By Kasey Panetta | 4-minute read | August 21, 2023
Big Picture
Today’s cybersecurity attackers pivot fast, leaving organizations scrambling to automate controls and deploy security patches to keep up, but such tactics don’t reduce future exposure. What’s needed is a continuous threat exposure management (CTEM) program that surfaces and actively prioritizes whatever most threatens your business. Creating any such program requires a five-step process.
Download now: The IT Roadmap for Cybersecurity
Start by scoping your organization’s “attack surface” — vulnerable entry points and assets — which extends beyond the focus of typical vulnerability management programs. Include not just traditional devices, apps and applications but also less tangible elements such as corporate social media accounts, online code repositories and integrated supply chain systems.
Organizations looking to pilot their first CTEM initiative could consider one of the following two areas:
External attack surface, which combines a relatively narrow scope with a growing ecosystem of tools.
SaaS security posture, which has become an increasingly important area of focus as more remote workers have resulted in more critical business data being hosted on SaaS.
While many discovery processes initially focus on areas of the business that were identified during scoping (Step No. 1), they should proceed to identify visible and hidden assets, vulnerabilities, misconfiguration and other risks.
Confusion between scoping and discovery is often the first failure when building a CTEM program. The volume of discovered assets and vulnerabilities is not success in and of itself; it’s far more valuable to accurately scope based on business risk and potential impact.
The goal of this process is not to fix every single security issue. Prioritization should factor in:
Urgency
Security
Availability of compensating controls
Tolerance for residual attack surface
Level of risk posed to the organization
The key is to identify the high-value assets of the business and focus on a plan of treatment that addresses them.
First, confirm attackers could actually exploit a vulnerability, analyze all potential attack pathways to the asset, and identify if the current response plan is fast and substantial enough to protect the business.
Also key is convincing all the business stakeholders to agree on what triggers lead to remediation.
By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach.
You can’t wholly rely on the promise of automated remediation (though it might make sense for some obvious and unobtrusive issues). Rather, communicate your CTEM plan to the security team and to business stakeholders, and make sure it’s well understood.
The objective of the “mobilization” effort is to ensure teams operationalize the CTEM findings by reducing any obstacles to approvals, implementation processes or mitigation deployments. In particular, document cross-team approval workflows.
“Continuous threat exposure management is a pragmatic and effective systemic approach to continuously refine priorities and walk the tightrope between two modern security realities. Organizations can’t fix everything, nor can they be completely sure what vulnerability remediation they can safely postpone.”
0:00 / 0:00
Cybersecurity is a business issue, not a technical one, according to 88% of boards of directors surveyed. Join Distinguished VP Analyst Paul Proctor as he explains how to communicate outcome-driven metrics to your business stakeholders and ensure those outcomes drive key success metrics.
3 things to tell your peers
Enterprise management of cybersecurity threats currently focuses on tackling certain events, but this isn’t the best long-term solution.
Tactical approaches to security rarely reduce future exposure to threats.
Continuous threat exposure management prioritizes threats most material to your business.
Share this article
As a Research VP for security operations and infrastructure protection, Jeremy D'Hoinne assists chief information security officers and their teams to develop strategies to protect against advanced threats. Mr. D'Hoinne's research includes exposure management and how to run a continuous threat exposure management (CTEM) programme, but also how covers the related technologies, such as cybersecurity validation technologies,including breach and attack simulation (BAS). He also studies the intersection of artificial intelligence and cybersecurity with a focus on the disruptions caused by large language models and generative AI. Mr D'Hoinne continue to advise organization on infrastructure protection, especially network detection and response, remote access, and network and micro-segmentation.
For More Insights
