Threat Exposure Management (“TEM”) is a term that Gartner introduced in its publication “Emerging Tech Impact Radar: Preemptive Cybersecurity” (Castillo, 2024).  Since that initial publication, multiple existing and new technical solutions have been categorized and placed under the TEM umbrella.  This has resulted in market confusion about which capabilities a TEM solution should provide and which problems with existing approaches TEM solutions are attempting to solve.


What is Threat Exposure Management solving?

Ultimately, TEM addresses the long-standing problem of prioritizing vulnerability remediation.  Anyone who has used a vulnerability scanning solution knows that a scan of external and internal assets and applications can return hundreds of vulnerabilities.  The scanning solutions assign criticality ratings, derived from the Common Vulnerability Scoring System (“CVSS”), to help decide which vulnerabilities to address first.  This method has been in place for roughly 20 years and sorts vulnerabilities into Critical, High, Medium, Low, and Informational groupings.  It is helpful, but companies that have built and run vulnerability management programs realize that it is not enough.  What happens when there are 25 critical and 75 high vulnerabilities?  Are all the critical vulnerabilities weighted the same?  What should really be addressed first?  A CVSS base score measures the severity of a vulnerability in isolation; it says nothing about whether the vulnerability is actually being exploited in the wild or how important the affected asset is.  To address this gap, TEM solutions all provide the following base capabilities.


Baseline features of a TEM

Asset discovery:

All the solutions have some capability to discover assets associated with a company via IP address ranges, domain names, or a combination of both.  Some focus on external or internal environments only, and some can be used for both.


Identification of existing vulnerabilities:

This is essential functionality for all TEM solutions.  Accurately identifying the vulnerabilities associated with systems and applications is the foundation on which every later criticality assessment is built; a finding that is missed here is never prioritized at all.


Enhanced criticality ratings:

Criticality is not based on CVSS alone; it also considers other risk factors such as the importance of the affected asset, threat intelligence about the vulnerability (for example, whether it is known to be exploited in the wild), and the Exploit Prediction Scoring System (EPSS) score, which estimates the probability that a vulnerability will be exploited in the wild within the next 30 days.  These factors raise or lower the criticality rating of a vulnerability, so that the most important vulnerabilities to fix rise to the top of the list.
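The following is an added illustration of how those factors can be combined into one adjusted score; it is not HALOCK's scoring model or any vendor's, and the tier multipliers, the likelihood floor, the KEV treatment and the sample findings are all assumptions chosen to show the re-ranking effect.

```python
# Added example (not HALOCK's or any vendor's scoring model): combine CVSS,
# EPSS, known-exploitation intelligence and asset importance into a single
# adjusted risk score and re-rank a set of findings. The tier multipliers,
# the 0.25 likelihood floor and the sample findings are assumptions.
from dataclasses import dataclass

# Hypothetical asset-importance tiers and their multipliers (assumption).
ASSET_WEIGHT = {"crown-jewel": 1.5, "standard": 1.0, "lab": 0.5}


@dataclass
class Finding:
    id: str        # constructed label, not a real CVE identifier
    asset: str
    tier: str      # key into ASSET_WEIGHT
    cvss: float    # CVSS base score, 0.0-10.0
    epss: float    # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool   # listed in CISA's Known Exploited Vulnerabilities catalog


def band(score: float) -> str:
    """Map a 0-10 score onto the usual scanner severity groupings."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "Informational"


def adjusted_risk(f: Finding) -> float:
    """Scale CVSS severity by exploitation likelihood and asset importance.

    A KEV entry is known to be exploited, so its likelihood is treated as 1.0
    regardless of EPSS. The 0.25 floor keeps a severe finding with a tiny EPSS
    from collapsing to zero. Both constants are assumptions.
    """
    likelihood = 1.0 if f.in_kev else f.epss
    score = f.cvss * ASSET_WEIGHT[f.tier] * (0.25 + 0.75 * likelihood)
    return round(min(score, 10.0), 2)


def prioritize(findings):
    """Return findings ordered by adjusted risk (ties broken by raw CVSS)."""
    return sorted(findings, key=lambda f: (adjusted_risk(f), f.cvss), reverse=True)


# Constructed sample findings: results that a CVSS-only view would rank
# very differently from the adjusted view.
SAMPLE_FINDINGS = [
    Finding("F-2", "lab-vm-07", "lab", 9.8, 0.01, False),
    Finding("F-1", "erp-db-01", "crown-jewel", 7.5, 0.02, True),
    Finding("F-4", "intranet-02", "standard", 5.3, 0.10, False),
    Finding("F-3", "vpn-gw-01", "standard", 9.1, 0.94, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        adj = adjusted_risk(f)
        print(f"{f.id} {f.asset:12} CVSS {f.cvss} ({band(f.cvss)}) -> "
              f"adjusted {adj} ({band(adj)})")
```

Run as a script, the output shows the CVSS 7.5 "High" on the crown-jewel database (in KEV) ranked first, and the CVSS 9.8 "Critical" on a lab VM with a 1% EPSS falling below a CVSS 5.3 "Medium" on a standard asset.  The exact weights matter less than the discipline of treating exploitation likelihood and asset importance as first-class inputs rather than as notes in a ticket.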


Frequency of scanning:

TEM solutions can be scheduled to run at an interval or configured to run continuously, so that new vulnerabilities are identified, remediated vulnerabilities drop off the list, and the Mean Time to Remediate (MTTR) can be measured to track the effectiveness of the program.  It is this frequency aspect that turns a TEM into a Continuous Threat Exposure Management (“CTEM”) program.  In practice, weekly scanning is a good starting point.  Based on the criticality of the assets, you may decide to increase or decrease the frequency.
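As an added example of the bookkeeping that recurring scans make possible (this is not HALOCK's or any vendor's code), the ledger below takes each scan as a snapshot of (asset, finding) keys, reports what is new, persisting and remediated between runs, and computes MTTR from the closed entries.  The scan dates and keys are constructed; the finding labels are not real CVE identifiers.

```python
# Added example (not HALOCK's or any vendor's code): keep a ledger of open
# exposures across recurring scans, report the delta between runs, and
# compute Mean Time to Remediate (MTTR) from the closed entries.
from datetime import date


class ExposureLedger:
    def __init__(self):
        self.open = {}        # (asset, finding) -> date first seen
        self.closed = []      # (key, first_seen, closed_on) for remediated findings
        self.last_scan = None

    def ingest(self, scan_date: date, keys) -> dict:
        """Apply one scan snapshot; return the delta against the previous state."""
        keys = set(keys)
        existing = set(self.open)
        new = keys - existing
        remediated = existing - keys
        persisting = keys & existing
        for k in new:
            self.open[k] = scan_date
        for k in remediated:
            # Closed on the first scan that no longer reports the finding.
            self.closed.append((k, self.open.pop(k), scan_date))
        self.last_scan = scan_date
        return {"new": new, "remediated": remediated, "persisting": persisting}

    def mttr_days(self):
        """Mean days from first detection to the scan that no longer sees the finding."""
        if not self.closed:
            return None
        total = sum((closed_on - first).days for _, first, closed_on in self.closed)
        return total / len(self.closed)

    def open_ages(self, as_of: date = None) -> dict:
        """Age in days of every still-open finding (for SLA tracking)."""
        as_of = as_of or self.last_scan
        return {k: (as_of - first).days for k, first in self.open.items()}


# Constructed weekly snapshots of (asset, finding-label) keys.
SAMPLE_SCANS = [
    (date(2024, 1, 1),  {("web-01", "F-1"), ("web-01", "F-2"), ("db-01", "F-3")}),
    (date(2024, 1, 8),  {("web-01", "F-2"), ("db-01", "F-3"), ("vpn-01", "F-4")}),
    (date(2024, 1, 15), {("web-01", "F-2"), ("vpn-01", "F-4")}),
]


def run_sample():
    """Feed the constructed scans through a fresh ledger."""
    ledger = ExposureLedger()
    deltas = [ledger.ingest(d, keys) for d, keys in SAMPLE_SCANS]
    return ledger, deltas


if __name__ == "__main__":
    ledger, deltas = run_sample()
    for (d, _), delta in zip(SAMPLE_SCANS, deltas):
        print(d, {k: sorted(v) for k, v in delta.items()})
    print("MTTR (days):", ledger.mttr_days())   # 10.5 for the sample
    print("open ages:", ledger.open_ages())
```

One caveat worth building in before trusting the numbers: a host that is offline, firewalled or renamed during a scan will show all of its findings as "remediated" and flatter the MTTR.  Production tooling normally requires a finding to be absent for several consecutive scans, or confirms the asset was reachable, before it closes the entry.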



The CTEM Approaches


RISK BASED VULNERABILITY SCANNING (“RBVS”):

These solutions use the baseline features of a TEM to produce more meaningful criticality scores to drive the patching of systems and the remediation of applications.  They can be scheduled to run at whatever frequency is desired and can scan external and internal environments.  That is as far as they go: there is no step to validate whether a vulnerability can actually be exploited, and no evidence of exploitation is produced.  Also, these scanners must be allow-listed (whitelisted) in existing security controls such as Web Application Firewalls, IDS/IPS, and endpoint protection in order to enumerate vulnerabilities at all.  As a result, it can remain unclear whether a critical finding is truly critical given the compensating controls a company already has in place.

This is a typical delivery process for an RBVS solution.

[Figure: Risk Based Vulnerability Scanning delivery process]

EXTERNAL ATTACK SURFACE MANAGEMENT (“EASM”):

These solutions provide the baseline features of a TEM but add the capability to validate which vulnerabilities are exploitable by producing evidence of the exploit.  They record the attack requests issued to an asset and the response received as proof.  Better still, no allow-listing is needed: the results are vulnerabilities validated as exploitable with all existing security controls in place, which is the key differentiator of this approach.  They are designed to run frequently and automatically report metrics on what changed between runs.  They discover assets from IP ranges and domain names and are not restricted to sampling, as manual penetration testing engagements are (more on that later).

This is the typical delivery process for an EASM solution.  Key differences of EASM compared to an RBVS approach are highlighted.

[Figure: External Attack Surface Management delivery process; differences from the RBVS approach highlighted]

AUTOMATED PENETRATION TESTING:

These solutions offer automated capabilities to identify and exploit vulnerabilities, primarily in internal infrastructure.  Automated penetration testing is intended as an alternative to manual penetration testing that can be deployed quickly and run more frequently.  It operates in the manner of what is typically called an “Assumed Breach” test: an appliance is placed on the internal network, simulating an attacker who has already made it through the perimeter defenses.  The appliance may or may not be allow-listed in the company’s existing security controls, and it provides intelligence on what an attacker could do once access has been obtained.  Attack simulations can be launched from the appliance to mimic the specific types of attacks programmed into it, and attack chains may be generated to display graphically the components of a successful attack.  Typically, the focus is not on the external attack surface, and exploitation of vulnerabilities may have an operational impact on the systems and applications involved, so scoping and scheduling matter.  With the evolution of artificial intelligence (AI), these solutions may become less script-dependent than they are today.

This is the typical delivery process for an automated penetration testing solution.  A key distinction is that the criticality of an asset is typically not considered when scoring the overall threat rating of a vulnerability.

[Figure: Automated Penetration Testing delivery process]

What about Manual Penetration testing?

HALOCK is well known in the security industry for providing risk-based assessments and manual penetration testing.  We see manual penetration testing as an essential component of any security program that has systems, services, and applications exposed to the internet.  However, most companies conduct a test only once a year, and against a limited sample of assets, to keep the cost of the engagement low.  Manual testing goes deeper than the approaches described here, but it may not discover and test every asset associated with a company.  Also, attackers don’t attack once a year; they attack continuously.  The solutions reviewed do not replace a targeted penetration test, such as Web Application or API testing, which requires a skilled human to provide the attack creativity that automated solutions do not yet offer.  Manual penetration testing provides a deeper inspection by assessing role-based access controls, executing privilege escalation, and validating network segmentation, none of which the automated solutions do.


How HALOCK Addresses CTEM

At HALOCK, we’ve developed a TEM service using the EASM approach to complement our manual penetration testing capabilities.  By coupling an EASM service (CTEM, if you like) with our penetration testing services, we provide a holistic approach to the risk-prioritized remediation of validated vulnerabilities: continuous coverage of the exposed attack surface combined with in-depth testing where it matters most.


Is that all that is needed for Threat Exposure Management?

Unfortunately, no.  Other areas are essential to securing exposed assets.  A few for consideration are Web Application Firewalls (WAF), Third Party Risk Management, and continuous cloud monitoring for Azure, AWS, and Google Cloud.  HALOCK has thought through the solutions and approaches needed to proactively identify and protect a company from external threat actors.


[Figure: External Threat Solutions]

Learn more about External Attack Surface Management and other security areas such as User and Asset Protection and Data Management.
