Embracing Continuous Threat Exposure Management (CTEM)

/by

With new vulnerabilities emerging daily and cyber threats becoming more sophisticated, organizations must evolve their cybersecurity strategies to protect their digital assets. One such strategy endorsed by a leading industry analyst firm is gaining traction with forward-thinking CISOs: Continuous Threat Exposure Management (CTEM). In this blog, we’ll explore the basics of CTEM, its benefits, and how it fits into modern cybersecurity strategies. 

What is Continuous Threat Exposure Management (CTEM)? 

Continuous Threat Exposure Management (CTEM) is a comprehensive framework or process designed to provide ongoing visibility and management of cybersecurity threats and vulnerabilities, putting greater priority on those that have greater business impact. No network will ever be perfect, and you can’t prevent or fix every single issue. CTEM emphasizes practical scoping, proactive threat discovery, continuous risk assessment and validation, and cross-team collaboration—to reduce both existing and future exposures. 

It’s important to note that with CTEM, “threat exposure” is not limited to vulnerabilities or external threats. An exposure is anything that puts an organization’s assets at risk. It could be an outdated password or firewall rule, a misconfigured router or gateway, an unknown device, a known vulnerability, or an unintended connection. It could be in on-premises, private cloud, public cloud, OT, or IoT environments. The sheer type and volume of exposures in today’s complex, hybrid networks are too many for overwhelmed teams to manage.   

A Fundamental Shift in Cybersecurity

Traditional cybersecurity strategies focus on event-based vulnerability management and periodic assessments. However, this type of episodic, reactive approach can leave significant gaps in protection, as threats evolve faster than many organizations can respond. 

CTEM represents a fundamental shift away from managing vulnerabilities based solely on severity or Common Vulnerability Scoring System (CVSS) scores. Instead of simply identifying and patching vulnerabilities, it takes into consideration the entire context of the exposure, including its exploitability, blast radius, and verified business impact to prioritize remediation efforts within the context of the business. As the term implies, Continuous Threat Exposure Management is a more continuous, holistic approach that encompasses dynamic threat assessment and response. 

The Five Stages of CTEM

Continuous Threat Exposure Management is a structured approach with five key stages, each critical to managing and mitigating cybersecurity threats effectively.

Stage 1 – Scoping (of business risks and relevant attack surfaces): This stage involves identifying the mission-critical priorities for the business, understanding the systems and processes involved, and determining risk owners and appetites. Scopes don’t limit the CTEM program’s reach but rather provide a means of organizing, reporting, and communicating exposure management work and results to senior leadership and business teams. Understanding the organization’s full attack surface, as well as that of individual scopes, helps put the broader concept of threat exposure management into meaningful business context. 

Stage 2 – Discovery (of all assets and threat exposures): This stage involves identifying all assets and connectivity (hidden and visible) and continuously assessing them for vulnerabilities and other exposures (known, unknown, and emerging). Running discovery against scopes outlined in the previous stage helps increase awareness of risks among relevant business teams and makes exposure management successes more impactful in later stages.  

Stage 3 – Prioritization (of exposure management work): In this stage, threat exposures of all types are prioritized, considering internal, external, business, and technical factors. Prioritization must go beyond CVSS scores and severity to include concepts of visibility, exploitability, asset criticality, and potential impact. Again, prioritization within and across defined scopes helps teams focus on high-business-value issues. 

Stage 4 – Validation (of exposure—and exposure management—viability/impact): In this stage, thinking like an attacker and verifying suggested remediation are key. Validating the exploitability of an exposure through virtual pentesting, red teaming, and attack path analysis—including the blast radius and further lateral movement—helps refine prioritization. Validating that proposed changes are feasible and won’t conflict with existing policies helps build the business case for remediation and collaboration. 

Stage 5 – Mobilization (of teams and stakeholders): While automated remediation makes sense for certain types of black-and-white issues, there is a lot of gray area in which stakeholders across teams must make decisions about how to address an exposure, whether that exposure is fixable or not. In this stage, communication and collaboration are key to documenting and operationalizing exposure management work for the (present and future) benefit of the entire organization. 

