In today's rapidly evolving technology landscape, safeguarding your investment in technology is good business sense. With the ever-present threat of cyber-attacks against companies of all sizes, and the need to scale, businesses must adopt proactive measures to protect their assets while retaining the flexibility to grow. This article explores a concept called “continuous threat exposure management” (CTEM) and strategies to ensure scalability in the face of these evolving challenges.
Continuous Threat Exposure Management
- Vulnerability Assessment: Scope for cybersecurity exposure
- Develop a discovery process for assets and their risk profiles
- Prioritize the threats most likely to be exploited
- Validate how attacks might work and how systems might react
- Mobilize people and processes
SUMMARY
Continuous Threat Exposure Management (CTEM) is a formal, proactive approach to identifying, assessing, and mitigating risks to an organization's digital assets. It involves continuously monitoring the organization's technology infrastructure, applications, networks, and data for vulnerabilities and potential threats. The goal of CTEM is to minimize the organization's exposure to cyber threats by identifying and addressing weaknesses before they can be exploited by attackers. The need for processes like CTEM in organizations of all sizes is an unfortunate reality of today’s world.
According to Gartner, the 5 major steps in CTEM are:
Vulnerability Assessment: Regularly scanning and assessing the organization's systems and networks to identify vulnerabilities, misconfigurations, and weaknesses that could be exploited by cyber threats.
A full vulnerability assessment is an ongoing investigation not only of which ports are reachable from the Internet, but also a complete scan of internal resources to learn what a “bad guy” could reach if they do get inside the network. In years past, it was often deemed sufficient to scan your company’s “public” footprint, see which ports were open to internal resources, and identify misconfigurations or security flaws from that perspective. More recently, however, since over 90% of cyberattacks begin with a phishing email that ends up compromising either a local system or a cloud email platform, examining the technology from the bad guy's perspective is the better approach.
Most organizations, especially smaller companies, do not have the internal staff or tools to conduct these types of scans themselves. Engaging an external third party that specializes in cybersecurity penetration testing is advised. Even MSPs (Managed Service Providers) find it wise to outsource this specialized service to third parties on behalf of their clients.
Threat Intelligence Integration: Incorporating threat intelligence feeds from various sources to stay informed about emerging threats, attack techniques, and indicators of compromise relevant to the organization's industry and technology environment.
Keeping up to date on everything technology-related is already daunting, and now we must keep a close eye on threat intelligence as well. Many open-source, online resources publish up-to-date threat information, but keeping up with them is difficult, especially for small businesses.
The FBI’s InfraGard program is a partnership between the FBI (Federal Bureau of Investigation) and members of the private sector. Authorized members of the InfraGard program can share information, network with peers, and attend educational workshops to keep up on threats relevant to 16 specific infrastructure categories.
There are also third-party services that consolidate vulnerability and threat intelligence feeds.
Patch Management: Implementing a structured process for installing security patches and updates promptly to address known vulnerabilities in software, operating systems, and applications.
It is common knowledge that Microsoft, as one of the predominant software providers, releases its standard patches on “Patch Tuesday”, the second Tuesday of each month. Patch Tuesday is the unofficial term for the day on which Microsoft releases update packages for the Windows operating system and other Microsoft software, including Microsoft Office. In some cases, Microsoft issues "out-of-band" updates for particularly critical security flaws, especially ones that are being exploited in the wild.
As Microsoft fixes security vulnerabilities, it does not release each patch immediately. Instead, the company gathers those fixes into a larger update that is released on Patch Tuesday.
By default, Windows workstations and servers automatically check for updates about once per day. A typical system downloads these updates promptly but may delay installing them.
Given the number of problems with Microsoft updates over the past several years, many organizations hold off on applying updates for a week or two, to make sure no issues are reported.
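As an added illustration (not code from the original article or from HCST), the Python below computes Patch Tuesday for a given month and applies the kind of hold-off period described above, so an administrator can check whether a machine's newest installed monthly release is older than the release that should already be deployed under the organization's own policy. The default hold-off of 7 days, the host names, and the audit date are assumptions chosen for the example.

```python
"""Patch Tuesday scheduling helper (added example, not from the original article)."""
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Return the second Tuesday of the month, Microsoft's regular release day."""
    first_weekday, _ = calendar.monthrange(year, month)   # Monday == 0 ... Sunday == 6
    days_to_first_tuesday = (calendar.TUESDAY - first_weekday) % 7
    return date(year, month, 1 + days_to_first_tuesday + 7)


def previous_month(year: int, month: int):
    """Step one calendar month backwards, rolling the year over in January."""
    return (year - 1, 12) if month == 1 else (year, month - 1)


def expected_patch_level(today: date, hold_off_days: int = 7) -> date:
    """Most recent Patch Tuesday whose hold-off period has already elapsed.

    hold_off_days is the organization's chosen delay (assumed here to be one week)
    between Microsoft's release and the day the update is approved for installation.
    """
    year, month = today.year, today.month
    for _ in range(12):                      # guard: never look back more than a year
        release = patch_tuesday(year, month)
        if release + timedelta(days=hold_off_days) <= today:
            return release
        year, month = previous_month(year, month)
    raise ValueError("hold_off_days is too large to resolve within a year")


def is_behind(last_installed_release: date, today: date, hold_off_days: int = 7) -> bool:
    """True if the newest monthly release installed on a system is older than the one due."""
    return last_installed_release < expected_patch_level(today, hold_off_days)


if __name__ == "__main__":
    # Constructed sample: an audit run on 20 May 2024 against two hypothetical machines,
    # keyed by the Patch Tuesday release each one has installed.
    audit_day = date(2024, 5, 20)
    fleet = {"ws-01": date(2024, 4, 9), "ws-02": date(2024, 3, 12)}
    print("expected level:", expected_patch_level(audit_day))
    for host, level in fleet.items():
        print(host, "BEHIND" if is_behind(level, audit_day) else "ok")
```

With a one-week hold-off, a system audited on 20 May 2024 is only expected to carry the April release (9 April), because the May release (14 May) is still inside the hold-off window; a system still on the March release is flagged as behind. Out-of-band updates for actively exploited flaws are deliberately outside this schedule and should be handled on their own timeline.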
Security Monitoring: Using monitoring tools and technologies to continuously monitor network traffic, system logs, and user activities for signs of suspicious or malicious behavior that could indicate a security threat.
Network monitoring is crucial for small businesses to ensure the health and functionality of their computer networks. In today’s digital landscape, where businesses rely heavily on technology, a robust network monitoring system is essential for detecting issues and potential threats. Because small businesses often have limited IT (Information Technology) resources, efficient network monitoring is all the more vital.
Incident Response Planning: Developing and regularly testing incident response plans to ensure the organization is prepared to detect, contain, and respond effectively to security incidents when they occur.
Businesses should have a written plan that identifies the steps to take in an incident, including notifications to cyber insurance carriers, customers, and law enforcement. Steps to preserve business functionality include backup and recovery procedures that help a business recover and return to normal operation as quickly as possible.
Risk Prioritization and Remediation: Prioritizing vulnerabilities and security risks based on their severity, likelihood of exploitation, and potential impact on the organization's operations, and implementing proper remediation measures to mitigate these risks.
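The prioritization step above combines severity, likelihood of exploitation, and impact. As an added example (not the article's or Gartner's method, and not HCST code), the Python below scores a constructed vulnerability inventory on exactly those three factors and maps each finding to a remediation action. It also applies the article's earlier observations: Internet-exposed findings and those reported as exploited in the wild are more likely to be attacked, and an exploited flaw with a patch available is treated like an out-of-band update rather than waiting for the monthly cycle. The weights, thresholds, asset names, and scores are assumptions chosen for illustration.

```python
"""Risk prioritization for a vulnerability inventory (added example, not from the original article)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    asset_criticality: int      # 1 (low) .. 5 (business-critical), set by the asset owner
    severity: float             # vendor or CVSS-style base score, 0.0 .. 10.0
    internet_exposed: bool      # reachable from the public Internet (external scan result)
    exploited_in_wild: bool     # active exploitation reported by the vendor or a threat-intel feed
    patch_available: bool


def likelihood(f: Finding) -> float:
    """Exploitation likelihood on a 0..1 scale; the weights are assumptions for this example."""
    score = 0.2                 # baseline: internal-only, no known exploitation
    if f.internet_exposed:
        score += 0.4
    if f.exploited_in_wild:
        score += 0.4
    return min(score, 1.0)


def risk_score(f: Finding) -> float:
    """Severity x likelihood x impact, scaled to 0..100 and rounded to one decimal."""
    impact = f.asset_criticality / 5.0
    return round(f.severity * 10 * likelihood(f) * impact, 1)


def remediation_action(f: Finding) -> str:
    """Map a finding to an action; the thresholds are assumptions chosen for the example."""
    if f.exploited_in_wild and f.patch_available:
        return "patch-now"              # treat like an out-of-band update: do not wait for the cycle
    s = risk_score(f)
    if s >= 50:
        return "patch-now" if f.patch_available else "mitigate-now"   # reduce exposure until a fix ships
    if s >= 20:
        return "schedule-next-cycle"    # next regular patch window, after the usual hold-off
    return "track"


def prioritize(findings):
    """Highest risk first; ties broken by asset criticality."""
    return sorted(findings, key=lambda f: (risk_score(f), f.asset_criticality), reverse=True)


def remediation_plan(findings):
    """Return (finding_id, risk_score, action) tuples in priority order."""
    return [(f.finding_id, risk_score(f), remediation_action(f)) for f in prioritize(findings)]


# Constructed sample inventory (hypothetical assets and findings, not real data).
SAMPLE_FINDINGS = [
    Finding("F-1", "mail-gateway", 5, 9.8, True, True, True),
    Finding("F-2", "file-server", 4, 7.5, False, False, True),
    Finding("F-3", "web-app", 3, 6.5, True, False, False),
    Finding("F-4", "hr-laptop", 2, 9.1, False, True, True),
    Finding("F-5", "printer", 1, 5.3, False, False, False),
]


if __name__ == "__main__":
    for finding_id, score, action in remediation_plan(SAMPLE_FINDINGS):
        print(f"{finding_id:5} {score:6.1f}  {action}")
```

Note the F-4 case: a low-criticality laptop with a modest overall score still gets "patch-now" because the flaw is reported as exploited and a fix exists, which is the situation the out-of-band discussion above describes. Scoring alone would have scheduled it for the next cycle.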
The formal Continuous Threat Exposure Management (CTEM) process is an approach to identifying, assessing, and mitigating risks to an organization's technology assets. While this approach is ideal in a perfect world, it entails significant investment in processes and resources.
For smaller businesses without the internal resources for this process, a Managed Service Provider may be able to provide these services or coordinate with third parties for some of these steps, such as vulnerability assessments, threat intelligence, patch management controls, and security monitoring.
Bio: Barry Hassler is the founder and President of Hassler Communication Systems Technology, Inc. (HCST), a business IT Managed Services Provider based in Beavercreek, OH. HCST has been in business since 1991 and serves a variety of small businesses primarily in the Dayton and Springfield Ohio
Panetta, Kasey, “How to Manage Cybersecurity Threats, Not Episodes”, Gartner, 3 May 2024, https://www.gartner.com/en/articles/how-to-manage-cybersecurity-threats-not-episodes