NopSec.com uses cookies to make interactions with the Company’s Websites easy and meaningful. When you visit one of the Company’s Websites, NopSec.com’s servers send a cookie to your computer. Standing alone, cookies do not personally identify you; they merely recognize your Web browser. Unless you choose to identify yourself to NopSec.com, either by responding to a promotional offer, opening an account, or filling out a Web form (such as a “Contact Us” or a “Free Trial” Web form), you remain anonymous to the Company. Please go to our privacy statement for details.

Acknowledge
More Menu Less Menu
Schedule a Demo
Security Team Intelligence

Buyer’s Guide for Evaluating Cyber Threat Exposure Management (CTEM) Tools

Vulnerability Prioritization Buyers Guide Hero Image

The Problem with Vulnerability Assessment Scanners

If you’re reading this post, chances are you’re looking to take the next step in improving your Vulnerability Management program. At this stage, you’ve probably realized that your vulnerability assessment scanner isn’t cutting it in terms of helping reduce security workload or making a meaningful impact in reducing your risk exposure. In all reality, you probably feel like it is doing the exact opposite. Fear not, all Security teams make this realization on the journey toward cybersecurity maturity. To help with this problem, we’ve put together this buyer’s guide to aid your evaluation of a cyber threat exposure management tool so you can make the impact and efficiency gains you’re trying to achieve.

Let’s start with a fact of life – vulnerability assessment scanners, regardless of the type of scanner (infrastructure, endpoint, SAST/DAST, cloud/container) are not the end-all-be-all solution to achieve vulnerability management success. At their core, scanners do one thing – identify vulnerabilities. That’s it. This is just the first step in the vulnerability management lifecycle.

This is where cyber threat exposure management (CTEM) tools come into play.

Now most VA scanner providers will claim they provide vulnerability prioritization capabilities, but in reality many of these prioritization scores are solely based on CVSS scores. No asset context, no threat intelligence context, no mitigating controls validation, no machine-learning algorithm support. What this leaves you with, probably what you’re experiencing right now, is a long list of CRITICAL vulnerabilities that aren’t really critical after you apply the context of your organization. This is the reason why you aren’t making a meaningful impact on your risk exposure and why your workload isn’t improving. You’re remediating vulnerabilities, but you aren’t remediating those that actually matter.

 

How Cyber Threat Exposure Management Tools Solve the Problems Scanners Create

Cyber threat exposure management tools are designed to supplement the work that VA scanners do in identifying vulnerabilities. A good CTEM platform should add four major values to your Vulnerability Management program:

  1. Apply a “risk based” approach to vulnerability prioritization
  2. Create a single-pane-of-glass console for vulnerability management operations
  3. Facilitate remediation workflows and automation
  4. Enhance your reporting capabilities  

If the CTEM platform you’re evaluating accomplishes these four responsibilities then you can expect to reap the benefits you may have hoped a vulnerability assessment scanner would provide. Applying a risk-based approach to prioritization will decrease your security workload and risk exposure by helping your team focus on the vulnerabilities that are most likely to be exploited. A single pane of glass for your VM team will increase your team’s efficiency and maximize the ROI of your other security tool investments. Improved remediation workflows will better bridge the gap between the VM team and ITOps netting a reduced mean time to remediation. Enhanced reporting will ensure that every role from Security Analyst to CISO will get the information they need for their role’s responsibilities.

As you evaluate CTEM platforms, know that the devil is in the details and not all solutions are created equal. Below are the evaluation details you’ll want to be on the lookout for to ensure the CTEM platform you’re looking at accomplishes the three value-adds detailed above.

 

Risk-Based Vulnerability Prioritization/Management

A risk-based approach to vulnerability prioritization means including the context of your environment when risk ranking vulnerabilities. CTEM platforms apply this context to identified vulnerabilities in order to make risk-based ranking determinations. For example, a scanner might rate a vulnerability as “critical”, but after that vulnerability is run through a CTEM platform that takes into account a mitigating control, rating might be adjusted to a “low.”

