Improving your organisation’s continuous threat exposure management (CTEM) - your mission should you choose to accept it!
From measuring vulnerabilities to understanding exposure


I grew up in the 80s and 90s, and like many of that age I spent a lot of time watching repeats of the classic 60s spy show, Mission Impossible. Every week the IMF team would break into somewhere they weren’t supposed to be and then, right at a critical moment, the security guard would come round on their hourly jiggle of the door locks, while the team sweated and held their breath. Then, with their check over, the guard would depart, and the team could get back to stealing whatever critical secrets they were after, safe in the knowledge that they wouldn’t be troubled for another hour.
During a recent rewatch, while laughing at how insecure these supposed ‘secure’ areas were, it suddenly struck me how similar an approach we still take to security when it comes to vulnerability management.
Basic vulnerability management – a blast from the past
At its most basic, a vulnerability scan determines what operating system version is in use on an asset and scans a set of common ports to determine whether a service is listening on that port. If a service is listening, it attempts to determine the version of that service. Using that information, it then compiles a list of known vulnerabilities for the asset. Originating in the days when our systems were relatively static and upgrades came in the form of service packs every few years, these scans rarely happened more than once a month.
Continuous Threat Exposure Management – it's time to give vulnerability management a team
While that was sufficient in the past, many organisations I encounter haven’t really changed from this approach to vulnerability management in the decades since. Some are even still running basic vulnerability scanners like Nessus, the venerable old security guard of our organisations. Decades ago, like the security guard in their prime who could bench press a cow and had the eyes of a hawk, Nessus was our one-stop-shop for finding and closing the weak spots in our estates. Today however it’s slowed down, and while it still has a wealth of experience, it can’t keep up with the rapidly changing world it’s supposed to be guarding.
Worse still, many organisations treat vulnerability management like a security guard who’s stuck in a rut: patrolling the same tried and tested route and jiggling door handles as they go, in the form of a basic scan run maybe once a month.
Did I mention that they also have a broken radio? So even if another member of the security team notices a zip line on the roof, or a tied-up security guard in his underwear stuffed into a closet, Nessus would be none the wiser. It just carries on as normal with no interest or worry about what else is happening in the organisation.
Additionally, our shift from on-premises to cloud hosted systems and data has changed our understanding of an organisation’s risk. It’s no longer sufficient to simply count how many critical vulnerabilities a particular piece of software has. These days we need to understand the entire attack surface and gauge the exposure arising from not just vulnerable code, but also misconfigurations and other security threats.
So what do we do? Is it time to retire the old fella? Nope, it’s time to embrace CTEM and give Nessus a team.
Identify initial scope - start with what you know
For many organisations this step will begin as just a copy of the scan targets from your Vulnerability Management software. If you have a separate critical asset list, that should also be used. This step should encompass both internal and external assets, wherever they are stored, e.g. an on-premises datacentre, Cloud Service Provider (CSP) Infrastructure as a Service (IaaS), or Software as a Service (SaaS).
Discover assets and assess risks - find out what you don’t know
Once you’ve identified where your assets may be located (e.g. subnets, CSPs, SaaS providers) it’s time to scan those locations and review Cloud Service Provider information to produce a real list of what resides there. Once an asset list is produced, each asset should be assessed both for vulnerabilities (e.g. using our trusty vulnerability scanner) and for potential exposures and misconfigurations (often using Posture Management and Attack Surface Management tooling).
This is where a holistic view of the organisation’s exposure is required rather than the previous focus on vulnerabilities alone. For example, sensitive data may be placed on a publicly accessible data store with no encryption, without that data store having any unpatched security vulnerabilities. Failures in internal processes and controls are not things that our vulnerability scanner is equipped to detect by itself.
It’s also important to include areas that we historically ignored as “out of our remit” such as Operational Technology, which could provide a pivot point into the main network.
All of these findings should then be risk-assessed so that they can be compared against each other accurately.
Prioritise threats that matter - is this important to you?
This step is key, and allows for focus, especially if a team has limited resources. Using the information gathered in the previous step and coupling that with the business context, i.e. knowing what systems and data are important to the business’ operations, will help the organisation understand its real priority list of threats to the business. This list may look very different from a pure vulnerability list prioritised using Common Vulnerability Scoring System (CVSS) scores alone.
The importance of this contextualised view has been highlighted by the development of new scoring systems such as the Exploit Prediction Scoring System (EPSS). These utilise Machine Learning techniques and threat intelligence to understand what exploits are being used in the wild and to give you a predicted likelihood of the threat being exploited in the next 30 days.
Attack path analysis can also be used in this stage to understand where several vulnerabilities can be related to a single issue further up the path, meaning the risk is consolidated and the priority is consequently higher.
Validate exploitability and security response - are your defences meeting the challenge?
This is an important step to ensure that an organisation isn’t committing resources to a highly scored vulnerability that is impossible to exploit. For example, a legacy server that cannot be upgraded or migrated may be critical to the business functions. Even though it might be riddled with known vulnerabilities that set off critical alerts on even the most basic of vulnerability scanners, appropriate mitigating controls such as full segregation with tightly controlled and monitored boundaries may mean that it is impossible to reach the server without being detected.
As stated above, predictive analysis tools like EPSS can be used to further filter out threats that are unlikely to be exploitable in the next 30 days and streamline the priority list for the next stage.
All protective and detective controls should be taken into account in assessing this stage. This includes use of tools such as Breach and Attack Simulation (BAS) to validate that the controls you think you have in place are actually providing the protective and detective benefits they’re supposed to. This can also be used to validate changes from previous cycles, in a similar way to validating that patching has been successful by re-scanning with a vulnerability scanner.
Mobilise security teams and plug any defence gaps
The goal of this stage is to ensure that any gaps identified in the stage above are quickly mitigated, either by fixing the underlying problem (i.e. patching or rectifying misconfigurations) or by modifying protective or detective mitigating controls to reduce the risk to an acceptable level.
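The five stages above, run once as an added example on constructed sample data (this is not code from the original post, nor from Tenable or Softcat). The scoring formula, the EPSS floor and control discount, the field names, the helper functions and every asset and finding are this example’s own assumptions; identifiers such as V1 and X-bucket-finance are placeholders rather than real CVEs.

```python
"""One CTEM cycle end to end on constructed sample data.
Added example, not code from the original post or from any vendor; the
weights, field names and helpers below are this example's own assumptions."""

# ---- 1. Identify initial scope: scanner targets plus the critical asset list
SCAN_TARGETS = {"portal-web", "portal-db", "legacy-erp"}
CRITICALITY = {"portal-web": 2, "portal-db": 3, "legacy-erp": 3}  # 1 = low, 3 = business critical
KNOWN = SCAN_TARGETS | set(CRITICALITY)

# ---- 2. Discovery inputs (constructed): subnet sweep plus CSP inventory listing
DISCOVERED = [
    {"asset": "portal-web", "internet_facing": True},
    {"asset": "portal-db", "internet_facing": False},
    {"asset": "legacy-erp", "internet_facing": False},
    {"asset": "plc-line-3", "internet_facing": False, "services": ["modbus"]},  # OT, never scanned
    {"asset": "bucket-finance", "internet_facing": True, "public": True,
     "encrypted": False, "data": "sensitive"},                                  # no CVE, pure exposure
]
# Scanner findings for the same cycle (constructed; "severity" is the CVSS base score)
VULNS = [
    {"id": "V1", "asset": "legacy-erp", "severity": 9.8, "epss": 0.60},
    {"id": "V2", "asset": "portal-web", "severity": 7.5, "epss": 0.92},
    {"id": "V3", "asset": "portal-db", "severity": 8.8, "epss": 0.10, "blocked_by": "V2"},
]
CONTROLS = {"legacy-erp": "segregated and monitored"}            # documented compensating controls
PREVIOUS_PLAN = {"V2": "patch", "V1": "control", "V9": "patch"}  # last cycle's remediation plan

EPSS_FLOOR = 0.05       # a missing or tiny EPSS must not zero a finding out
CONTROL_DISCOUNT = 0.2  # a validated compensating control leaves 20% of the risk


def discover_gaps(discovered, known, criticality):
    """Assets discovery found that scope did not list, exposure findings a CVE-only
    scan never reports, and criticality extended with discovered data classification."""
    crit, unknown, exposures = dict(criticality), [], []
    for d in discovered:
        crit.setdefault(d["asset"], 3 if d.get("data") == "sensitive" else 1)
        if d["asset"] not in known:
            unknown.append(d["asset"])
        if d.get("public") and d.get("data") == "sensitive":
            exposures.append({"id": f"X-{d['asset']}", "asset": d["asset"], "kind": "misconfiguration",
                              "severity": 6.0 if d.get("encrypted") else 10.0, "epss": 1.0})
        if "modbus" in d.get("services", []):
            exposures.append({"id": f"X-{d['asset']}", "asset": d["asset"], "kind": "ot-exposure",
                              "severity": 7.0, "epss": 0.3})
    return sorted(unknown), exposures, crit


def prioritise(findings, criticality, controls, discovered):
    """Score = severity x EPSS x asset criticality x exposure x control discount,
    then roll risk that is only reachable through an upstream finding into it."""
    exposed = {d["asset"]: d.get("internet_facing", False) for d in discovered}
    scores = {}
    for f in findings:
        score = f["severity"] * max(f.get("epss", 0.0), EPSS_FLOOR)
        score *= criticality.get(f["asset"], 1)
        score *= 1.0 if exposed.get(f["asset"]) else 0.5
        score *= CONTROL_DISCOUNT if f["asset"] in controls else 1.0
        scores[f["id"]] = score
    for f in findings:  # attack-path consolidation (one level up the path)
        if f.get("blocked_by") in scores:
            scores[f["blocked_by"]] += scores[f["id"]]
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def validate(previous_plan, current_ids):
    """Patches are verified by the finding vanishing from the re-scan; control-based
    mitigations cannot be confirmed by a scanner and go to control testing (BAS)."""
    out = {"verified": [], "failed": [], "control_test": []}
    for fid, action in previous_plan.items():
        bucket = "control_test" if action == "control" else ("failed" if fid in current_ids else "verified")
        out[bucket].append(fid)
    return out


def mobilise(ranked, findings, controls, validation):
    """Turn the ranked list into a work queue carrying the right kind of fix."""
    by_id = {f["id"]: f for f in findings}
    queue = []
    for fid, score in ranked:
        f = by_id[fid]
        action = "remediate exposure" if f.get("kind") else "patch"
        if f["asset"] in controls:
            action = "retest control: " + controls[f["asset"]]
        if fid in validation["failed"]:
            action += " (last cycle's fix did not take)"
        queue.append((fid, f["asset"], action, round(score, 2)))
    return queue


def run_cycle():
    unknown, exposures, crit = discover_gaps(DISCOVERED, KNOWN, CRITICALITY)
    findings = VULNS + exposures
    ranked = prioritise(findings, crit, CONTROLS, DISCOVERED)
    validation = validate(PREVIOUS_PLAN, {f["id"] for f in findings})
    return {"unknown_assets": unknown, "ranked": ranked, "validation": validation,
            "queue": mobilise(ranked, findings, CONTROLS, validation)}
```

Calling run_cycle() shows the unencrypted public bucket, which carries no CVE at all, at the top of the queue ahead of the 9.8-rated legacy server once data classification and the compensating control are applied, the portal database’s risk rolled into the internet-facing web finding that unlocks it, and last cycle’s unverified patch flagged in the queue rather than silently re-planned.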
So what have we achieved here? We’ve taken Nessus, our lone wolf security guard, and turned them into a team leader with a folder full of potential CTEM team members. Each member of the team has their own strengths, and now that they have working radios (i.e. integrations) they can share information and identify suspicious behaviour that, when looked at in isolation, might be missed.
The goal of CTEM
So you might be saying that all of that sounds great, but it also sounds time consuming and expensive when compared to just sticking with Nessus. So why would you do it?
Today’s world is not the same as it was 20 years ago. Our systems and data are no longer relatively static. Most organisations have seen large drives to make systems and data accessible to a more remote workforce and often this is via SaaS services that are not under the direct control of the organisation. Siloed tools, running once a month cannot keep up with this level of churn.
However, a properly implemented CTEM programme can:
- Reduce the risk of exposure by identifying problems before they can be exploited.
- Ensure that the focus of any remediation efforts is truly on the highest risk to the organisation.
- Enable the security team to understand and mitigate threats in an ever-changing environment.
It’s important to note that CTEM is not a tool. It’s a framework that encompasses a mix of different specialised tools, knowledge and processes to help identify and reduce risk to the organisation.
So how can I start?
One reason why projects to upgrade vulnerability management software may face challenges is that security teams are often engaged with ongoing tasks and may find it difficult to allocate time for large-scale deployments of new tools. Additionally, there is a common belief that existing systems are sufficient if they are functioning well.
However, moving to Continuous Threat Exposure Management isn’t an all or nothing approach. A valuable first step can be moving from Nessus to Tenable Vulnerability Management. As well as giving you additional features such as the ability to track vulnerabilities through to remediation and more contextualisation of the vulnerabilities through Tenable’s Vulnerability Priority Rating (VPR) risk score, it puts you within the Tenable One ecosystem, allowing for an expansion into full CTEM at whatever pace is required.
If you’d like to find out more, please contact your Softcat Account Manager or our Sales team, to discuss how we can help.