In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you'd want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure Management (CTEM) program.
CTEM is an approach to cyber risk management that combines attack simulation, risk prioritization, and remediation guidance in one coordinated process. The term Continuous Threat Exposure Management first appeared in the Gartner ® report, Implement a Continuous Threat Exposure Management Program (CTEM) (Gartner, 21 July 2022,). Since then, we have seen that organizations across the globe are seeing the benefits of this integrated, continual approach.
Webinar: Why and How to Adopt the CTEM Framework
XM Cyber is hosting a webinar featuring Gartner VP Analyst Pete Shoard about adopting the CTEM framework on March 27 and even if you cannot join, we will share an on-demand link, don't miss it!
Focus on Areas With the Most Risk
But why is CTEM popular, and more importantly, how does it improve upon the already overcrowded world of Vulnerability Management?
Central to CTEM is the discovery of real, actionable risk to critical assets. Anyone can identify security improvements in an organization's environment. The issue isn't finding exposures, it's being overwhelmed by them – and being able to know which pose the most risk to critical assets.
In our opinion, a CTEM program helps you:
- Identify your most exposed assets, along with how an attacker might leverage them
- Understand the impact and likelihood of potential breaches
- Prioritize the most urgent risks and vulnerabilities
- Get actionable recommendations on how to fix them
- Monitor your security posture continuously and track your progress
With a CTEM program, you can get the "attacker's view", cross referencing flaws in your environment with their likelihood of being used by an attacker. The result is a prioritized list of exposures to address, including ones that can safely be addressed later.
The Five Stages of a CTEM Program
Rather than a particular product or service, CTEM is a program that reduces cyber security exposures via five stages:
- Scoping – According to Gartner, "To define and later refine the scope of the CTEM initiative, security teams need first to understand what is important to their business counterparts, and what impacts (such as a required interruption of a production system) are likely to be severe enough to warrant collaborative remedial effort."
- Discovery – Gartner says, "Once scoping is completed, it is important to begin a process of discovering assets and their risk profiles. Priority should be given to discovery in areas of the business that have been identified by the scoping process, although this isn't always the driver. Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of assets and security controls, but also other weaknesses such as counterfeit assets or bad responses to a phishing test."
- Prioritization – In this stage, says Gartner, "The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization." Gartner further notes that "Organizations cannot handle the traditional ways of prioritizing exposures via predefined base severity scores, because they need to account for exploit prevalence, available controls, mitigation options and business criticality to reflect the potential impact onto the organization.
- Validation – This stage, according to Gartner, "is the part of the process by which an organization can validate how potential attackers can actually exploit an identified exposure, and how monitoring and control systems might react." Gartner also notes that the objectives for Validation step includes to "assess the likely "attack success" by confirming that attackers could really exploit the previously discovered and prioritized exposures.
- Mobilization – Says Gartner, "To ensure success, security leaders must acknowledge and communicate to all stakeholders that remediation cannot be fully automated." The report further notes that, "the objective of the "mobilization" effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments. It requires organizations to define communication standards (information requirements) and documented cross-team approval workflows."
CTEM vs. Alternative Approaches
There are several alternative approaches to understanding and improving security posture, some of which have been in use for decades.
- Vulnerability Management/RBVM focuses on risk reduction through scanning to identify vulnerabilities, then prioritizing and fixing them based on a static analysis. Automation is essential, given the number of assets that need to be analyzed, and the ever-growing number of vulnerabilities identified. But RBVM is limited to identifying CVEs and doesn't address identity issues and misconfigurations. Furthermore, it doesn't have information required to properly prioritize remediation, typically leading to pervasive backlogs.
- Red Team exercises are manual, expensive, point-in-time tests of cyber security defenses. They seek to identify whether or not a successful attack path exists at a particular point in time, but they can't identify the full array of risks.
- Similarly, Penetration Testing uses a testing methodology as its assessment of risk, and it provides a point-in-time result. Since it involves active interaction with the network and systems, it's typically limited with respect to critical assets, because of the risk of an outage.
- Cloud Security Posture Management (CSPM) focuses on misconfiguration issues and compliance risks solely in cloud environments. While important, it doesn't consider remote employees, on-premises assets, or the interactions between multiple cloud vendors. These solutions are unaware of the full path of attack risks that cross between different environments—a common risk in the real world.
It is our opinion that a CTEM program-based approach offers the advantages of:
- Covering all assets—cloud, on-premises, and remote—and knowing which ones are most critical.
- Continuously discovering all types of exposures—traditional CVEs, identities, and misconfigurations.
- Presenting real-world insights into the attacker view
- Prioritizing remediation efforts to eliminate those paths with the fewest fixes
- Providing remediation advice for reliable, repeated improvements
The Value of CTEM
We feel that the CTEM approach has substantial advantages over alternatives, some of which have been in use for decades. Fundamentally, organizations have spent years identifying exposures, adding them to never-ending "to do" lists, expending countless time plugging away at those lists, and yet not getting a clear benefit. With CTEM, a more thoughtful approach to discovery and prioritization adds value by:
- Quickly reducing overall risk
- Increasing the value of each remediation, and potentially freeing up resources
- Improving the alignment between security and IT teams
- Providing a common view into the entire process, encouraging a positive feedback loop that drives continuous improvement
Getting Started with CTEM
Since CTEM is a process rather than a specific service or software solution, getting started is a holistic endeavor. Organizational buy-in is a critical first step. Other considerations include:
- Supporting processes and data collection with the right software components
- Defining critical assets and updating remediation workflows
- Executing upon the right system integrations
- Determining proper executive reporting and an approach to security posture improvements
In our view, with a CTEM program, organizations can foster a common language of risk for Security and IT; and ensure that the level of risk for each exposure becomes clear. This enables the handful of exposures that actually pose risk, among the many thousands that exist, to be addressed in a meaningful and measurable way.
For more information on how to get started with your CTEM program, check out XM Cyber's whitepaper, XM Cyber on Operationalizing The Continuous Threat Exposure Management (CTEM) Framework by Gartner®.