Introduction to a Continuous Threat Exposure Management (CTEM) Program
Sep 6, 2022 | Industry Insight
Expanding MDR Threat Hunting to Include Exposure Hunting
Most Managed Detection and Response (MDR) providers offer some type of threat hunting.
In a nutshell, threat hunting is searching for indicators of compromise (IOC) or areas of concern, usually to supplement automated rules/algorithm-based alerts from a Security Incident and Event Management (SIEM) platform or other security monitoring tool. Proactively exploring for IOCs allows SecOps groups to spot and mitigate malicious activities earlier in the kill chain.
As threat hunting has matured, it has evolved from predominantly a manual process to utilizing analytics from newer technologies such as machine learning (ML), User and Entity Behavior Analytics (UEBA), and Endpoint Detection and Response (EDR). This type of threat hunting is referred to as “Analytics-Driven” threat hunting.
An additional type of threat hunting, named “Intelligence-Driven” threat hunting, uses externally derived data, for example threat intelligence or malware analysis, to determine if currently active attack vectors, actors, or sources are or have been present in an organization’s environment.
A final category of threat hunting, “Situational-Awareness Driven” threat hunting, considers an enterprise's risk based on its unique IT environment, most often using vulnerability assessment results, to create hunting hypotheses. Using a vulnerability assessment as an organization’s primary indicator of exposures creates substantial problems, as very often vulnerability scanning tools:
- Are used to perform periodic point-in-time assessments.
- Accumulate thousands of repeat vulnerabilities that are not acted upon because they are not put in context of broader business risk, are not on-target, or are not aggregated by root cause to address a security control improvement.
- Do not cover an organization’s entire attack surface, for example not including identity, cloud, or SaaS exposures.
Because of these weaknesses, a new category of hunting, as well as overall management of exposures to unknown threats and risk, has been developed by SecureSky, recently termed by Gartner® as “Continuous Threat Exposure Management.”
Implementing a Continuous Threat Exposure Management (CTEM) Program
As the name suggests, a CTEM program establishes a continuous process across the responsible teams in an organization, to identify exposures, prioritize and validate remediations, and enable solutions.
One of the most critical elements for success is in creating a cadence for review of exposures and fixes that is much quicker than standard “project-based” governance, to ensure that the required cross-team collaboration and operational viability becomes standard.
CTEM also examines a much wider set of exposures, rather than relying on outputs from only vulnerability assessment tools, including assets such as IaaS environments, SaaS applications, and data held by supply chain partners. This can also include additional information, for example cost data to determine the risk of unauthorized, unknown, or increased costs from cloud providers
It is important to understand that CTEM is a program and a mindset, aimed at creating a consistent, actionable security posture improvement plan that all business executives can understand.
Creating a successful CTEM program requires a new proactive hunting process to search for weaknesses in security controls and detection policies.
Exposure hunting especially makes use of evolving tools to validate security posture and analytics to determine the effectiveness of such security controls. In simpler terms, are the right security controls enabled and do they really work as intended.
SecureSky is leading the way among MDR providers in this new discipline of exposure hunting and managed CTEM. While we find that most clients initially engaging our services are severely lacking in secure configuration of their environments (https://blog.securesky.com/azure-security-maturity-trends), a welcome byproduct of deploying protective measures is the corresponding decrease in threats and resulting investigations within client environments, greatly reducing alert fatigue for SecOps groups. By focusing on reducing exposures, many of SecureSky’s clients lower related threat volumes by over 50%.
Keep an eye out for future blogs that will address specific queries and techniques to gain visibility to exposures, as well as how to gauge the risk of exposures.