In cybersecurity, you will find several well-known, market-established frameworks. The most popular ones are ISO27001, NIST CSF, and SOC2. But in an interesting move, in 2022, Gartner created CTEM (Continuous Threat Exposure Management), a new Threat Exposure Management Framework that mixes things up a little by using a unique approach to risk assessments.

The main difference between the new Threat Exposure Management Framework and the other management frameworks lies in how risk discovery works. Instead of relying on a static risk assessment based on some theoretical value of a particular asset to the organization, CTEM continually assesses the entire ecosystem, including networks, systems, assets, and so on. This allows a higher level of agility in identifying exposures and weaknesses, reducing the likelihood of those weaknesses being exploited.
CTEM steps
1- Identify initial scope
This might be one of the most challenging steps when implementing any new framework. If we select the proper scope, we can successfully improve the organization's security posture. Still, if we choose the wrong scope, we will either leave some assets unprotected or apply a redundant set of controls, which would, at the very least, increase operational complexity for no reason.
One of the areas that can benefit the most from implementing the CTEM framework is the external attack surface of the organization. This is where most threat actors poke around to find vulnerabilities, so this is where most of our efforts should go.
2- Discover assets and risks
Once we have a clear idea of what is in scope, we will initiate a discovery process intended to identify all assets and the vulnerabilities on them. It should go beyond pulling an inventory list and working from it. Some proactive discovery, through either passive or active monitoring, is recommended to help us identify hidden network assets.
Once the assets are inventoried, we have proper visibility into the risks and vulnerabilities the different assets can bring. This should go beyond which CVEs have been found for a specific asset version. It should include a review of the different components' configurations, the development practices, and a code review of the original repository. Brought together, all of this provides a much more complete understanding of each vulnerability, including the potential kill chain that could lead to a breach.
3- Prioritize threats
With the work done during the discovery phase, this phase is less about the technical legwork of understanding the vulnerabilities and the different threats and more about managing the vulnerabilities.
Depending on the size of the organization, it is almost impossible to have a vulnerability-free environment. This is a reality that most management personnel will not understand. Nevertheless, it is a reality that we must live with, and this step helps us steer the limited resources that any organization has toward the areas that will provide the highest value, that is, reducing the highest risks.
4- Validation
In this step, we will use attack simulation tools or other control simulations to validate the exploitability of the prioritized threats. We can also validate whether the controls currently in place suffice to mitigate the attack chains that were deemed a risk.
Once the clear risks are prioritized, we should start working on which triggers should launch the response plan, and ensure that those triggers are effective if an attack actually occurs.
5- Mobilization of resources
This is the last step of the process before we start over by reviewing the program's scope based on the findings. In this step, we go through the approval and implementation phases of the processes and playbooks identified in the previous steps, as well as initiating the different mitigation activities.
This step might be the one that requires the involvement of the widest range of teams. Usually, the asset or application owners are tasked with remediation activities. However, those must be coordinated with the security and IT teams and run by management for approval. Therefore, it is crucial to keep in mind that when assigning responsibilities, we should continually monitor the fix and set a target date for the corrections to be implemented.
Conclusions
At the end of the day, having a security framework that allows for continuous monitoring and improvement of the process, like CTEM, lets us understand application risk better. CTEM has several advantages for the organization compared to other frameworks, such as reducing risk exposure. Another benefit of this new Threat Exposure Management Framework is that it allows for improved prioritization of the risks on which resources are worth focusing. Being able not only to see a complete picture but also to validate that the different risks match what was expected helps the organization focus on the most critical tasks.
Also, the use of CTEM allows a more proactive approach than other frameworks, as it is not based on a one-time snapshot but rather on a continual view of the enterprise threat landscape. Finally, it allows for better incident response, as the generation of a playbook and the validation of the implemented controls are also embedded in the framework process.
Sources:
https://www.splunk.com/en_us/blog/learn/continuous-threat-exposure-management-ctem.html
https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes