Gartner: “Organizations Must Expand From Threat to Exposure Management in 2023”


Gartner Predicts notes are the summation of analysts’ market research, vendor briefings, and investor and end-user inquiries, used to predict how an event, market or trend will evolve in the year ahead.

In November, Gartner analysts released the note “Predicts 2023: Enterprises Must Expand From Threat to Exposure Management”. Considering HivePro’s focus on threat exposure management, we were excited to read what Gartner had in store.

Many of Gartner’s Strategic Planning Assumptions were in line with our own general assumptions: 

[Image: Gartner’s Strategic Planning Assumptions]

As organizations expand their digital footprint, they also expand the breadth of their attack surface and the number of technical vulnerabilities in it. That breeds opportune ground for attackers. But of all the ways attackers can take advantage of your vulnerabilities, which is the most probable avenue?

Organizations struggle with understanding this, most often because they’re overwhelmed with learning the ways of cybercriminals while building an understanding of the relationship between their risk appetite and vulnerabilities. 

Gartner’s “Predicts 2023: Enterprises Must Expand From Threat to Exposure Management” note gives us an idea of what to look forward to and what to watch out for as cybercrime threats grow while organizations continue to expand digitally.

Below, we share our Top 5 takeaways:

[Image: Takeaway #1]

The note promotes, among others, the following concepts:

  • Continuous Threat Exposure Management
  • Risk-Based Vulnerability Management
  • Security Posture Optimization

We agree on the importance of these concepts in minimizing organizations’ exposure to present and future threats. The general narrative we see forming is that to combat present and future threats, organizations must start by understanding the breadth of their digital ecosystem in order to evaluate their threat exposure. The digital ecosystem extends beyond acquired software, so it’s natural that threat exposure extends beyond software vulnerabilities into spaces like cloud services and applications, third-party risks, IoT devices, and so on. It’s impossible for everyone to understand everything, but the effort goes a long way: the work an organization puts in here determines how completely it knows its own exposed vulnerabilities. Once an organization understands its vulnerabilities, Gartner proposes that remediation take place in a strategic, prioritized and risk-informed manner. This is the only way to optimize security efforts as the attack surface expands.

This is the general story, at least. But it is truly easier said than done.

That’s why we at Hive Pro work to simplify this process for customers with HivePro Uni5, our Threat Exposure Management Platform. Our goal is to optimize your security posture by contextualizing your business-specific threats, prioritizing your vulnerabilities and promoting actionable paths to resolution. 

We will continue to refer to HivePro Uni5 throughout, given its close relation to, and promotion of, the messages presented in this Predicts note.

[Image: Takeaway #2]

In this context, a threat is an action that is likely to cause harm and/or damage if it manifests into an attack. For a threat to become an attack, it requires intent, capability, and opportunity. When we’re talking about threat actors, organizations can’t control their intent and capabilities. However, they can control their opportunities. Threat actors’ opportunities are contingent upon how exposed and vulnerable an organization is to their intended action(s). 

The “Management” angle of “Threat Exposure Management” calls for organizations to take control of reducing opportunities that threat actors could have in manifesting their intent and capabilities into an attack. The possibilities are limitless here. Threat actors can do anything they want. Predicting this has been an endless game of cat and mouse. This is Clausewitz’ “fog of war” manifest. 

So how do we combat this “fog of war”? 

We take some notes from Robert McNamara (Wilson’s Ghost: Reducing the Risk of Conflict, Killing, and Catastrophe in the 21st Century; co-authored with James G. Blight) and Errol Morris (director of the film The Fog of War) to say you do this by empathizing with the enemy, maximizing efficiency, getting the data, re-examining our beliefs, and “engaging in evil”. Put in tech terms, that becomes: understanding our threat actors and our own vulnerabilities, and maximizing efficiency in tackling those vulnerabilities through risk-based prioritization. We then re-examine our beliefs and test what we know to be true through some good old red, blue, and purple teaming.

Proper threat exposure management requires this level of evidence and assurance. 

Hive Pro aggregates more than 50,000 data points (and increasing) of up-to-date threat intelligence into the HivePro Uni5 platform and molds it to the customer based on their asset vulnerabilities, risk appetite, and the proximity and likelihood of those threats manifesting based on the correlated actions of threat actors.

[Image: Takeaway #3]

What do you do if there isn’t a patch for a vulnerability? Security teams have grown reliant on out-of-the-box patches, or simply just auto-remediation…so much so that compensating controls and risk management processes have taken a backseat in some of these discussions. 

Well, it’s time for a resurgence of holistic vulnerability management. 

[Image: Takeaway #4]

We’re calling this “holistic vulnerability management”. It’s not a Gartner term, but the takeaway stands in that the authors promote remediation actions beyond patching. 

Just because there’s a vulnerability doesn’t mean that patching is the answer. Sometimes configuration changes and/or software updates are the answer. Sometimes compensating controls can be the answer (e.g. IPSs, WAFs, network segmentation, and strong authentication). 

Nonetheless, many organizations have grown complacent with auto-remediation and have lost sight of what a given patch means for the security of their organization and against their most likely threats. Now that organizations are drowning in a deluge of alerts and long lists of remediations, we feel this is a good time to emphasize holistic vulnerability management with our perspective on vulnerability prioritization.

HivePro Uni5 looks at vulnerability management and prioritization from both the attacker’s and the defender’s perspective. This harks back to Takeaway #2. We do not rely on the Common Vulnerability Scoring System alone: it provides a good baseline, but it doesn’t take into account what threat actors are actually doing, which is what we care about. The threat actor perspective we integrate in HivePro Uni5 builds on the importance, context and sensitivity of your assets, how those assets are managed, and how exposed they are. HivePro Uni5 closes the loop by proposing remediation actions that extend beyond patch management, while looping in all stakeholders through ITSM integrations.
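As an added illustration (our own sketch, not Hive Pro’s, Gartner’s or the Uni5 scoring model), the Python below implements the prioritization idea described above: CVSS as a baseline, re-weighted by threat-actor activity, exposure and asset context, with a remediation path that falls back to compensating controls when no patch exists. All weights, finding ids and sample findings are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical weights chosen for illustration only; not Hive Pro's model.
W_EXPLOITED, W_NOT_EXPLOITED = 1.6, 0.8      # threat-actor activity observed?
W_EXPOSED, W_INTERNAL = 1.4, 0.9             # how exposed the asset is
W_CONTROL = 0.85                             # per compensating control already in place
MAX_MULT = W_EXPLOITED * W_EXPOSED * (5 / 3) # normaliser so scores stay within 0-100

@dataclass(frozen=True)
class Finding:
    id: str                   # placeholder ids, not real advisories
    cvss: float               # CVSS base score, used only as the baseline
    actively_exploited: bool  # threat intel reports actors using it
    internet_exposed: bool
    asset_criticality: int    # 1 (throwaway) to 5 (crown jewel)
    patch_available: bool
    controls: tuple = ()      # compensating controls already deployed

def exposure_score(f: Finding) -> float:
    """Risk-informed priority: CVSS baseline re-weighted by attacker activity,
    exposure and asset context, then discounted for controls already in place."""
    mult = W_EXPLOITED if f.actively_exploited else W_NOT_EXPLOITED
    mult *= W_EXPOSED if f.internet_exposed else W_INTERNAL
    mult *= f.asset_criticality / 3
    mult *= W_CONTROL ** len(f.controls)
    return round(100 * (f.cvss / 10) * mult / MAX_MULT, 1)

def remediation_path(f: Finding) -> str:
    """Remediation beyond patching: choose a compensating control when no patch exists."""
    if f.patch_available:
        return "patch"
    if f.internet_exposed and "waf" not in f.controls:
        return "deploy-waf-or-ips"            # shield the exposed service first
    return "segment-and-enforce-strong-auth"  # shrink the attacker's opportunity

def prioritize(findings):
    """Highest exposure first; ties fall back to the CVSS baseline."""
    return sorted(findings, key=lambda f: (exposure_score(f), f.cvss), reverse=True)

# Constructed sample findings: CVSS-only ordering would put VULN-A first.
SAMPLE = [
    Finding("VULN-A", 9.8, False, False, 1, True),           # critical CVSS, idle lab box
    Finding("VULN-B", 7.5, True, True, 5, False),            # exploited, exposed, crown jewel, no patch
    Finding("VULN-C", 9.1, True, True, 4, False, ("waf",)),  # exposed, but already behind a WAF
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.id}: exposure={exposure_score(f):5.1f} cvss={f.cvss} -> {remediation_path(f)}")
```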

We acknowledge that Threat Exposure Management is more than just your SOC. TEM also involves your GRC team. In fact, TEM involves everyone in some respect.

[Image: Takeaway #5]

Threat Exposure Management is the great facilitator between “Threat Detection and Incident Response” (TDIR) and “Governance, Risk and Compliance” (GRC).  

You know that whole Security v. IT argument: Security slows down IT? Well, Security takes its own medicine with GRC involved. 

While TDIR requires fast-paced responses, GRC plays the long game (e.g. week-long IR investigations, shifting business priorities, resetting the tactical and operational SOC roadmap, etc.). The two are sometimes at odds. In the same way that IT might overlook Security, the TDIR function might overlook GRC. This doesn’t change the fact that cross-team mobilization is necessary to optimize security posture. Everything that is done in TDIR must translate into effective business outcomes.

To find the middle ground between the two, TEM takes the data-heavy, technical TDIR output and translates it into measurable, prioritized, and easy-to-understand analysis that GRC can read and concur with from a strategic position. When vulnerabilities are prioritized by their proximity to a threat, strategic business reporting becomes easier to understand and the call to action more pressing. With internal agreement in Security, a united front helps to communicate to I&O and Architecture teams the importance of the proposed remediation actions and their associated timelines.

HivePro Uni5 takes great care in integrating ITSM tools and remediation tools to close the loop on resolution, and it also provides metrics that show the efficacy of, and the cooperation behind, action across all necessary teams and stakeholders. The proposed metrics dig deeper into operational and behavioral efficiency, and they can be translated into customizable reports for stakeholders across the organization and at all levels.

These Top 5 takeaways drive home the message that it takes a team to manage threat exposure and that managing those threats requires more than just auto-remediation of vulnerabilities. If organizations want to truly mitigate the vulnerabilities in their expanding attack surface, they will have to continuously meet their threats head on and with composure.