
Continuous threat exposure management (CTEM) is an often-ignored cyber security practice, but used effectively, it not only continually reduces risk, it can also improve collaboration across the business. That’s according to Stephan Krynauw, CTO of Snode.
Krynauw was speaking at the recent ITWeb Governance, Risk and Compliance (GRC) Conference, which focused on how artificial intelligence was impacting GRC practices.
Being a proactive approach to reducing cyber risks, CTEM should be a key consideration for those responsible for cyber security and for driving GRC within their organisations, said Krynauw. It provides a systematic approach, with a clearly defined list of five steps, and is designed to be iterative so it leads to a long-term continuous cycle of taking action, learning and tightening. This can also lead to the automation and improvement of many processes.
Krynauw said from the conference discussions, he’d picked up that one of the main challenges faced across the board was a "struggle to take action".
“What CTEM tries to achieve is simplifying, giving us a structured approach and allowing us to take action. Repeated action,” he said.
Five steps
Scoping is the first of the steps, which involves defining the attack surface and understanding the business value of the assets to be protected, said Krynauw. “There should be a lot of emphasis put on – and involvement from – the different parts of the business, as well as the GRC and internal audit teams and technology departments.”
Discovery is step two and is about unearthing unknowns. “Discover everything you can about the business, run a vulnerability scan, use the firewall to assess the number of assets, how many domains the organisation oversees.”
Based on the information previously identified, step three is about prioritising and classifying what threats might be exploited and which vulnerabilities exist on the assets. Krynauw advised that care should be taken to identify the most critical assets to the business and align cyber spend and resources accordingly. “Looking at the likelihood of them being exploited and the impact it would have if they were to be exploited helps to give some risk valuation,” he noted.
Step four is validation: assessing whether vulnerabilities are realistically exploitable and what controls may already be in place to block such exploits. Krynauw quoted Gartner advice, which is to explore every attack path to each of the identified risks, then to build out a tactical response plan.
The final step is mobilisation: operationalising the plan and addressing the risks. “With business involved from the beginning, this becomes quite easy as they know what the teams want to do and why; the tech team knows what it needs to do, and GRC and internal audit understand these things have to be done.”
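The five steps above can be read as a data pipeline: scoping supplies the in-scope assets and their business value, discovery supplies findings, prioritisation ranks them by likelihood, impact and asset value, validation records whether each finding is realistically exploitable or already blocked by an existing control, and mobilisation turns the result into an action list. The script below is an added illustration of that flow, not tooling from Snode, Gartner or ITWeb; the assets, vulnerability identifiers (placeholders, not real advisories), scores and the control mapping are all constructed sample data, and the scoring formula is an assumption chosen for illustration.

```python
"""Toy model of one CTEM cycle: scoping -> discovery -> prioritisation ->
validation -> mobilisation. Added illustration with constructed data; not
the tooling of any organisation named in the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    business_value: int        # 1-5, agreed with the business owner during scoping
    in_scope: bool = True      # scoping also decides what is deliberately excluded


@dataclass
class Finding:
    asset: str
    vuln_id: str               # placeholder identifiers, not real advisories
    likelihood: int            # 1-5: how likely exploitation is
    impact: int                # 1-5: damage if it were exploited
    exploitable: bool = True   # revised during validation
    blocked_by: Optional[str] = None  # compensating control found in validation


# Step 1 - scoping: attack surface and the business value of each asset (constructed)
SCOPE: List[Asset] = [
    Asset("payments-api", 5),
    Asset("hr-portal", 4),
    Asset("dev-wiki", 2),
    Asset("lab-box", 1, in_scope=False),   # explicitly out of scope this cycle
]

# Step 2 - discovery: constructed stand-in for vulnerability-scan output
DISCOVERED: List[Finding] = [
    Finding("payments-api", "VULN-PLACEHOLDER-1", likelihood=4, impact=5),
    Finding("hr-portal", "VULN-PLACEHOLDER-2", likelihood=5, impact=3),
    Finding("dev-wiki", "VULN-PLACEHOLDER-3", likelihood=3, impact=2),
    Finding("lab-box", "VULN-PLACEHOLDER-4", likelihood=5, impact=5),
]

# Step 4 input - controls already in place, keyed by (asset, finding) (constructed)
CONTROLS: Dict[Tuple[str, str], str] = {
    ("hr-portal", "VULN-PLACEHOLDER-2"): "WAF rule",
}


def risk_score(finding: Finding, asset_value: int) -> int:
    """Assumed scoring: likelihood x impact, weighted by the asset's business value."""
    return finding.likelihood * finding.impact * asset_value


def prioritise(scope: List[Asset], findings: List[Finding]) -> List[Tuple[int, Finding]]:
    """Step 3: keep only in-scope assets and rank findings by risk score, highest first."""
    value = {a.name: a.business_value for a in scope if a.in_scope}
    ranked = [(risk_score(f, value[f.asset]), f) for f in findings if f.asset in value]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def validate(ranked: List[Tuple[int, Finding]],
             controls: Dict[Tuple[str, str], str]) -> List[Tuple[int, Finding]]:
    """Step 4: mark findings that an existing control already blocks as not exploitable."""
    for _, finding in ranked:
        control = controls.get((finding.asset, finding.vuln_id))
        if control:
            finding.exploitable = False
            finding.blocked_by = control
    return ranked


def mobilise(validated: List[Tuple[int, Finding]]) -> List[Tuple[str, str, str, int]]:
    """Step 5: the action list. Exploitable findings become remediation work;
    blocked ones become 'verify the control still holds' tasks, keeping their score."""
    actions = []
    for score, finding in validated:
        if finding.exploitable:
            actions.append(("remediate", finding.asset, finding.vuln_id, score))
        else:
            actions.append(("verify-control", finding.asset, finding.blocked_by, score))
    return actions


def run_cycle(scope, findings, controls):
    """One full CTEM iteration; rerunning it with updated inputs is the 'continuous' part."""
    return mobilise(validate(prioritise(scope, findings), controls))


if __name__ == "__main__":
    for action in run_cycle(SCOPE, DISCOVERED, CONTROLS):
        print(action)
```

Run as-is it prints three actions: the payments API finding first (score 100, remediate), the HR portal finding second as a control-verification task because the constructed WAF rule already blocks it, and the wiki finding last; the out-of-scope lab box never reaches the list. Feeding the next cycle's scan output into the same functions, with remediated findings gone and newly confirmed controls added to the mapping, is what lets the process tighten rather than restart from scratch.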
Being continuous means CTEM is an iterative process that tightens over time. “It’s not about whacking moles all day, it’s about strengthening cyber posture in the long term,” he said.
Once the first CTEM cycle is complete, repeated cycles can then be streamlined, including approval processes, as there is already buy-in from various parts of the business. “CTEM improves collaboration between business, security, GRC and internal audit. As it’s a cycle it means we can inform our intentions going forward and learn how to do better, improve risk posture and minimise threat exposure,” said Krynauw.