Many organisations struggle to remediate their vulnerabilities and this is not surprising when you consider that we’ve seen a 25% year-on-year growth in critical vulnerability exposures, according to the NIST National Vulnerability Database. But it’s not just the scale of these vulnerabilities that is causing the problem because the reality is that these represent the tip of the iceberg in the context of the wider attack surface. The State of Exposure Management Report 2024 found the average organisation has 15,000 exposures of which CVEs make up just 1%.
Vulnerability management focuses on traditional assets such as endpoints, servers and network devices and does not consider other exposure types such as issues with identities, credentials, and permissions, misconfiguration, or issues with security controls, to name but a few. It has further limitations too in that it uses periodic scanning so cannot provide a real-time view and lacks true prioritisation. In fact, Gartner has stated that fixing every vulnerability may be operationally infeasible.
Overwhelmed and divided
Expanding the scope to encompass more exposures that go beyond just CVEs threatens to overwhelm the business, however, and this is why some are finding it challenging to move beyond CVE monitoring. We’re already seeing a disconnect between security and IT, with the former struggling to get IT to complete remediations without clear justification and the latter becoming frustrated by a growing ‘to do’ list that lacks clarity on the risk impact. Adding exposures to that list will widen the divide still further. So, in order to make exposure management achievable, it’s vital that a risk-based, prioritised approach is adopted.
It’s here where Continuous Threat Exposure Management (CTEM) comes in. The term, coined by Gartner, describes a five-step programme that is used make exposure management more practical and it’s an ever-evolving continuous process within the organisation using it.
The first step involves scoping the attack surface to determine the most important assets and potential impacts, followed by discovery to map out exposures across the entire IT landscape, including less tangible risks such as the DevOps process, for example. The third step is prioritisation which looks at the accessibility, exploitability and impact of the exposure while the fourth, validation, ensures that attack paths are identified along with potential treatments so that only those exposures that are likely to affect the organisation are acted upon. The final step is mobilisation and this is where the IT team, internal or third party, are then engaged to respond to and mitigate the threat posed.
Crucially, CTEM allows the business to take the defender’s and attacker’s view to the estate and to map possible attack paths, exposed assets and to evaluate the impact of compromise. The organisation is then able to assess the level of risk involved much more accurately.
Mapping is important because that risk increases in accordance with the number of hops an attacker makes as part of their lateral movement. For example, the State of Exposure Management report found one hop in an on-premise estate placed 62% of critical assets at risk but that rose to 80% with four hops. Attack path modelling can also be used to ascertain whether critical assets in cloud platforms are at risk from an on-premise exposure. The report found attackers could traverse from on-premise to cloud environments in 70% of organisations with the attacker then able to compromise 93% of critical assets held in the cloud in just two hops and 97% in four hops.
Do you need to remediate?
In some cases, there may be exposures or vulnerabilities on areas of the network where the attacker cannot reach. In fact, the report found 74% of exposures are dead-ends so devoting resource to mitigating these would be wasted effort. Being able to validate these means theycan be deprioritised. But conversely, where attack paths converge, there will be exposuresthat must be prioritised. These are the choke points and by addressing these it becomes possible to drive down demands on the IT team while also dramatically reducing risk. An example here is the Log4j vulnerability. An organisation might have hundreds of instances where that code is used of which perhaps 83 are exploitable but only two of those occur at choke points. Prioritising remediation on those two choke points will therefore provide the biggest return.
The report found 1.5% of exposures lie on choke points and of those one in five will expose10% or more of the organisation’s critical assets, so focusing attention on those choke points both focuses resource and prevents unnecessary remediation. In effect, determining exploitability ensures maximum risk reduction for minimal effort and as a consequenceCTEM has the capacity to align both the IT and security teams by providing some much-needed clarity.
It doesn’t mean though that lower priority exposures must be forever ignored. Instead, those can be mopped up in a more cost-effective manner, perhaps through scheduled upgrades that take care of a lot of low-hanging fruit at the same time, or through other non-urgent means.
Additional benefits
CTEM can be used to reduce the risk associated with numerous vulnerabilities and exposures, from zero-day vulnerabilities to areas previously unaddressed such as operational technology, and can make the organisation more resilient, enabling ransomware readiness, for example. It can be used to improve risk reporting by providing an intelligible and practical process that can precisely measure the risk posed by different exposures. Plus, it can be useful in terms of supply chain risk and M&A activity because it looks at onward attack paths that might impact other parties.
In conclusion, it’s clear that vulnerability management is quite rightly being subsumed into exposure management, which encompasses attention to the wider attack surface. But to implement it efficiently, CTEM is a must. The ability of CTEM to map and ascertain the exploitability of exposures and to validate them for remediation is undoubtedly going to make a huge difference in terms of the effective use of resource but it will also provide longer term benefits by enabling the business to realistically appraise risk and improve the security posture on a continuous basis.