CTEM 101 – Go Beyond Vulnerability Management with Continuous Threat Exposure Management

In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you’d want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure

In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you’d want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure Management (CTEM) program.

CTEM is an approach to cyber risk management that combines attack simulation, risk prioritization, and remediation guidance in one coordinated process. The term Continuous Threat Exposure Management first appeared in the Gartner ® report, Implement a Continuous Threat Exposure Management Program (CTEM) (Gartner, 21 July 2022,). Since then, we have seen that organizations across the globe are seeing the benefits of this integrated, continual approach.

Webinar: Why and How to Adopt the CTEM Framework

XM Cyber is hosting a webinar featuring Gartner VP Analyst Pete Shoard about adopting the CTEM framework on March 27 and even if you cannot join, we will share an on-demand link, don’t miss it!

Focus on Areas With the Most Risk

But why is CTEM popular, and more importantly, how does it improve upon the already overcrowded world of Vulnerability Management?

Central to CTEM is the discovery of real, actionable risk to critical assets. Anyone can identify security improvements in an organization’s environment. The issue isn’t finding exposures, it’s being overwhelmed by them – and being able to know which pose the most risk to critical assets.

In our opinion, a CTEM program helps you:

Identify your most exposed assets, along with how an attacker might leverage themUnderstand the impact and likelihood of potential breachesPrioritize the most urgent risks and vulnerabilitiesGet actionable recommendations on how to fix themMonitor your security posture continuously and track your progress

With a CTEM program, you can get the “attacker’s view”, cross referencing flaws in your environment with their likelihood of being used by an attacker. The result is a prioritized list of exposures to address, including ones that can safely be addressed later.

The Five Stages of a CTEM Program

Rather than a particular product or service, CTEM is a program that reduces cyber security exposures via five stages:

Scoping – According to Gartner, “To define and later refine the scope of the CTEM initiative, security teams need first to understand what is important to their business counterparts, and what impacts (such as a required interruption of a production system) are likely to be severe enough to warrant collaborative remedial effort.” Discovery – Gartner says, “Once scoping is completed, it is important to begin a process of discovering assets and their risk profiles. Priority should be given to discovery in areas of the business that have been identified by the scoping process, although this isn’t always the driver. Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of assets and security controls, but also other weaknesses such as counterfeit assets or bad responses to a phishing test.”Prioritization – In this stage, says Gartner, “The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization.” Gartner further notes that “Organizations cannot handle the traditional ways of prioritizing exposures via predefined base severity scores, because they need to account for exploit prevalence, available controls, mitigation options and business criticality to reflect the potential impact onto the organization. Validation – This stage, according to Gartner, “is the part of the process by which an organization can validate how potential attackers can actually exploit an identified exposure, and how monitoring and control systems might react.” Gartner also notes that the objectives for Validation step includes to “assess the likely “attack success” by confirming that attackers could really exploit the previously discovered and prioritized exposures.Mobilization – Says Gartner, “To ensure success, security leaders must acknowledge and communicate to all stakeholders that remediation cannot be fully automated.” The report further notes that, “the objective of the “mobilization” effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation deployments. It requires organizations to define communication standards (information requirements) and documented cross-team approval workflows.”

CTEM vs. Alternative Approaches

There are several alternative approaches to understanding and improving security posture, some of which have been in use for decades.

Vulnerability Management/RBVM focuses on risk reduction through scanning to identify vulnerabilities, then prioritizing and fixing them based on a static analysis. Automation is essential, given the number of assets that need to be analyzed, and the ever-growing number of vulnerabilities identified. But RBVM is limited to identifying CVEs and doesn’t address identity issues and misconfigurations. Furthermore, it doesn’t have information required to properly prioritize remediation, typically leading to pervasive backlogs.
Red Team exercises are manual, expensive, point-in-time tests of cyber security defenses. They seek to identify whether or not a successful attack path exists at a particular point in time, but they can’t identify the full array of risks.
Similarly, Penetration Testing uses a testing methodology as its assessment of risk, and it provides a point-in-time result. Since it involves active interaction with the network and systems, it’s typically limited with respect to critical assets, because of the risk of an outage.
Cloud Security Posture Management (CSPM) focuses on misconfiguration issues and compliance risks solely in cloud environments. While important, it doesn’t consider remote employees, on-premises assets, or the interactions between multiple cloud vendors. These solutions are unaware of the full path of attack risks that cross between different environments—a common risk in the real world.

It is our opinion that a CTEM program-based approach offers the advantages of:

Covering all assets—cloud, on-premises, and remote—and knowing which ones are most critical.
Continuously discovering all types of exposures—traditional CVEs, identities, and misconfigurations.
Presenting real-world insights into the attacker view
Prioritizing remediation efforts to eliminate those paths with the fewest fixes
Providing remediation advice for reliable, repeated improvements

The Value of CTEM

We feel that the CTEM approach has substantial advantages over alternatives, some of which have been in use for decades. Fundamentally, organizations have spent years identifying exposures, adding them to never-ending “to do” lists, expending countless time plugging away at those lists, and yet not getting a clear benefit. With CTEM, a more thoughtful approach to discovery and prioritization adds value by:

Quickly reducing overall risk
Increasing the value of each remediation, and potentially freeing up resources
Improving the alignment between security and IT teams
Providing a common view into the entire process, encouraging a positive feedback loop that drives continuous improvement

Getting Started with CTEM

Since CTEM is a process rather than a specific service or software solution, getting started is a holistic endeavor. Organizational buy-in is a critical first step. Other considerations include:

Supporting processes and data collection with the right software components
Defining critical assets and updating remediation workflows
Executing upon the right system integrations
Determining proper executive reporting and an approach to security posture improvements

In our view, with a CTEM program, organizations can foster a common language of risk for Security and IT; and ensure that the level of risk for each exposure becomes clear. This enables the handful of exposures that actually pose risk, among the many thousands that exist, to be addressed in a meaningful and measurable way.

For more information on how to get started with your CTEM program, check out XM Cyber’s whitepaper, XM Cyber on Operationalizing The Continuous Threat Exposure Management (CTEM) Framework by Gartner®.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

“}]] The Hacker News 

Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

ODNI appoints new election security leader ahead of presidential race

Next Post

Watch Out: These PyPI Python Packages Can Drain Your Crypto Wallets

Related Posts

Eight European consumer watchdogs file complaints over Meta’s data processing

Eight European consumer organizations have filed complaints against Facebook parent Meta accusing it of breaching the EU’s General Data Protection Regulation (GDPR) with its so-called “pay-or-consent” policy and opaque internal policies.The organizations are all members of BEUC, the European Consumer Organization.  Their complaints, publicized Thursday, argue that the large-scale consumer data collection practiced by Meta violates the GDPR, and that the company has abused its dominant market position to essentially coerce customers into accepting its terms. Each of the eight groups filed their complaints with their national data protection authorities, as there is no pan-European office to accept such complaints.To read this article in full, please click here
Read More