This function is the meat and potatoes of a CTEM solution. When evaluating options ask the following questions:

  • How does the CTEM platform prioritize vulnerabilities?
  • Does the CTEM platform leverage a machine-learning algorithm?
  • Can the CTEM platform provide risk scores for CVE and non-CVE vulnerabilities?
  • Does the CTEM platform factor in mitigating and compensating controls in their risk scores for vulnerabilities that can’t be patched?
  • Does the CTEM platform’s prioritization mechanism factor in threat intelligence feeds? How many?
  • Does the CTEM platform’s prioritization mechanism factor in asset criticality?
  • Does the CTEM platform’s prioritization mechanism perform full-stack prioritization (stack ranking different kinds of vulnerabilities against one another – an infrastructure vs DAST vuln)?

Aside from the first question in this list, you want a resounding “YES!” response to all of these questions. If the answer to the first question is “our risk ranking scores are based on CVSS scores,” end the conversation. The tool you’re looking at will do you no better than the scores your scanner(s) are already providing you. The rest of these questions are focused on vulnerability classification, context, and exploitability. You want a tool that has the ability to assess and stack rank a wide range of different vulnerabilities. You need the ability to overlay unique threat intel and organizational context onto your identified vulnerabilities. You need to gut check vulnerability real-world likelihood of exploitability. With these components factored in, you’ll know you have a data-backed and prioritized list of vulnerabilities to tackle. No more endless void.

 

Single Pane of Glass Vulnerability Management Console

Cybersecurity teams are almost always plagued by having a disparate menagerie of tools to complete the various functions they are responsible for. Hopping from one tool to another to compile information or consume data from different sources is not an efficient or effective way to remediate critical vulnerabilities. Security teams can be far more scalable and impactful when they only need to work out of one single-source console that compiles all of this information under one roof.

When comparing cyber threat exposure management platforms ask providers about the following integrations: 

  • Does the CTEM platform integrate with infrastructure scanners?
  • Does the CTEM platform integrate with AppSec SAST and DAST scanners?
  • Does the CTEM platform integrate with endpoint scanners?
  • Does the CTEM platform integrate with cloud/container scanners?
  • Does the CTEM platform integrate with business intelligence tools?
  • Does the CTEM platform integrate with ITSMs platforms?
  • Does the CTEM platform integrate with CMDBs?
  • Does the CTEM platform integrate with threat intelligence feeds?

The list of questions above covers the majority of integration types you’ll want to ask about with respect to an enterprise-level cybersecurity tech stack. What is equally important to inquire about is how these integrations bring together the data from these different sources and make it accessible to your team. Just to have it in one place is not enough. Look carefully at how tools enable you to drill into information. Raise an eyebrow if data is siloed in different unconnected areas of a tool. Some providers claim to have certain integrations, but they do this by leveraging a modular approach. One module will contain one set of information, but it won’t be shared or accessible from other aspects of the platform.

 

Remediation Workflow Enablement and Automation

In terms of workflow, cyber threat exposure management platforms are designed to bridge the process gap between identifying vulnerabilities and remediating them. A lot of time and energy is burned by Security teams walking across the aisle to discuss with ITOps what needs to be remediated and why. Many organizations rely on endless spreadsheets to handle this communication and track progress of efforts. Does that sound familiar?

Here are the questions you need to ask your potential CTEM platform vendor about their remediation capabilities:

  • Can you push tickets from the CTEM platform to the integrated ITSM?
  • Are ticket statuses bi-directionally synced between the CTEM platform and ITSM?
  • Can you communicate exceptions and risk acceptance from the CTEM platform to your scanners?
  • Does the CTEM platform have dedicate remediation and exception plans?

The points we covered in the risk-based prioritization section of this article factor into this discussion. With prioritized lists of vulnerabilities, backed by environmental context and machine-learning algorithms, the debate of WHY something needs to be patched should decrease greatly. To achieve additional efficiency, focus should then shift to aligning workflows that speak the same language. The ITSM system is that common language. Pushing tickets directly into ITSMs means slotting requests seamlessly into the system that ITOps spends everyday in. No more spreadsheets.

While the above is a big gain, it doesn’t address the necessary feedback loop in this process. Security teams need to be kept in the loop on what’s happening with remediation efforts. Bi-directional syncing between the ITSM and CTEM platform is critical for this. Without it, those meetings for discussing the state of remediations will start to creep back onto your team’s calendars. 

Similarly, when Vulnerability Management teams are marking risks as accepted or mitigated they normally would do so in the individual scanners. This deviates from the single pane of glass approach you should be striving for. Good CTEM platform will enable your team to manage risk acceptance from the platform and confidently know that the next time they run a scan those same risks won’t come up.

