Improving Cyber Resilience with Continuous Threat Exposure Management

By Seemant Sehgal, CEO and Founder, BreachLock

The modern attack surface is expanding at an unprecedented rate. Cloud adoption and the use of AI let businesses move faster than ever, but every new service, account, and endpoint is also reachable by attackers, and recent research shows security teams managing up to tens of thousands of assets every day.

Threat actors and cybercriminals discover exposed assets and growing attack surfaces daily. Meanwhile, enterprises contend with shadow IT that bypasses threat detection technology and governance protocols, escaping the SOC’s ability to monitor, protect, and defend company assets, data, and users.

In his latest article with Forbes, BreachLock’s CEO and Founder, Seemant Sehgal, explains the drivers behind the new approach that builds a continuous threat exposure management program – also known as CTEM.

Read the full article on Forbes here: Improving Cyber Resilience with Continuous Threat Exposure Management.

To mature security and ensure cyber resilience, security leaders must adapt to evolving business needs, complex technology landscapes, and the evolving threat exposures that together form the collective attack surface. Continuous visibility into that attack surface is therefore paramount if the CISO is to adequately protect and defend the organization in today’s dynamic threat landscape.

A new approach has arrived to help CISOs gain that essential visibility and take prioritized action to find and fix critical attack surface exposures with speed and accuracy. As defined by Gartner Research, the Continuous Threat Exposure Management (CTEM) program can help the Security Operations Center (SOC) work with DevSecOps teams to gain the edge over their most advanced and persistent adversaries by starting with their most critical risks on the attack surface first.


Read on to learn how a CTEM program continuously reduces attack surface exposures and delivers measurable improvements in cyber resilience. Then find out how BreachLock’s award-winning, analyst-recognized platforms can be combined into one CTEM program today.

What is CTEM?

According to Gartner, a continuous threat exposure management (CTEM) program is, “an integrated, iterative approach to prioritizing potential treatments and continually refining security posture improvements… a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.” Researchers predict the focus on a CTEM approach will continue for years to come: “By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be 3x less likely to suffer from a breach.”

A threefold reduction in breach likelihood is a good return on investment. But what exactly does a ‘continuous exposure management program’ entail?

CTEM gives security teams the ability to prioritize the most critical risks on their attack surface. With CTEM capabilities, security practitioners can prevent the most dangerous threat actors from gaining access while minimizing the potential cost and impact of a breach at the same time.

How Continuous Threat Exposure Management Can Help Improve Cyber Resilience

A CTEM program establishes capabilities for security teams to prioritize and remediate threat exposures that have critical risks associated with vulnerable assets.

To get started, a basic CTEM program covers the functions and requirements needed to continually monitor, assess, and mitigate security risks on the digital attack surface and its vulnerable assets, through improvement plans and actionable security posture remediation. A modern SOC will already have a variety of technologies available to support these phases.

The CTEM program includes five steps that an organization can use as a framework:

  • Scoping
  • Discovery
  • Prioritization
  • Validation
  • Mobilization

In each step, the best results will come from using a combination of security technologies and human security expertise for success.

Importance Of Continuous Attack Surface Management

Attack surface management (ASM) is an important risk reduction process, and it directly supports the scoping, discovery, and prioritization steps of CTEM.

Attack Surface Scoping

In the scoping step, the organization defines which parts of the attack surface the program will manage and the criteria by which they will be assessed. According to Gartner, “accurate scoping based on business risk and potential impact is far more valuable” than asset discovery and vulnerability scans alone. Teams need to tailor scoping to their unique environment, their risk tolerance, and the attacker’s view, going beyond traditional CVE-based vulnerability lists. The scoping process should take into account cross-functional teams, departmental stakeholders, and potential business impacts.

Tools that can support this step of the CTEM program include vulnerability management software, web vulnerability scanners, and dark web monitoring tools. Their data feeds will require analysis in the prioritization and security validation steps to produce meaningful context about the identified attack surface.

Continuous Discovery

In the discovery step, scanning of the designated attack surface begins. This automated scanning can be scheduled for 24/7 asset and vulnerability discovery to reveal threat exposures continuously. Discovery tooling includes IP and port scanners, web vulnerability scanners, vulnerability management tools, cloud-native application protection platforms (CNAPP), and telemetry from firewalls and intrusion prevention and detection systems (IPS, IDS).

Prioritization of Findings

In the prioritization step, the known and previously unknown assets and threat exposures surfaced during discovery are assessed against available vulnerability and threat intelligence and ranked by exploitability and business impact, using both manual and automated techniques. Technology in the prioritization step can include vulnerability management tools, penetration testing tools, risk management tools, CNAPP, cloud infrastructure entitlement management (CIEM), breach and attack simulation (BAS) tools, and endpoint detection and response (EDR) technology.

Importance Of Continuous Security Validation

In the security validation step, quality is extremely important because it ensures the most critical risks are correctly prioritized for remediation. This step ensures that findings from the discovery step are assessed, vulnerabilities are validated, false positives are removed, and the associated risks are scored. It should validate data on threat vectors, lateral movement, privilege escalation, security control hardening, potential attack paths, and threat actor tactics, techniques, and procedures (TTPs).
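As an added example, not code from BreachLock or from Gartner’s model, the Python below ranks a handful of constructed discovery findings the way the prioritization and validation steps above describe: confirmed false positives are dropped, unvalidated scanner output is held back until a tester reproduces it, and the remaining findings are scored by exploitability (a KEV-style flag or an EPSS-style probability), reachability from the attacker’s view, and the asset criticality set during scoping, rather than by CVSS alone. The field names, the weights, and the sample records are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One discovered exposure. Field names are assumptions about what a
    discovery/validation pipeline would emit; they are not a product schema."""
    finding_id: str
    asset: str
    title: str
    cvss: float             # scanner base score, 0-10
    epss: float             # estimated exploit probability, 0-1 (EPSS-style signal)
    kev: bool               # on a known-exploited list (CISA KEV-style signal)
    internet_facing: bool   # reachable from the attacker's view, from discovery
    asset_criticality: int  # 1 (low) .. 3 (crown jewel), set during scoping
    validated: bool         # a tester reproduced it; False = raw scanner output
    false_positive: bool = False  # a tester disproved it


def exposure_score(f: Finding) -> float:
    """Severity alone ranks poorly, so weight CVSS by exploitability,
    reachability and business impact: a known-exploited bug on an
    internet-facing crown jewel must outrank an equally severe bug with
    no known exploit on an isolated low-value host."""
    exploit = 1.0 if f.kev else f.epss          # known-exploited beats any estimate
    reach = 1.0 if f.internet_facing else 0.4   # internal-only still counts, less
    impact = f.asset_criticality / 3            # 0.33 .. 1.0
    return round(f.cvss * (0.5 + exploit) * reach * (0.5 + impact), 2)


def prioritize(findings):
    """Return (ranked, pending): validated findings ordered by score, and
    unvalidated findings that must go through validation before they are
    mobilized for remediation. Confirmed false positives are dropped."""
    live = [f for f in findings if not f.false_positive]
    pending = [f for f in live if not f.validated]
    ranked = sorted((f for f in live if f.validated),
                    key=exposure_score, reverse=True)
    return ranked, pending


# Constructed sample discovery output (not real scan data).
SAMPLE = [
    Finding("F-1", "vpn-gw.example.com", "RCE in VPN appliance",
            9.8, 0.97, True, True, 3, True),
    Finding("F-2", "build-agent-07", "Outdated OpenSSL, no known exploit",
            9.8, 0.02, False, False, 1, True),
    Finding("F-3", "www.example.com", "Reflected XSS in search",
            6.1, 0.35, False, True, 2, True),
    Finding("F-4", "www.example.com", "Verbose error page",
            5.3, 0.01, False, True, 2, True, false_positive=True),
    Finding("F-5", "hr-portal.example.com", "Possible SQLi (scanner heuristic)",
            8.8, 0.50, False, True, 3, False),
]

if __name__ == "__main__":
    ranked, pending = prioritize(SAMPLE)
    for f in ranked:
        print(f"{exposure_score(f):6.2f}  {f.finding_id}  {f.asset}  {f.title}")
    print("awaiting validation:", [f.finding_id for f in pending])
```

Note that the CVSS 9.8 OpenSSL finding on the isolated build agent (F-2) ends up below the CVSS 6.1 XSS on the public website (F-3), which is the point of prioritizing on exposure rather than on severity; whether that ordering is right for a given organization depends on the criticality assigned during scoping, which is why scoping and validation feed this step rather than the scanner output alone.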

Security validation technology can include data and context gathered from vulnerability scanning tools, dynamic application security testing (DAST), static application security testing (SAST), and EDR.

Concurrently, security validation requires manual validation by human experts to remove false positives, confirm vulnerabilities, score risks, and prioritize remediation. Organizations can use their in-house teams or work with a trusted partner, such as an IT services provider or a Penetration Testing as a Service (PTaaS) provider, for security validation.

When in-house security experts are unavailable, trusted service providers can augment manual security validation with prioritized, guided remediation for in-house teams. In-house activities, such as security assessments, patch management, threat hunting, etc., can help supplement context and intelligence gathering for the security validation phase of the CTEM program.

An external provider can also help the CISO overcome barriers to organizational acceptance. Collaborating with a trusted, certified security testing vendor provides independent recommendations. Because certified security testers are free of institutional bias and focused on results, tapping into external resources for security validation can improve overall accuracy and efficiency while establishing trust with stakeholders and the board, and can deliver more consistent results than ad hoc internal testing.

Leveraging proven, established offensive security testing providers can augment security validation in several ways. Trusted providers can test and validate the security of production assets in near real time to reduce threat exposures proactively. Because testing production systems requires a fine balance between automation and human expertise, CISOs choosing a provider should confirm how it limits the risk of a self-inflicted incident or disruption.

Importance of Mobilization to Achieve Sustainable Cyber Resilience

In the mobilization step, security teams act on the validated findings. Effective mobilization depends on accurate remediation guidance, which in turn depends on high-quality security testing results that offer precise and actionable recommendations.

Organizations must aim to obtain dependable insights that direct them towards successful risk mitigation. By employing extensive security testing approaches, in-depth evaluations can pinpoint weaknesses, configuration errors, and possible exposures accurately. The ensuing suggestions ought to be explicit, pragmatic, and customized to the organization’s distinct setting. This guarantees that corrective actions are targeted and effective, ultimately enhancing the overall security stance.

Like the validation step, the mobilization step requires human experts to remediate critical threat exposures in the CTEM program. When in-house security analysts and DevOps engineers are in high demand, organizations can leverage extended services from trusted providers, such as PTaaS and managed detection and response services to assist in guided remediation activities.

Other mechanisms that support the mobilization step are already active in many security programs, including monitoring KPIs for continuous improvement, routine retesting, and regular compliance audits. These existing activities supplement an emerging CTEM program, as their findings can be integrated in real time to refresh the intelligence and prioritization of threat exposures on the attack surface.


It is crucial for organizations to establish strong partnerships with security testing vendors during the mobilization phase. Careful selection of vendors that provide extensive support and guidance throughout the remediation process is essential. This cooperative approach helps ensure that the recommended security measures are actually implemented, and trustworthy vendor assistance can be invaluable in addressing the challenges and complexities that emerge during remediation.

By working closely with vendors, organizations can maximize the benefits of a solid CTEM program, effectively overcoming common obstacles related to insufficient testing outcomes and lack of support.

Emphasizing accurate recommendations and dependable vendor assistance can also aid organizations in enhancing their ability to tackle security vulnerabilities and reduce risks. This proactive strategy strengthens the overall security infrastructure and boosts the effectiveness of the CTEM program.

Furthermore, after implementing remediation actions, it is equally important to verify that they actually mitigated the exposure. Conventional point-in-time security testing, such as an annual penetration test, makes this difficult because a fix may go unverified for months until the next engagement.



By adopting advanced testing methods, encouraging collaboration with vendors, and integrating these solutions into current workflows, organizations can accelerate the retesting and validation of remediation efforts. This optimized mobilization process can boost the overall efficiency of the CTEM program, strengthening the organization’s security posture and facilitating effective risk mitigation.

Achieving Success With CTEM

Organizations aiming to improve their cyber resilience can greatly benefit from the successful execution of a Continuous Threat Exposure Management (CTEM) program. By efficiently mapping the attack surface, consistently detecting vulnerabilities and exposures, and ranking them by exploitability and business impact, organizations can proactively pinpoint and tackle their most important security risks.

CISOs have the option to develop their CTEM programs using current in-house resources or to expand internal teams with the help of external solutions. Regardless of the approach, the advantages offered by a continuous threat exposure management program are substantial.

Build Your CTEM Program with BreachLock

Ready to learn how you can build a CTEM program? BreachLock combines its new External Attack Surface Management (EASM) platform for external surface discovery and identification with Pentesting as a Service (PTaaS) to assess, test, and validate the attack surface exposures that require remediation.

Together, these solutions form a continuous threat exposure management program that identifies vulnerabilities and validates them by simulating attacks that test potential system impacts.

Figure: BreachLock’s PTaaS and EASM platforms combine to create a world-class CTEM program

Combined into a CTEM program, PTaaS and EASM give teams the priorities they need to repair first the exposed vectors that together form high-potential attack paths. Together, EASM and PTaaS provide a balance of speed and accuracy that makes them an efficient, effective basis for a CTEM approach.

To learn more, book a discovery call with one of our security experts to see how CTEM can work for you.
