This article is the second in a two-part series detailing how to leverage CTEM principles in a practical manner. To read part one in this series, click here.
By this point, you should have a clear idea of the basic principles of CTEM, as well as how to get started with the first three phases. Through the scoping process, you can determine which areas of the business you want to focus on. Thorough discovery will ensure you have a clear idea of the challenges and vulnerabilities you face. And effective prioritization can help you determine which issues are most pressing and where resources need to be allocated. But these steps aren’t enough on their own—it’s critical to validate suspected vulnerabilities, and to understand how to mobilize the internal support to address them in a meaningful way.
Part two of this two-part series will walk you through the final phases of CTEM (validation and mobilization) and illustrate when further scoping, discovery, and prioritization may be necessary.
Phase 4: Validation
The prioritization and validation phases are intrinsically linked—in fact, there are circumstances where prioritization needs to be reevaluated following the validation phase. That might mean raising the priority of certain exposures that carry a higher risk than previously thought, or lowering the priority of issues that are more strongly defended than anticipated. Essentially, validation is about understanding breach feasibility and the probability of success for a given path of attack.
By this point, the organization should have a plan to address exposures, but the ability to verify that the plan will work as intended is critical. That means it’s important to validate whether existing controls are working, verify response systems, and confirm that remediation methods are effective. For example, if a new endpoint policy was pushed to close a particular gap in one business context, it’s important to know whether it was installed properly and calibrated correctly to close the gap while avoiding the disruption of other business operations.
Breach and Attack Simulation (BAS) and automated red teaming solutions play a key role in validation: they allow organizations to better understand which vulnerabilities and exposures are usable by attackers and not effectively blocked by controls and security processes. As new information is discovered throughout the validation phase, organizations may find the need to reevaluate their priorities and expand the scope of the project (though it is important to limit scope creep to prevent the project from spiraling out of control). Often, if issues are discovered outside the current scope, that information can be used to build scope for a future CTEM cycle.
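The feedback loop described above, where validation results raise or lower an exposure's priority and out-of-scope findings are parked as candidate scope for the next cycle, can be modeled in a few lines. The following is an added illustration, not Cymulate's method or code; the 1-to-5 priority scale, the three validation outcomes, and the sample exposures are all constructed assumptions.

```python
from dataclasses import dataclass

# Validation outcomes as a BAS or automated red-team run might report them (assumed labels).
BLOCKED, PARTIAL, NOT_BLOCKED = "blocked", "partially_blocked", "not_blocked"


@dataclass
class Exposure:
    name: str
    priority: int          # 1 = most urgent ... 5 = least urgent (assumed scale)
    in_scope: bool = True  # False = discovered during validation, outside the current scope


def adjust_priority(priority: int, outcome: str) -> int:
    """Raise or lower a priority (clamped to 1..5) according to what validation showed."""
    if outcome == NOT_BLOCKED:   # attack path succeeds end to end: more urgent than assumed
        return max(1, priority - 2)
    if outcome == PARTIAL:       # a control fires but does not stop the path: somewhat more urgent
        return max(1, priority - 1)
    if outcome == BLOCKED:       # existing controls hold: can be deprioritized
        return min(5, priority + 1)
    raise ValueError(f"unknown validation outcome: {outcome}")


def reprioritize(exposures, outcomes):
    """Return (in-scope exposures re-ranked by urgency, findings deferred to a future CTEM scope)."""
    updated, next_cycle = [], []
    for exp in exposures:
        if not exp.in_scope:
            # Do not let this cycle's scope creep; record it as input for the next scoping phase.
            next_cycle.append(exp)
            continue
        outcome = outcomes.get(exp.name)
        if outcome is not None:
            exp = Exposure(exp.name, adjust_priority(exp.priority, outcome), exp.in_scope)
        updated.append(exp)
    updated.sort(key=lambda e: (e.priority, e.name))
    return updated, next_cycle


# Constructed sample data for illustration only.
SAMPLE_EXPOSURES = [
    Exposure("unpatched-web-app", priority=2),
    Exposure("weak-endpoint-policy", priority=3),
    Exposure("legacy-vpn-appliance", priority=4),
    Exposure("finance-file-share", priority=3, in_scope=False),
]
SAMPLE_OUTCOMES = {
    "unpatched-web-app": BLOCKED,          # WAF/patch stopped the simulated attack
    "weak-endpoint-policy": NOT_BLOCKED,   # the pushed policy did not actually close the gap
    "legacy-vpn-appliance": PARTIAL,       # alert raised, but the path still completed
}
```

Running `reprioritize(SAMPLE_EXPOSURES, SAMPLE_OUTCOMES)` moves the endpoint-policy gap to the top, demotes the blocked web-app finding, and returns the file share separately as future scope rather than widening the current cycle.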
Phase 5: Mobilization
The validation phase reveals valuable information—including problems that cannot be fixed with existing hardware or software. The mobilization phase brings business stakeholders back into the picture. If a business stakeholder defined an issue as critical and it cannot be addressed with existing resources, it’s up to them to authorize the budget, downtime, or other steps needed to remediate the issue. Mobilization is about taking action.
Mobilization may require changes to the processes used by the business groups within the scope. In these cases, it becomes a business decision to either authorize corrective action or declare the risk to be acceptable. Exposure analytics can help here by better defining the potential risk posed by the process if it is left unchanged. This allows business stakeholders to more clearly see the potential impact on the organization, and whether the risk is simply too much to permit.
A common example of this phenomenon is the use of a legacy platform for a business process. If that platform is vulnerable and can no longer be updated with security patches, cannot be upgraded to a newer version due to the loss of a critical function only found in earlier versions, cannot be replaced with actively supported alternatives, and cannot be defended by compensating controls, mobilization becomes a critical component of the process. It will become a business decision – whether to change the business process to allow for proper defense, or to accept the risk of the exposure itself.
These decisions are not always black and white: a full fix might be available for one price, while a compensating control or other workaround can be managed more affordably. Most importantly, if a risk is determined to be acceptable, that decision should include all stakeholders affected. A weakness that can open the door to a more extensive compromise of the organization requires that the other affected business stakeholders agree on an exemption before it can be accepted.
Of course, CTEM doesn’t stop here. Following mobilization, the cycle starts again. The stakeholders can gauge how the overall risk profile has been impacted by these changes and move forward to generate a new scope.
Connecting Technical Needs and Business Needs
When one CTEM cycle is finished, the organization may return to the same business area with a new scope or move on to a different scope to continue the evaluation process. Sometimes it may even make sense to jump back a step or two to reprioritize the remaining exposures or conduct additional validation.
While CTEM has distinct “phases,” organizations should always feel free to take a step back before continuing forward whenever circumstances (or new information) dictate. For example, a decision to create an exemption for one business process may reveal an unintended impact on other areas of the organization, necessitating additional scoping and validation.
Despite the occasional need to backtrack, CTEM methodologies make the overall process of exposure management relatively straightforward. By integrating business stakeholders from the beginning and providing them with understandable explanations of risk, roadblocks can be removed and exemptions made during the cycle to avoid the all-too-common issue of never-ending review and approval processes. These steps can all be modeled out in advance, and risk implications better understood before, during, and after implementation.
This allows organizations to more easily draw connections between business needs and technical needs, bridging the gap by validating whether controls are working as intended and better understanding how they impact the business and its risk profile.
The CTEM process is never “finished.” Instead, it is an ongoing cycle of continuous improvement that enables businesses to bridge the gap between security goals and business outcomes.
To learn more about exposure management, check out the Cymulate whitepaper Continuous Threat Exposure Management (CTEM): From Theory to Implementation.