By Brian Martin
For a long time, cybersecurity has been in reactive mode, focused on scanning for vulnerabilities and trying to remediate them as quickly as possible. Most organisations struggled with this approach because as the attack surface proliferated, it gave rise to problems such as vulnerability overload and an inability to keep up. It’s an approach that fails to take into account the ever-increasing number of new CVEs, and the much wider attack surface of the modern-day enterprises, preventing them from seeing the bigger picture and not doing enough to identify and reduce the full exposure. Rather than running to stand still, it feels like running forwards while still going backwards.
Exposure management attempts to rectify this by understanding and managing the full attack surface and what it looks like from an attacker’s perspective. It looks at the vulnerabilities of all (not just IT) assets, and many other exposures such as user permissions, misconfigurations, security controls and other key pieces of the puzzle to adds context which then allows for the prioritisation of remediation efforts and better security planning.
In short, Threat Exposure Management addresses three main areas:
- Vulnerability Management – identifying and managing vulnerabilities of the organisation across complex environments
- Attack Surface Management – Understanding the internal and external attack surface and the exposures they present along with their relative risk profile and sensible remediation prioritisation
- Continuous Controls Testing – A mechanism to continuously test an organisation’s defences and pick up on any new exposures that may manifest and validate that remediated exposures have indeed been addressed.
Therefore, Threat Exposure Management goes far beyond Vulnerability Management, and yet, in the context of a rapidly evolving spectrum of threats, to be truly effective, exposure management needed to become a continuous process.
Breach prevention
Continuous Threat Exposure Management (CTEM) is a term coined by Gartner prior to 2020 and is fast becoming mainstream. The strategy outlines a set of processes and capabilities that can used to assess and manage the exposure of the business from the attacker’s perspective on a continuous basis. It identifies threats which might be exploited and determines how using simulations to explore and disrupt attack paths, a valuable tactic given how quickly adversaries now chain multiple exposures. In fact, Gartner predicts that by 2026, organisations that use CTEM to prioritise security spend will be three times less likely to suffer a breach.
CTEM is a programme, not a tool or a technology. Implementing a CTEM programme is a methodical process which Gartner describes as covering five stages. The first is scoping the attack surface itself, and this will include traditional vulnerabilities and exposures, but also avenues of exposure that might not have been considered before, such as social media channels, dark web leakages, and human or organisational risk. It is up to each organisation to map out the scope of its own exposure for adoption within CTEM, as every organisation will have a unique risk profile.
The second phase is discovery, whereby an inventory of the potential risks and exposures across the attack surface within this defined scope is identified and catalogued. This is followed next by the prioritisation of exposures. Key to this is understanding both the internal and external attack surface, but also the attack paths an attacker might use to navigate a complex attack. This can produce insightful information to help organisations prioritise which exposures offer chokepoints to protect against the highest risk and volume of attack paths. And the final stage sees the mobilisation of resources to address the most prioritised exposures which then needs to be validated.
Implementation, however, can be challenging, with three main teething problems. Firstly, there’s an abundance of tooling that is available to underpin these processes, which can add to an already bloated cybersecurity stack. When we talk about threat exposure management, there are a few different pillars, products and capabilities available, including External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Attack Path Mapping (APM), Digital Risk Protection (DRP), Vulnerability Assessment (VA), and continuous controls testing. Tools are evolving to integrate these capabilities into one platform, but significant fragmentation still exists.
Getting it right
Secondly, simply relying on scoping and failing to properly inventory the IT estate and its assets can be a stumbling block. If this is proving difficult, the advice from Gartner is to focus primarily on identifying risk and the potential impact of that risk being realised. However, risks can be interdependent so that the impact should also take into account other knock-on effects i.e. the supply chain and how this might increase the blast radius of a successful attack. Risk is also a movable feast, with new technologies being added or business practices changing in response to market dynamics, so the inventory of exposures needs to be revised on a continuous basis. This feeds back into the Scoping phase of CTEM, making it a continuous process that should never end.
Thirdly, CTEM typically sees the crunching and analysis of large amounts of data from disparate sources, which can be costly and resource intensive. However, hope is on the horizon. CTEM came only second to AI in Gartner’s top ten list of Strategic Technology Trends for 2024. These are the technologies that its leading analysts predict will be integral in protecting the organisation, generating value and achieving business goals going forward. CTEM is indeed a programme and not a tool, but an underpinning and supporting integrated solution can greatly help the process.
Future promise
During 2024 we will see CTEM move into the mainstream. As momentum gathers pace and more organisations roll out CTEM programmes, we can expect to see the technology required to implement it converge, leading to consolidation in the space. Those point solutions will converge under umbrella offerings that seek to serve market requirements, and Managed Security Service Providers (MSSPs) are likely to develop outsourced service offerings. If CTEM achieves mass adoption and reaches a tipping point, it could well rewrite the security rulebook when it comes to threat and vulnerability management.
Under CTEM we can expect to see more comprehensive mapping of risks that go beyond the immediate vulnerabilities of systems and which take into account the exposure of the business overall. There will be a shift towards more predictive planning that can use modelling to plan the likelihood, impact and the remediation required for an exposure risk to be mitigated. And CTEM will lead to the prioritisation of resources and investment, leading to more astute spend based upon these factors.
A substantial proportion of security technology innovation is going into the CTEM category and could possibly turn out to be the next great inflexion point in the perennial quest for a cybersecurity nirvana. Organisations could do worse than look closer at CTEM and understand the security benefits that can accrue from this holistic approach to managing exposure.
Martin is Director of Product Management of Integrity360.