Best practices for implementing threat exposure management, reducing cyber risk exposure
In this Help Net Security interview, Sanaz Yashar, CEO at Zafran, discusses the role of threat exposure management (TEM) in modern cybersecurity strategies.
As traditional vulnerability management evolves, TEM addresses the overwhelming risks arising from expanded attack surfaces and fragmented security tools. The proactive TEM approach prioritizes risks and integrates seamlessly with existing security tools, enabling organizations to mitigate threats before they can be exploited effectively.
Why has Threat Exposure Management (TEM) become critical in modern cybersecurity strategies?
Fairly, I would call it “the Crack finder”. Threat exposure management is the evolution of traditional vulnerability management. Several trends are making it a priority for modern security teams.
1. An increase in findings that overwhelm resource-constrained teams
2. As the attack surface expands to cloud and applications, the volume of findings is compounded by more fragmentation. Cloud, on-prem, and AppSec vulnerabilities come from different tools. Identity misconfigurations from other tools.
3. This leads to enormous manual work to centralize, deduplicate, and prioritize findings using a common risk methodology.
4. Finally, all of this is happening while attackers are moving faster than ever, with recent reports showing the median time to exploit a vulnerability is less than one day!
Threat exposure management is essential because it continuously identifies and prioritizes risks—such as vulnerabilities and misconfigurations—across all assets, using the risk context applicable to your organization.
By integrating with existing security tools, TEM offers a comprehensive view of potential threats, empowering teams to take proactive, automated actions to mitigate risks before they can be exploited. Meanwhile, by mapping the technical policies of your security stack to the threat landscape, TEM enables CISOs to measure the effectiveness of their overall security controls and assess the return on investment.
It’s not enough to deploy tools and processes that proactively mitigate exposure, you need to be able to measure it and take action.
What are the core components of a comprehensive TEM strategy, and how do organizations prioritize their focus on exposure versus risk mitigation?
A modern TEM strategy encompasses three key components:
Discovery: The initial phase involves connecting with all existing scanners to create a single, consolidated view of vulnerabilities. Additionally, it integrates with Endpoint Detection and Response (EDR) controls, network security, and identity controls using an agentless, API-based approach. By identifying misconfigurations in technical security controls and correlating them with asset, vulnerability, and exposure data from integrated assessment sources, organizations gain an understanding of their security landscape.
Prioritization: Effective risk management begins with calculating the base risk of each vulnerability. This assessment considers factors such as vulnerability scores, runtime presence, internet reachability, and whether the vulnerability is currently being exploited in the wild. To determine the residual risk to the business, it’s crucial to factor in existing compensating controls. This means overlaying the context of security controls with asset and vulnerability information. By doing so, organizations can prioritize vulnerabilities based on the actual risk they pose, rather than relying solely on severity scores.
Mobilization: The final phase involves implementing specific mitigation strategies within technical security controls. This includes making necessary configuration changes, developing custom detection rules, and applying virtual patches to address vulnerabilities promptly. Evaluating how network, host, and cloud controls are deployed and configured helps protect against exploitation. By adopting this risk-based approach, security operations teams can efficiently manage millions of vulnerabilities, focusing on those that present the most significant risks instead of attempting to “patch all the critical.”
By systematically applying these best practices in a cohesive threat exposure management program, organizations can proactively address threats, reduce their overall cyber risk exposure, and allocate resources more effectively to protect critical assets.
What are the most common obstacles to implementing TEM, and how can they be overcome?
The expanded scope of TEM over traditional vulnerability management introduces new complexities and budgetary challenges. Many organizations lack integrated processes for end-to-end threat awareness, often limiting efforts to compliance-driven scanning, which leaves security gaps.
Additionally, modern attacks are complex and require specialized skill sets to understand and counter.
To overcome these challenges, CISOs should:
- Establish agreements with key stakeholders across the organization to collectively address exposures.
- Clearly communicate cybersecurity risks to the board to secure necessary resources for improving threat awareness and response capabilities.
- Prepare detailed reaction strategies to promptly address identified threats, ensuring the organization is not just monitoring but also ready to act.
What are some best practices for aligning CTEM strategies with broader enterprise goals like digital transformation, cloud migration, or zero-trust architectures?
The business need for broader CTEM strategies goes hand in hand with digital transformation and cloud migration. The move to the cloud increases the volume and fragmentation of findings that requires new tools and processes to unify risk management across the entire organization.
Digital transformation also leads to an expanded attack surface beyond vulnerabilities (such as identities, SaaS apps, supply chain risk) that align with CTEM.
In short, as our attack surface expands, so does the need to build in scalable processes and technology to reveal, remediate, and mitigate the risk of exposures.