By Brett Kelsey, CEO, Reveald
Hackers recently exploited flaws in the Binance blockchain to steal $570 million and vanish into thin air. At any other time, a half-billion-dollar theft would feel like the crime of the century. But in today’s cybersecurity landscape, it’s just another incident, bound to be quickly forgotten and soon surpassed.
As cybersecurity statistics continue to get worse by every measure – the complexity, frequency, and devastation of cyber attacks are all breaking records – it’s time to admit an uncomfortable truth: what we’re doing isn’t moving the needle. In fact, the status quo in cybersecurity deserves some (or most) of the blame for the recent explosion in successful attacks.
That status quo states that we can’t prevent unknown zero-day attacks or stop advanced persistent threats, so we must emphasize detection and response instead. It feels like we’ve given up, conceding that attacks are not just inevitable but fundamentally unstoppable. Vast amounts of resources (time, money and people) go towards finding attacks that are in progress or have already occurred, and even more go towards removing and remediating them, only for the cycle to begin again after the next attack breaches the defenses. We can’t stop them, says this mentality; we can only hope that our defenses hold out long enough. But they aren’t holding.
Freud’s definition of insanity is doing the same thing and expecting a different result – so why do we expect a security posture built only around detection and response to get better instead of continuing to get worse? Rather than persisting with a singularly focused strategy that has shown time and time again that it’s over-matched by today’s threats, why don’t we try something different, and drastically so? We don’t just need fresh thinking in cybersecurity – we need to flip the script entirely.
Exposure Management – Playing Offense for Cyber Defense
The reason we initially gave up on the idea of preventing attacks and being proactive (rather than reactive) about cybersecurity is that attacks change constantly. Hackers have the time and resources to create endless new threats that cloak themselves in clever new ways to bypass defenses and evade detection. You can’t stop what you can’t see, so it’s no surprise that a cybersecurity model based on intercepting incoming attacks has traditionally produced such underwhelming results and convinced so many it was a futile effort.
Exposure management takes a different track. Instead of focusing on the type of attack itself, it focuses on the attack path, thinking like a hacker to imagine where attacks might strike and what tactics and techniques they might apply (a process we have coined “risk hunting”). After identifying and analyzing possible exposure points, each gets ranked by risk based on how vulnerable it is and on criticality, that is, how damaging a breach at that point would be to the business as a whole. Finally, a true exposure management program systematically resolves the critical exposures – things like misconfigurations or missing patches – starting with those that pose the highest risk to the business. Exposure management, therefore, isn’t a tech play but an operational play.
With this approach, exposures disappear. Attacks fail before infiltration, thereby minimizing downstream threats. Most importantly, whether the attack is unknown or evasive doesn’t matter. Instead of trying to catch attacks post-breach, exposure management “locks them out” by shutting down the most obvious or riskiest pathways to reach sensitive targets. Exposure management isn’t answered with an off-the-shelf tech approach and it isn’t a one-and-done scenario. Properly operationalized, it is a continuous approach that requires expert analysis to incorporate the right data and tech, rank exposures, and pre-empt breaches.
If the dominant approach in cybersecurity emphasizes defenses (catching and stopping attacks), exposure management flips the script by emphasizing offense (finding and fixing exposures) instead. The result is the opposite of what we’ve come to expect; security teams prevent attacks by proactively addressing exposures instead of waiting until the attack is in progress or done and hoping to contain or minimize the damage. For resource-strapped security teams, this can be game-changing.
The case for exposure management is evident, especially given the worsening situation in cybersecurity threats and resource challenges. But people have known that for a while; security teams have always made some attempt to locate and remediate vulnerabilities. But as many learned after repeated frustrations, exposure management involves a significant and ongoing commitment of time, staff, and other resources – more significant than what most security teams have to spare. They could find some exposures but nowhere close to all of them. And they could shut down a few attack pathways, but then new ones would appear. Exposure management felt like an ideal but impossible concept – something security teams would love to do but would always come up short at.
It’s time to flip the script on that as well.
Continuous Threat Exposure Management
Continuous Threat Exposure Management (CTEM), a concept introduced into the market by a leading analyst firm, is an attempt to practice exposure management as an operational edict. Occasional self-assessments fail to uncover all exposures or keep up with those that have emerged, so a CTEM program makes the assessment ongoing and turns exposure management into a multi-layered process consisting of:
- Risk hunting to isolate and predict likely attack paths.
- Criticality evaluations to rank exposures by risk.
- Systematic remediations to neutralize vulnerabilities.
- Goal setting to align cyber risk management with strategic business outcomes.
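The ranking and remediation steps described above (exposures ranked by exploitability and asset criticality, then fixed highest-risk first, re-assessed after each fix) can be modelled in a few lines. This is an added example, not code from the article or from Reveald; the exposures, assets, attack paths and scores are constructed sample data, and the scoring formula (product of exploitabilities along a path times asset criticality) is an assumption chosen to illustrate the loop.

```python
"""Added example: rank exposures along attack paths and order remediation (CTEM loop)."""
from math import prod

# Constructed sample: exposure -> estimated exploitability (0..1)
EXPOSURES = {"vpn-unpatched": 0.9, "admin-default-creds": 0.8,
             "smb-open": 0.6, "db-no-mfa": 0.5}
# Constructed sample: asset -> business criticality (higher = more damaging)
ASSETS = {"payroll-db": 10, "file-share": 4}
# Constructed sample attack paths: (target asset, chain of exposures an attacker must traverse)
PATHS = [
    ("payroll-db", ["vpn-unpatched", "db-no-mfa"]),
    ("payroll-db", ["admin-default-creds", "db-no-mfa"]),
    ("file-share", ["vpn-unpatched", "smb-open"]),
]

def path_risk(target, chain, exposures=EXPOSURES, assets=ASSETS):
    """Chance the whole chain succeeds (product of exploitabilities) x asset criticality."""
    return prod(exposures[e] for e in chain) * assets[target]

def rank_exposures(paths, exposures=EXPOSURES, assets=ASSETS):
    """Score each exposure by the total risk of every path that runs through it."""
    scores = {}
    for target, chain in paths:
        risk = path_risk(target, chain, exposures, assets)
        for e in chain:
            scores[e] = scores.get(e, 0.0) + risk
    # Highest aggregate risk first; name breaks ties deterministically
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def remediation_plan(paths, budget, exposures=EXPOSURES, assets=ASSETS):
    """Greedy plan: fix the top-ranked exposure, drop the paths it cuts, re-rank.

    Re-ranking after every fix is what keeps the loop continuous; a one-off
    ranking would keep spending effort on paths that are already closed.
    Returns (ordered exposures to fix, residual risk of paths still open).
    """
    remaining, fixed = list(paths), []
    while remaining and len(fixed) < budget:
        top, _ = rank_exposures(remaining, exposures, assets)[0]
        fixed.append(top)
        remaining = [(t, c) for t, c in remaining if top not in c]
    residual = sum(path_risk(t, c, exposures, assets) for t, c in remaining)
    return fixed, residual

if __name__ == "__main__":
    for name, score in rank_exposures(PATHS):
        print(f"{name:20s} aggregate risk {score:.2f}")
    print(remediation_plan(PATHS, budget=2))
```

With the sample data, a budget of two fixes closes every modelled path: the shared database exposure outranks the higher-exploitability VPN flaw because it sits on both paths to the most critical asset.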
As important as it is to incorporate all four facets, it is more important still to do so continuously, addressing all the exposures in a constantly growing and changing attack landscape. That illustrates the potential of a CTEM methodology to successfully prevent the newest, worst, and most common attacks out there. But it also illustrates the problem: CTEM requires a different expertise than before.
Fortunately, some service providers are stepping in. Innovative providers now offer CTEM as a service, providing risk hunting, evaluation, and remediation to deliver business-driven outcomes. Service providers need to have the specific experience and expertise to uncover and resolve more exposure paths, combined with the time, staff, and technologies to focus on exposure management as part of an overall improved security program. Outsourcing makes logical sense for a highly valuable yet resource-intensive undertaking like exposure management and an offense-to-defense approach to cybersecurity. And now that outsourcing is a viable option, more companies can leverage CTEM to go on the offensive, turning weaknesses into strengths downstream and regaining the upper hand against attackers.
With the addition of CTEM, any security team takes on a formidable security posture. As we flip the script on what works in cybersecurity, we must also rethink what’s possible… and set the bar higher than before. Because that is what attackers are doing.
About the Author
Brett Kelsey is Chief Executive Officer at Reveald. He is a well-respected executive in the information security field with a successful career spanning more than 30 years. An internationally recognized expert in cybersecurity, he is renowned for his exceptional ability to conceptualize, develop, and implement technology strategies. As the CEO of Reveald, Brett is on a mission to shift the paradigm on how companies address cyber threats. Previously, Brett served as the VP of Global Professional Services & Customer Adoption Services at Forescout Technologies. Other past roles include CSO, CTO and VP of Professional Services, all enabling Brett to leverage his business and practice development experience while driving strategic customer engagement to shape the direction of future technologies.
Brett can be reached online at email@example.com and at our company website, https://www.reveald.com/