Continuous threat exposure management (CTEM) – a model for more comprehensive risk exposure management – is emerging as a solution to many of the challenges organisations face in mitigating cybersecurity risks.

According to chief product officer at Skybox Security Haggai Polak (pictured), effective exposure management not only identifies and prioritises the most critical exposures; it also reduces noise and brings down the number of issues to remediate to a manageable level.

“The Gartner hype cycle for security operations has defined exposure management as an embryonic market, and vendors are still aligning with it,” he said. However, Gartner recently predicted that by 2026, organisations prioritising their security investments based on CTEM programmes would be three times less likely to suffer from a breach.

Exposure vs vulnerabilities

Polak noted that the legacy models for vulnerability management address only a small subset of the total risk exposure, informing the need for broader exposure management.

“For example, a vulnerability on a server typically means a software or even a hardware defect that creates an opening an attacker could exploit to do something malicious. But when we look at the attack surface, we quickly realise there are a lot of potential exposures and risks that are not caused by vulnerabilities.

“Take a BYOD device that doesn’t have endpoint security, or a misconfiguration of a firewall, for instance. These are not software defects, but they create huge openings. Exposure is a much wider term used to describe any risk, created in any way, that can be exploited.”

Why continuous monitoring is crucial

Polak says the continuous nature of CTEM recognises that the attack surface and threat landscape are changing all the time.

“Modern organisations are agile – they continually add new servers, applications and network paths, so the attack surface is ever evolving. In addition, the threat landscape is changing very rapidly, with about 30 000 new common vulnerabilities and exposures (CVEs) published every year. It’s no longer enough to perform vulnerability assessments periodically – monthly, or just once or twice a year.

“Continuous exposure means we use a set of tools and capabilities to do threat analysis much more often,” he said.

Annual analysis can result in reports with millions of entries that security and infrastructure teams are ill equipped to deal with. Polak said most Skybox customers do daily analysis and prioritisation so that analysts can cut the noise and surface the top exposures they need to address.

Five stages of CTEM

Polak says CTEM programmes comprise five distinct stages:

Scoping: this entails the definition of the assets which will be included in the programme, with an inventory of all endpoints, servers, potentially network devices, cloud infrastructure and OT assets. Polak says it may also include user identities and applications. “One challenge in scoping is to correctly classify and prioritise the assets. Asset importance is an extremely useful parameter to use when trying to decide the priority of exposures,” he said.
Discovery: a comprehensive discovery of exposures which is far broader than vulnerability scans. This should include looking at missing controls, misconfigurations and testing infrastructure against security industry benchmarks that define best practices. “When you perform adequate discovery you find a large number of exposures and vulnerabilities – we find an average of 10 exposures per asset. In a large enterprise, the total number of exposures could be overwhelming.”
Prioritisation: a critical stage that can narrow down the number of occurrences detected from millions to double digits that must be addressed. “Prioritisation distils the overwhelming number of exposures down to the things most likely to cause harm,” Polak said. Properly executed, prioritisation looks at the published severity of risks, CVSS score for an indication of the potential damage of exploitation of a vulnerability and how easy it would be to exploit it, and whether the vulnerability is theoretical or whether it is actually being exploited in the wild. Added to this, using an exploit probability score, asset importance, and network access analysis allows organisations to narrow down the number of severe and exploitable exposures on important assets. Attack path analysis is especially useful since it determines if the asset is actually exposed to the vulnerability, or if there is an access list, firewall rule or intrusion detection signature that mitigates the attack and reduces urgency.
Validation: an extension of prioritisation which checks whether the vulnerability or exposure can actually be used for malicious purposes on the specific asset.
Mobilisation: the response or remediation stage. Polak said: “This is the step where you take action and try to remove exposures from the list. Gartner makes the important observation that the most often neglected phases are prioritisation and mobilisation. Inadequate prioritisation and remediation often have a lot to do with organisational structures – for example, security may come up with reports, and “throw them over the fence” to the IT team to fix. So, mobilisation is hard technically and organisationally. Remediation also requires integration into ITSM, with automation to streamline and automate cyclical processes. You also need the ability to report on the success of the programme, with KPIs and SLA reports on how effective you were.”

Exposure management

Organisations evolving to adopt CTEM models should move to acquire the tools and capabilities to run these models effectively. “Organisations could potentially need to make organisational changes to implement programmes – for example, joint security and infrastructure teams to implement them. In terms of tools, many probably already have some of the building blocks like security scans in place.

“They need additional tools like Skybox to analyse configurations, missing controls and shadow IT, and they need to be able to aggregate the scans into one data model. This will allow organisations to look at exposure holistically, mobilise to remediate exposure, and measure the success of the remediation,” he said.