Always-on monitoring for a never-ending attack surface
Gartner® Threat Exposure RoadmapContinuous Threat Exposure Management (CTEM) is a program that security practitioners can put into place to automate continuous monitoring of attack surfaces that are seeing exponential growth due to the number of IT and security systems needed to maintain modern network infrastructure and the sheer volume of devices requesting network access.
Identity and access management (IAM) capabilities are a critical part of a CTEM program in that they help to properly authenticate the large number of users and machines to an enterprise network, thus proactively preventing threats. According to Gartner® research, CTEM programs are enjoying an upswell in popularity at the moment due to:
The research goes on to state, “The focus of concern with exposure-related problems has shifted away from simply managing software vulnerabilities in commercial products. The realization of increased technology risk on such a large scale is overwhelming to security operations teams.”
The implication of potential large-scale risk on an enterprise environment that may be healthcare-focused, for example, is that there could be more access points and/or vulnerabilities for threat actors to exploit at will.
From front to back, end to end, there are several steps in the process of continuously managing threat exposure. It’s important they are performed sequentially so that no vulnerabilities or potential threats slip through the cracks and come back to haunt the organization.
There are obvious benefits to an always-on approach with regard to monitoring, discovering, and remediating network attack surface issues. The following benefits a business can expect to see assume that a CTEM program has been properly implemented according to the specific needs of the security organization.
By leveraging IAM and network access control (NAC) authentication and segmentation best practices, it becomes more difficult for threat actors to access a network – but not impossible. But incorporating these tangential network defense capabilities into one continuous-monitoring program, it becomes possible to vastly reduce the impact of a potential breach if an attacker is able to actually breach.
Due to the potential for ample risk reduction that can occur after standing up a successful CTEM program, it becomes possible for a security organization to adopt more proactive threat-mitigation measures and ultimately achieve stronger cloud security posture management across cloud environments. The results are a less-porous attack surface as well as protecting the enterprise from a position of strength and resilience.
This is the benefit every stakeholder likes to see. The costs of a breach – especially a sizable one – are many: potential ransomware payouts, initiating backups that might not account for current data, lost customers from reputational fallout, and many more. A CTEM program that can effectively help to decrease risk, improve security posture, leverage automation, and reduce breach fallout can save untold amounts of money and headaches in the long run.
A CTEM program will likely pull in existing aspects of a security program to shore up and automate capabilities under one roof, so to speak. When it comes to an enterprise attack surface, there are constant threats looming and exposures surfacing that didn’t previously pose a risk.
With a proliferation of providers out there, it can be difficult not only to know which vendor’s offering best fits an organization but also what exactly is involved in the implementation of the program. Let’s take a look at the various standalone capabilities upon which a CTEM program might rely in a consolidated capacity to further the goal of achieving cyber resilience.
Consider that gaps or vulnerabilities along an organization’s attack surface can quickly become threat vectors for an external attacker to breach the network and quickly cause lots of damage.
Integrating external attack surface management (EASM) capabilities into a CTEM program can help to fortify defenses along a post-perimeter attack surface so that teams can address things like exposed credentials, cloud misconfigurations, and external commercial operations.
A CTEM program brings together many different tools to protect an enterprise attack surface by continuously monitoring for and identifying exposures. The purpose of CTEM bears re-stating because it’s got a big job, with many stakeholder opinions to take into account.
Thus, agreeing on outcomes and aligning on what CTEM’s objectives are will help day-to-day security practitioners to sift through the inevitable diagnostic noise that the different CTEM tools will inevitably bring. Automating prioritization of this massive number of alerts can only be done when the system is properly calibrated according to those outcomes.
If CTEM spots the exposures and helps teams remediate them, then incorporating digital risk protection (DRP) capabilities will impart a view of the overall likelihood that network systems will contain vulnerabilities/exposures and help teams remediate these issues.
The risk level for one public-internet facing application – tied to any number of internal systems – might be much higher than an older company webpage that hasn’t seen significant traffic in a few years.
The application with the higher risk level might not contain any significant exposures right now, but it’s receiving more frequent updates than the outdated webpage – way more. And more frequent updates means more potential for inadvertent exposures, and thus the higher risk level.