CTEM – INDIA NEWS (http://www.indiavpn.org)

Harnessing the Power of CTEM for Cloud Security
http://www.indiavpn.org/2024/04/02/harnessing-the-power-of-ctem-for-cloud-security/
Tue, 02 Apr 2024

Cloud solutions are more mainstream – and therefore more exposed – than ever before.

In 2023 alone, a staggering 82% of data breaches were against public, private, or hybrid cloud environments. What’s more, nearly 40% of breaches spanned multiple cloud environments. The average cost of a cloud breach was above the overall average, at $4.75 million. At a time when cloud has become the de facto standard – with 65% of IT decision-makers confirming that cloud-based services are their first choice when upgrading or purchasing new solutions – cloud security still faces multiple challenges despite this prominence.

Security Challenges in the Cloud

One major hurdle is the lack of visibility. Unlike physical servers you can see and touch, cloud resources are often spread across vast networks, making it difficult to monitor for suspicious activity and leaving vulnerabilities undetected. Another challenge is the inconsistency across cloud vendor permission management systems. Different providers have different controls for who can access and modify data. This inconsistency creates complexity and increases the risk of accidental misconfigurations, which are a leading cause of breaches.

Moreover, with multiple teams involved in cloud deployments – development, operations, security – clear ownership and accountability for cloud security can be blurred. This lack of coordination can lead to situations where security best practices are overlooked or bypassed. Additionally, many attacks move across the cloud to on-prem environments and vice versa, which can put both environments at risk.

All these challenges highlight the urgent need for robust cloud security solutions that provide comprehensive visibility, standardized permission management, and clear lines of responsibility. Yet security resources are stretched thin even in the best-provisioned teams – and cloud security teams are expected to investigate and remediate thousands of exposures that may not all have the same impact on critical resources. This leads to uncertainty around what to fix first and how to actually address all the identified exposures, leaving cloud environments exposed to cyberattacks.

Continuous Exposure Management is Essential

Instead of chasing countless vulnerabilities, security teams need to prioritize the most critical ones. This means being able to quickly identify the most dangerous attack paths and take preemptive action against advanced attack methods in the cloud.

By focusing on high-risk areas, cloud security teams can build targeted remediation plans that prevent major attacks, streamline workflows, and accurately report on real threats across multiple cloud environments. The key to achieving this is Continuous Threat Exposure Management (CTEM), a proactive and continuous five-stage program or framework that reduces exposure to cyberattacks. First introduced by Gartner in 2022, CTEM has proven essential for preventing high-impact attacks, improving remediation efficiency, and reporting true risk.

Stop letting hackers play connect-the-dots with your cloud security. Discover the secret map they don’t want you to have in our eBook, ‘The Power of Attack Paths in Cloud’. Learn to visualize, intercept, and secure your digital fortress like never before.

CTEM was introduced to solve the problem of endless lists of exposures, and more specifically vulnerabilities, across on-prem environments. Not being able to highlight and fix the exposures that are most critical leaves security teams fixing CVEs that may or may not be exploitable or impactful in their specific environment. In multi-cloud environments, the lists of vulnerabilities may be shorter, but together with misconfigurations and highly privileged access, they add up to a long list of exposures that attackers can use to breach the multi-cloud environment and that security teams must address. The only way to block attacks is by identifying and fixing the exposures with the highest impact on your business. That requires adopting the CTEM framework in the cloud environment.

Fix What Matters Across Multi-Cloud

To help cloud security teams fix what matters and block high-impact attacks in multi-cloud environments, a comprehensive CTEM program will highlight the most impactful entities that can compromise cloud resources. These solutions identify the cloud resources that can be compromised and discover all the exposures that attackers can use to compromise them. Mapping the attack paths that attackers could exploit helps prioritize and validate the most impactful exposures that are exploitable in the multi-cloud environment in order to address them first.

For example, taking the attacker’s perspective makes it possible to identify the top choke points. Choke points are critical weaknesses in your cloud defenses, where multiple attack paths converge on a single exposure. They can be easily breached by attackers, who can then access a vast network of resources – databases, computers, identity controls, and more. By prioritizing these high-impact areas, security teams focus on the most attractive targets for attackers, maximizing the return on their security efforts. Common choke points include internet-facing systems and unused access accounts. Addressing them significantly reduces the attack surface, effectively fortifying your entire cloud environment.

Figure: Example of a cloud choke point showing inbound and outbound attack paths

Another example of a high-impact exposure stems from pre-defined, highly privileged access. Highly privileged accounts, like pre-defined admins, are considered “game-over” assets: if compromised, attackers can wreak havoc. Having a comprehensive approach to CTEM helps by identifying these accounts and uncovering weaknesses that could leave them vulnerable. This includes spotting admin access without multi-factor authentication (MFA) or unused service accounts – essentially, weaknesses attackers would love to exploit.

To ensure critical exposures are addressed, advanced exposure management solutions provide remediation guidance and alternatives. More often than not, highly privileged accounts or internet-facing resources cannot be restricted, but analyzing the attack path that leads to them makes it possible to find a fix that lowers their exploitability and hence their level of risk.
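The choke-point idea from the last few paragraphs, worked as an added example that is not XM Cyber's code: a small constructed attack graph is searched for every path from an entry point to a critical asset, intermediate nodes are ranked by how many paths cross them, and the effect of remediating one node is measured without touching the admin identity or database themselves. All node names, edges, entry points and critical assets are assumptions made up for the illustration.

```python
"""Choke-point ranking over a constructed attack graph.

Added illustration, not XM Cyber's code. An edge A -> B means "an
attacker who controls A can reach B" (creds, permissions, exposure).
All node names, edges, entry points and critical assets are made up.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample graph: node -> nodes an attacker can pivot to.
ATTACK_GRAPH: Dict[str, List[str]] = {
    "internet": ["web-vm", "vpn-gw"],
    "web-vm": ["ci-runner"],
    "vpn-gw": ["ci-runner", "jump-host"],
    "jump-host": ["ci-runner"],
    "ci-runner": ["svc-deploy"],             # runner holds deploy creds
    "svc-deploy": ["prod-db", "admin-iam"],  # over-privileged service acct
    "prod-db": [],
    "admin-iam": [],                         # "game-over" admin identity
}
ENTRY_POINTS: List[str] = ["internet"]
CRITICAL_ASSETS: Set[str] = {"prod-db", "admin-iam"}


def attack_paths(graph: Dict[str, List[str]], sources: List[str],
                 targets: Set[str]) -> List[Tuple[str, ...]]:
    """Enumerate simple paths from any entry point to any critical asset."""
    found: List[Tuple[str, ...]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in targets:
            found.append(tuple(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:              # simple paths only, no cycles
                walk(nxt, path + [nxt])

    for src in sources:
        walk(src, [src])
    return found


def choke_points(graph, sources, targets) -> List[Tuple[str, int]]:
    """Rank intermediate nodes by how many attack paths cross them."""
    counts: Counter = Counter()
    for path in attack_paths(graph, sources, targets):
        counts.update(path[1:-1])            # skip entry point and target
    return counts.most_common()


def paths_after_fix(graph, sources, targets, fixed: str):
    """Paths that survive once the exposure on `fixed` is remediated,
    i.e. it can no longer be pivoted into or out of. The critical
    assets themselves are left untouched, as in the text above."""
    pruned = {n: [m for m in nbrs if m != fixed]
              for n, nbrs in graph.items() if n != fixed}
    return attack_paths(pruned, sources, targets)
```

In this constructed graph all six paths cross the CI runner and the deploy service account, so fixing either blocks every path to the admin identity, whereas fixing the web VM alone leaves four paths open.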

Stopping Hybrid Environment Attacks

Attackers are not limited by hybrid environments, and defenders must ensure they too are not limited. Solutions that analyze hybrid attack paths across on-prem and multi-cloud environments allow security teams to stay one step ahead of attacks by understanding exactly where they are exposed to cyber threats. These tools provide complete details around potential breach points, attack techniques, permissions usage, and remediation alternatives to help customers address these exposures and block the most critical attack paths.

Figure: Example hybrid attack path across MS Active Directory and AWS

Summary

While traditional cloud security struggles against the volume of ever-present exposures, CTEM offers an actionable remediation plan by focusing on the most critical ones in a specific environment. The right approach to CTEM reaches across on-prem and multi-cloud, encompassing your entire IT landscape. This holistic approach eliminates blind spots and empowers organizations to transition from reactive to proactive defense. By embracing CTEM, organizations can ensure their success in the cloud-based future.

Note: This expertly contributed article is written by Zur Ulianitzky, VP Security Research at XM Cyber.

CTEM 101 – Go Beyond Vulnerability Management with Continuous Threat Exposure Management
http://www.indiavpn.org/2024/03/12/ctem-101-go-beyond-vulnerability-management-with-continuous-threat-exposure-management/
Tue, 12 Mar 2024

Mar 12, 2024 | The Hacker News | CTEM / Vulnerability Management


In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you’d want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure Management (CTEM) program.

CTEM is an approach to cyber risk management that combines attack simulation, risk prioritization, and remediation guidance in one coordinated process. The term Continuous Threat Exposure Management first appeared in the Gartner® report, Implement a Continuous Threat Exposure Management Program (CTEM) (Gartner, 21 July 2022). Since then, organizations across the globe have been seeing the benefits of this integrated, continual approach.


Webinar: Why and How to Adopt the CTEM Framework

XM Cyber is hosting a webinar featuring Gartner VP Analyst Pete Shoard about adopting the CTEM framework on March 27. Even if you cannot join live, we will share an on-demand link, so don’t miss it!

Focus on Areas With the Most Risk

But why is CTEM popular, and more importantly, how does it improve upon the already overcrowded world of Vulnerability Management?

Central to CTEM is the discovery of real, actionable risk to critical assets. Anyone can identify security improvements in an organization’s environment. The issue isn’t finding exposures, it’s being overwhelmed by them – and being able to know which pose the most risk to critical assets.

In our opinion, a CTEM program helps you:

  1. Identify your most exposed assets, along with how an attacker might leverage them
  2. Understand the impact and likelihood of potential breaches
  3. Prioritize the most urgent risks and vulnerabilities
  4. Get actionable recommendations on how to fix them
  5. Monitor your security posture continuously and track your progress

With a CTEM program, you can get the “attacker’s view”, cross referencing flaws in your environment with their likelihood of being used by an attacker. The result is a prioritized list of exposures to address, including ones that can safely be addressed later.

The Five Stages of a CTEM Program

Vulnerability Management

Rather than a particular product or service, CTEM is a program that reduces cyber security exposures via five stages:

  1. Scoping – According to Gartner, “To define and later refine the scope of the CTEM initiative, security teams need first to understand what is important to their business counterparts, and what impacts (such as a required interruption of a production system) are likely to be severe enough to warrant collaborative remedial effort.”
  2. Discovery – Gartner says, “Once scoping is completed, it is important to begin a process of discovering assets and their risk profiles. Priority should be given to discovery in areas of the business that have been identified by the scoping process, although this isn’t always the driver. Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of assets and security controls, but also other weaknesses such as counterfeit assets or bad responses to a phishing test.”
  3. Prioritization – In this stage, says Gartner, “The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization.” Gartner further notes that “Organizations cannot handle the traditional ways of prioritizing exposures via predefined base severity scores, because they need to account for exploit prevalence, available controls, mitigation options and business criticality to reflect the potential impact onto the organization.”
  4. Validation – This stage, according to Gartner, “is the part of the process by which an organization can validate how potential attackers can actually exploit an identified exposure, and how monitoring and control systems might react.” Gartner also notes that the objectives of the Validation step include the need to “assess the likely ‘attack success’ by confirming that attackers could really exploit the previously discovered and prioritized exposures.”
  5. Mobilization – Says Gartner, “To ensure success, security leaders must acknowledge and communicate to all stakeholders that remediation cannot be fully automated.” The report further notes that, “the objective of the “mobilization” effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments. It requires organizations to define communication standards (information requirements) and documented cross-team approval workflows.”
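The Prioritization stage above argues that a predefined base severity score is not enough on its own. The following added example, which is neither XM Cyber's nor Gartner's scoring model, scales a base score by the factors the Gartner quote lists (exploit prevalence, an available compensating control, business criticality) plus whether the Validation stage confirmed the exposure sits on a reachable attack path, and contrasts the resulting order with a CVSS-only order. The weights, field names and sample findings are all constructed assumptions.

```python
"""Context-aware prioritization of exposures (added illustration, not
XM Cyber's or Gartner's model). The weights and sample findings are
constructed assumptions chosen to show why a base severity score alone
misorders the work, as the Prioritization stage above argues.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Exposure:
    name: str
    base_severity: float        # e.g. CVSS base score, 0-10
    exploited_in_wild: bool     # exploit prevalence
    on_validated_path: bool     # Validation stage confirmed reachability
    compensating_control: bool  # MFA, WAF rule, network isolation, ...
    business_criticality: int   # 1 (throwaway) .. 5 (crown jewel)


def contextual_score(e: Exposure) -> float:
    """Base severity scaled by the factors Gartner lists (weights assumed)."""
    score = e.base_severity
    score *= 1.5 if e.exploited_in_wild else 0.8
    score *= 1.0 if e.on_validated_path else 0.3   # unreachable: mostly noise
    score *= 0.5 if e.compensating_control else 1.0
    score *= e.business_criticality / 5
    return score


def by_base_severity(exposures: List[Exposure]) -> List[str]:
    """The traditional ordering: highest base score first."""
    return [e.name for e in
            sorted(exposures, key=lambda e: e.base_severity, reverse=True)]


def by_context(exposures: List[Exposure]) -> List[str]:
    """CTEM-style ordering: highest contextual score first."""
    return [e.name for e in
            sorted(exposures, key=contextual_score, reverse=True)]


# Constructed findings (not real CVEs or assets).
SAMPLE: List[Exposure] = [
    Exposure("critical CVE on isolated test VM", 9.8, False, False, False, 1),
    Exposure("admin IAM user without MFA", 6.5, True, True, False, 5),
    Exposure("unused service account with broad role", 5.0, False, True, False, 4),
    Exposure("internet-facing app CVE behind WAF", 8.1, True, True, True, 3),
]
```

With these inputs the CVSS-only list puts the isolated test VM first, while the contextual list moves the un-MFA'd admin user to the top and the unreachable test VM to the bottom.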

CTEM vs. Alternative Approaches

There are several alternative approaches to understanding and improving security posture, some of which have been in use for decades.

  • Vulnerability Management/RBVM focuses on risk reduction through scanning to identify vulnerabilities, then prioritizing and fixing them based on a static analysis. Automation is essential, given the number of assets that need to be analyzed, and the ever-growing number of vulnerabilities identified. But RBVM is limited to identifying CVEs and doesn’t address identity issues and misconfigurations. Furthermore, it doesn’t have information required to properly prioritize remediation, typically leading to pervasive backlogs.
  • Red Team exercises are manual, expensive, point-in-time tests of cyber security defenses. They seek to identify whether or not a successful attack path exists at a particular point in time, but they can’t identify the full array of risks.
  • Similarly, Penetration Testing uses a testing methodology as its assessment of risk, and it provides a point-in-time result. Since it involves active interaction with the network and systems, it’s typically limited with respect to critical assets, because of the risk of an outage.
  • Cloud Security Posture Management (CSPM) focuses on misconfiguration issues and compliance risks solely in cloud environments. While important, it doesn’t consider remote employees, on-premises assets, or the interactions between multiple cloud vendors. These solutions are unaware of the full path of attack risks that cross between different environments—a common risk in the real world.

It is our opinion that a CTEM program-based approach offers the advantages of:

  • Covering all assets—cloud, on-premises, and remote—and knowing which ones are most critical.
  • Continuously discovering all types of exposures—traditional CVEs, identities, and misconfigurations.
  • Presenting real-world insights into the attacker view
  • Prioritizing remediation efforts to eliminate those paths with the fewest fixes
  • Providing remediation advice for reliable, repeated improvements

The Value of CTEM

We feel that the CTEM approach has substantial advantages over alternatives, some of which have been in use for decades. Fundamentally, organizations have spent years identifying exposures, adding them to never-ending “to do” lists, expending countless time plugging away at those lists, and yet not getting a clear benefit. With CTEM, a more thoughtful approach to discovery and prioritization adds value by:

  • Quickly reducing overall risk
  • Increasing the value of each remediation, and potentially freeing up resources
  • Improving the alignment between security and IT teams
  • Providing a common view into the entire process, encouraging a positive feedback loop that drives continuous improvement

Getting Started with CTEM

Since CTEM is a process rather than a specific service or software solution, getting started is a holistic endeavor. Organizational buy-in is a critical first step. Other considerations include:

  • Supporting processes and data collection with the right software components
  • Defining critical assets and updating remediation workflows
  • Executing upon the right system integrations
  • Determining proper executive reporting and an approach to security posture improvements

In our view, with a CTEM program, organizations can foster a common language of risk for Security and IT; and ensure that the level of risk for each exposure becomes clear. This enables the handful of exposures that actually pose risk, among the many thousands that exist, to be addressed in a meaningful and measurable way.

For more information on how to get started with your CTEM program, check out XM Cyber’s whitepaper, XM Cyber on Operationalizing The Continuous Threat Exposure Management (CTEM) Framework by Gartner®.
