Security for everyone

A New Approach in Cyber Security: The CTEM Process - Part 1

SecurityForEveryone


04/Dec/23

We already have lots of abbreviations in the cyber security field, such as VA (Vulnerability Assessment), DRPS (Digital Risk Protection Service), TI (Threat Intel), EASM (External Attack Surface Management), CAASM (Cyber Asset Attack Surface Management), and BaS (Breach Attack Simulation).

Today, we have a new abbreviation: CTEM, which is short for Continuous Threat Exposure Management.

Hooray!

But how will we utilize it? Is it a product, a framework, or a methodology?

In Gartner reports, CTEM is referred to as a program, but we prefer to classify it as a process.

Before we begin, let's take a moment to clarify a few product categories and use cases. This will ensure that we understand the topic at hand.

Brief Introduction To Cyber Security Products

VA (Vulnerability Assessment)

VA is a well-known practice in cyber security, where organizations scan their systems and applications to identify any vulnerabilities that attackers can exploit.

It is generally done with multiple tools chosen according to the target technology, such as web applications, networks, systems, and mobile applications.

It can be scheduled or integrated into the CI/CD pipeline.

DRPS (Digital Risk Protection Service)

DRPS is a relatively new concept focusing on organizations' sensitive data on the Internet, generally using TI (threat intel) services.

It uses various techniques such as web crawling, social media monitoring, email security, and threat intelligence feeds to provide comprehensive coverage against potential risks.

Some DRPS tools can use VA tools to calculate risk more precisely.

However, DRPS products generally focus on the leaked or harmful data related to organizations.

EASM (External Attack Surface Management)

EASM aims to identify the assets that belong to the organization but are exposed on the Internet.

An asset can be a domain, IP, or any service.

Usually, organizations use EASM tools to reduce their attack surface by closing unnecessary ports or services and implementing additional security measures.

These tools provide lots of information about organization attack surfaces, including web servers, emails, web application inputs, subdomains, DNS services, SSL certificates, technologies, and much more.

EASM products can also be used to monitor changes in external assets and provide alerts if any new asset is detected or an existing one is changed.

The main difference from DRPS is that EASM tools do not focus on data related to the organization but on the attack surface of its internet-facing assets.

So we can call DRPS products reactive solutions (finding harmful data that has already leaked) and EASM products proactive ones (detecting potential weaknesses in assets accessible over the Internet that could be used in future attacks).
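To make the EASM change monitoring described above concrete, here is an added example (not code from the original post or from any EASM product) that diffs two constructed snapshots of internet-facing assets and raises the kinds of alerts an EASM tool would: new asset, new or closed port, changed TLS certificate, and, going slightly beyond the text, an asset that disappeared. All hostnames, ports and fingerprints are constructed sample values.

```python
# Added example: minimal EASM-style change detector over two asset snapshots.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str                   # hostname or IP of the exposed asset
    ports: frozenset            # open TCP ports observed in the scan
    cert_fingerprint: str = ""  # fingerprint of the served certificate, "" if none


def diff_snapshots(before: dict, after: dict) -> list:
    """Return alert strings describing what changed between two scans."""
    alerts = []
    for host, asset in after.items():
        old = before.get(host)
        if old is None:
            alerts.append(f"NEW ASSET {host}: ports {sorted(asset.ports)}")
            continue
        for port in sorted(asset.ports - old.ports):
            alerts.append(f"NEW PORT {host}:{port}")
        for port in sorted(old.ports - asset.ports):
            alerts.append(f"CLOSED PORT {host}:{port}")
        if asset.cert_fingerprint != old.cert_fingerprint:
            alerts.append(f"CERT CHANGED {host}")
    # Assets present yesterday but missing today (extends the text's two cases).
    for host in before.keys() - after.keys():
        alerts.append(f"ASSET GONE {host}")
    return alerts


# Constructed sample snapshots (not real scan data).
SCAN_MONDAY = {
    "www.example.com": Asset("www.example.com", frozenset({80, 443}), "fp:aaaa"),
    "mail.example.com": Asset("mail.example.com", frozenset({25, 587}), "fp:bbbb"),
}
SCAN_TUESDAY = {
    "www.example.com": Asset("www.example.com", frozenset({80, 443, 8080}), "fp:aaaa"),
    "mail.example.com": Asset("mail.example.com", frozenset({25, 587}), "fp:cccc"),
    "dev.example.com": Asset("dev.example.com", frozenset({22, 3000}), ""),
}


def alerts_for_sample() -> list:
    """Alerts an EASM monitor would raise between the two constructed scans."""
    return diff_snapshots(SCAN_MONDAY, SCAN_TUESDAY)


if __name__ == "__main__":
    for line in alerts_for_sample():
        print(line)
```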

CAASM (Cyber Asset Attack Surface Management)

CAASM is an alternative approach that shares similarities with EASM. However, it identifies and manages an organization's internal and external assets.

BaS (Breach Attack Simulation)

BaS is a type of software that simulates cyber attacks to assess an organization's security posture.

This approach helps organizations identify vulnerabilities and weaknesses in their systems, allowing them to strengthen their defenses before an attack occurs.

Organizations generally use BaS to understand how their systems, networks, and employees are vulnerable to cyber threats.

It can also help organizations prioritize remediation efforts by simulating the most likely attack scenarios and identifying which areas require immediate attention.

BaS helps organizations stay ahead of attackers by providing real-time insights into their security posture.

Products From the Organization's (Customer's) View

We can extend the above list. We can determine new product categories. But have you ever considered what exactly these product categories mean regarding customers' needs?

Let's briefly summarize all customer requirements: "Digital Security Assurance."

To achieve this, organizations must address three critical inquiries:

"Have I been secure in the past?", "Am I currently secure?", and "Will I remain secure in the future?"

Logging and monitoring services, together with DRPS services, focus on the first question. Answering it is challenging because it requires a clue to initiate any exploration. This clue can be a triggered alarm in a log analysis tool (generally a SIEM) or threat intelligence data that starts an incident response.

The second question focuses on up-to-date weaknesses. A weakness can be a vulnerability or a lack of experts to manage IT/OT infrastructure. EASM, CAASM, or VA products can be used to answer this question. Depending on the answer, the first question can be asked again. For example, if a recently published but pre-existing vulnerability is found, an investigation must be started to check if the vulnerability is exploited.

The last but most critical question is about future security. This requires risk algorithms and simulation products such as breach and attack simulation (BaS) tools. These tools simulate potential attack scenarios and evaluate the organization's security posture, providing valuable insights into potential future threats. In the event of any failure detected in a process or system, it is crucial to ask the other two questions first.

It can be seen that each product addresses a specific problem for organizations; however, they are closely connected. Managing each product and its associated alarms, as well as integrating product data to create meaningful alarms, can be a challenging and resource-intensive task. It requires significant time and cost investment.

So, to create feasible solutions, organizations need to move away from a reactive approach and apply a process that:

  • automatically manages any scope of the organization,
  • continuously detects and prioritizes threats, including newly discovered vulnerabilities,
  • simulates potential future attacks and assesses the organization's security posture,
  • creates a risk-scoring algorithm with a realistic approach,
  • uses automation without the need for human interaction,
  • creates meaningful alarms from integrated data,
  • provides an easy-to-use service to minimize the disadvantages of a lack of human resources.

Continuous Threat Exposure Management (CTEM)

Gartner named this process the continuous threat exposure management (CTEM) program. It is a five-step process that helps organizations surface and actively prioritize the threats that most impact their business.

  1. Scoping
  2. Discovery
  3. Prioritization
  4. Validation
  5. Mobilization

Since this program's steps and ideas align perfectly with our team's vision, which led to the establishment of our company in 2021, I'm planning to give more detail in the next five blog posts.

Although it was a lengthy post, I sincerely appreciate your time and effort reading it.