How RedSeal Supports the CTEM Process 

While the CTEM term might be relatively new or unfamiliar, the framework’s core principles have been at the heart of RedSeal’s approach for two decades. Since 2004, RedSeal has been pioneering network exposure management to close gaps in cybersecurity defenses on premises and in the cloud. Our hybrid network modeling technology is key to helping our customers know their networks better than their adversaries do.   

RedSeal integrates with hundreds of networking and security tools to simplify and accelerate the CTEM process, delivering a unique combination of capabilities from a single platform: 

  1. Scoping: RedSeal models the entire connected network across public cloud, private cloud, and on-prem environments; then, it maps resources into physical/logical/custom topology groups to help organizations understand and organize their attack surface. This visualization helps stakeholders easily identify business-critical systems and assets and define scopes within their business context.
  2. Discovery: RedSeal continuously identifies all assets and exposures, including those due to hidden assets, misconfigurations, unintended connections (direct and indirect), firewall rules, and policy violations, as well as known and unknown vulnerabilities. It also runs automated attack path analysis and compliance checks against external regulations/standards, internal policies, and best practices to keep exposure assessments current.
  3. Prioritization: RedSeal considers a range of internal, external, business, and technical factors to assess risk and prioritize all exposures. Risk scores are calculated based on security controls, asset criticality, and vulnerability data—combined with unmatched network context, which includes the visibility, exploitability, exploitation potential, and potential impact of the exposure. Exposures with greater business impact take higher priority.
  4. Validation: RedSeal runs virtual penetration tests to confirm the viability of exposure exploitation, analyze lateral movement (blast radius), and measure the impact of exposures. It validates vulnerability scans and security controls such as network segmentation and device configurations. Simulating what-if scenarios, the platform minimizes unforeseen complications when making changes to live environments.
  5. Mobilization: Unlike any other platform on the market, RedSeal serves as the single source of truth for teams collaborating on CTEM. It delivers detailed remediation guidance, including an asset’s precise logical and physical location as well as access paths for containing unpatchable exposures. It also sends alerts directly to stakeholders when policy violations are detected and provides an executive-level dashboard and score to measure the CTEM program over time.  

Overall, the RedSeal network exposure management platform embodies the proactive, continuous cybersecurity model that CTEM advocates—and includes a comprehensive set of technical capabilities to accelerate the process. 

Accelerate CTEM with RedSeal 

Ultimately, Continuous Threat Exposure Management is about proactively mitigating threats and reducing risk. CTEM is not a standalone solution or any single tool but rather a comprehensive, coordinated process to enhance an organization’s overall protection and security posture. With the right level of visibility and collaboration among teams, a CTEM strategy can also inform and support more reactive and longer-term initiatives, such as incident response and digital resilience programs. 

By leveraging the capabilities of the RedSeal platform, organizations can significantly enhance their CTEM process, ensuring they stay ahead of cyber threats, mitigate risks efficiently, and safeguard their digital assets in an increasingly complex cyber environment. Contact us for a demo today. 

 

Updated Monday, August 26, 2024

Understanding the UnitedHealthcare Data Breach: The Importance of Good Segmentation

/by

After receiving a call from KCBS to comment on the UnitedHealthcare data breach, I was reminded of the critical importance of cybersecurity measures and proactive solutions like RedSeal in safeguarding sensitive information.

The Impact on Patients and Healthcare Organizations

The repercussions of the UnitedHealthcare data breach extend beyond the confines of the company itself. Patients whose personal and medical information may have been compromised face the unsettling reality of potential identity theft, fraud, privacy breaches, and in this case, health implications with a nationwide outage of some of the largest prescription processors. Moreover, healthcare organizations are left vulnerable to reputational damage, legal liabilities, and regulatory penalties.

The swift response by Change Healthcare to halt the spread of the incident is commendable. By implementing effective containment measures and building segmentation into network design, they demonstrated the importance of proactive cybersecurity strategies especially in mitigating the impact of such breaches.

