Want to know what’s the latest and greatest in SecOps for 2024? Gartner’s recently released Hype Cycle for Security Operations report takes important steps to organize and mature the domain of Continuous Threat Exposure Management, aka CTEM. Three categories within this domain are included in this year’s report: Threat Exposure Management, Exposure Assessment Platforms (EAP), and Adversarial Exposure Validation (AEV).
These category definitions are aimed at providing some structure to the evolving landscape of exposure management technologies. Pentera, listed as a sample vendor in the newly defined AEV category, is playing a pivotal role in increasing the adoption of CTEM, with a focus on security validation. Following is our take on the CTEM related product categories and what they mean for enterprise security leaders.
CTEM, coined by Gartner in 2022, presents a structural approach for continuously assessing, prioritizing, validating, and remediating exposures in an organization’s attack surface, enabling businesses to mobilize response to the most critical risks. The framework it lays out helps to make an ever-growing attack surface manageable.
The recent reorganization of categories aims to help enterprises identify the security vendors that are best equipped to support CTEM implementation.
Threat Exposure Management represents the overall set of technologies and processes used to manage threat exposure, under the governance of a CTEM program. It encompasses the two new CTEM related categories described below.
Vulnerability Assessment and Vulnerability Prioritization Technology capabilities have been merged into one new category, Exposure Assessment Platforms (EAP). EAPs aim to streamline vulnerability management and enhance operational efficiency, undoubtedly why Gartner has given this category a high benefit rating.
Meanwhile, Adversarial Exposure Validation (AEV) merges Breach and Attack Simulation (BAS) with Automated Pentesting and Red Teaming into one newly created function that’s focused on providing continuous, automated evidence of exposure. AEV is expected to have great market growth for its ability to validate cyber resilience from the adversarial point of view, challenging the organization’s IT defenses with real-world attack techniques.
A few things, but for a start, they make you less dependent on CVSS scores for prioritizing vulnerabilities. While a useful indicator, that’s all it is, an indicator. The CVSS score doesn’t tell you how exploitable a vulnerability is in the context of your specific environment and threat landscape. The data provided within an EAP set-up is much more contextualized with threat intelligence and asset criticality information. It serves insights in a way that supports action, rather than oceans of data points.
This added contextualization also means vulnerabilities can be flagged in terms of posing a business risk. Does a poorly configured device that no one ever uses and isn’t connected to anything, need to be patched? EAPs help to direct efforts towards addressing vulnerabilities that are not just exploitable, but actually lead to assets that hold business significance, either for its data or for operational continuity.
While EAPs leverage scans and data sources to provide exposure context, they are limited to theoretical data analysis without actual evidence of exploitable attack paths. And that’s where AEV comes in, it confirms exposures from an adversary’s point of view. AEV involves running adversarial attacks to see which security gaps are actually exploitable in your specific environment and how far an attacker would get if they were to be exploited.
In short, AEV takes threats from the playbook to the playground.
Yet there are other benefits too; it makes running a red team much easier to get off the ground. Red teams require a unique set of talents and tools that are hard to develop and obtain. Having an automated AEV product to conduct numerous red-teamer tasks helps to lower that threshold of entry, giving you a more-than-decent baseline from which to build.
AEV also helps to make a large attack surface more manageable. Easing the load of security staff, automated test runs can be executed routinely, consistently, and across multiple locations, leaving any aspiring red teamer to focus only on high-priority areas.
Not all a hedge of roses, there are some thorns that companies need to clip to get the full potential out of their Threat Exposure Management initiatives.
When it comes to EAP, it’s important to get thinking beyond compliance and CVSS scores. A mind shift is required from viewing assessments as tick-box activities. In this limited context, vulnerabilities are listed as isolated threats, and you’ll end up missing the difference between knowing there are vulnerabilities and prioritizing those vulnerabilities according to their exploitability and potential impact.
On the AEV side, one challenge is finding the right technology solution that will cover all bases. While many vendors offer attack simulations and/or automated penetration testing, they’re typically seen as distinct functions. Security teams looking to validate both the true effectiveness of their security controls and the true exploitability of security flaws may choose to implement multiple products separately.
The evolution of the CTEM framework since its introduction two years ago indicates the growing acceptance of the critical need for a proactive risk exposure reduction mindset. The new categorization presented in the Hype Cycle reflects the growing maturity of products in this space, supporting the operationalization of CTEM.
When it comes to the AEV category, our recommendation is to use a solution that will seamlessly integrate BAS and penetration testing capabilities, as this is not a common feature for most tools. Look for agentless technologies that accurately replicate attacker techniques and ease operational demands. This unique combination ensures that security teams can validate their security posture continuously and with real-world relevance.
Learn more about how Pentera is used as an essential element of any CTEM strategy that empowers enterprises to maintain a robust and dynamic security posture, continuously validated against the latest threats.
For more insight into Continuous Threat Exposure Management (CTEM), join us at the XPOSURE Summit 2024, hosted by Pentera, and grab the Gartner® 2024 Hype Cycle for Security Operations report.