The Five Steps of CTEM, Part 3

The Art of Prioritizing Exposures Based on Exploitability and Impact in YOUR Environment

Welcome to the third installment of our five-part journey through Continuous Threat Exposure Management (CTEM).

Gartner introduced the CTEM framework in 2022 to assist security teams in continuously improving their security posture by prioritizing and validating exposures to build a consistent, actionable remediation plan. Leveraging a five-stage methodology (Scoping, Discovery, Prioritization, Validation, Mobilization), CTEM enables organizations to reduce their attack surface and enhance cyber resilience by inventorying and contextualizing assets and exposures to focus on fixing what matters most.

In today’s blog, we’ll take a deep dive into CTEM Stage 3: Prioritization.

What Does “Prioritization” Refer to in Cybersecurity?

In cybersecurity, vulnerability prioritization technology (VPT) collects data from various sources of vulnerability meta-data to provide recommendations of what to fix first based on exploitability, business-criticality, the severity of a vulnerability, and compensating controls in place, recognizing that not all vulnerabilities carry the same weight. 

The fact is that no organization has unlimited resources to fix everything and that not every vulnerability can be fixed. This means that security teams need to focus on remediation of the most critical issues rather than chasing every single vulnerability. Prioritizing vulnerabilities is proactive cybersecurity in action – but it requires continuous visibility into assets, exposures, and potential severity. The clarity offered by effective vulnerability prioritization facilitates more effective resource allocation – enabling teams to address the most urgent vulnerabilities first.

How Do Organizations Prioritize Vulnerabilities?

To prioritize vulnerabilities, organizations need to consider severity, measured by tools like the Common Vulnerability Scoring System (CVSS), exploitability (often measured based on the Exploit Prediction Scoring system – or EPSS), impact, asset value, and threat intelligence. 

Severity scores are a good starting point, indicating the potential impact of a vulnerability. Similarly, evaluating exploitability can define the potential ease of exploitation by a threat actor, should he or she choose to do so. Assessing potential consequences also helps prioritize vulnerabilities based on the potential harm a threat actor could cause, while granularly understanding the diverse values of each asset aids in targeting remediation efforts. Finally, incorporating threat intelligence ties all these efforts together – pointing a finger at actively exploited vulnerabilities and how they align with trending attack patterns. 

More specifically, organizations prioritize vulnerabilities by:

• Creating threat scenarios to better understand the potential materialization of risks enables the development of actionable plans for their mitigation. Establishing a threat profile involves detailing threat actors, sources, scenarios, and critical assets. This information guides the prioritization of security threats and protection of assets.
• Developing assessment and probability scales that enhance risk prioritization by assigning financial values to each risk and determining appropriate responses based on risk severity. Probability scales help assess the likelihood of specific events and aids in strategic planning.
• Incorporating cyber threat intelligence is crucial for prioritizing risks. Threat intelligence platforms monitor and analyze alerts, facilitate risk-based incident management, identify and neutralize threat actors, and assess the business-level impact of each cyber risk. This comprehensive approach ensures well-informed prioritization of cyber risks and effective mitigation and response.

What is Prioritization in CTEM?

The goal of exposure management is not to remediate every identified issue or focus solely on zero-day threats but to prioritize and address the most likely threats that could be exploited in YOUR environment and have the most critical consequences on your business. 

The prioritization stage of CTEM involves assessing potential vulnerabilities identified in the discovery stage and addressing them based on priority, considering their likelihood of exploitation and potential impact on the organization. Factors such as potential damage to assets or reputation, the probability of successful exploitation, and the difficulty in dealing with the vulnerability are considered in this stage.

Once prioritized, CTEM offers a guiding framework for organizations to develop a plan to validate and address vulnerabilities – implementing security controls or processes, conducting regular testing to ensure effectiveness.

How Do I Create a CTEM Prioritization Process?

