In this phase, Security Teams can support their prioritization evidence with simulated action to “prove” to IT Operations and business stakeholders that business remediation is necessary. Though Prioritization is a hurdle to overcome, it is not insurmountable. It is in fact mobilization that is the most difficult phase of all.

MOBILIZATION

The reason why enterprises are piling up stalled and generic vulnerability remediation lists is that Security teams suffer from bureaucratic friction in approval and implementation processes. Cross-team approvals from IT Operations and asset owners are stalled by scrutiny of the evidence at hand and the remediation options presented. With more focused, business-centric, and threat-relevant priorities coupled with evidence-backed attack simulations, it would be hard to refute vulnerability remediation. Still, those cross-teams that are rarely involved in the affairs of Security will continue to push back on what they do not understand. That is why in the Scoping phase, it is necessary to involve all stakeholders, even if only in an informed capacity up until this point. Technology is a great facilitator here to prove receipt and acknowledgement of alerts and updates. As a result of mobilization, Executive Leadership will finally have a fair understanding of their security posture and threat landscape.

Key Benefits

Gartner predicts that,

“By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach.”

Organizations that follow CTEM will address threats from a proactive and predictive approach as opposed to a reactive and responsive approach. Organizations can also expect to reduce their vulnerability noise, minimize their risks, and enhance cross-functional collaboration. CTEM cannot be realized, though, if an organization’s facilitating tools are siloed and lack full integration. This is where ULTRARED benefits CTEM.

ULTRARED

The ULTRARED: Threat Exposure Management platform was purpose-built to address key aspects and weak points within vulnerability and threat exposure management. To be effective, we believe that vulnerability and threat exposure management must be evidence-rich, collaborative, and analytically powerful. Following the principles of CTEM, we have created an all-in-one, fully integrated platform from which all stakeholders in vulnerability and threat exposure management can convene, collaborate, and remediate their most pressing risks and threat exposure. Below, we pair our platform capabilities with the phases of CTEM to paint you the full platform story.

SCOPING & Attack Surface Management (ASM)  

Attack surface defense starts with visibility. After all, you can’t protect what you don’t know about. Manually maintaining an asset register of Internet-facing assets and services is impractical if not impossible for most organizations. Asset audits are resource-intensive and time-consuming to conduct, and the result is a point-in-time snapshot that is both incomplete and obsolete as soon as it is created.

Blind spots resulting from shadow IT deployments, cloud adoption and mergers and acquisitions can result in a large pool of organization-owned assets that are unknown to security teams. These unknown assets quickly become the soft underbelly of the attack surface, harboring vulnerabilities that would normally be identified and remediated. Better knowledge to this end can help Red Teams in their adversary-emulation exercises, Blue Teams in fortifying defenses, IT Management Teams in knowing what asset landscape they should keep a keen eye on, and GRC teams in communicating more accurate threats and risks to Security Leadership and Board.

In as little as 3 clicks, ULTRA RED automatically discovers hosts, domains and IP addresses which are within the organization's scope, including assets created by shadow IT activities and cloud deployments. Utilizing recursive techniques and proprietary technology to check and re-check validity, ULTRA RED creates an asset register with an extremely low false positive rate. ULTRA RED's asset discovery is a continual process, uncovering new assets and services as they are introduced to ensure you always have an up-to-date view of your attack surface.

SCOPING/DISCOVERING & Digital Risk Protection Services (DRPS)

Is your company primed to be compromised? DRPS answers this question by bringing to light all exposed identities and credentials in the open web, social media, dark web, and deep web sources. Intelligence also includes potential threat actors and the tactics and processes they use to initiate compromise. DRPS will immediately show you all your exposed digital assets that are up for grabs and potentially already in play by cyber attackers.

VALIDATING & Cyber Threat Intelligence (CTI)

With enhanced CTI, Red Teams are armed with enough to automate potential cyber attacker hacks. Breach and Attack Simulation supports this goal, saving Red Teams cognitive space and time to find more innovative means for attack.

ULTRA RED continuously scans assets in the Asset Inventory to detect new vulnerabilities and weaknesses. It not only identifies known public vulnerabilities, but also cross-references assets against a wide range of proprietary scanning findings and documented Dark Net references. All detected weaknesses are validated without impacting the scanned system and its security infrastructure and controls, ensuring production system continuity. The security team receives all the accompanying intelligence for each identified vector: impacts, external references, an actionable remediation list along with required steps, and POCs for leveraging the weakness.

CTEM & Vulnerability Management (VM)

The average external attack surface contains a range of assets and services with vulnerabilities of varying severity, and it is impractical to address them all. While zero-day vulnerabilities are a threat to be considered, most breaches are the result of exploiting known vulnerabilities that organizations could have remediated. In fact, malicious actors focus their efforts on recently announced vulnerabilities, scanning the Internet for vulnerable systems to exploit.

Manual efforts, either in-house or through bug-bounty programs, are resource-intensive activities that often serve up a disproportionate number of low and mid-severity vulnerabilities. The real challenge is to identify and focus on those vulnerabilities that represent the greatest risk to the organization. This can best be done using automated methods against a complete asset register. Better knowledge to this end can help Red Teams in their adversary-emulation exercises, Blue Teams in fortifying defenses, IT Management Teams in knowing what to patch, where and why, and GRC teams in communicating more accurate threats and risks to Security Leadership and Board.

Relying on CVSS scores and other external indicators to prioritize vulnerabilities has its limitations because every attack surface is different. Some high-risk vulnerabilities will have mitigating controls in place and others may not have the required prerequisites for successful exploitation.

ULTRA RED continuously scans assets in the Asset Inventory to detect new vulnerabilities and weaknesses. It not only identifies known public vulnerabilities but also cross-references assets against a wide range of proprietary scanning findings and documented Dark Net references. All detected weaknesses are validated without impacting the scanned system and its security infrastructure and controls, ensuring production system continuity. ULTRA RED’s vector scoring is based on a combination of the CVSS severity and exploitability. For example, a high-risk CVE may not be considered a vector as there are mitigating controls that prevent it from being exploited. A vector with a high CVSS score may have a lower Ultra Red score if the weakness exists but cannot be exploited due to missing prerequisites. In both cases, continual monitoring will update their status and priority if the situation changes. Asset risks are categorized into logical groupings such as VPNs, development environments, admin & sensitive information. This helps managers and teams understand the potential impact of affected assets to further assist with prioritization.

Expected ROI

With the ULTRARED: Threat Exposure Management platform, you will…

  • Build assurance in your security function with specific, actionable, and pointed Intelligence for all of your stakeholders.
  • Enable faster vulnerability remediation with our intelligence-rich prioritization and remediation suggestions.
  • Reduce your attack surface by remediating vulnerabilities faster and fortifying necessary security controls.
  • Optimize your costs by lowering your total cost of ownership (TCO) through in-platform automation and reduced sourcing, implementation, maintenance, and operating costs.
  • Maximize your Security controls by testing and enhancing rule sets to minimize your risks.