Continuous Threat Exposure Management (CTEM)

Continuous Threat Exposure Management (CTEM) - What is it? What benefits does it provide? Why should your organization consider it?


What is CTEM?

Continuous Threat Exposure Management (CTEM) is a set of processes and capabilities that enable organizations to continually and consistently evaluate the accessibility, exposure and exploitability of their digital and physical assets. By implementing CTEM, organizations gain a consistent, actionable plan for remediating and improving their security posture, one that unifies security strategy, operations and data, and ultimately aligns security risk to the business. Gartner Inc. predicts that by 2026, organizations prioritizing their security investments based on a CTEM program will realize a two-thirds reduction in breaches.

Why should an organization adopt CTEM?

As a busy security professional you may be asking yourself “Why should I try to adopt CTEM?” It’s a fair question given the excess of responsibilities paired with the scarcity of time and resources the average security organization faces these days. The short answer is that Continuous Threat Exposure Management (CTEM) is better for the business and is a pathway through the responsibilities and constraints we are struggling with in security today.

By striving to execute security “by the books”, most security teams have drifted out of alignment with the core functions of the business they are working to secure. CTEM evangelizes starting the exposure management lifecycle with a process of scoping, which seeks to catalog the functions of the business as “scopes” and rank these scopes by mission criticality. Whenever possible, scopes should be defined in non-technology terms such as “payment processing” or “product X manufacturing”. By employing a CTEM-like focus on business function as the anchor for exposure management, we can introduce some significant benefits to our security operations, described in the sections that follow.

What are the 5 stages of a CTEM approach?

  • Stage 1 – Scoping: This stage involves understanding your organization’s attack surfaces as well as the importance of each asset to your business over time. Scoping involves input from multiple stakeholders, including IT, Legal, GRC, Research & Development, Product, and Business Operations teams.
  • Stage 2 – Discovery: The Discovery stage is when each asset is assessed for potential exposures and where analysis occurs to understand how the exposures translate to risks. This assessment covers exposures such as vulnerability, Active Directory, identity, and configuration risks, and examines how these exposures could be combined to create attack paths targeting critical assets.
  • Stage 3 – Prioritization: This step is where the rubber hits the road because typically there are more exposures identified than what can be fixed in a timely fashion due to the volume of exposures as well as the fluidity of environment changes. CTEM changes what prioritization has historically meant, focusing on more than just vulnerabilities and considering how the exposures relate to potential attack paths. This enables meaningful remediation to focus on the greatest risk to critical assets.
  • Stage 4 – Validation: The validation stage is where you examine and confirm the vulnerabilities that can be exploited for attack as well as the likelihood of their occurrence. This stage can leverage attack simulations, other scans, penetration testing and more. Identifying the root cause of vulnerabilities is key to understanding what exactly should be addressed and can help enable prioritization.
  • Stage 5 – Mobilization: This stage is where the security team collaborates with the business to ensure proper remediation, including which stakeholders are responsible for deploying patches, re-configuring resources, changing code, etc. This is also where the business can understand the value of any remediation effort, through reporting that shows security posture improvements over time.
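The five stages above, worked through as an added Python illustration (not code from the page or from any vendor product): scopes ranked by mission criticality, a discovered asset inventory with the relationships between assets, a breadth-first search for attack paths to a critical asset, a prioritization score that first drops findings validation has ruled out, and a mobilization hand-off to the stakeholder owning each scope. All scopes, assets, relationships, owners and the scoring formula are constructed assumptions for the example.

```python
"""Scope-based exposure prioritization modelled on the five CTEM stages.

Added illustration only: not code from the page or from any vendor product.
Every scope, asset, relationship, owner and score below is constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Scope:
    name: str          # business function in non-technology terms
    criticality: int   # 1 (low) .. 5 (mission critical), agreed with stakeholders


@dataclass
class Asset:
    name: str
    scope: str               # business scope this asset supports
    critical: bool = False   # the scope's most sensitive asset, e.g. its data store


@dataclass
class Exposure:
    id: str
    asset: str                     # where the exposure was discovered
    kind: str                      # vulnerability, identity, configuration, ...
    validated: str = "unverified"  # Stage 4 result: exploitable | mitigated | false_positive


# Stage 1 - Scoping: constructed scopes ranked by mission criticality
SCOPES = {
    "payment processing": Scope("payment processing", 5),
    "internal wiki": Scope("internal wiki", 1),
}

# Stage 2 - Discovery: constructed inventory per scope, plus the relationships
# (trust, shared credentials, network reachability) an attacker could traverse.
ASSETS = {
    "web-frontend": Asset("web-frontend", "payment processing"),
    "ad-dc01": Asset("ad-dc01", "payment processing"),
    "pay-db": Asset("pay-db", "payment processing", critical=True),
    "wiki-srv": Asset("wiki-srv", "internal wiki"),
}
EDGES = {  # asset -> assets reachable from it (constructed)
    "web-frontend": ["ad-dc01"],
    "ad-dc01": ["pay-db"],
    "wiki-srv": [],
}
EXPOSURES = [  # constructed findings with their Stage 4 validation result
    Exposure("E-1", "web-frontend", "vulnerability", validated="exploitable"),
    Exposure("E-2", "wiki-srv", "vulnerability", validated="exploitable"),
    Exposure("E-3", "ad-dc01", "identity", validated="mitigated"),
    Exposure("E-4", "pay-db", "configuration", validated="false_positive"),
]
OWNERS = {"payment processing": "payments-platform-team", "internal wiki": "it-collab-team"}


def path_to_critical_asset(start, edges, assets):
    """Breadth-first search from the exposed asset; returns the shortest path
    that ends on a critical asset, or None if no such path exists."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if assets[path[-1]].critical:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def prioritize(exposures, assets, scopes, edges):
    """Stages 3 and 4: discard findings validation ruled out, then rank the rest
    by scope criticality, boosted when an attack path reaches a critical asset
    (a shorter path earns a larger boost). Returns (id, score, path) tuples."""
    ranked = []
    for exp in exposures:
        if exp.validated in ("mitigated", "false_positive"):
            continue  # keep triage free of noise that erodes stakeholder trust
        scope = scopes[assets[exp.asset].scope]
        path = path_to_critical_asset(exp.asset, edges, assets)
        boost = 1.0 / len(path) if path else 0.0  # len(path) == hops + 1
        ranked.append((exp.id, scope.criticality * (1.0 + boost), path))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def mobilization_plan(ranked, exposures, assets, owners):
    """Stage 5: hand each surviving exposure to the stakeholder owning its scope."""
    by_id = {e.id: e for e in exposures}
    plan = {}
    for exp_id, _score, _path in ranked:
        owner = owners[assets[by_id[exp_id].asset].scope]
        plan.setdefault(owner, []).append(exp_id)
    return plan


if __name__ == "__main__":
    ranking = prioritize(EXPOSURES, ASSETS, SCOPES, EDGES)
    for exp_id, score, path in ranking:
        print(f"{exp_id}: score={score:.2f} path={' -> '.join(path) if path else 'none'}")
    print(mobilization_plan(ranking, EXPOSURES, ASSETS, OWNERS))
```

Run as a script, the exploitable finding on the payment front end outranks the one on the wiki server because its scope is mission critical and a two-hop path leads to the payment database, while the two findings that validation marked mitigated or false positive never reach the remediation owners. The scoring formula is deliberately simple; a real program would fold in exploitability evidence from Stage 4 and asset importance within the scope, but the shape of the loop (scope, discover, prioritize, validate, mobilize, then re-scope) is the point.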

What are key benefits of adopting a CTEM approach?

More Comprehensive Discovery

Many organizations struggle with discovery technology given the diverse technology environments many businesses find themselves faced with today. Continuous Threat Exposure Management helps discovery efforts by providing context on which technologies we are looking for based on the scope. When performing scope-based discovery we have an improved chance of finding all the technology supporting a scope, because we have better context and can partner with operational and design stakeholders to reverse engineer the scope’s environment.

More Effective Risk Reduction

When implementing CTEM it is a best practice to start with scopes that represent the organization’s mission-critical priorities and work outward to less important functions of the organization. By prioritizing critical functions first, we ensure we are maximizing our risk reduction, as our limited resources are applied to reducing exposure where it matters most.

Clearer ROI on Security Functions

Just as CTEM scopes help us reduce risk more effectively, they also provide a strong framework to measure return on investment for security spending, because scopes give us context on how the security budget is allocated across business functions. When CTEM has been implemented fully, scopes can be a powerful means to make better decisions on security staffing and technology licensing on a continual basis.

Increased Likelihood of Buy-In

Not only do CTEM-aligned practices help us better allocate limited resources and target the most significant risk, but they also greatly increase the chance that we will experience improved buy-in and participation from non-Security stakeholders in our organization. Technology teams can be prone to tunnel vision, hyper focusing on their perceived primary job functions, often at the cost of exposure reduction activities. With CTEM we can rally both technical and non-technical teams around the business context of exposure—something that’s more intuitive and compelling to all members of the organization.

In addition to the business context, the validation efforts of CTEM provide more accurate exposure information to those tasked with remediation. By weeding false positives and mitigated findings out of triage, it is more likely operational partners will stay engaged in executing on exposure remediation efforts.

Practical Direction of Siloed Tools, Teams, & Data

One of the major barriers to understanding and reducing exposure is that the modern security organization has a variety of tools and sub-teams that often operate largely independently, which results in siloed data. Continuous Threat Exposure Management offers a framework that can unite and direct our existing “find and fix” toolsets and teams with a common purpose and produce meaningful, comprehensive output.

CTEM evangelizes using a breadth of exposure identification techniques over siloed depth, and this breadth of discovery extends beyond our organization’s managed footprint to areas such as SaaS security and leaked data detection. The goal of CTEM is to define the complete exposure profile of a given business scope, without being confined to a single discovery technology or data output format. CTEM adoption is a great opportunity to rethink the Security silos we have operated within for years and streamline our “find and fix” strategy to focus on exposure rather than technology platforms and traditional job responsibilities.

A More Evergreen Program

Because CTEM focuses on business functions at its core, promotes a breadth of discovery techniques, and has an iterative lifecycle, it is much less susceptible to changes in technology. The functions, ventures, and obligations of our business typically have longer time horizons than the specific technologies and architectures we use to operationalize them, so by anchoring our scopes to the business the program is more evergreen.

CTEM is a loop-based lifecycle that returns us to the Scoping stage with each iteration, where we can and should confirm the scope is still properly aligned with the business function and adjust our scope (or sub-scopes) as needed. Each iteration of Scoping and Discovery is an opportunity to course correct and adapt to changes in the technology and operational landscape of our organization.

These are just some of the many compelling reasons to kick off your CTEM adoption journey. In general, CTEM offers enough differentiation in approach from traditional siloed “find and fix” security disciplines that you could achieve better exposure data, better coordination and collaboration, better business alignment, and ultimately, more effective and efficient exposure reduction at scale.