Side note – Automated patching might be on your radar when it comes to the topic of remediation automation. We recommend treading lightly here. Some CTEM platform vendors will have backgrounds in these orchestration functions and offer this solution, but we don’t recommend them for enterprise size companies. At least not in a broad-stroke application. There is too much that needs to be considered and verified to apply patches automatically in environments of that level of complexity. The human element is definitely still needed here to make sure something doesn’t accidentally get broken by an update.

 

Security Performance and State of the Union Reporting

Reporting usually ranks high on the list of time sucks for most security teams. This stems from needing to collect, clean, and present data from various tools to various roles. Again, spreadsheets are usually the answer that many companies turn to. Just like trying to track remediation efforts in spreadsheets, this doesn’t scale. Providing reports and answers should be near effortless. Your ability to do so is what ultimately tells the story of your program’s ROI.

While reporting requirements can differ heavily organization to organization, the following questions will help you shape what you can expect to get from a provider:

  • What are the standard reports offered out of the box?
  • What does the CTEM platform consider KPIs?
  • How can reports be filtered or manipulated?
  • Are dashboards fully customizable?
  • Can reports be scheduled?
  • Can reporting data be piped to businesses intelligence tools?
  • Can the CTEM platform perform full-stack reporting (reporting all on the data coming from various integrations)?
  • What executive-level reports are available?
  • Can reporting be done by business line?

The first five questions on this list are fairly standard to ask when evaluating any technology’s reporting suite. Organizational needs will determine what are acceptable answers to these questions. We recommend reflecting on where you’ve had blind spots or difficulties with your historical reporting efforts to find enhancements. 

The last four questions are the gold standard of great CTEM platforms. Having the ability to integrate security data with a tool like Tableau or Power BI is a big plus to enterprises. This helps put security front and center, rather than leave it in the dark corner of a basement. Full-stack reporting takes the value of integrations to the next level. It’s one thing to be able to ingest data from multiple sources and leverage it from a prioritization perspective. However, being able to report on that information as well completes the single pane of glass goal. Executive level security reporting and business line reporting speak to the tool’s ability to communicate data at a business level. Security tool reports are notoriously technical and jargon heavy, making them difficult to interpret by non-technical executives. Your C-Suites will thank you for being able to communicate the state of security in a common language. It will go a long way in helping secure additional resources for the team.

 

In Conclusion

The fact of the matter is that evaluating a cyber threat exposure management tools takes time. This is not a purchase to rush. As we’ve hopefully articulated here, the devil is in the details. However, the end result of those efforts will be a night and day difference for your Security team. With a successful implementation of a CTEM platform, you’ll achieve a far more accurate assessment of your risk, be able to expedite your remediation efforts, and communicate vulnerability management in a way you’ve never been able to do before. If you’re not making the impact you want on your risk exposure with your scanners alone, adding a CTEM platform is the next step in maturing your program.

If you have any additional questions, don’t hesitate to contact us. Our team of security experts will gladly help in any way you can. If you’re interested in seeing how our cyber threat exposure management tool stacks up to competitors, schedule a demo with us today.

 

FAQ

Question #1: How are cyber threat exposure management tools priced?

Although all company’s pricing models will vary to some extent, cyber threat exposure management tools are usually priced on some basis by the number and type of asset in the customer’s environment. 

Question #2: How much do cyber threat exposure management tools cost?

On average, large enterprises with asset counts in the tens of thousands to hundreds of thousands can expect to spend in the ballpark of a $1,000,000 a year on a cyber threat exposure management tool. This cost can vary greatly depending on the specific packages and add-ons that are selected.

Question #3: How do I know if need a cyber threat exposure management tool?

Common signs of needing a CTEM platform including have an asset count in the tens of thousands to hundreds of thousands, having a variety of assets types (infrastructure, cloud, app, etc.), trying to manage remediation efforts and prioritization with spreadsheets, long mean times to remediation, and low trust in the accuracy of scores being provided by scanners.

Categories
Category
Tags
Verizon 2020 DBIR Report, Vulnerability management
Read Next

Schedule a Product Demo Today!

See how NopSec's security insights and cyber threat exposure management platform can organize your security chaos.