The Sevco Glossary
Cyber Asset Attack Surface Management (CAASM)
Cyber Asset Attack Surface Management (CAASM) is a cybersecurity strategy that helps organizations identify, manage, and reduce the risk of cyber threats to their assets. CAASM provides visibility into an organization’s IT environment, including devices, users, software, cloud assets, and services.
CAASM enables organizations to:
- Continuously manage the attack surface to reduce risk exposure and improve overall security
- Understand attack vectors and secure potential entry points
- Discover and identify vulnerabilities, misconfigurations, and other security risks
- Understand how cybercriminals can exploit vulnerabilities to compromise assets and data
- Take steps to secure any weak spots that cyber attackers could use to gain access to sensitive information
Additional Resources
Comparison Guide: The Criticality of Security Asset Inventory: Moving Beyond IT Asset Management
Cyber Hygiene and Asset Management: Perception vs. Reality
Controls
Software tools deployed to protect an organization’s systems, devices, and other assets from cyberthreats and attacks to prevent, detect, mitigate, and remediate risks and vulnerabilities. Controls enables organizations to protect the confidentiality, integrity, and availability of information
Controls Validation
“Controls validation” refers to the process of systematically testing and evaluating an organization’s security controls to ensure they are functioning effectively and adequately protecting against cyber threats, essentially verifying that the implemented security measures are working as intended and can withstand real-world attacks; it involves simulating attack scenarios to identify any gaps or weaknesses in the defense system.
Controls validation enables organizations to:
- Proactively identify security gaps (missing security controls coverage)
- Ensure compliance with security standards
- Proactively mitigate risk by staying ahead of emerging cyber threats
- Optimize security investments by identifying where to allocate resources
Continuous Threat Exposure Management (CTEM)
Continuous Threat Exposure Management (CTEM) is a cybersecurity framework that helps organizations identify, assess, and mitigate cyber threats. CTEM is a proactive approach that continuously monitors an organization’s digital assets and network infrastructure to identify vulnerabilities and weaknesses.
CTEM involves:
- Assessing an organization’s attack surface
- Proactively testing defenses
- Addressing vulnerabilities to reduce risk in real time
- Ensuring that an organization constantly monitors threats
This exposure management framework is comprised of five stages:
- Stage 1 – Scoping: Identifying the attack surface and critical assets
- Stage 2 – Discovery: Discovering assets and risk profiles, identifying security gaps including misconfigurations
- Stage 3 – Prioritization: Identifying and prioritizing the assets and threats most likely to be exploited
- Stage 4 – Validation: Validate how potential attackers might exploit an identified exposure
- Stage 5 – Mobilization: Ensure teams across the organization operationalize the findings
Additional Resources
CTEM in the Spotlight: How Gartner’s New Categories Help to Manage Exposures
How to Manage Cybersecurity Threats, Not Episodes
Exposure Management is Crucial for Businesses Seeking Compliance With the CMMC
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a publicly accessible database that lists known software and hardware security vulnerabilities. The MITRE Corporation maintains the Common Vulnerabilities and Exposures (CVE) website and the CVE Board oversees the CVE program which includes the assignment of identifiers and the accuracy of the database.
Additional Resource
Common Vulnerability Scoring System (CVSS)
The CVSS was created by the National Infrastructure Advisory Council (NIAC) in 2005 and is currently maintained by the Forum of Incident Response and Security Teams (FIRST). The current version is CVSSv4.0, which was released in November 2023.
A Common Vulnerability Scoring System (CVSS) score is a numerical value between 0 and 10 that indicates the severity of a vulnerability in a computing system:
- 0.0: None
- 0.1–3.9: Low
- 4.0–6.9: Medium
- 7.0–8.9: High
- 9.0–10.0: Critical
The CVSS is a standardized framework that helps organizations prioritize security threats by assessing their potential impact. The score is based on three main metrics:
- Base: The inherent characteristics of the vulnerability
- Temporal: How those characteristics may change over time
- Environmental: How the vulnerability could affect a specific environment
Cybersecurity professionals use CVSS scores in conjunction with the Common Vulnerabilities and Exposures (CVE) glossary, which is a list of publicly known security flaws.
Additional Resources
Historical Methods for Prioritization
Close the Vulnerability Gap: Using Better Intelligence for Better Prioritization
Device Inventory
A device inventory is a comprehensive list of all connected devices within a network, including details such as operating system, model, serial number, associated user(s), and other identifying information, used to track and manage potential security risks across an organization’s IT infrastructure. An accurate device inventory is essential as it provides a detailed record of every device that could be a potential exposure.
A device inventory should aggregate, correlate, and deduplicate data from any tool that provides inventory details including: device name, IP address, operating system version, software applications installed, network location, user assigned, and other identifying characteristics.
An accurate and comprehensive device inventory enables organizations to:
- Proactively identify risk exposure by having full visibility into all devices so security teams can quickly identify suspicious activity on unknown or unauthorized assets.
