The attack surface isn’t what it used to be, and it’s becoming a nightmare to defend. The ever-expanding and evolving attack surface means that the risk to businesses has increased dramatically, and today’s security measures are struggling to protect it. If you have clicked on this article, there is a good chance that you are looking for solutions to manage this risk.
In 2022, Gartner developed a new framework to address these issues – Continuous Threat Exposure Management (CTEM). Since then, implementing this framework has become a priority for many organizations as a way to improve their security posture substantially and to maintain a high level of security readiness and resilience.
“By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be three times less likely to be breached.” Gartner, “How to Manage Cybersecurity Threats, Not Episodes,” 21 Aug 2023
CTEM provides a continuous, comprehensive view of the attack surface and the exposures on it, validates whether existing security controls actually block exploitation of those exposures, and then mobilizes the organization to remediate the exposures selected for action.
Adopting CTEM can quickly become overwhelming, because it means organizing many disparate, moving parts: unifying the view of digital assets, workloads, networks, identities and data across the enterprise. To simplify it, we have broken the framework down into its pillars, with manageable steps to guide you through the process of making exposure management manageable.
Pillar #1: Increase the visibility of the attack surface
The main problem with traditional asset and vulnerability management is its limited scope. It provides only a cross-section of the attack surface, typically focusing on local vulnerabilities alone, and offers no way to act on the vulnerability data it generates.
CTEM provides better visibility into all types of attack surface exposures – internal, external and cloud – to help organizations better understand their real-world security risk profile.
The process begins with phased coverage of the environment's digital assets. We recommend an initial scope that includes:
- The external attack surface, which is typically smaller in scope and supported by a growing ecosystem of tools.
- The SaaS footprint, which makes risk easier to communicate, since SaaS solutions increasingly house critical business data.
As a second step, consider expanding your scope to digital risk protection, which adds further visibility into the attack surface.
Once the scope is determined, organizations must define their risk profiles, identifying the exposure of high-priority assets. The profile should also cover misconfigured assets, especially misconfigured security controls, and other weaknesses such as rogue or counterfeit assets and poor responses to phishing tests.
Pillar #2: Enhance vulnerability management
Vulnerability management (VM) has long been a cornerstone of many organizations' cybersecurity strategies, focusing on identifying and remediating known CVEs. However, with the growing complexity of IT environments and the expanded capabilities of threat actors, vulnerability management on its own is no longer sufficient to keep the enterprise secure.
This is especially evident when you consider the growing number of CVEs published every year. Last year alone, 29,085 CVEs were published, yet only 2-7% of them have ever been exploited in the wild. Patching everything is therefore an unrealistic goal, and it would not even address non-patchable exposures such as misconfigurations, Active Directory issues, unsupported third-party software, stolen and leaked credentials and more, which by 2026 are expected to make up more than 50% of enterprises' exposure.
CTEM shifts the focus to prioritizing exposures by their exploitability and their potential impact on critical assets, rather than by CVSS score, disclosure date or vendor rating. This ensures that the digital assets most critical to the organization's continuity and mission are protected first.
Prioritization therefore centres on security gaps that are easy to exploit and that give access to sensitive digital assets. Exposures that meet both criteria are addressed first, and they typically account for only a small proportion of all identified exposures.
Pillar #3: Validation transforms CTEM from theory into a proven strategy
The final pillar of the CTEM strategy, validation, is the mechanism that confirms whether a security gap can actually be exploited and whether existing controls stop it. To ensure the continued effectiveness of security controls, testing should be offensive in nature, emulating the methods of attackers.
There are four strategies for testing your environment as an attacker, each of which reflects techniques used by adversaries:
- Think in graphs – While defenders often think in lists, whether of assets or vulnerabilities, attackers think in graphs, mapping the relationships and paths between the different components of the network.
- Automate tests – Manual penetration testing is expensive: a third-party pentester stress-tests your security controls, and organizations are limited in how much they can have audited this way. Attackers, by contrast, use automation to execute attacks quickly, efficiently and at scale.
- Check the actual attack paths – Attackers do not focus on individual vulnerabilities; they think about the whole attack path. Effective testing means testing the complete path, from initial access to impact on critical assets.
- Test continuously – Manual pentesting is typically performed periodically, once or twice a year. Testing in "sprints", or short iteration cycles, lets defenders keep up with the speed of IT change, protecting the entire attack surface by addressing exposures as they arise.
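The prioritization described under Pillar #2 and the "think in graphs" and "check the actual attack paths" principles above can be made concrete in a few dozen lines. The following is an added example written for this article, not Pentera's code or any product's logic: it models a small, entirely constructed environment (hypothetical hosts such as vpn-gw and da-admin, and hypothetical findings E1 to E5) as a directed graph whose edges are enabled by validated exposures, enumerates the attack paths from the internet to two crown-jewel assets, ranks exposures by the critical assets and paths they sit on, and shows which single fix would cut which paths. Compare its ranking with the CVSS-only ordering: a 9.8 on an isolated test box drops to the bottom, while an Active Directory misconfiguration with no CVSS at all turns out to be a choke point.

```python
"""Added example: rank exposures by the attack paths they enable, not by CVSS.

The environment below is constructed for illustration (hypothetical hosts,
identities and findings); it is not data from any real assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    eid: str
    description: str
    cvss: float          # 0.0 for non-CVE exposures (misconfigurations, credentials)
    exploitable: bool    # confirmed by validation, e.g. an automated test succeeded


# Constructed findings. E2 scores as high as E1 but leads nowhere and failed
# validation; E3 and E4 have no CVSS at all yet sit on paths to the crown jewels.
EXPOSURES = {
    "E1": Exposure("E1", "RCE in internet-facing VPN gateway", 9.8, True),
    "E2": Exposure("E2", "RCE in isolated test server", 9.8, False),
    "E3": Exposure("E3", "leaked backup service-account password, reused on file server", 0.0, True),
    "E4": Exposure("E4", "AD misconfig: helpdesk group has GenericAll over a Domain Admin", 0.0, True),
    "E5": Exposure("E5", "auth bypass in internal HR app used by helpdesk", 6.5, True),
}

# Directed edges (src, dst, exposure id or None). None means legitimate access
# that follows automatically once src is held (e.g. a Domain Admin reaching a DC).
EDGES = [
    ("internet", "vpn-gw", "E1"),
    ("internet", "test-srv", "E2"),
    ("vpn-gw", "svc-backup", "E3"),
    ("svc-backup", "file-srv", "E3"),
    ("vpn-gw", "helpdesk-user", "E5"),
    ("helpdesk-user", "da-admin", "E4"),
    ("da-admin", "domain-controller", None),
    ("da-admin", "file-srv", None),
]
ENTRY = "internet"
CRITICAL = {"file-srv", "domain-controller"}


def attack_paths(edges=EDGES, exposures=EXPOSURES, entry=ENTRY, critical=CRITICAL, removed=()):
    """Enumerate simple paths from `entry` to any critical asset.

    An edge is traversable only if it needs no exposure, or its exposure was
    validated as exploitable and is not in `removed` (a remediation what-if).
    Each path is a list of (node, exposure_id_used_to_reach_it) tuples.
    """
    usable = [(s, d, e) for s, d, e in edges
              if e is None or (exposures[e].exploitable and e not in removed)]
    paths = []

    def walk(node, visited, trail):
        if node in critical:
            paths.append(trail)
        for s, d, e in usable:
            if s == node and d not in visited:
                walk(d, visited | {d}, trail + [(d, e)])

    walk(entry, {entry}, [(entry, None)])
    return paths


def rank_by_path_impact(paths, exposures=EXPOSURES):
    """Order exposures by (#critical assets reachable through it, #paths it sits on, CVSS).

    Exposures on no validated path sink to the bottom regardless of their score.
    """
    assets = {eid: set() for eid in exposures}
    count = {eid: 0 for eid in exposures}
    for trail in paths:
        target = trail[-1][0]
        for eid in {e for _, e in trail if e is not None}:
            assets[eid].add(target)
            count[eid] += 1
    return sorted(exposures,
                  key=lambda e: (len(assets[e]), count[e], exposures[e].cvss),
                  reverse=True)


def rank_by_cvss(exposures=EXPOSURES):
    """The ordering a CVSS-only vulnerability list would produce."""
    return sorted(exposures, key=lambda e: exposures[e].cvss, reverse=True)


def choke_points(edges=EDGES, exposures=EXPOSURES):
    """For each exposure, which critical assets become unreachable if it alone is fixed."""
    result = {}
    for eid in exposures:
        still = {trail[-1][0] for trail in attack_paths(edges, exposures, removed={eid})}
        result[eid] = CRITICAL - still
    return result


if __name__ == "__main__":
    paths = attack_paths()
    for trail in paths:
        print(" -> ".join(f"{n}({e})" if e else n for n, e in trail))
    print("by CVSS:       ", rank_by_cvss())
    print("by path impact:", rank_by_path_impact(paths))
    for eid, cut in choke_points().items():
        print(f"fix {eid}: cuts access to {sorted(cut) or 'nothing'}")
```

Running the script prints the three validated paths, both rankings and the choke-point table. In a real program the exploitable flag would come from the validation step (an automated test that actually traversed the edge) and the graph from the discovery step; the scoring tuple is kept deliberately simple so that the reasoning stays visible, and the choke-point what-if is the question a remediation owner actually asks: if I fix only this one thing, which paths close?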
CTEM: Invest Now – Get Consistent Results
With all the different elements of people, processes, and tools in a CTEM strategy, it’s easy to get overwhelmed. However, keep a few things in mind:
- You are not starting from scratch. You already have asset and vulnerability management systems in place; the task is simply to extend their scope. Make sure your tools cover the entire attack surface of your IT environment and are updated constantly to keep pace with change.
- Think of it as a process of continuous improvement. Implementing the CTEM framework becomes an agile cycle of discovery, mitigation, and validation. The work is never truly done. As your business grows and matures, so does your IT infrastructure.
- Put validation at the center of your CTEM strategy. It gives you confidence that your security operations will stand up to a real attack, and you need to know where you stand at all times. Perhaps the controls hold, which is great. Alternatively, you identify a gap, and now you can close it with a prescriptive fix, fully aware of what the consequence of leaving it open would be.
Learn more on how to implement a CTEM strategy for validation with Pentera.