
In today’s digital world, businesses face a myriad of constantly evolving cyber security threats. Attackers are becoming more sophisticated and systems more complex, so it is increasingly difficult for organisations to keep pace.

The business challenges that now necessitate CTEM

It’s imperative that businesses keep up. Cyber security is all about risk management. Relying on good luck is not a strategy. In fact, bolstering cyber security posture and mitigating risks is an increasingly shared responsibility of both technology and business teams.

The nature and complexity of the control environment needed to protect systems and their data against disruption means that it’s not enough to just select a set of controls and assume they are working.

By regularly reviewing their control environment to identify and mitigate vulnerabilities, organisations can significantly reduce the likelihood of a security incident impacting their operations. Executive, board, and risk teams are now requiring oversight and verifiable assurance that current controls are present and operating effectively.

Interestingly, the cyber insurance industry initially led on this, requiring organisations to declare and attest to the state of their cyber security controls, and those of their third-party suppliers. Regulators, both cyber security and corporate, are now moving beyond that – defining best practice frameworks to benchmark your cyber security maturity and improve resilience. In many jurisdictions new laws and regulations now mandate that boards have visibility and are able to report on the efficacy of the controls in place:

  • To protect
    • The resilience of the organisation;
    • Critical systems and other IT assets;
    • Important business processes;
    • Third-party suppliers and downstream customers;
  • To report on issues where existing controls are inadequate to defend against the assessed risk, and mitigation is required.

It is important to remember that compliance reporting and risk management are very different business objectives.

Implications for cyber security teams and managers

Visibility of security threats and the state of your cyber security effectiveness is more than just knowing the operating status of a control and what needs fixing. It also requires oversight, telemetry and measurement of the coverage, maturity and performance of those control systems across the estate.

Without a clear understanding of the vulnerabilities and potential threats that could impact your enterprise, security teams and their senior executives are essentially operating in the dark. A security risk assessment will help identify the vulnerabilities and the existence of any exposed attack vectors that might threaten your inadequately protected IT assets. A review of the nature and business value of those assets will assist the security team in identifying the potential purpose and level of intent of an attacker, and hence the mitigating controls necessary.

The Australian Cyber Security Centre’s (ACSC) Essential Eight Maturity Model, for example, bases increasing defence maturity levels on the overall capability, targeting and level of tradecraft with which a malicious actor may pursue a particular target. The greater the level of intent of an adversary the more effective and mature your controls should be.

Evidence from international security agencies such as the ACSC, the NCSC in the UK and CISA in the US has confirmed, time and again, that a key reason for successful cyber security attacks is poor basic security controls. Weak passwords, unpatched software and misconfigured systems are easily exploited by cybercriminals as a means of infiltrating your network. In fact, more than one national security agency has noted that poor basic controls are the most significant factor in the high number of opportunistic cyber attacks. Beyond poor controls, the typical internal problems behind present-day cyber attacks are:

  • Lack of adequate visibility into security risks;
  • Risk of human errors and ongoing emerging vulnerabilities;
  • Inadequate threat detection and mitigation capabilities at scale;
  • Inability to continuously report, or attest to, the effectiveness of the risk-control environment to risk management stakeholders;
  • The absence of evidence-based risk information to inform decision-making.

Turbocharge your cyber security risk management with CTEM

Moving beyond simple compliance to the proactive management of vulnerabilities and threat exposure depends on:

i. reliable evidence and visibility of any changed state of security control effectiveness as a result of your cyber security risk management efforts; and

ii. informing all stakeholders of any changed cyber resilience conditions impacting your business and its operations.

The format, outputs and visualisations may vary, but both the senior executives and the first-line technical teams need a shared understanding of any issues the business and its systems are exposed to, and of the consequences of any mitigation strategies deployed.

The fundamental benefit of CTEM, and the reason it informs more efficient security operations risk management, is its widely acknowledged ability to identify and then mitigate emerging risks in order to better manage cyber resilience.

Benefits of CTEM solutions

Continuous Threat Exposure Management is a compelling approach to cyber security risk management. CTEM was originally seen as a process to identify and manage threats, but is fast moving beyond that. Data volumes, the scarcity of skills and security team workloads mean that manual CTEM processes are being progressively replaced by software and potentially automated solutions. The result is that near real-time cyber security information is increasingly available to risk management teams, delivering ongoing and reliable threat readiness (or control effectiveness) information, at scale, to both the technical and business teams.

When integrated into your cyber security governance model, and depending on your chosen level of process automation, CTEM delivers important risk management information for organisations to:

  1. Continuously monitor threat exposure – gathering and monitoring vulnerability information, configuration issues and account settings from across the organisation.
  2. Systematically identify and measure emerging vulnerability gaps where existing controls are no longer effectively protecting the critical assets, systems and data.
  3. Regularly verify and accurately report cyber resilience levels, as the shifting threat environment alters your attack surface.
  4. Regularly adjust control settings to effectively manage cyber security to an agreed level of maturity.
  5. Reliably report the status and effectiveness of the controls to ensure that operational and regulatory obligations are being met by all stakeholders.
  6. Provide evidence-based information and a single source of cyber security truth to all risk management stakeholders, to better inform tactical and strategic decision making.
  7. Dramatically reduce security team workloads, increase operational efficiencies and identify issues in a timely manner to enable responsive risk mitigation strategies.

Some organisations are already migrating CTEM processes to automated software solutions to better meet the frequency, complexity, volume and accuracy demands that risk assessment places on their maturing cyber security governance model.

The connection between CTEM, TDIR, and cyber resilience

When combined with an organisation’s existing Threat Detection and Incident Response (TDIR) solution (perhaps a SIEM or XDR platform), the value of automated and continuous threat exposure management becomes compelling.

While these benefits depend very much on the level of integration between the two solutions, the information from the CTEM process is key to guiding the efforts of Security Operations Centre (SOC) teams. The tighter the integration of this contextualised threat information into the TDIR process, the more efficient and streamlined the resulting SOC operations.

The sophistication of your chosen Exposure Management (EM) process will affect the extent of these benefits. The level of manual participation in the EM process remains very much a decision for the security team; but with an automated, data-driven process, evidence-based threat information can quickly inform situational awareness and guide the subsequent investigation and response actions of security analysts. Knowing that a suspicious attack detected by your TDIR solution is targeted at a priority or poorly protected asset enables limited SOC resources to focus quickly and most effectively on the risks that will impact your business activities.

Choosing to have CTEM capabilities, operating continuously in the background on the network, means that information is available to quickly prioritise and streamline the TDIR process.

Automation of the EM process

The regular bottom-up measurement of your control effectiveness can be used to set a target security posture and to manage your ongoing resilience maturity levels. In all but the smallest organisations, the cost, disruption and unreliability of frequent manual threat assessments and their management will inevitably lead to more automated processes. In larger enterprises, automated data-driven CTEM platforms are already providing continuous EM to proactively inform the risk management and response process and dramatically limit the risk of cyber disruption to the business.

This “automation” of the EM process delivers the very real benefits of systematic, reliable, near real-time situational awareness. It replaces much of the time-consuming effort of data collection and subjective decision making by providing logical, evidence-based outcomes. Whether it’s using data-driven CTEM information to guide your cyber security governance and disclosure obligations, or to accurately manage ongoing resilience, the quality of the information will dictate the reliability of your situational awareness. So, as cyber resilience increasingly becomes a critical component of organisational resilience, and security and business stakeholders demand to move beyond intuition and anecdotal judgements to evidence-based decision making, EM processes introduce an appropriate level of scientific method into the cyber security risk management process.

Improved cyber security efforts

When leveraged appropriately, this two-way link between a TDIR solution, such as a SIEM, and CTEM activities can significantly improve both the speed and fidelity of your actionable threat intelligence. The SIEM, whether by rules or inference, identifies security incidents needing resolution, and CTEM measures the current effectiveness of the controls, identifying where any security control improvement is required. This means that when measured against a best-practice cyber security framework, like the ACSC Essential Eight Maturity Model, the efficacy of each proactive mitigation strategy can be assessed, and if necessary adjusted, as part of a cyber resilience program. Gartner already expects that by 2026, CTEM will fundamentally reduce the number of security breaches by two-thirds. So when this high-fidelity CTEM information is automatically integrated into the TDIR telemetry and analysis processes, SOC investigation workflows and analyst activities can be directed by evidence-based actionable intelligence.

In combination, for example, Huntsman Security’s Enterprise SIEM and its Scorecard software deliver unparalleled efficiencies to your cyber security efforts by:

(i) continuously reporting the state of your internal cyber security controls to all stakeholders;

(ii) automatically correlating potentially suspicious events with priority or poorly protected assets; and as a result

(iii) streamlining analysts’ efforts to focus on risky events and IT assets that are known to be less protected or more valuable to the activities of the business.
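
As an added illustration of the CTEM-to-TDIR correlation described above (constructed example code, not Huntsman Security’s own products or code), constructed SIEM alerts are joined with constructed per-asset Essential Eight control-effectiveness evidence, and each alert is scored by its detection severity, an assumed business value and the share of controls not verified effective, so that a moderate alert on a poorly protected critical asset outranks a louder alert on a low-value kiosk. The host names, asset values, scoring weights and the treatment of hosts with no CTEM coverage are all assumptions.

```python
# Added illustration, not Huntsman Security code: rank SIEM alerts using CTEM
# control-effectiveness evidence. Hosts, values and weights are constructed assumptions.
from dataclasses import dataclass

# The ACSC Essential Eight mitigation strategies as short labels.
ESSENTIAL_EIGHT = ("app_control", "patch_apps", "office_macros", "harden_apps",
                   "restrict_admin", "patch_os", "mfa", "backups")

@dataclass
class Asset:
    name: str
    business_value: int   # assumed scale: 1 (low) .. 5 (critical)
    controls: dict        # control label -> True if CTEM verified it effective

def control_gaps(asset):
    """Controls the CTEM evidence does not show as effective on this asset."""
    return [c for c in ESSENTIAL_EIGHT if not asset.controls.get(c, False)]

def exposure(asset):
    """Fraction of the Essential Eight that is unverified or failing (0.0 .. 1.0)."""
    return len(control_gaps(asset)) / len(ESSENTIAL_EIGHT)

def prioritise(alerts, assets):
    """Score = severity x business value x (1 + exposure). A host with no CTEM
    coverage is treated as critical and fully exposed so it cannot hide."""
    ranked = []
    for a in alerts:
        asset = assets.get(a["host"])
        if asset is None:
            score, gaps = a["severity"] * 5 * 2.0, ["no_ctem_coverage"]
        else:
            score = a["severity"] * asset.business_value * (1 + exposure(asset))
            gaps = control_gaps(asset)
        ranked.append({"alert": a["id"], "host": a["host"],
                       "score": round(score, 2), "gaps": gaps})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)

# Constructed CTEM inventory: which controls were verified effective on each host.
ALL_OK = {c: True for c in ESSENTIAL_EIGHT}
ASSETS = {
    "fin-db-01": Asset("fin-db-01", 5, {**ALL_OK, "patch_os": False, "mfa": False}),
    "hr-app-02": Asset("hr-app-02", 3, dict(ALL_OK)),
    "kiosk-07": Asset("kiosk-07", 1, {}),   # nothing verified on the kiosk
}
# Constructed SIEM alerts; severity is the detection's own 1..5 rating.
ALERTS = [{"id": "A1", "host": "kiosk-07", "severity": 4},
          {"id": "A2", "host": "fin-db-01", "severity": 2},
          {"id": "A3", "host": "hr-app-02", "severity": 4},
          {"id": "A4", "host": "unknown-99", "severity": 1}]
```

Calling `prioritise(ALERTS, ASSETS)` ranks the severity-2 alert on the unpatched, MFA-less finance database first and the severity-4 alert on the low-value kiosk last, with the uninventoried host surfaced in between as a CTEM coverage gap.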

Cyber resilience: where it all comes together, and the goal for leadership

The goal, for both the business leadership and the security team, is to improve cyber resilience and protect the IT systems, assets and data that contribute to the ongoing operation of the organisation. Increasingly legislators are demanding it.

For some Critical Infrastructure sectors, cyber resilience is the cornerstone of the wider regulatory requirement for Operational Resilience (sometimes called Operational Risk Management) that is being mandated in various jurisdictions, such as the Digital Operational Resilience Act (DORA) in the EU and the Financial Conduct Authority’s (FCA) PS21/3 regulations in the UK. Similarly onerous cyber security disclosure obligations are also being sought in the US by the U.S. Securities and Exchange Commission (SEC). In Australia too, the Security of Critical Infrastructure Act 2018 (SOCI) stipulates increasingly granular Risk Management Program and resilience reporting for priority CI providers.

Organisational resilience more broadly is becoming a fundamental tenet of corporate governance and continuous disclosure. In essence, the measure of the ability of an organisation to continue to conduct operations, even in the event of disruption to key components of the product or services value chain, is becoming a collective operational responsibility. Cyber security leaders are now expected to contribute to the broader organisational resilience across all operations, where the resilience of systems, processes, people and third-party inputs into the delivery of a product or service are required to be managed.

Cyber resilience and this broader organisational resilience are now firmly part of directors’ responsibilities. While delegation is acceptable, oversight evidence of the effectiveness of controls, lessons learned and an objective assessment of the success of operational resilience efforts are a Board’s responsibility and must be available and demonstrable.

Solutions

At Huntsman Security, we work with government agencies and commercial clients across Australia, the UK and Japan to supply out of the box CTEM software solutions.

Our CTEM products are proven to deliver reliable evidence-based risk assessment reports in minutes.