Prioritization in CTEM is an ongoing process. It requires that security stakeholders and teams continually assess, rank, and select which assets require immediate attention based on the potential risk to them. To gain these insights, organizations using the CTEM approach need to evaluate and rank identified exposures based on their:

• Exploitability in YOUR environment – Vulnerabilities that may have high severity and exploitability in the wild, may be invalid in your environment depending on the specific systems and applications in use, and based on the connectivity between the systems. Adding a context of potential attack paths that could exploit the exposure provides analysis on whether or not this exposure compromises your environment. 
• Urgency – Whereas some vulnerabilities or exposures truly require immediate attention to mitigate damage, others can wait. For example, if an exposure is associated with leaked or stolen credentials, it may be more urgent to address than other less likely exposures.
• Impact – Prioritization involves understanding the potential consequences to the business if a certain exposure is exploited by threat actors. To evaluate the impact the exposure requires adding context of potential attack paths and the critical assets they compromise. 
• Compensating security controls – Assessing existing compensating controls (i.e. security tools or solutions), and how effective they might be against a given exposure, helps calculate the exploitability of an exposure in your environment, as well as the potential to impact a critical asset.

How XM Cyber Prioritization Aligns with CTEM to Boost Remediation Efficiency 

By incorporating XM Cyber into your CTEM program, organizational security teams can more efficiently manage threats and exposures, ensuring accurate and cost-effective prioritization and remediation that rapidly improves security posture. XM Cyber manages prioritization by::

• Prioritizing across CVEs, misconfigurations and identity issues – In a single dashboard view, XM Cyber helps teams discover, prioritize, remediate, and validate all exposure types from the external attack surface, to on-prem and cloud environments – offering a more holistic and contextual view into risk.
• Generating Attack Paths from the Attacker’s Perspective – XM Cyber leverages the attack paths to check the exploitability and the potential impact on critical assets in YOUR environment. The attack path provides the business context of each asset and each exposure to not only calculate the priority, but even to identify remediation alternatives to block the attack path in case an exposure cannot be fixed.  
• Deprioritizing Dead Ends – XM Cyber also leverages  attack paths to identify exposures that are on attack paths that do not compromise critical assets – meaning that an attacker who exploits these for lateral movement will not endanger business critical systems and applications – Dead Ends that can be deprioritized as opposed to exposures that directly impact critical assets.  Recent research found that 75% of exposures are  “Dead Ends” and can be deprioritized. 
• Highlighting Choke Points – XM Cyber leverages its proprietary Attack Graph Analysis ™  to highlight assets and exposures that when remediated block multiple attack paths – the Choke Points that offer more bang for your remediation buck. By fixing these Choke Points first customers are able to gain remediation efficiency and save time and money on analysis and remediation efforts. A recent research found that 2% of exposures are Choke Points, meaning that 2% of your current remediation efforts can block most of your critical attack paths (Fix less. Prevent more.).
• Monitoring Security Controls – XM Cyber Security Control Monitoring (SCM) module provides insights into the activation and configuration of security solutions along the attack path that could block it from compromising critical assets.  
• Continuously Evaluating the Security Posture Score – XM Cyber helps you share continuously updated metrics of security posture and trending that shows the impact of remediation efforts – and thus the success of prioritization.

Summary

To summarize, there are many vulnerability prioritization solutions that would consider severity and exploitability of vulnerabilities in the wild. That will help focus your efforts to some extent, but it may leave you exposed if you are only looking at a subset of exposures (for example, only at vulnerabilities, or only on-prem) or if your most critical system is actually compromised by an exposure that has not yet been exploited. In addition to that in many cases the high severity vulnerabilities may still be unmanageable, like for instance a large global company that had 8 million vulnerabilities, and when narrowed it down still had to address 1 million vulnerabilities. 

Leverage an exposure management solution that aligns with the guidelines of the CTEM framework and helps you focus on the high-impact risk and fix the exposures that matter most to your business. 

Are you ready to select the solution to help you fix what matters? Then check out our CTEM Buyer’s Guide to learn more.