Pundits have been stressing the importance of continuous security validation and threat monitoring for the past few years. With the staggering sophistication and aggressiveness of threat actors, the conventional ways of establishing security posture no longer suffice. However, it appears more needs to be done to keep up with the rapid evolution of cyber threats.
In its 2022 Hype Cycle, Gartner, the tech research and consulting firm, introduced a new program that focuses on the steps that come before security validation. It supplements ceaseless security validation with a greater emphasis on threat exposure, highlighting the critical role that exposure plays in modern cyberattacks. The rationale is that risks should be continuously planned for, monitored, and reduced, using validation solutions that enable remediation prioritized according to business context.
Continuous Threat Exposure Management
Continuous threat exposure management (CTEM) is designed to establish a cyclic process to ensure complete awareness of threats and an effective handling of attacks. It is not meant to supplant continuous security validation. Instead, threat exposure management boosts cyber defense capabilities by addressing weaknesses even before attacks happen, at the points where possible attacks are carried out.
CTEM has five stages, namely (in sequential order) scoping, discovery, prioritization, validation, and mobilization. These stages seek to optimize security posture by anticipating attacks at the points threat actors are likely to exploit or assail. These stages are undertaken repeatedly to achieve continuous threat exposure management.
Scoping entails the comprehensive determination of all external attack surfaces and risks, particularly those involving the software supply chain and SaaS apps. It requires the security team to collaborate with the management to identify areas that are deemed sensitive, high-value, and mission-critical.
Discovery is the mapping of the organization’s infrastructure, network, apps, and sensitive data assets. It is at this stage that vulnerabilities, configuration errors, and other process issues are identified and classified into risk levels.
The third stage, prioritization, focuses on evaluating the probability that particular threat surfaces will be exploited. This matters because of resource limitations: cybersecurity teams and automated security mechanisms cannot address every exposure at once. Priorities must be set to make the most of the remediation resources available.
Meanwhile, the validation stage is where simulations are conducted on the identified potential cyber attack points. These simulated attacks determine the effectiveness of existing security controls and possible areas for improvement.
Lastly, mobilization happens when remediating or corrective measures are activated in response to the outcomes of the validation stage. This is mostly a manual undertaking and is focused on the local context.
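The prioritization, validation, and mobilization stages above, as an added illustration that is not from the article or from Gartner: a small Python model that scores discovery findings by exploit likelihood weighted by the business criticality agreed during scoping, discounts findings that validation showed are already blocked by an existing control, and cuts a mobilization queue that fits the remediation hours actually available. All assets, findings, weights, and scores are constructed sample values; the scoring formula is a hypothetical one chosen for the example.

```python
"""Toy CTEM prioritization step: rank discovery findings by exploit likelihood
weighted by business criticality from scoping, discount findings the validation
stage showed are already blocked, and cut a mobilization queue that fits the
remediation capacity available. Hypothetical model, not a Gartner algorithm."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int  # 1..5, agreed with business owners during scoping

@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    exploit_likelihood: float  # 0..1, estimated during discovery
    hours_to_fix: float        # remediation effort needed at mobilization

# Constructed sample data (not from a real environment).
ASSETS = {a.name: a for a in (Asset("payments-api", 5), Asset("hr-portal", 4),
                              Asset("marketing-site", 2))}
FINDINGS = [
    Finding("payments-api", "outdated TLS library", 0.6, 8),
    Finding("marketing-site", "missing CSP header", 0.9, 2),
    Finding("hr-portal", "weak admin password policy", 0.7, 4),
    Finding("payments-api", "exposed debug endpoint", 0.8, 3),
]
# Validation stage output: an existing control blocked the simulated attack.
BLOCKED_BY_CONTROL = {"exposed debug endpoint": True}
BLOCKED_DISCOUNT = 0.2  # residual weight when a control already stops the path

def exposure_score(f, assets=ASSETS, blocked=BLOCKED_BY_CONTROL):
    """Likelihood x business criticality, discounted when validation showed the
    path is already controlled. Higher means more urgent."""
    weight = BLOCKED_DISCOUNT if blocked.get(f.issue) else 1.0
    return f.exploit_likelihood * assets[f.asset].criticality * weight

def prioritize(findings=FINDINGS, capacity_hours=12.0, assets=ASSETS,
               blocked=BLOCKED_BY_CONTROL):
    """Return (mobilization queue, full ranking). The queue is filled greedily
    by score and skips items that no longer fit the remaining hours."""
    ranked = sorted(findings, key=lambda f: exposure_score(f, assets, blocked),
                    reverse=True)
    queue, remaining = [], capacity_hours
    for f in ranked:
        if f.hours_to_fix <= remaining:
            queue.append(f)
            remaining -= f.hours_to_fix
    return queue, ranked
```

With the sample data, the high-likelihood CSP issue on the low-value marketing site ranks below the password policy on the HR portal, and the debug endpoint drops to the bottom because validation showed a control already blocks it.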
Difference between CTEM and attack surface management
Threat exposure refers to attack surfaces, so it is natural to wonder how CTEM differs from attack surface management (ASM). Both address the same concern: the points through which threat actors come into direct or indirect contact with an organization's IT infrastructure and assets.
Additionally, both CTEM and ASM entail some form of security validation to determine if the security controls put in place are working as intended. They both simulate attacks to stress-test installed defense systems, revealing weaknesses such as encryption problems, misconfigurations, unpatched or outdated software, and weak passwords.
However, they differ in kind. CTEM is a program that emphasizes collaboration between the security and business management teams, while ASM is a security product or technology that may be part of a broader security posture management platform. Gartner makes it clear that CTEM is neither a new tool nor a new technology. It is a five-stage program that fortifies defenses at and around the attack points or attack surfaces; it prescribes no specific framework and is guided instead by its cyclic five-stage process.
How organizations can use CTEM
There are no cybersecurity products specifically marketed as a continuous threat exposure management solution, at least for now. However, the CTEM program can be adopted as part of existing multifunction cybersecurity validation platforms.
CTEM can mean an enhancement of existing ASM products or functions. Organizations may modify their existing attack surface management solutions to align with the five stages described above. Most ASM solutions are already designed to work continuously, so they may only need some steps tweaked to make the remediation or mobilization stage more comprehensible to business managers or executives, who are likely not tech-savvy but know the operational nitty-gritty of their business.
For organizations that do not have defined attack surface management functions, CTEM can be implemented as a collaborative endeavor of the cybersecurity team and the managers, from top to low level. The managers or executives share their expertise in how the business works, especially when it comes to interacting with customers and stakeholders, setting workplace policies and protocols, and regulating data storage and transmission in the organization. Meanwhile, the cybersecurity team provides the tools and proficiency in using advanced security solutions and technologies.
The implementation of CTEM can be summed up by three vital requirements, which are discussed briefly below.
The use of a multifunction security validation platform – Again, CTEM is not a security technology or product. It uses already existing security solutions for its implementation. These include ASM, automated red teaming, advanced purple teaming, and breach and attack simulation. The incorporation of security frameworks such as MITRE ATT&CK also helps to establish robust threat detection and profiling. It is important that the cybersecurity platform used is multifunction or supports the addition or integration of new functions.
Continuous testing and learning – Aside from using continuous security testing tools and strategies, CTEM also requires the cybersecurity and business management teams to work together in evaluating the testing results and learning how to improve defenses further. The cyclical nature of CTEM means that baselines can be established after mobilization to improve the system as a new scoping stage is initiated.
Guidance on business implications – The continuous testing, consolidation of various security tools, and collaboration between the security and business management teams yield loads of information and insights that can be translated into business implications. The involvement of business managers means that informed security decisions are made rapidly, leading to better security control performance and improved security drift management.
The importance of business context
In summary, continuous threat exposure management is similar to attack surface management but with emphasis on business context and the involvement of the business management team. It is not a predefined strategy, method, or technology to secure IT assets but a program that improves cyber defenses by paying meticulous attention to threat exposure and its impact on business operations.
Cybersecurity teams can be highly efficient and up to date with the latest security tools and threat intelligence. However, without executive leadership support and input, it is difficult to accurately assess the operational impact of threats that target specific attack surfaces. Also, without proactive business management involvement, cybersecurity policies and remediation efforts may not be formulated and enacted promptly enough to stop attacks in their tracks or significantly mitigate their consequences.