- Prioritize patch management by reviewing detailed device data (in addition to threat intelligence and business context) to make informed decisions on which devices to address first.
- Enforce compliance requirements by maintaining a record of all connected devices and validate security controls coverage
Additional Resources
Comparison Guide: The Criticality of Security Asset Inventory: Moving Beyond IT Asset Management
Cyber Hygiene and Asset Management: Perception vs. Reality
Exploit Prediction Scoring System (EPSS)
EPSS is a framework designed to estimate the likelihood that a vulnerability will be exploited in the wild based on various risk factors, including the vulnerability’s characteristics and contextual data. EPSS was launched in 2021, with the current version (v3) released in 2023. It is a daily estimate of the probability of exploitation activity being observed over the next 30 days.
According to FIRST, which manages EPSS (along with CVSS), the system is a “data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.” EPSS is not a replacement for CVSS, but complements CVSS. EPSS takes into consideration factors such as: the number of reference links associated with a CVE, the market share of the impacted software product, and industries and products that threat actors may be specifically targeting. EPSS does not measure the severity, but does measure exploitability.
Additional Resources
Historical Methods for Prioritization
Limitations of Existing Methods of Prioritization
Exploit Intelligence
Exploit intelligence refers to the collection and analysis of data about known exploits, including information on how vulnerabilities are being actively used by attackers in the wild, which enables security teams to prioritize and remediate the most critical risks within their systems by understanding which vulnerabilities are most likely to be exploited.
Exploit intelligence can be gathered from various sources including threat intelligence feeds, exploit code repositories, and analysis of malware samples. Unlike simply identifying vulnerabilities, exploit intelligence specifically looks at vulnerabilities that are being actively exploited by attackers in real-time. By understanding which exploits are most prevalent, security teams can prioritize patching and mitigation efforts accordingly.
Example scenarios where exploit intelligence is crucial:
- Rapid response to emerging threats: When a new critical vulnerability is discovered, exploit intelligence can quickly assess if attackers are already actively using it to target systems.
- Vulnerability assessment prioritization: By identifying which vulnerabilities are most likely to be exploited, security teams can focus their scanning and patching efforts on the highest-risk areas.
- Incident investigation: Analyzing exploit intelligence can help security teams understand the tactics, techniques, and procedures (TTPs) used by attackers during an incident.
Additional Resources
How Vulnerability and Exploit Intelligence Drives Better Vulnerability Prioritization
AMA with Brian Contos and VulnCheck’s Patrick Garrity
Exposure Assessment Platform (EAP)
By consolidating the capabilities of traditional endpoint security solutions and vulnerability prioritization tools (VPTs), Exposure Assessment Platforms empower organizations to efficiently address their most critical security gaps by enabling the prioritization of vulnerabilities based on real-world impact. The 2024 Gartner® Hype Cycle™ for Security Operations identified EAPs as marking a significant advancement in security technology.
EAPs are integral to continuous threat exposure management and supporting its five core phases—scoping, discovery, prioritization, validation, and mobilization. By integrating an EAP into the CTEM framework, organizations can proactively manage their attack surface and continuously validate their security posture, ensuring a robust and comprehensive security strategy.
Mitigating controls
Mitigating controls refer to strategies and actions taken to reduce the potential impact of a cyber threat by implementing preventive measures, detective controls, corrective actions, or a combination of approaches, aiming to minimize the severity of a security breach and bring the risk level to an acceptable level.
Examples:
- Access controls: Limiting user access to sensitive data based on their role and permissions.
- Data encryption: Encrypting sensitive data to protect it from unauthorized access even if breached.
- Network segmentation: Dividing a network into smaller segments to limit the spread of a potential attack.
- Intrusion detection systems (IDS): Monitoring network traffic to detect suspicious activity
- Security awareness training: Educating employees about cybersecurity best practices to prevent human error
- Incident response plan: A structured plan to respond to and contain security incidents effectively
Types of mitigating controls:
- Preventive controls: Measures taken to stop a threat from occurring in the first place, like strong passwords and firewalls.
- Detective controls: Mechanisms to identify potential threats or security breaches as they are happening, such as log analysis and anomaly detection
Corrective controls: Actions taken to remedy a security issue after it has been detected, including incident response and data recovery procedures
Remediation Validation
Remediation validation refers to the process of verifying and confirming that actions taken to address identified vulnerabilities, including patching systems or changing configurations, have successfully eliminated the threat. A closed ticket IT ticket does not signify security issues have truly been resolved. Remediation validation involves re-scanning systems to confirm the fix was applied without any issues, the vulnerability is no longer present, and potential risk has been mitigated. The process also helps prioritize critical (un-resolved) vulnerabilities that require immediate attention, and provides evidence of compliance with security standards and regulations.
