The Value of Continuous Threat Exposure Management in Securing the Evolving Attack Surface

In cybersecurity, current approaches don’t stay current for long. Organizations that fail to adapt accordingly often discover this fact at the cost of their secure network. This is particularly true in the face of complex and increasingly unpatchable attack surfaces and a corresponding reduction in the impact of automated remediation practices. Traditional security approaches are unable to fully address these challenges.

In response, Gartner has proposed a new approach — continuous threat exposure management (CTEM) — to uncover an organization’s networks, systems, and assets on an ongoing cycle to identify vulnerabilities and weaknesses and prioritize remediation plans before cybercriminals can exploit them. Following our introduction to CTEM, we outline how organizations can maximize the benefits of CTEM.

Addressing the Unpatchable Exposure Layer

While attack surfaces always shift, recent social and cultural changes accelerated this trend. The rise of the cloud as a key business resource, the growth of remote and hybrid working, and the increase in social media led to a broadening of organizations’ unpatchable attack exposure. In fact, Gartner predicts that by 2026, unpatchable attack surfaces will increase from less than 10% to more than half of the enterprises’ total exposure, weakening the value of automated remediation practices.

(Source: Gartner Research, Predicts 2023: Enterprises Must Expand from Threat to Exposure Management, December 2022)

Automated and reactive approaches to threat assessment and management cannot provide the full breadth and depth of insight that organizations now require. Despite the threat landscape constantly changing and organizations themselves always evolving, many security programs still focus on point-in-time assessments. Even when scheduled regularly, more traditional security programs have the potential to overlook key vulnerabilities. This is why Gartner highlights a proactive and continuous approach, stating that organizations must progress from simply responding to threats to proactively managing their threat exposure.

The CTEM process aims to consistently monitor, evaluate, and mitigate security risks through strategic improvement plans and actionable security posture remediation.

CTEM puts all kinds of exposure in scope, not just software-based vulnerabilities, and includes practices to validate findings to facilitate difficult remediation decisions. Another key benefit of a CTEM program is that, unlike traditional solutions such as vulnerability management, it considers the “why” and “how” elements of what is discovered, providing more complete security insight.

From Scoping to Mobilization: Advancing Threat Exposure Management

A CTEM program is made up of five key stages:

• Scoping - This step aims to understand and identify the aspects most important to the individual business.
• Discovery - The Discovery stage is critical for uncovering assets and their risk profiles. Exposure discovery should include the misconfiguration of assets, security controls, and other weaknesses.
• Prioritization - Base prioritization on indicators that can provide an accurate picture of impact and likelihood, such as threat severity and availability of security controls.
• Validation - This stage is the part of the process in which an organization can validate how potential attackers can exploit an identified exposure and the potential response of monitoring and control systems.
• Mobilization - This stage ensures teams operationalize their findings by reducing obstacles to approval, implementation processes, and mitigation deployments.

Cybersecurity Validation: The Missing Link in the Threat Lifecycle

Organizations now seek to go beyond threat detection and response for their IT, OT, and cloud environments to proactively and continually improve their security posture and reduce exposure. Businesses also recognize that they need to address a lack of visibility of their security service's benefits and a lack of resources to effectively mitigate changing risks.

CTEM, specifically the validation stage, can help address these complex challenges. Validation harnesses the controlled simulation or emulation of attackers’ techniques in production environments, often using manual assessment activities, such as red team exercises, to extend its reach. It also includes verifying the suggested treatments to enhance security and assess their suitability for the organization.

From Pilot to Mature: Maximizing CTEM

While the advantages of establishing a CTEM program are clear, getting started and progressing toward maturity can be challenging. However, one of the advantages of CTEM’s cyclical approach is that it can be constantly updated in light of the uncovered insights. This gives organizations the scope to adjust and adapt to maximize results.

Gartner recommends tackling threat exposure by using emerging areas such as attack surface management and security posture validation and highlights that once organizations start growing in maturity, they can then begin to include assets over which they have less control.

A successful CTEM pilot and ongoing development relies on collaborative working. To define and later refine the scope of the CTEM initiative, security teams must first ensure that they understand what is important to their organization and the types of impacts (such as a required interruption of a production system) likely to be severe enough to require a collaborative remedial effort.

As organizations seek to mature their CTEM program, they also need to improve its weakest components, which are often the prioritization and mobilization steps. The maturity of individual steps might differ and evolve at different speeds.

Getting Started with CTEM

For some organizations, incorporating their CTEM program into their security strategy can be daunting. However, they can get started more easily by applying Kroll’s approach:

• Identify WHERE (Scoping and Discovery) - Where your highest priority exposures are, using attack surface management and threat intelligence monitoring (surface and dark web)
• Validate HOW (Prioritization and Validation) - How your attackers will exploit and how effective your controls are, using agile pen testing, red teaming, and, if mature enough, purple teaming exercises
• Address WHAT (Mobilization) - What controls, policies, and processes should be implemented using virtual CISO (vCISO) services (policy design, remediation plans, security training and awareness, system hardening and configuration, etc.)

If your organization requires specialist help with putting these steps into action, Kroll is ideally positioned to provide support with implementing a new CTEM program or helping to mature an existing one. Our unrivaled expertise ensures that your CTEM program enhances your cyber resilience and maximizes your security investment. Our elite cyber risk practitioners are seasoned at delivering services such as our vCISO offering and our end-to-end retainer client services, penetration testing, breach and attack simulation, and vulnerability assessments to empower businesses to benefit from effective, impactful CTEM programs.

Contact us to learn more.