In a world of ever-expanding jargon, adding another FLA (four-letter acronym) to your glossary might seem like the last thing you want to do. But if you’re looking for ways to continually reduce risk in your environment by making meaningful and consistent improvements to your security posture, we think you’ll probably want to consider establishing a Continuous Threat Exposure Management (CTEM) program.
CTEM is an approach to cyber risk management that combines attack simulation, risk prioritization, and remediation guidance into a single coordinated process. The term Continuous Threat Exposure Management first appeared in the Gartner® report, Implement a Continuous Threat Exposure Management (CTEM) Program (Gartner, July 21, 2022). Since then, organizations around the world have been seeing the benefits of this integrated approach.
Webinar: Why and how to adopt the CTEM framework
XM Cyber will host a webinar with Gartner VP Analyst Pete Shoard on adopting the CTEM framework on March 27. Don't miss it; even if you can't attend live, we'll share a link on request.
Focus on the areas of greatest risk
But why is CTEM so popular and, more importantly, how does it improve the already overcrowded world of vulnerability management?
Central to CTEM is the discovery of real and actionable risks to critical assets. Anyone can identify security improvements in an organization's environment. The problem is not finding exposures but being overwhelmed by them, and knowing which of them pose the greatest risk to critical assets.
In our opinion, a CTEM program helps you:
- Identify your most exposed assets and how an attacker could exploit them
- Understand the impact and likelihood of potential breaches
- Prioritize the most pressing risks and vulnerabilities
- Get practical advice on how to fix them
- Continuously monitor your security level and track your progress
With a CTEM program, you get the "attacker's point of view", cross-referencing the flaws in your environment with the likelihood that an attacker actually uses them. The result is a prioritized list of exposures to address, and a clear view of which ones can safely be addressed later.
The five phases of a CTEM program
Rather than a particular product or service, CTEM is a program that reduces cybersecurity exposures through five steps:
- Scoping – According to Gartner, "To define and subsequently refine the scope of the CTEM initiative, security teams must first understand what is important to their business counterparts and what impacts (such as the necessary disruption of a production system) could be severe enough to justify a collaborative corrective effort."
- Discovery – Gartner says: "Once scoping is complete, it is important to begin a process of discovery of assets and their risk profiles. Priority should be given to discovery in areas of the business that have been identified by the scoping process, although this is not always the driver. Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of resources and security controls, but also other weaknesses such as counterfeit resources or incorrect answers to a phishing test."
- Prioritization – At this stage, says Gartner, "The goal of exposure management is not to try to remediate every problem identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization." Gartner also points out that "organizations cannot manage traditional ways of prioritizing exposures through pre-defined baseline severity scores, because they must take into account the prevalence of exploits, available controls, mitigation options and business criticality to reflect the potential impact on the organization."
- Validation – This phase, according to Gartner, “is the part of the process through which an organization can verify how potential attackers can actually exploit an identified exposure and how monitoring and control systems might respond.” Gartner also notes that the goals of the validation phase include “assessing the likely ‘success of the attack’ by confirming that attackers could indeed exploit previously discovered and prioritized exposures.”
- Mobilization – Says Gartner: "To ensure success, security leaders must recognize and communicate to all stakeholders that remediation cannot be fully automated." The report also notes that "the goal of the 'mobilization' effort is to ensure that teams operationalize CTEM outcomes by reducing friction in approval, implementation processes, and mitigation implementations. It requires organizations to define communication standards (information requirements) and document cross-team approval workflows."
CTEM vs. Alternative approaches
There are several alternative approaches to understanding and improving security, some of which have been in use for decades.
- Vulnerability Management/RBVM focuses on reducing risk by scanning to identify vulnerabilities, then prioritizing and remediating them based on static severity scores. Automation is essential, given the number of assets to analyze and the ever-increasing number of vulnerabilities identified. But RBVM is limited to identifying CVEs and typically does not address identity and misconfiguration issues. It also lacks the context (exploitability, reachability, business criticality) needed to prioritize remediation well, which usually leads to pervasive backlogs.
- Red team exercises are manual, expensive, point-in-time tests of cybersecurity defenses. They establish whether or not a successful attack path exists at a particular moment, but do not enumerate the full range of risks.
- Likewise, penetration testing uses a testing methodology as a risk assessment and provides a point-in-time result. Since it involves active interaction with the network and systems, it is often kept away from the most critical resources because of the risk of disruption.
- Cloud Security Posture Management (CSPM) focuses on misconfiguration issues and compliance risks exclusively in cloud environments. While this is important, it doesn't consider remote employees, on-premises resources, or interactions between multiple cloud providers. These tools cannot see attack paths that traverse different environments, which are common in practice.
It is our opinion that a CTEM program-based approach offers the benefits of:
- Coverage of all resources (cloud, on-premises and remote), with knowledge of which are the most critical
- Continuous discovery of all types of exposures: traditional CVEs, identity weaknesses and misconfigurations
- Real information about the attacker's point of view
- Prioritization of remediation on the choke points where the fewest fixes eliminate the most attack paths
- Corrective advice that produces reliable, repeatable improvements
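The prioritization phase described above and the "fewest fixes" benefit are easier to see on a concrete graph. The following Python script is an added example, not XM Cyber's or Gartner's code, and every host name and exposure ID in it (web01, db-prod, CVE-A, IDENT-2, and so on) is constructed for illustration. It models a small environment as a directed graph whose edges are exposures, enumerates attack paths from the internet to a critical database, ranks exposures by how many validated paths they sit on (using in-the-wild exploitation and CVSS only as tie-breakers), and finds the smallest sets of fixes that cut every path.

```python
"""Attack-path choke-point prioritisation over a constructed exposure graph.

Added example, not XM Cyber's or Gartner's code. Nodes are hosts or
identities; each directed edge is one exposure (CVE, misconfiguration or
identity weakness) that lets an attacker move from source to target.
"""
from collections import Counter
from itertools import combinations

# Constructed sample environment (hypothetical names and exposure IDs).
# (source, target, exposure_id, kind, cvss, exploited_in_wild)
EDGES = [
    ("internet", "web01", "CVE-A", "cve", 9.8, True),
    ("internet", "vpn01", "CVE-B", "cve", 7.5, False),
    ("web01", "app01", "MISCONF-1", "misconfig", 0.0, False),
    ("vpn01", "app01", "IDENT-1", "identity", 0.0, False),
    ("app01", "db-prod", "IDENT-2", "identity", 0.0, False),
    ("web01", "jump01", "CVE-C", "cve", 8.1, True),
    ("jump01", "db-prod", "MISCONF-2", "misconfig", 0.0, False),
    ("jump01", "fileshare", "CVE-D", "cve", 9.1, True),  # critical CVSS, dead end
]
ENTRY = "internet"
CRITICAL_ASSETS = {"db-prod"}


def build_graph(edges):
    """Adjacency map: node -> list of (next_node, exposure_id)."""
    graph = {}
    for src, dst, exp_id, *_ in edges:
        graph.setdefault(src, []).append((dst, exp_id))
    return graph


def find_attack_paths(graph, entry, critical):
    """Enumerate simple paths from entry to any critical asset.

    Each path is returned as the tuple of exposure IDs an attacker must
    exploit, in order. Cycles are avoided by tracking visited nodes.
    """
    paths = []

    def dfs(node, visited, trail):
        if node in critical:
            paths.append(tuple(trail))
            return
        for nxt, exp_id in graph.get(node, []):
            if nxt not in visited:
                dfs(nxt, visited | {nxt}, trail + [exp_id])

    dfs(entry, {entry}, [])
    return paths


def exposure_path_counts(paths):
    """How many distinct attack paths each exposure sits on."""
    counts = Counter()
    for path in paths:
        counts.update(set(path))
    return counts


def minimum_cut_sets(paths, max_size=4):
    """Smallest sets of exposures whose remediation breaks every path.

    Brute force over combinations, smallest size first; fine for the few
    dozen exposures typically found on validated paths, not for a full
    CVE backlog.
    """
    exposures = sorted({e for p in paths for e in p})
    for size in range(1, max_size + 1):
        cuts = [frozenset(c) for c in combinations(exposures, size)
                if all(set(p) & set(c) for p in paths)]
        if cuts:
            return cuts
    return []


def rank_exposures(edges, paths):
    """Order exposures by attack-path relevance, not baseline severity.

    Sort key: number of validated paths hit, then whether the exposure is
    known to be exploited in the wild, then CVSS as a final tie-breaker.
    """
    counts = exposure_path_counts(paths)
    rows = [(exp_id, counts.get(exp_id, 0), exploited, cvss)
            for _, _, exp_id, _, cvss, exploited in edges]
    rows.sort(key=lambda r: (-r[1], -int(r[2]), -r[3], r[0]))
    return [r[0] for r in rows]


if __name__ == "__main__":
    g = build_graph(EDGES)
    found = find_attack_paths(g, ENTRY, CRITICAL_ASSETS)
    print(f"{len(found)} attack paths to {sorted(CRITICAL_ASSETS)}")
    for p in found:
        print("  ", " -> ".join(p))
    print("minimum cut sets:", [sorted(c) for c in minimum_cut_sets(found)])
    print("remediation order:", rank_exposures(EDGES, found))
```

In this sample, CVE-D carries the second-highest CVSS score yet ranks last, because it leads only to a dead end, while the identity exposure IDENT-2, which has no CVSS score at all, sits on two of the three paths to the database and appears in every minimum cut set together with either CVE-A or an exposure from the jump01 path. The cut-set search is exponential in the number of exposures, so in practice run it only over the exposures that the validation phase has confirmed on real paths.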
The value of the CTEM
We believe the CTEM approach has substantial advantages over these alternatives. Fundamentally, organizations have spent years identifying risks, adding them to endless "to-do" lists and working through those lists without achieving a clear reduction in risk. With CTEM, a more thoughtful approach to discovery and prioritization adds value:
- Quickly reduce overall risk
- Increase the value of each repair and potentially free up resources
- Improve alignment between security and IT teams
- Provide a common understanding of the entire process, encouraging a positive feedback loop that drives continuous improvement
Getting started with CTEM
Because CTEM is a process rather than a specific service or software solution, getting started is a holistic undertaking. Organizational buy-in is a critical first step. Other considerations include:
- Supporting processes and data collection with the right software components
- Defining critical resources and updating remediation workflows
- Performing the right system integrations
- Determining appropriate executive reporting and the approach to security strategy improvements
In our opinion, a CTEM program lets organizations foster a common language of security and IT risk, and makes the level of risk for each exposure clear. This allows the few exposures that actually pose risk, among the many thousands that exist, to be addressed in a meaningful and measurable way.
For more information on how to get started with the CTEM program, see XM Cyber’s white paper, XM Cyber on Operating the Gartner® Continuous Threat Exposure Management (CTEM) Framework.