The attack surface isn’t what it once was and it’s becoming a nightmare to protect. A constantly expanding and evolving attack surface means risk to the business has skyrocketed and current security measures are struggling to keep it protected. If you’ve clicked on this article, there’s a good chance you’re looking for solutions to manage this risk.
In 2022, a new framework was coined by Gartner to address these challenges – Continuous Threat Exposure Management (CTEM). Since then, putting this framework into action has become a priority across many organizations for the profound improvement it is expected to make towards maintaining a high level of security readiness and resilience.
“By 2026 organizations that prioritize their security investments based on a continuous exposure management program will be three times less likely to suffer a breach.” Gartner, “How to Manage Cybersecurity Threats, Not Episodes,” August 21, 2023
CTEM is a process that provides continuous and comprehensive visibility of the attack surface and the risk exposure it creates, testing whether security controls are effectively preventing exposure, and mobilizing the organization to increase cyber resilience.
Adopting CTEM can quickly become overwhelming as it involves the orchestration of many disparate and moving parts. It requires pulling together digital assets, workloads, networks, identities, and data across the enterprise. Therefore to simplify this, we have broken down the framework to its pillars, providing manageable steps that guide you through this process of making exposure management – manageable.
Asset management is an essential step at scoping the entire environment, and getting a full inventory of digital assets and their relative sensitivity, however the ability to understand each asset’s exposure profile remains a challenge.
Organizations adopting CTEM gain a more realistic view of the exposure profile of each digital asset. CTEM imposes an attacker’s mindset, where instead of trying to get a comprehensive inventory, the aim is analysing the attack surface like an attacker would, assessing each asset in terms of its availability, integrity, and confidentiality.
The process starts by scoping the environment for digital assets in stages. We recommend an initial scope that includes either:
At a second stage, consider expanding the scope to include digital risk protection, which adds greater visibility into the attack surface and SaaS tooling, which lends itself to an easier communication about risks, as SaaS solutions tend to increasingly host critical business data.
Once the scope is determined, organizations should determine their risk profiles by discovering exposures on high priority assets. It should also incorporate the misconfiguration of assets, especially as they relate to security controls, and other weaknesses, such as unmanaged assets or compromised credentials.
Vulnerability Management (VM) has long been the cornerstone of many organizations’ cybersecurity strategies, focusing on identifying and patching against known CVEs. However, with the growing complexity of the IT environment and the enhanced capabilities of threat actors, VM alone is no longer enough to maintain the cybersecurity posture of the enterprise.
This is particularly evident when taking into account the escalating number of published CVEs each year. Last year alone, 29,085 new CVEs were published, and only 2-7% of these were ever exploited in the wild. This makes becoming patch-perfect an unrealistic goal, especially as this doesn’t take into account non-patchable vulnerabilities such as misconfigurations, Active Directory issues,unsupported third-party software, stolen and leaked credentials and more, which will account for over 50% of enterprise exposures by 2026.
CTEM shifts the focus to prioritizing exposures based on their exploitability and their risk impact on critical assets as opposed to CVSS scores, chronology, or vendor scoring. This ensures that the most sensitive digital assets to the organization’s continuity and objectives are addressed first.
The final pillar of the CTEM strategy, validation, is the mechanism to prevent the exploitation of security gaps. To ensure the ongoing efficacy of security controls, validation needs to be offensive in nature, by emulating attacker methods.
There are four strategies to testing your environment like an attacker, each mirroring the techniques employed by adversaries:
With all the different elements of people, processes and tools in a CTEM strategy, it’s easy to get overwhelmed. However keep a few things in mind:
1) You’re not starting from scratch. If you already have your asset management and your vulnerability management systems in place, the focus here is to simply extend their scope. Make sure your tools are comprehensively covering your IT environment’s entire attack surface and they are continually updated with the pace of change.
2) Consider this as a process of continual refinement. Implementing the CTEM framework becomes an agile cycle of discovery, mitigation, and validation. The job is never truly done. As your enterprise grows and matures, so does your IT infrastructure.
3) Put validation at the center of your CTEM strategy. This gives you the confidence to know that your security operations will stand up when put to the test. At any point in time, you should know where you stand. Perhaps everything checks out, which is great. Alternatively, a gap might be identified, but now you can fill that gap with a prescriptive approach, fully aware of what the downstream impact will be.
Learn how to implement a validation-first CTEM strategy with Pentera
Begin your journey in security validation and see why leading companies trust us with their cybersecurity validation.