Understanding Continuous Threat Exposure Management (In Under 5 Minutes)

Sam Reed

Continuous Threat Exposure Management (CTEM) is a proactive cybersecurity framework outlined by Gartner.

This article is meant to be a "SparkNotes" version of the 16-page Gartner report.

Bolded quotes are taken directly from the initial Gartner report published July 21, 2022: Implement a Continuous Threat Exposure Management (CTEM) Program.

What is CTEM?

Continuous Threat Exposure Management (CTEM) “is a set of processes and capabilities that allow enterprises to continually and consistently evaluate the accessibility, exposure and exploitability of an enterprise’s digital and physical assets.”

In other words, it’s a framework that enables organizations to proactively discover and remove risks that could lead to a cybersecurity incident.

The purpose is twofold:

  1. Reduce the likelihood and impact of an attack
  2. Do so in the most efficient and effective way in the context of business objectives

The second point is crucial.

“The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization.”

It aims to answer the question: “What does my organization look like from an attacker’s point of view, and how should it find and prioritize the issues attackers will see first?”

Why Should M(S)SPs Care?

As a cybersecurity provider, your job is to mitigate risk.

And Gartner estimates, “By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach.”

The days of reactive-only cybersecurity are in the past. The prevalence and impact of cyber incidents are too great. The stakes are too high.

And vulnerability management alone, as a primary mitigation strategy, doesn’t work.

“Traditional approaches are no longer keeping up with quickly evolving business needs and expanding attack surfaces. Exposure extends beyond vulnerabilities. Even taking a risk-based vulnerability management (RBVM) approach might not be sufficient.”

A CTEM-based approach enables M(S)SPs to better protect their clients (while showing measurable progress) and deploy internal resources more effectively.

How Does CTEM Work?

There are five stages in a CTEM program, with each stage contributing to the others.

Stage one: Scoping

The initial stage focuses on cybersecurity in the context of the greater business objectives. "CTEM is not a purely risk-driven exercise either. Transforming a traditionally diagnostic function into an actionable set of outcomes requires clarity regarding objectives."

Stage two: Discovery

This stage focuses on asset discovery, including hidden ones, and their risk profiles. It's important to note: "Exposure discovery goes beyond vulnerabilities: it can include misconfiguration of assets and security controls, but also other weaknesses such as counterfeit assets or bad responses to a phishing test.”

Stage three: Prioritization

“Prioritizing the treatment of exposures needs to be based on a combination of the urgency, severity, availability of compensating controls, risk appetite and level of risk posed to the organization. In other words, organizations should determine their high-value assets (where critical business value is located) depending on whether there are existing security controls in place and the likelihood of the asset being exploited by an adversary, and then focus treatment of efforts where appropriate.”
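The quote above lists the inputs to prioritization (severity, likelihood of exploitation, asset value, compensating controls, risk appetite) but not how they combine. The following is an added illustration, not from the Gartner report or from Shield Cyber: a small Python scorer over a constructed set of exposures. The weighting (severity, exploit likelihood and asset criticality multiplied together, each compensating control halving the result, and a risk-appetite threshold deciding what is deferred) is an assumption chosen to make the point, not a published formula. The point it shows is the one the section makes: the finding with the highest raw severity is not necessarily the one to treat first.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Exposure:
    """One exposure as discovered in stage two; all field scales are assumptions."""
    asset: str
    finding: str
    severity: float               # 0-10, e.g. a CVSS-style base score
    exploit_likelihood: float     # 0.0-1.0, estimated chance an adversary exploits it
    asset_criticality: int        # 1-5, business value of the asset (5 = crown jewels)
    compensating_controls: List[str] = field(default_factory=list)


def exposure_score(e: Exposure) -> float:
    """Combine the prioritization factors into one 0-1 score.

    Severity, likelihood and criticality are multiplied (all three must be
    high for the score to be high); each existing compensating control halves
    the score, reflecting reduced exposure rather than reduced severity.
    """
    base = (e.severity / 10.0) * e.exploit_likelihood * (e.asset_criticality / 5.0)
    control_factor = 0.5 ** len(e.compensating_controls)
    return round(base * control_factor, 4)


def prioritize(exposures: List[Exposure], risk_appetite: float) -> Tuple[List[Exposure], List[Exposure]]:
    """Return (treat_now, defer): treat_now sorted by descending score.

    risk_appetite is the score below which the organization accepts the
    exposure for now instead of spending remediation effort on it.
    """
    scored = sorted(exposures, key=exposure_score, reverse=True)
    treat_now = [e for e in scored if exposure_score(e) >= risk_appetite]
    defer = [e for e in scored if exposure_score(e) < risk_appetite]
    return treat_now, defer


# Constructed sample inventory (hypothetical assets and findings).
SAMPLE_EXPOSURES = [
    Exposure("payroll-db", "SQL injection in admin portal", 9.0, 0.7, 5),
    Exposure("marketing-web", "outdated CMS plugin with public exploit", 9.8, 0.9, 2,
             compensating_controls=["WAF", "network segmentation"]),
    Exposure("finance-workstation-12", "user failed phishing test; no MFA enrolled", 6.0, 0.6, 4),
    Exposure("test-vm", "missing OS patch", 5.0, 0.1, 1),
]


if __name__ == "__main__":
    treat, defer = prioritize(SAMPLE_EXPOSURES, risk_appetite=0.05)
    print("Treat now (highest first):")
    for e in treat:
        print(f"  {exposure_score(e):.4f}  {e.asset}: {e.finding}")
    print("Deferred within risk appetite:")
    for e in defer:
        print(f"  {exposure_score(e):.4f}  {e.asset}: {e.finding}")
```

With these inputs the CMS finding, despite the highest severity and exploit likelihood, ranks third because it sits on a low-value asset behind two compensating controls, while the failed phishing test on an unprotected finance workstation ranks second. Changing the weights or the risk-appetite threshold is exactly the business-context decision the scoping stage is meant to settle before prioritization runs.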

Stage four: Validation

The goal of this stage is to determine how an attack could occur, the likelihood of "attack success", and the potential business impact. It also aims to test the effectiveness of existing controls. Importantly, "Then, the scope of the validation should include not only the relevant threat vectors, but also the possibility of pivot and lateral movement."

Stage five: Mobilization

The final stage is about turning insights into concrete actions across stakeholders. "The objective of the 'mobilization' effort is to ensure the teams operationalize the CTEM findings by reducing friction in approval, implementation processes and mitigation processes."

Context Matters

The core theme of CTEM is continuous risk reduction in the context of business objectives.

Without understanding the likelihood of exploit, existing controls and mitigation options, and potential business impact of exposures in an environment, it's impossible to effectively mitigate risk. A CTEM-based approach aims to proactively remove the most critical risks on an organization's most critical assets.

“The most successful protection approach combines preparation for unknown threats with a risk reduction strategy, emphasizing publicly known vulnerabilities and identified control gaps.”

This "successful protection approach" can only occur with the right combination of people, processes, and tools.

Sam Reed

Head of Growth @ Shield Cyber

LinkedIn

We make cybersecurity easy to understand.

Understand the logic behind attacks to proactively defend against them.
