How modern SecOps teams use CTEM to Assess and Reduce Cyber Threats

By Yuval Wollman Chief Cyber Officer, UST [ Join Cybersecurity Insiders ]
166

Gartner created the Continuous Threat Exposure Management (CTEM) framework as a strategic approach to help organizations of all sizes and maturity levels address modern cybersecurity challenges by continually and consistently evaluating the accessibility, exposure, and exploitability of an enterprise’s assets. Gartner predicts that organizations prioritizing their security investments based on a continuous threat exposure management program will realize a two-third reduction in breaches by 2026. The framework has garnered quite a bit of attraction over the last two years as new startups offer their take on a threat exposure management solution in a race for industry dominance. An even greater number of existing security solutions have modified their positioning to highlight their legacy vulnerability management, attack surface management, or breach and attack simulation tools as CTEM offerings. 

Most organizations address part of the story because they are missing the contextualized threat data that functions as an intelligence layer. It is estimated that an average enterprise organization can have anywhere from 40-70 tools in its security stack. Yet many security teams still struggle to understand their cybersecurity readiness capabilities, including detection, response, and preventive measures, because of a lack of integration. Manual configuration reviews, occasional penetration tests, or siloed, tool-centric administration of security controls are insufficient in the face of rapidly changing attack techniques. Dedicated threat exposure management solutions, on the other hand, take a broader approach, encompassing the entire organization’s IT infrastructure and identifying potential attack paths while considering the impact of vulnerabilities. 

Why starting with threat is key

With the proliferation of sophisticated threats outpacing the evolution of defenses, the pivot from a reactive to a proactive security strategy will be a challenge for security practitioners. Taking a threat-centric approach ensures alignment of cyber threat intelligence against actual defenses to understand and triage the most critical issues. 

Automated threat prioritization is necessary to properly assess, configure, optimize, and align current security tools to defend against advanced threats in a timely manner, but is not often integrated into traditional security offerings. For example, when a new threat advisory is released, organizations need to ensure they have real-time access to information required to determine if they are at risk, such as visibility into unpatched vulnerabilities, the likelihood of an attack, validate that controls can defend against the specific threat, and measure the potential business impact. The time-consuming manual processes of threat mapping, threat intelligence fusion, and determining defense readiness diminish an organization’s ability to proactively address exposures. 

Today, that process can take days or even weeks as cybersecurity products and services like cyber asset attack surface management (CAASM), cloud security posture management (CSPM), SIEM, XDR, and vulnerability managers compile data that don’t work together. This issue means organizations have severe gaps in their defenses for extended periods of time. Without automation and the ability to scale, organizations leave themselves susceptible when they scramble to understand their exposure to new threats.  

Implementation Challenges

Having a CTEM strategy is critical for organizations to optimize existing security investments. Implementation involves unifying various security tools to help organizations understand all exposure risks, including vulnerabilities, security tool deployment and configuration, exploitable public-facing assets, and missing detection coverage; however, several challenges can hinder the successful execution of a program, including:

  • Lack of holistic visibility into the entire defense surface and tool integration complexities
  • The time and effort it takes to operationalize cyber threat intelligence 
  • Difficulties in prioritizing specific organizational vulnerabilities and associated threats
  • The ability to continuously automate security control assessments rather than relying on point-in-time assessments and audits 
  • Not being able to systematically map tool capabilities and detection coverage to adversarial TTPs 
  • Skills gaps

To start understanding your relevant threats and vulnerabilities, organizations need to overcome issues with data integration, organizational silos, a lack of skilled personnel, and the complexities of automation. Addressing these challenges will require fostering cross-team collaboration amongst threat and security operations teams and adopting technologies that can unify security data and automate analysis.

Market Adoption

Although the threat exposure management market is gaining traction amongst security leaders, it is still considered an emerging market, with Gartner research placing market adoption between 5% and 20%. The cost of ownership should not be a hindrance to adoption. It will likely lead to a net positive on an organization’s bottom line, as these programs have proved to help with tool consolidation and save time, resources, and manpower used to automate manual processes and testing. Finding the cost of CTEM as a tool is generally justified when reflected against optimization and saving on defense infrastructure, effectively managing threats in a better way and ultimately helping to avoid the cost of a breach in the long run.

Security teams will continue to struggle with ensuring cyber defenses are calibrated and responsive to the threats that matter most to them without early adoption. CTEM adoption will require an industry shift as we move away from reactive tooling to a more proactive and programmatic approach; however, we have slowly seen an uptick in exposure management initiatives since actions by the Security and Exchange Commission (SEC) requiring publicly traded companies to disclose material breaches of any cybersecurity incident and to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. To achieve this, security leaders must have quantitative data to demonstrate and attest that their program is well-reasoned and defendable.  

The bottom line is that organizations must overcome siloed technologies, broken integrations, the complexity of analyzing the dynamic relationships between adversaries and defensive capabilities, and the difficulties in exposure measurement and management. To stay ahead of emerging threats and establish your team as a modern SecOps organization you must implement an effective CTEM program that will allow you to continuously analyze defensive capabilities, prioritize threats and vulnerabilities, and optimize tooling across your security ecosystem.

 

Ad
Join over 500,000 cybersecurity professionals in our LinkedIn group "Information Security Community"!

No posts to display