Organizations should enforce the following steps:
- Identify vulnerabilities through a vulnerability scan.
- Implement remediation actions like patching or configuration changes.
- Conduct a follow-up scan to verify the vulnerabilities are no longer present.
- Document the remediation process and results.
Scanners
Scanners are tools used to enhance network security. They can help identify vulnerabilities, detect services and operating systems, and discover networks. Incorporating data from scanners, in addition to existing security tools, enables organizations to take a more holistic approach to vulnerability management.
Some types of scanners include:
- Port scanners: Detect open ports and running services on a target host
- Network scanners: Discover IP addresses, topology, and operating systems
- Vulnerability scanners: Gather information about known vulnerabilities in a target
- Authenticated scanners: Also called “credentialed scans”, these scans use the access privileges of an authorized user to perform a deeper analysis
- External scanners: Focus on systems that face the internet, like web servers and cloud services
- Internal scanners: Conducted within the network infrastructure, these scans focus on strengthening applications and resources against internal threats
Additional Resource
Close the Vulnerability Gap: Using Better Intelligence for Better Prioritization
Security Inventory
A security inventory refers to a comprehensive list of all the physical and digital assets within an organization’s environment that need to be protected, including hardware, software, network devices, users, and data. An accurate security inventory, along with comprehensive asset telemetry, enables security teams to identify potential vulnerabilities and implement appropriate security measures to mitigate risks across the entire enterprise.
A security inventory includes:
- Hardware details like computers, servers, network devices, peripherals
- Software applications and versions
- User accounts, roles, and access levels
- Data types and locations
With a comprehensive security inventory, organizations can:
- Proactively identify vulnerabilities and limit exposures by having visibility and knowledge of all connected devices which could be entry points for attacks
- Prioritize and enhance security for the most critical assets
- Meet compliance requirements that mandate maintaining a detailed asset inventory.
Additional Resources
Comparison Guide: The Criticality of Security Asset Inventory: Moving Beyond IT Asset Management
Cyber Hygiene and Asset Management: Perception vs. Reality
Threat Intelligence
Threat intelligence refers to the process of collecting, analyzing, and interpreting information about potential cyber threats, including the tactics, techniques, and procedures used by malicious actors, to gain insights and context about emerging dangers, allowing organizations to proactively defend against them and make informed security decisions.
Vulnerability Assessment Tool
Vulnerability assessment tools identify, categorize, and prioritize potential vulnerabilities within a computer system, network infrastructure, or application, allowing organizations to proactively address them before they can be exploited by attackers. The tools scan known assets for security flaws so security teams can remediate those vulnerabilities.
These tools automatically scan systems for known vulnerabilities by comparing system configurations against a database of security flaws (CVEs, CVSS, EPSS). Scans can include: network-based scans to identify vulnerable systems on a network, host-based scans to check individual devices, or application scans to assess web applications for specific vulnerabilities like SQL injection.
Vulnerability Prioritization
Vulnerability prioritization is the strategic process of ranking security vulnerabilities based on factors such as potential impact, severity, and likelihood of exploitation. This approach enables organizations to focus their remediation efforts on addressing the most critical vulnerabilities first, thereby optimizing resource allocation and reducing overall risk exposure.
Organizations should take a holistic approach to vulnerability prioritization to include:
- Common Vulnerability Scoring System (CVSS)
- Exploit Prediction Scoring System (EPSS)
- CISA Known Exploited Vulnerabilities (KEV)
- Exploit Intelligence
- Threat Intelligence
- Business Context and Impact
- Vulnerability Prioritization Technology) (VPT)
Additional Resources
Modernize Your Vulnerability Management
6 Steps to a Proactive Vulnerability Management Program
Vulnerability Prioritization Technology (VPT)
Vulnerability Prioritization Technology (VPT) enables organizations to prioritize and reduce risk by cutting through the noise of endless alerts. Rather than treating all vulnerabilities as equal, VPT unifies asset, vulnerability, and threat data along with business context to prioritize and mitigate exposures. This approach combines multiple critical factors—exploitability, asset criticality, business impact, and existing compensating controls—and delivers intelligence so remediation efforts can be prioritized based on real-world risk. By focusing on the vulnerabilities that attackers are most likely to exploit, VPT ensures that security teams can act quickly to protect their most valuable assets.
Organizations should look for VPT platforms that deliver:
- Comprehensive visibility and inventory of the assets including hardware, software, network devices, users, and controls.
- Risk ranking of vulnerabilities based on real-world risk—considering their severity, exploitability, and potential impact on individual business requirements
- Real-time threat intelligence to identify vulnerabilities actively targeted by attackers to prioritize remediation
- Active scans of the entire attack surface to alert and prioritize new vulnerabilities across all cyber assets
- Business context and insights to align vulnerability management with business-specific risk tolerance and objectives
- Automated remediation through outbound integrations to your existing tools and processes