Welcome to the fifth and final chapter of our five-part journey through Continuous Threat Exposure Management (CTEM).
In 2022, Gartner introduced the CTEM framework to help security teams focus on high-impact risks among the endless lists of exposures. Organizations that adopt the CTEM framework protect their business and infrastructure from attackers with a consistent, actionable remediation plan. To accomplish this, CTEM employs a five-stage methodology. In this blog series I review each of the five stages: Scoping, Discovery, Prioritization, Validation, and Mobilization.
And now, in this final installment, let’s dive straight into CTEM stage 5: Mobilization.
In general usage, mobilization refers to rallying support or action from a group of people for a particular cause or goal. It involves coordinating and directing efforts towards a common objective, which takes communication, planning, resource allocation, and the ability to inspire and engage people to work towards that objective.
What Does “Mobilization” Refer to in Cybersecurity?
In cybersecurity, mobilization refers to preparing and organizing resources, tools, and personnel to respond to and mitigate cyber threats or incidents. This includes activating incident response teams, implementing security protocols, and deploying the tools and technologies needed to detect, contain, and remediate incidents. To ensure a consistent and effective response, organizations need to prepare for potential attacks in advance by conducting training and establishing response protocols.
Mobilization in cybersecurity also refers to implementing proactive measures to strengthen defenses, such as conducting security assessments, implementing security controls, and continuously monitoring systems for potential threats. This proactive approach helps to reduce the likelihood of cyber attacks and improve overall resilience to threats and incidents.
Overall, mobilization in cybersecurity is a critical component of a robust cybersecurity strategy, as it enables organizations to effectively detect, respond to, and recover from cyber threats and incidents in a timely and coordinated manner. By being prepared and mobilizing resources proactively, organizations can better protect their assets, data, and reputation from cyber threats.
What is Mobilization in CTEM?
The mobilization stage in CTEM is the phase where resources, tools, and personnel are prepared and organized to proactively remediate threat exposures. This stage isn't only about advising what needs to be fixed; it is also about advising what doesn't need to be fixed. Security teams need to identify who is responsible for remediating each risk and what the remediation is, whether that is patching a vulnerability, blocking users, adjusting configurations or, in certain cases, accepting the risk.
Why Mobilization Causes Friction
In most organizations, there is a separation between security teams and operational teams who are responsible for executing the remediation. This separation often leads to miscommunication and misalignment around what needs to be fixed and why.
Add to that the endless lists of vulnerabilities and other exposures that security teams send to their counterparts in IT, and the result is frustration and distrust. If the remediating teams have no context or guidance for requested fixes, they may not have the bandwidth or ability to execute them, leaving the exposure, well, exposed and enabling the next cyber attack.
I'll illustrate this with an example: a CISO at one of our customers described the mutual frustration he experienced with his operations team before deploying XM Cyber. The operations team would come to him, filled with pride as they reported on fixing an entire list of vulnerabilities, only to be met with doubt and a lack of confidence that these were the right exposures to fix and that they were fixed correctly. In the end, they'd get a new list of vulnerabilities to fix.
The 6 Factors for Effective Mobilization
- Focus on the exposures with the highest impact:
To increase confidence and ensure the operations team has the bandwidth to apply the most effective fixes, only send exposures that are in fact exploitable in your environment AND that compromise critical assets (business or IT infrastructure). You need a reliable way to narrow the endless lists of vulnerabilities and other exposures down to a shortlist of what really matters, and to identify the fixes that would block multiple attack vectors at once.
- Provide full context and justification:
Lack of transparency increases frustration on both sides of mobilization. Collect the context of the exposure and of the entity it was found on, including the justification for why it is on the shortlist: how easy or difficult it is to exploit in your IT environment, how many critical assets it compromises, and the impact that would have on your business. Just like in any relationship, communication cannot be overrated.
- Provide complete guidance on what and how to fix:
Don't assume that the operations team will know exactly what to fix and how. Although in most cases they make the final decision, remediation guidance increases effectiveness and sets expectations. Make sure you have the full context of the exposure and the full context of the required fix, whether it's applying a patch, blocking access, restricting permissions, or adjusting configurations of systems and controls.
- Provide remediation alternatives:
In some cases, the exposure with the highest severity or impact cannot be fixed. This can be due to a versioning issue, system-defined group permissions, or other limitations. In most cases the operations team will notify you of the limitation, but sometimes the risk will remain without your knowledge, and this could be the exposure that jeopardizes your business in the next cyber attack. You need to be able to offer alternatives that still reduce risk and block a potential attack. To do so, you may need to visualize and analyze the attack paths that leverage this exposure and remediate an adjacent step in the path instead.
- Leverage integrations to streamline and automate the process:
Your organization most likely already has tools that can automate the remediation workflow. Whether you use a ticketing system, a SIEM, and/or a SOAR platform, remediation requests should flow through them to ensure consistency and efficiency. To facilitate remediation, adhere to the existing process flow and package the justification, the guidance, and the alternatives for each fix into an ITSM ticket or an incident.
- Close the loop and verify the remediation was effective:
To ensure risk reduction and regain confidence, you'll need to verify that the applied fix resolved the high-impact exposure and that the potential attacks it enabled are now blocked. Not verifying remediation leads to a disconnect between teams and can create a false sense of resilience. The way to verify remediation is to run continuous discovery across your whole environment. If the exposure is no longer discovered on the entity AND the attack paths that cross this entity are blocked, then the remediation was effective in reducing risk.
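The six factors above, worked through on a toy attack graph. This is an added example and is not code from the original post or from XM Cyber's product. The hosts, the exposure labels (EXP-1 to EXP-5), the remediation guidance text and the JSON ticket layout are all constructed for illustration, and the greedy cover used to pick alternatives is a simplification of real attack-path analysis:

```python
# Added example (not XM Cyber's code): a toy attack-path model that walks the six
# mobilization factors. Every host, exposure and fix is constructed sample data.
from collections import Counter
import json

# Constructed attack graph: (from_entity, to_entity, exposure). An attacker
# already on from_entity reaches to_entity by abusing the named exposure.
EDGES = [
    ("internet", "web01", "EXP-1 unpatched web app"),
    ("web01", "jump01", "EXP-2 reused local admin password"),
    ("web01", "file01", "EXP-3 world-writable share"),
    ("jump01", "dc01", "EXP-4 over-privileged service account"),
    ("file01", "dc01", "EXP-4 over-privileged service account"),
    ("file01", "crm-db", "EXP-5 default database credentials"),
]
ENTRY = "internet"
CRITICAL = {"dc01", "crm-db"}

# Constructed remediation guidance per exposure (factor 3).
GUIDANCE = {
    "EXP-1 unpatched web app": "Upgrade the web app to the vendor's patched release.",
    "EXP-2 reused local admin password": "Rotate the local admin password and stop reuse.",
    "EXP-3 world-writable share": "Remove Everyone:Write from the share ACL; grant per group.",
    "EXP-4 over-privileged service account": "Remove the account from Domain Admins.",
    "EXP-5 default database credentials": "Set a unique password; restrict the DB listener.",
}

def attack_paths(edges, entry=ENTRY, critical=CRITICAL):
    """Simple paths (lists of edges) from entry to a critical asset, which ends a path."""
    paths = []

    def walk(node, visited, trail):
        for edge in edges:
            src, dst, _ = edge
            if src != node or dst in visited:
                continue
            if dst in critical:
                paths.append(trail + [edge])
            else:
                walk(dst, visited | {dst}, trail + [edge])

    walk(entry, {entry}, [])
    return paths

def choke_points(paths):
    """Factor 1: rank exposures by how many attack paths they sit on."""
    return Counter(exp for path in paths for _, _, exp in path).most_common()

def justification(exposure, paths):
    """Factor 2: the context that travels with each shortlist entry."""
    hit = [p for p in paths if any(e == exposure for _, _, e in p)]
    return {
        "attack_paths_blocked": len(hit),
        "of_total_paths": len(paths),
        "critical_assets_protected": sorted({p[-1][1] for p in hit}),
        "found_on_entities": sorted({d for p in hit for _, d, e in p if e == exposure}),
    }

def alternatives(blocked, paths):
    """Factor 4: if `blocked` cannot be fixed, greedily pick other exposures on the
    same paths until each path that relied on it is cut elsewhere (greedy set cover)."""
    uncovered = [p for p in paths if any(e == blocked for _, _, e in p)]
    chosen = []
    while uncovered:
        counts = Counter(e for p in uncovered for _, _, e in p if e != blocked)
        if not counts:
            break  # nothing else on the path to fix: escalate as accepted risk
        best = max(sorted(counts), key=counts.get)  # ties broken alphabetically
        chosen.append(best)
        uncovered = [p for p in uncovered if not any(e == best for _, _, e in p)]
    return chosen

def build_ticket(exposure, paths, blocked=False):
    """Factor 5: one ITSM-style request carrying justification, guidance, alternatives."""
    alts = alternatives(exposure, paths) if blocked else []
    return json.dumps({
        "title": f"Remediate {exposure}",
        "justification": justification(exposure, paths),
        "guidance": GUIDANCE[exposure],
        "alternatives": [{"exposure": a, "guidance": GUIDANCE[a]} for a in alts],
    }, indent=2)

def verify_remediation(rediscovered_edges, exposure, entity):
    """Factor 6: fixed only if rediscovery no longer sees the exposure on the entity
    AND no surviving attack path still crosses that entity."""
    still_present = any(d == entity and e == exposure for _, d, e in rediscovered_edges)
    crossing = [p for p in attack_paths(rediscovered_edges) if any(entity in (s, d) for s, d, _ in p)]
    return not still_present and not crossing

if __name__ == "__main__":
    paths = attack_paths(EDGES)
    top = choke_points(paths)[0][0]  # EXP-1 sits on all three paths
    print(build_ticket(top, paths, blocked=True))  # fallbacks: EXP-3, then EXP-2
    partial = [e for e in EDGES if e != ("jump01", "dc01", "EXP-4 over-privileged service account")]
    print(verify_remediation(partial, "EXP-4 over-privileged service account", "dc01"))  # False
```

In this graph EXP-1 is the choke point (it sits on all three paths to the domain controller and the CRM database). If the web app cannot be upgraded, the ticket carries EXP-3 and EXP-2 as fallbacks that together cut the same paths. The last two lines show the verification failing for a partial fix: the service account was removed from the jump host's path but is still usable from the file server, so rediscovery still sees EXP-4 on dc01 and a path still reaches it.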
The Bottom Line
CTEM isn't just about identifying and fixing exposures; it's about understanding what should be fixed and which risks can be accepted. CTEM can help align priorities, but you still need to maintain a culture of collaboration, open communication, and an understanding of and respect for roles and responsibilities, to reduce friction between the different security teams and between security and IT operations. Implementing the 6 factors for effective mobilization will foster a collaborative approach and enhance the overall security posture of your organization.
To read the other blogs in the series: Scoping, Discovery, Prioritization, and Validation.