CTEM step-by-step guide | Stage one: Scoping

Welcome to our blog series on Continuous Threat Exposure Management (CTEM), where we dig into the five essential stages of implementing a robust CTEM program. Coined by Gartner in 2022, CTEM is a powerful process that can help continuously manage cyber hygiene and risk across your online environment. It’s also a lot to think about when you’re starting out, so it helps to break things down. Our series begins with the crucial first stage: Scoping.

Scoping is about defining the boundaries of the assets within your CTEM program. This stage is about getting visibility over your IT assets, but also deciding which are critical to the business and therefore belong within the scope of your CTEM process. The initial scope should also help to prove the value of the CTEM program to stakeholders. Because CTEM is an ongoing process, the decisions made here aren’t set in stone: the scope is expected to grow as the attack surface expands, as the program matures, and as more insight is gained.

What does successful CTEM scoping look like?

Accurate scoping based on business risk and potential impact is crucial for the success of the CTEM process. Security teams need to align their efforts with what is critical to the business, which requires understanding what matters to business counterparts and identifying the impacts severe enough to warrant collaborative remediation. The goal is to keep the focus on what is important to the business and to take the ‘attacker’s view’, which extends beyond common vulnerabilities and exposures (CVEs) to misconfigurations, exposed services, weak identities and unknown assets.

By taking an attacker’s perspective, the scoping exercise aims to prioritize the assets and exposures whose compromise would be most detrimental to the business. This might begin with a focus on the external attack surface or the security posture of your various Software-as-a-Service (SaaS) platforms. This is especially relevant to modern organizations that rely on SaaS and have remote and hybrid workers. Scoping goes beyond traditional vulnerability management by considering an extended set of assets, including:

  • Traditional devices
  • Cloud applications
  • Corporate social media accounts
  • Online code repositories
  • Integrated supply chain systems

Scoping is crucial for setting up the rest of the CTEM process because it defines and refines what is important to your organization. This keeps the focus on the areas that matter to the business, which is different from simply discovering a large number of assets and vulnerabilities. This initial step sets the stage for the subsequent steps of discovery, prioritization, validation, and mobilization, ensuring that the CTEM program is aligned with what’s most valuable to the organization.

What are the risks of not scoping correctly?

If an organization fails to define a proper scope, it can significantly impact the rest of the CTEM process in several ways:

  • Confusion between scoping and discovery: Improper scoping can lead to confusion in the second CTEM phase (discovery). You could end up with a large number of assets and vulnerabilities being explored without a clear understanding of their business risk and potential impact.
  • Scope creep: Without a defined scope, the CTEM process could become difficult to manage, with assets and vulnerabilities being removed or added during future steps and complicating the process.
  • Burden on prioritization: Scope creep shifts the burden onto the prioritization step (step three of CTEM), necessitating additional efforts to cut through the noise and focus on what truly matters. It’s easier and more time-effective to do this at the start of the scoping step.
  • Compromised assessments: The effectiveness of vulnerability assessments and threat intelligence gathering is compromised, as the focus may be misdirected towards less critical areas rather than high-value assets that pose significant risks to the organization.
  • Overall inefficiency: The entire CTEM process can become inefficient and less effective, potentially leaving critical vulnerabilities unaddressed and the organization at risk.

Which tools should you use for CTEM scoping?

There are several tools that can be helpful for scoping. These include tools to inventory and categorize assets and vulnerabilities, and tools to simulate or test attack scenarios. This work is essential for identifying the initial scope of the CTEM program, which not only helps in proving the value of the program to stakeholders but also sets a foundation for its expansion as the program matures.

External Attack Surface Management (EASM) plays a crucial role in the scoping process by automating the discovery of internet-facing assets and domains across the entire attack surface. It identifies both known and unknown assets, providing a comprehensive view of the attack surface. This helps ensure that all relevant assets are considered for inclusion in the scope up front, rather than new assets constantly cropping up later on. AI-assisted domain discovery can also help organizations quickly identify the domains that belong to them.

Outpost24’s EASM dashboard view with AI Domain Discovery

EASM’s ability to continuously update and identify risks makes it an essential tool for maintaining an accurate and up-to-date scope in the CTEM process. Interested to see how EASM works? Book a free attack surface analysis with Outpost24’s EASM solution (part of the Outpost24 Continuous Threat Exposure Management Platform).
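The scoping logic described above, from reconciling an EASM discovery feed against the internal inventory (so that unknown assets surface before discovery starts) to ranking the known assets by business criticality and exposure, can be expressed as a small script. The following is an added example written for this article; it is not Outpost24 code and does not use any vendor API. The inventory fields (owner, criticality, covers_subdomains), the exposure weighting and the sample hosts are all constructed assumptions for illustration.

```python
"""Added example: derive an initial CTEM scope by reconciling an external
attack-surface (EASM) discovery feed with the internal asset inventory.

All data below is constructed; field names and weights are assumptions,
not any vendor's schema.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class InventoryAsset:
    name: str                         # hostname or apex domain
    owner: str                        # accountable team (who will remediate)
    criticality: int                  # 1 (low) .. 5 (revenue/regulatory critical)
    asset_type: str                   # e.g. "web app", "saas", "code repo"
    covers_subdomains: bool = False   # apex entry that vouches for its children


@dataclass
class DiscoveredAsset:
    hostname: str
    open_ports: tuple = ()
    tags: tuple = ()                  # EASM-style labels, e.g. "login-form"


# Constructed sample inventory (what the business says it owns).
INVENTORY = [
    InventoryAsset("shop.example.com", "ecommerce", 5, "web app"),
    InventoryAsset("git.example.com", "platform", 4, "code repo"),
    InventoryAsset("example.com", "marketing", 2, "web app", covers_subdomains=True),
]

# Constructed sample EASM feed (what is actually reachable from the internet).
DISCOVERED = [
    DiscoveredAsset("shop.example.com", (443,), ("login-form",)),
    DiscoveredAsset("www.example.com", (443,)),
    DiscoveredAsset("git.example.com", (443, 22)),
    DiscoveredAsset("old-test.example.com", (443,), ("expired-cert",)),
    DiscoveredAsset("payments.example.net", (443, 3389), ("login-form",)),
]


def owning_entry(hostname: str, inventory) -> Optional[InventoryAsset]:
    """Return the inventory entry responsible for a hostname, or None.

    Exact match first; otherwise walk up the parent domains and accept an
    apex entry that has covers_subdomains=True.
    """
    by_name = {a.name: a for a in inventory}
    if hostname in by_name:
        return by_name[hostname]
    parts = hostname.split(".")
    for i in range(1, len(parts) - 1):
        entry = by_name.get(".".join(parts[i:]))
        if entry is not None and entry.covers_subdomains:
            return entry
    return None


def exposure_weight(asset: DiscoveredAsset) -> int:
    """Crude attacker's-view weight: what makes this host more attractive?"""
    weight = 1
    if any(p in asset.open_ports for p in (22, 3389, 445)):
        weight += 2   # remote-admin / file-sharing service on the internet
    if "login-form" in asset.tags:
        weight += 1   # credential attacks become possible
    if "expired-cert" in asset.tags:
        weight += 1   # hygiene signal: probably unmaintained
    return weight


def build_scope(inventory, discovered, min_score: int = 6) -> dict:
    """Split the EASM feed into in-scope, deferred and unknown buckets.

    score = business criticality x exposure weight. Assets with no owning
    inventory entry are reported separately: nobody can be mobilized to fix
    an asset nobody admits to owning, so they need triage before scoring.
    """
    in_scope, deferred, unknown = [], [], []
    for asset in discovered:
        entry = owning_entry(asset.hostname, inventory)
        if entry is None:
            unknown.append(asset.hostname)
            continue
        score = entry.criticality * exposure_weight(asset)
        record = (asset.hostname, entry.owner, score)
        (in_scope if score >= min_score else deferred).append(record)
    in_scope.sort(key=lambda r: -r[2])   # highest business impact first
    return {"in_scope": in_scope, "deferred": deferred, "unknown": sorted(unknown)}


if __name__ == "__main__":
    for bucket, items in build_scope(INVENTORY, DISCOVERED).items():
        print(bucket, items)
```

Run against the constructed data, the payments host on an unclaimed domain lands in the unknown bucket even though it has an exposed RDP port and a login form, which is exactly the kind of asset that would otherwise surface late in discovery; the two marketing subdomains are deferred because the apex owner rated them low criticality, and the shop and the code repository form the initial scope that can be shown to stakeholders.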

Four key pieces of advice for a successful CTEM scoping

  • Consider all assets: Don’t only look at traditional assets but also external attack surfaces, SaaS security postures, devices, apps, corporate social media accounts, online code repositories, and integrated supply chain systems.
  • Initial scope and value proving: Start with a manageable scope that demonstrates value to stakeholders, focusing on critical business risks and impacts rather than just the entire list of discovered assets, domains and vulnerabilities.
  • External attack surface management (EASM): Implement EASM to automate the discovery of both known and unknown internet-facing assets across your entire attack surface. This gives you a complete starting inventory from which to narrow down the scope.
  • Pilot initiatives: You can always test your CTEM program on a smaller scale with pilot initiatives before rolling it out across the entire organization, particularly in areas like external attack surfaces and SaaS security, which are crucial in the context of remote work and cloud-based business operations.

Moving into step two: Discovery

Scoping sets you up for success in the discovery step of CTEM by ensuring that the focus is on areas of the business that are important and relevant. This targeted approach ensures that the discovery process is aligned with business priorities and reduces the likelihood of confusion or disagreement down the line. Precise scoping is crucial for more than just uncovering a high volume of assets – it’s about pinpointing real risks.

Keep an eye on our blog, where we’ll be posting a new CTEM step each month, helping explore strategies and solutions to avoid common CTEM pitfalls and establish a robust foundation for your program. Next, we’ll dive into the discovery step. This is where you’ll start to discover vulnerabilities that exist within the assets in scope of your CTEM program.

Learn more about Outpost24’s Threat Exposure Management platform here.