Segmentation: Building Stronger Defenses

In the face of evolving cyber threats, healthcare organizations must prioritize robust cybersecurity measures to protect sensitive data and maintain the trust of their patients. A critical step, which Change Healthcare executed effectively, is incorporating segmentation into network design. This strategic approach enabled them to isolate and contain potential threats, shutting down access swiftly.

By dividing networks into distinct segments and implementing access controls based on user roles and permissions, organizations can contain breaches and limit the lateral movement of attackers within their infrastructure.

The Importance of Transparency and Disclosure

Another noteworthy aspect of the UnitedHealthcare data breach is the transparency and prompt disclosure of pertinent details surrounding the incident. Unlike in years past, where data breaches were often shrouded in secrecy and only disclosed months or even years later, the current landscape emphasizes the importance of timely and transparent communication.

Moving Forward: Strengthening Cyber Defenses

As the healthcare industry continues to confront evolving cyber threats, proactive measures and collaborative efforts are essential to fortify defenses and safeguard sensitive information.

By embracing cybersecurity solutions and prioritizing segmentation and transparency, healthcare organizations can mitigate risks, protect patient data, and uphold the integrity of their operations. As the adage goes, “good fences make good neighbors,” and investing in robust cybersecurity defenses is paramount to safeguarding the future of healthcare.

RedSeal can play a pivotal role in enhancing security.

RedSeal acts as a vital tool in mapping out defensive boundaries within the network. It provides organizations with a comprehensive overview of their network architecture, allowing them to understand how different segments interact and where potential vulnerabilities lie. With RedSeal, organizations can accurately assess their defensive posture and make informed decisions to block moving threats before they spread.

In times of uncertainty, one thing remains clear: proactive cybersecurity measures and innovative solutions like RedSeal are indispensable allies in the ongoing battle against cyber threats. Let us heed the lessons learned from this incident and collectively work towards a safer and more secure future for all.

Contact us for a demo www.redseal.net

Tales from the Trenches: When Low-Risk is Actually High-Concern

/by

Since 2004, RedSeal has been instrumental in empowering our clients to comprehensively visualize and fortify their intricate networks. While our customers initially grasped the importance of understanding their network architecture, connections, and identifying potential risks, there’s often an enlightening “aha” moment when the true significance becomes unmistakable. These narratives, cherished within the confines of RedSeal, vividly exemplify the practical value of our platform beyond mere theory. In the words of our dedicated field team, who collaborates directly with our clients, this blog series aims to unveil the instances where the theoretical transforms into tangible reality. 

Today’s post is brought to you by Chris Morgan, Client Engagement Director 

 

In the realm of cybersecurity, where threats and vulnerabilities lurk aplenty, RedSeal stands as a beacon of innovation. Pioneers in network security analytics, RedSeal delivers actionable insights, enabling customers to close defensive gaps across their entire network. 

While reviewing a large medical provider’s network, we discovered several high- and medium-severity vulnerabilities within the network. However, it was the low-risk vulnerability we found to be of highest concern.  

Delving deeper into our investigation, we unearthed a situation of seismic proportions. Amidst the chaos of the COVID-19 era, the client’s IT team had inadvertently granted unrestricted access to a seemingly mundane printer. However, unbeknownst to them, and visible now only because of RedSeal, this printer served as direct access to more than 14,000 hosts within the client’s expansive network, opening access that could enable bad actors to directly invade much of the network. RedSeal’s comprehensive approach, merging risk and access, empowers genuine prioritization for clients. 

With a fresh eye toward restricting access, we worked with the medical provider to remediate the exposure immediately, tightening access controls for printers and implementing access logs, securing them for the future.  

At RedSeal, we’re committed to helping you fortify your digital infrastructure, for good. We proactively help visualize your network, identify attack paths, prioritize risk, and help you stay in compliance to ensure your business and customers stay secure. 

Reach out to RedSeal or schedule a demo today.