The Road to CTEM, Part 3: BAS vs. Other Validation Technologies

The continuous threat exposure management (CTEM) model offers tremendous benefits to any organization implementing it. As we covered in the first and second chapters of this series, CTEM is a way of organizing cybersecurity activities that results in faster, more secure digitalization and adoption of software-as-a-service (SaaS)/cloud services, easier cyber due diligence around mergers and acquisitions (M&A), improved response times and mean time to repair (MTTR), validation of current and future investments, and more.

In this blog, we’ll discuss some of the challenges of implementing CTEM as well as the different tools and approaches that teams can leverage as a part of the validation phase.

CTEM Implementation Challenges & Key Considerations

Because CTEM is a new model, a practical implementation can be fraught with several challenges. As it becomes more widely adopted, teams will start to understand how to better optimize this program to suit their specific tooling and organization. For now, some of the most common challenges include:

1. Team alignment issues, which can lead to potential communication gaps and confusion over responsibilities between security and non-security teams.
2. Resource constraints with budget and personnel, which can impede effective CTEM implementation.
3. Due to the wide variety of security tools being used for CTEM, false positives can cause delays and confusion.
4. Current CTEM implementations require a lot of manual intervention, introducing potential for human error.
5. Complex, evolving threat landscapes require rapid decision-making and collaboration, and existing organizational silos may make this hard.
6. CTEM requires organizational security teams to be more proactive than reactive. This can be challenging for some organizations.
7. There is a need for true integration between all involved tools for CTEM to be effective.

Many of these challenges can be mitigated by selecting tools to help with implementation that incorporate the following key aspects:

• Breadth of Detection Capabilities – Adversaries are constantly updating their tactics and techniques to attack organizations. It is important that the tool(s) allow you to validate your organizational posture against a wide variety of attacks (and their entire kill chain) to ensure a comprehensive level of preparedness against today’s evolving threats.
• Organizational Environment Visibility – The ability to scale to your entire network as opposed to a specific part of your network. This is important, as you need to understand the true impact of a threat on the entire organization and its processes. Looking at network segments in silos will not reveal the scope of a threat, and any implemented remediations may not be comprehensive enough to prevent future attacks.
• Contextualization – The ability to truly contextualize risk in your organizational environment by understanding the true impact of a threat on your organizational processes. 
• Automation and Continuous Testing – The CTEM model makes the most sense for enterprises with high-level of security maturity. Given the size of the organization, the ability to automate the continuous validation of security controls at scale against advanced threats is a must for any tools being leveraged to implement the CTEM model. 
• Actionable Remediation and Prioritization – Understanding risk is just one part of securing your organization against advanced threats. Equally important is the ability to take quick and meaningful action against them. In order to do so, security teams need to be able to prioritize which threats to remediate first and how best to remediate them (through actionable insights).
• Executive Reporting – The CTEM program aims to create harmony between organizational business and security objectives. A key way to do this is by keeping key stakeholders (technical and non-technical) apprised of the risk facing the organization (security KPIs) and how it would affect the organizational bottomline. Gaining the ability to make data-driven decisions helps drive continuous improvement in organizational security posture.

Because CTEM doesn’t prescribe specific tool sets, organizations have the flexibility to leverage different types of tools and techniques to support each phase. When it comes to the validation phase, these tools include:

• Breach and attack simulation (BAS)
• Penetration testing (pen testing) and pen testing as a service (PTaaS)
• Automated pen testing and red team exercises 
• Digital risk protection service (DRPS)

However, not all of the tools above may be appropriate for each organizational environment or the goals you are trying to accomplish within your security program. 

Point-in-time validation “gets old”

Several validation processes deliver an “outside-in” view of your organization’s environment and attack surface, but only for the duration of the exercise (in other words, a single point-in-time). Results technically become outdated the second testing ends. Remember, the first part of ‘CTEM’ is continuous.

Point-in-time validation methods include:

Red and purple team exercises

Expanding on pen tests, red team exercises launch full-cycle attacks aimed directly at the crown jewels. Red teaming differs from pen testing in that defenders aren’t supposed to see an attack coming. Appearing as genuine threats, red team campaigns measure how long and how far attacks can progress without triggering detection. 

Like pen tests, the results of red and purple team exercises technically become outdated the minute testing concludes, and resulting insights start to decrease in value as hours, days, weeks, and months pass by. 

Scanning only tells half the story

Other techniques rooted in monitoring do provide ongoing coverage but do not let analysts see things from the attacker’s point of view. Vulnerability scanning and assessments identify individual assets connected to your network so you can evaluate whether they’re at risk from known vulnerabilities. Scanners correlate findings with databases of common vulnerabilities and exposures (CVEs) to find those already potentially being exploited by hackers, but do not let analysts take on the role of the attacker looking to enter via specific vulnerabilities.

Monitoring comes up short compared with modeling

Attack surface management (ASM) comes closest to BAS in that ASM tools provide continuous automated monitoring of your attack surface risk from the outside in. ASM lets security analysts see what adversaries see when they size up your attack surface but also does not equip defenders to model lateral movement through your network toward privileged assets and data.  

What makes breach and attack simulation unique?

While most of these techniques favor either continuous coverage or an active attacker’s perspective, BAS combines both to provide an accurate, real-time view of risk.

BAS emulates the way real-world attacks might be likely to unfold — from delivery through exploitation, installation, command and control, and malicious actions — and allows responders to rehearse their response so they can tweak controls and fine-tune procedures.  

Getting started with BAS as a part of your CTEM program

As your organization begins to consider, implement, and refine your CTEM program, breach and attack simulation should be considered as a key component of your validation phase. The SafeBreach team is here to support organizations who are considering a shift to CTEM as the basis of their security program. When you’re ready to learn more about the important role BAS plays in CTEM, connect with a SafeBreach cybersecurity expert.