Scoping Risk and Impact: A Deep Dive

A Series on the 5 Stages of CTEM (Stage 1 = Scoping)

Welcome to the first installment of our five-part journey through the stages of Continuous Threat Exposure Management (CTEM). In this series, I’ll take you on a deep dive through the 5 stages of the CTEM framework as defined by Gartner. Gartner introduced CTEM in July 2022, and it has since gained significant traction among organizations. That’s because CTEM’s 5 stage approach (Scoping, Discovery, Prioritization, Validation, Mobilization) is helping organizations reduce their attack surface and continually improve security posture.

In this blog series, I aim to provide a complete understanding of each stage so organizations can tailor the adoption of CTEM to their needs and goals. In this blog post, I’ll take a deep dive into the 1st stage, Scoping. I’ll look at what “scope” refers to in cybersecurity, what it means specifically in CTEM, how to create a scoping process and how to help enable it in your organization.

What Does “Scope” Refer to in Cybersecurity?

In the realm of cybersecurity, “scope” defines what assets require protection or assessment: code bases, domains, subdomains, online service accounts, IPS, servers, whatever. Defining scope is a key first step in identifying and managing the risks associated with any device, application, or entity within an organization’s IT environment.

This makes proper scoping pivotal to safeguarding organizational assets effectively. Without a well-defined scope, the challenge of protecting assets becomes nearly impossible, especially for entities with hundreds or thousands of assets. Scoping ensures accurate identification of critical and vulnerable systems, which makes it the foundational step in devising security measures. It constructs a strategic framework that allows organizations to first understand and then prioritize their security efforts.

What is Scoping in CTEM?

In the CTEM framework, scoping is the initial phase, in which security teams identify the infrastructure segments to be included in the program, and determine the critical assets. As part of this step, organizations essentially decide what matters most to their business and then adapt the CTEM program accordingly.

Large organizations have complex attack surfaces that extend far beyond traditional devices and applications. These attack surfaces encompass intangible elements like social media accounts, online code repositories, integrated supply chain systems, and much more. To effectively protect this ecosystem, most organizations start by establishing an initial scope. This initial CTEM scope should demonstrate rapid value to stakeholders and thus generally takes a narrow focus. Organizations then add multiple scopes that encompass digital risk protection, and provide different focus for reporting on  the attack surface.

Defining and refining the scope of CTEM demands that security teams understand business priorities and identify the potential impact of threats. Unlike traditional vulnerability management projects, CTEM programs adopt an “attacker’s point of view” – looking far beyond common vulnerabilities and exposures (CVEs). Scoping for a CTEM program pilot involves considering external attack surfaces and evaluating SaaS security postures – especially given the increasing reliance on remote work and critical business data hosted in the cloud.

A well-defined and evolving scope is vital for the success of CTEM programs in large organizations, considering the diverse and expanding nature of the modern attack surface.

How Can You Create a CTEM Scoping Process?

An effective CTEM scoping process is built on two pillars: continuous monitoring and automation. Continuous monitoring is a must-have owing to the dynamic nature of cyber threats – organizations must keep pace with evolving risks and the ever-changing IT infrastructure landscape. Automation is indispensable because manual scoping processes are time-consuming, prone to human error, and simply impractical when dealing with a multitude of digital assets.

The scoping process itself encompasses multiple steps, starting with a detection phase that:

Leverages open-source intelligence methods to detect assets
Uses attack surface management techniques to monitor changes in the attack surface map
Employs network scanning tools to identify network-level services
Uses crawlers to discover URLs and user inputs

There is a wide diversity of tools available to accomplish the detection step. By selecting tools and processes aligned with their specific needs and risk tolerance levels, organizations can establish a robust scoping framework.

It is critical to ensure that detection happens across the hybrid environment of the organization. In order to identify and address lateral movement across on-prem and cloud environments, endpoints and applications, you must be able to define a holistic scope. That is one reason why traditional security solutions may not be able to cover the expanded attack surface.

The next step would be to determine which are critical assets for which risk and impact would be amplified in the case of cyberattack. While continuous, automated detection can increase efficiency, you may need to verify that critical systems holding sensitive data, essential for business transactions, or holding intellectual property are not overlooked.

Summary

To summarize, scoping will determine the breadth and accuracy of your CTEM program. If you leave out external attack surfaces, you will ignore certain breach points that expose you to cyberattacks. If you do not include your cloud environment in your scope definition then lateral movement from on-prem to cloud will go unnoticed, leaving you vulnerable. The definition of critical assets will determine calculations and decision making around the impact of exposures. It has the potential to keep your security team busy fixing vulnerabilities that have no impact on your security posture, or miss overly permissiveness on unidentified critical assets.
To learn more read our ebook on Operationalizing the CTEM Framework with XM Cyber.
Next stop: Discovery.