Examining the Difference Between CTEM and Vulnerability Management
Posted by: Chris Peltz
I’ve recently been fielding this question in my conversations with customers: “What is the difference between CTEM and Vulnerability Management?”
One compelling aspect of Continuous Threat Exposure Management (CTEM) is that it unites and directs siloed functions of security, such as Vulnerability Management, Application Security, Cloud Security, SaaS Security, Identity Exposure Management, Leaked Data/Secrets, IoT/OT Security and Asset Management. Additionally, CTEM incorporates exposure information from sources that were traditionally used as “point” solutions.
There are several notable differences between traditional Vulnerability Management (VM) and CTEM, and the new elements are intended to remove friction points that have inhibited VM programs for years. CTEM can actually be a force multiplier for your Vulnerability Management efforts. The CTEM lifecycle has five stages (Scoping, Discovery, Prioritization, Validation, and Mobilization); the key differences from VM are clearest in Scoping, Validation, and Mobilization, so those are the phases examined below.
Scope
What most organizations call their "VM program" is, in practice, vulnerability assessment of self-hosted infrastructure. CTEM expands the scope of Discovery to technologies that usually fall outside a VM program, such as cloud-hosted resources, SaaS, identity stores, and even leaked data. The Scoping phase of the CTEM lifecycle is where it departs most clearly from conventional VM programs.
Historically, VM programs have sought to discover all technology, find weaknesses in it, and then attribute those weaknesses to business owners and functions by overlaying metadata from the business. The issue with this workflow is that most organizations don't have complete and accurate business metadata to overlay, so the attribution of findings is incomplete and/or incorrect.
By starting the lifecycle with a defined business function, the attribution and impact of discovered exposures are known from the start. Another advantage of "starting with the scope" is that it gives you a frame of reference for discovery, so you're less likely to miss assets than if you were looking for "everything."
Validation
Two main variables determine the exploitability of a security weakness:
- Exploit viability: a measure of the maturity and prevalence of exploitation of a given weakness (for example, whether working exploit code exists and whether it is being used in the wild)
- Environmental exploitability: how exploitable a given weakness truly is in one's specific environment, considering mitigating controls and control gaps
CTEM specifies a Validation phase to confirm the environmental exploitability of discovered weaknesses, through penetration testing, attack path analysis, clone analysis, or breach and attack simulation. This is a new function that most organizations have not performed as part of traditional VM practices, and it adds significant value: it confirms that a weakness is actually an exposure in our environment rather than a theoretical finding.
Mobilization
The mantra of many conventional VM programs is: "Find the problems and get the right people to fix them." While this works in principle, the actual remediation and risk reduction outcomes of Vulnerability Management have been underwhelming, due to two factors:
- Security organizations have often struggled to know consistently who is responsible for remediating a given vulnerability.
- An inability to act on triaged vulnerabilities, for reasons such as: vulnerabilities being triaged as findings (CVEs/CWEs) rather than as fixes (the work required to resolve those CVEs/CWEs); a lack of change approval to enact the fixes; or a lack of capability to carry out the fixes at scale (poor systems management tooling, etc.).
CTEM designates the triage and remediation activities as the Mobilization stage, and this renaming isn’t just a change in the vernacular. The mission of Mobilization is to provide remediation parties (called “Mobilization partners” in CTEM) with accurate, actionable information to resolve existing exposures and to collaborate in preventing similar new exposures in the future.
If undertaken dutifully, exposure information produced by a CTEM approach is more compelling and actionable than that of a traditional VM program. CTEM essentially gives organizations a more robust way to identify issues for Operations staff to fix on an ongoing basis.
With a CTEM approach, a known-exploitable issue is linked to a business function that both Security and Operations teams understand, and the Security team's role shifts toward collaborating on "find and fix" work. If Mobilization outcomes still aren't occurring after fix-based exposure information has been properly generated, a compelling escalation can be made to leadership: there is no further opportunity in Discovery, Prioritization, and Validation, so Mobilization partners need to be rallied more effectively or resourced better.
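To make the Validation and Mobilization points above concrete, here is an added example in Python (not code from the original post or from GuidePoint Security). It scores each finding by the two variables from the Validation section, exploit viability and environmental exploitability, admits a finding as a confirmed exposure only once Validation has passed, and then collapses the confirmed findings into fix-based work items keyed by Mobilization partner, so the output reads "two hosts need the web server upgrade" rather than two separate CVE tickets. The Finding fields, control weights, threshold, asset names and finding labels are all constructed assumptions, not anything taken from the post.

```python
# Added example, not code from the original post or from GuidePoint Security.
# A toy CTEM triage pipeline: score exploitability from the two variables the
# Validation section names, admit only validated exposures, then collapse
# findings into fix-based work items for Mobilization partners.
# Every asset name, finding label, weight and threshold below is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    asset: str
    finding_id: str              # placeholder label, not a real CVE identifier
    business_function: str       # known up front because Scoping came first
    known_exploited: bool        # e.g. present in an exploited-vulnerabilities catalog
    epss: float                  # 0..1 probability-style exploit likelihood
    internet_exposed: bool
    mitigations: List[str] = field(default_factory=list)  # compensating controls in place
    validated: Optional[bool] = None  # Validation result; None = not yet tested
    fix: str = ""                # the change that resolves the finding
    owner: str = ""              # Mobilization partner responsible for that change


# Hypothetical effect of each compensating control on reachability.
MITIGATION_WEIGHT = {"waf": 0.5, "mfa": 0.3, "segmented": 0.5}


def exploit_viability(f: Finding) -> float:
    """Maturity/prevalence of exploitation: known-exploited trumps any model score."""
    return 1.0 if f.known_exploited else f.epss


def environmental_exploitability(f: Finding) -> float:
    """How reachable the weakness is here, discounted by controls in front of it."""
    score = 1.0 if f.internet_exposed else 0.4
    for m in f.mitigations:
        score *= MITIGATION_WEIGHT.get(m, 0.8)   # unknown control: small default discount
    return score


def exposure_score(f: Finding) -> float:
    return round(exploit_viability(f) * environmental_exploitability(f), 3)


def triage(findings: List[Finding], threshold: float = 0.2) -> Tuple[List[Finding], List[Finding]]:
    """Split candidate exposures into (confirmed, awaiting_validation).

    A high score alone never makes something an exposure: findings that
    failed Validation are dropped, unvalidated ones are queued for it.
    """
    confirmed, to_validate = [], []
    for f in findings:
        if exposure_score(f) < threshold:
            continue                       # not worth a Validation exercise yet
        if f.validated is True:
            confirmed.append(f)
        elif f.validated is None:
            to_validate.append(f)
        # validated is False: a weakness, but not an exposure in this environment
    return confirmed, to_validate


def mobilization_plan(confirmed: List[Finding]) -> Dict[Tuple[str, str], dict]:
    """Group N confirmed exposures into M fix-based work items keyed by (owner, fix)."""
    plan: Dict[Tuple[str, str], dict] = {}
    for f in confirmed:
        item = plan.setdefault((f.owner, f.fix), {
            "findings": set(), "assets": set(), "business_functions": set(), "max_score": 0.0,
        })
        item["findings"].add(f.finding_id)
        item["assets"].add(f.asset)
        item["business_functions"].add(f.business_function)
        item["max_score"] = max(item["max_score"], exposure_score(f))
    return plan


# Constructed sample input: one scoped business function plus two others.
SAMPLE = [
    Finding("web-01", "FINDING-1", "Customer portal", True, 0.9, True, [], True,
            "Upgrade web server package", "Web Platform"),
    Finding("web-02", "FINDING-1", "Customer portal", True, 0.9, True, ["waf"], True,
            "Upgrade web server package", "Web Platform"),
    Finding("db-01", "FINDING-2", "Customer portal", False, 0.05, False, ["segmented"], None,
            "Apply vendor patch", "DBA"),
    Finding("jump-01", "FINDING-3", "Remote access", False, 0.8, True, ["mfa"], None,
            "Apply vendor patch", "Infra Ops"),
    Finding("lab-01", "FINDING-3", "R&D lab", False, 0.8, False, [], False,
            "Apply vendor patch", "Infra Ops"),
]

if __name__ == "__main__":
    confirmed, queue = triage(SAMPLE)
    print("awaiting validation:", [f.asset for f in queue])
    for (owner, fix), item in mobilization_plan(confirmed).items():
        print(f"{owner}: {fix} -> {sorted(item['assets'])} "
              f"(score {item['max_score']}, {sorted(item['business_functions'])})")
```

Running the block on the sample input yields one work item for the Web Platform team covering both portal hosts, one finding queued for Validation, and the lab host's identical weakness discarded because Validation showed it is not exposed there. Swap the placeholder scoring for whatever exploit-viability feed and control inventory your organization actually has; the shape of the pipeline (scope first, validate before declaring an exposure, hand Mobilization partners fixes rather than findings) is the point.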
It’s important to note that Gartner has described Continuous Threat Exposure Management as an “umbrella program” that would help and unite efforts in Vulnerability Management, rather than being a one-to-one program swap. Where organizations can benefit most is in revamping their VM programs in a CTEM-supportive method to realize all the benefits above (and more) from this compelling new paradigm.
Chris Peltz
Practice Lead, Northeast Region,
GuidePoint Security
Chris Peltz has a technology career spanning over fifteen years with experience in industries including financial services, higher education, software development, and healthcare. Currently he contributes to the Engineering leadership in the Northeast at GuidePoint Security. His focus is on partnering with organizations of varying sizes and industries to design, implement, and maintain results-based functional security programs.