Establishing Your Exposure Baseline: The Critical First Step in CTEM

After working with dozens of enterprise security programs, we’ve observed a consistent pattern: organizations significantly underestimate their attack surface. Many security leaders believe they have comprehensive visibility when in reality they’re missing approximately 30% of their assets. This isn’t speculation—it’s a documented fact supported by Mandiant’s M-Trends report. This visibility gap creates substantial risk, as you cannot effectively protect assets you don’t know exist.

One of the reasons security programs fail is that they build sophisticated defenses around an incomplete understanding of what needs protecting. At NorthStar.io, we’ve guided dozens of enterprises through the trenches of exposure management, and here’s the truth: your exposure baseline is everything.

The Expensive Truth About Your Attack Surface

Most CISOs think they know their attack surface. Most CISOs are wrong.

When we run initial discovery for new clients, we consistently find:

  • Forgotten development environments with production data
  • Shadow IT deployed by business teams
  • Unpatched systems running outdated software
  • Misconfigurations exposing sensitive data to the internet
  • Legitimate services with excessive permissions

This isn’t unique to our experience. Palo Alto’s 2023 Attack Surface Report found that the average organization has 29% more cloud assets than its security team realized.

These unknown assets aren’t just a theoretical risk – they’re actively being targeted. According to Verizon’s Data Breach Investigations Report, 72% of breaches involved assets the victim didn’t know they had exposed.

Building a Baseline That Actually Works

Creating a genuine exposure baseline requires brutal honesty and thorough discovery. Here’s how to do it right:

1. Go Beyond Traditional Asset Inventory

Asset management tools are a starting point, not the finish line. They miss cloud resources, IoT devices, and shadow IT. Implement continuous discovery that combines:

  • External attack surface scanning
  • DNS enumeration
  • Cloud resource inventory across all accounts
  • Network traffic analysis
  • Certificate transparency log monitoring

Diverse discovery methods catch different blind spots – no single approach is sufficient.

2. Map Connections and Dependencies

Individual assets don’t exist in isolation. You need to understand how they connect and depend on each other. Document:

  • Data flows between systems
  • Access dependencies
  • Shared authentication mechanisms
  • Third-party integrations
  • Supply chain connections

The MITRE ATT&CK framework demonstrates how attackers chain together vulnerabilities across interconnected systems. Your baseline must capture these relationships.

3. Evaluate Actual Exposure, Not Theoretical Risk

Stop obsessing over CVE scores and start measuring actual exploitability. For each asset, document:

  • Is it internet-facing?
  • What authentication protects it?
  • Is sensitive data accessible?
  • What business functions depend on it?
  • Can vulnerabilities be triggered remotely?

The real-world impact of exposures varies dramatically based on these factors. As Rob Joyce from NSA famously explained, attackers don’t brute force their way in – they look for the path of least resistance.

4. Automate Continuous Discovery

Your attack surface isn’t static – it changes daily. One-time assessments become dangerously obsolete within weeks. Implement:

  • Daily perimeter scans
  • Continuous cloud configuration monitoring
  • Real-time asset change detection
  • Development pipeline visibility
  • API security monitoring

Gartner’s research on exposure management emphasizes that continuous discovery is essential because the average enterprise deploys new internet-facing assets daily.

5. Document Everything in a Single Source of Truth

Scattered information kills security efforts. Consolidate your findings into a central system that:

  • Maps all assets
  • Tracks ownership and business context
  • Documents risk levels
  • Records validation results
  • Integrates with security workflows
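To make the five steps concrete, here is an added example (written for this article, not NorthStar.io’s platform code) that merges constructed sample output from several step-1 discovery sources into one asset map, records the step-3 exposure factors and step-5 ownership context per asset, ranks assets by actual exposure, reports which hosts the existing inventory never knew about, and diffs two snapshots so a daily run (step 4) reports only what changed. All hostnames, accounts, owners and the scoring weights are assumptions invented for the example; the input dictionaries mimic what a scanner or cloud inventory export might look like, not any specific tool’s format.

```python
from dataclasses import dataclass, field

# Constructed sample discovery output (not real data) from four of the
# step-1 sources: external scan, DNS enumeration, cloud inventory, CT logs.
EXTERNAL_SCAN = [
    {"host": "api.example.com", "ports": [443], "auth": "token"},
    {"host": "dev-old.example.com", "ports": [22, 8080], "auth": "none"},
]
DNS_ENUM = ["api.example.com", "dev-old.example.com", "vpn.example.com"]
CLOUD_INVENTORY = [
    {"host": "dev-old.example.com", "account": "acct-dev",
     "owner": "platform-team", "data": "prod-copy"},
    {"host": "internal-db.example.com", "account": "acct-prod",
     "owner": "data-team", "data": "pii"},
]
CT_LOGS = ["api.example.com", "staging-portal.example.com"]
# What the (constructed) asset-management system already knows about.
KNOWN_INVENTORY = {"api.example.com", "vpn.example.com", "internal-db.example.com"}


@dataclass
class Asset:
    """One row of the single source of truth (step 5)."""
    host: str
    sources: set = field(default_factory=set)
    internet_facing: bool = False      # step 3: is it internet-facing?
    auth: str = "unknown"              # step 3: what authentication protects it?
    data: str = "unknown"              # step 3: is sensitive data accessible?
    owner: str = "unassigned"          # step 5: ownership and business context
    account: str = ""
    ports: list = field(default_factory=list)

    def exposure_score(self) -> int:
        """Rank by actual exposure rather than CVE score. The weights are
        this example's assumption, not an industry standard."""
        score = 3 if self.internet_facing else 0
        score += {"none": 3, "unknown": 1}.get(self.auth, 0)
        score += {"pii": 2, "prod-copy": 2, "unknown": 1}.get(self.data, 0)
        score += 1 if self.owner == "unassigned" else 0
        return score


def build_baseline(external, dns, cloud, ct) -> dict:
    """Merge every discovery source into one asset map keyed by hostname."""
    assets = {}

    def get(host, source):
        asset = assets.setdefault(host, Asset(host=host))
        asset.sources.add(source)
        return asset

    for host in dns:
        get(host, "dns")
    for host in ct:           # CT logs surface hosts nobody registered in DNS
        get(host, "ct")
    for row in external:      # anything the perimeter scan sees is internet-facing
        a = get(row["host"], "external")
        a.internet_facing, a.ports, a.auth = True, row["ports"], row["auth"]
    for row in cloud:         # cloud inventory supplies ownership and data context
        a = get(row["host"], "cloud")
        a.account, a.owner, a.data = row["account"], row["owner"], row["data"]
    return assets


def unknown_assets(baseline, known):
    """Hosts discovery found that the asset inventory never recorded."""
    return set(baseline) - set(known)


def prioritized(baseline):
    """Hosts ordered by exposure, most exposed first (ties broken by name)."""
    return sorted(baseline, key=lambda h: (-baseline[h].exposure_score(), h))


def diff_baselines(old, new):
    """Step 4: compare two snapshots so daily runs report only what changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {
        h: (old[h].exposure_score(), new[h].exposure_score())
        for h in set(old) & set(new)
        if old[h].exposure_score() != new[h].exposure_score()
    }
    return {"added": added, "removed": removed, "score_changed": changed}


if __name__ == "__main__":
    base = build_baseline(EXTERNAL_SCAN, DNS_ENUM, CLOUD_INVENTORY, CT_LOGS)
    missing = unknown_assets(base, KNOWN_INVENTORY)
    print(f"{len(base)} assets discovered, {len(missing)} unknown to inventory: {sorted(missing)}")
    for host in prioritized(base):
        a = base[host]
        print(f"{a.exposure_score():2d} {host:28s} sources={sorted(a.sources)} owner={a.owner}")
```

With the sample data, the forgotten development host surfaces at the top of the list because it is internet-facing, unauthenticated and holds a production copy, while the staging portal seen only in certificate transparency logs shows up as an asset the inventory never recorded. Feeding yesterday’s and today’s maps to `diff_baselines` turns a one-time assessment into a change feed: a newly exposed database or a host whose authentication was removed appears as an added entry or a score change rather than being lost in a full report.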

Case Study: Financial Services Wake-Up Call

One of our financial services clients thought they had roughly 2,400 internet-facing assets. Our initial baseline assessment discovered over 3,700 – a 54% gap.

Among those unknown assets, we found:

  • A developer portal with leaked AWS credentials
  • Three forgotten test environments with production data
  • Customer service tooling with default credentials
  • A legacy API endpoint with SSRF vulnerabilities

These exposures had been sitting in the dark for an average of 7 months. Within two weeks of implementing continuous baseline monitoring, their security team prevented a potential breach by catching and remediating an exposed MongoDB instance before it could be discovered by attackers.

Start With Reality, Not Assumptions

Your entire security program is built on your understanding of what needs protecting. If that foundation is incomplete, nothing else matters – not your EDR tools, not your zero trust architecture, not your threat hunting team.

The first step toward real security is admitting what you don’t know. The second is finding out.

NorthStar.io’s platform provides automated discovery, attack surface mapping, and continuous monitoring to help you establish and maintain a complete exposure baseline.