The Transformative Power of Continuous Threat Exposure Management (Myth or Reality?)
Published 05/24/2024
Written by Alex Vakulov.
The pace at which cyber risks evolve is forcing companies to shift their approach to information security from reactive to proactive. Gartner introduced the concept of Continuous Threat Exposure Management (CTEM) to address this.
In 2022, Gartner first introduced CTEM, stressing that it is not a specific product or solution but a program, a concept, and a strategic approach meant to serve as the foundation for companies aiming to minimize risk and significantly reduce the number of information security incidents.
In 2023, Gartner ranked CTEM among the top cybersecurity trends, noting that today's companies face an enormous number of potential vulnerabilities - so many that addressing all of them requires significant effort and resources. The task for CISOs is to refine how vulnerabilities are evaluated so that the real level of protection against threats can be gauged accurately.
Gartner predicts that by 2026, organizations that prioritize their security investments based on a Continuous Threat Exposure Management program will be 3x less likely to suffer a breach.
What is CTEM, and is it as revolutionary as Gartner claims?
Continuous Threat Exposure Management is a cyber risk management paradigm that offers a proactive and iterative approach to identifying and analyzing sources of danger. It aims to reduce information security threats through a continuous cycle of defined steps: scoping the attack surface, discovering assets and vulnerabilities, prioritizing them, validating the findings, and mobilizing remediation.
Two points are fundamental here: deep analytics and cyclicality. In other words, this is a never-ending process of searching for exposures and preparing response actions.
The CISO should view the company through the eyes of an attacker. We are used to seeing our infrastructure from the defender's position and often struggle to imagine what an attacker will see in our systems, what actions they will take, and what resources they can reach. Gartner recommends continuously evaluating a company's defenses using all available means, including simulated attacks through Red Team assessments and automated penetration-testing-as-a-service (PTaaS) platforms, rather than relying only on existing vulnerability data.
According to Gartner, technical vulnerabilities must be balanced against business priorities when assessing risk. The findings from this analysis should form the basis of a vulnerability remediation schedule, and the order in which vulnerabilities are addressed should be agreed jointly by stakeholders from technical departments and business units.
As previously mentioned, the CTEM program consists of several steps. Let's explore each of these steps in more detail.
1. Scope
The first step of the CTEM program involves determining what assets will be included in the cycle. Since any organization comprises multiple business units - such as sales, manufacturing, accounting, and human resources - it is unlikely that implementing CTEM across the entire company simultaneously will yield successful outcomes. Small businesses might choose their focus based on departmental functions, like sales or finance, or by infrastructure type, such as on-premises or cloud systems. Larger organizations may require a more detailed separation of functions, such as credit pipeline, field sales, or contract management.
Defining the scope matters because it draws a boundary and thereby reduces the number of variables. It also greatly simplifies classifying the identified digital and physical assets into those inside and outside the current cycle. Proper segmentation also surfaces assets that are only indirectly related to the current cycle but would pose a significant risk to it if successfully attacked.
The scoping process involves finding connections between technical assets and business processes, and therefore requires participants from both technical departments and the business side. The latter define the business context that sets the boundaries of the cycle, while the former identify the systems and platforms that function as components of that context.
Gartner recommends going beyond the focus of typical vulnerability management and covering not only traditional devices and applications but also less obvious elements such as corporate social media accounts, integrated supply chain systems, and online code repositories.
2. Discovery
The discovery phase requires a deep understanding of the technical systems and assets in the current CTEM cycle and of their risk profiles. At this stage, the information security team maps the attack surface through the following actions:
- Identification of technical assets and systems.
- Building connections between these systems and business processes.
- Scanning for vulnerabilities.
- Identifying misconfigurations of systems and controls.
- Monitoring deviations from established baselines and security standards.
Identification and assessment should be continuous processes for any security team: ongoing monitoring for new systems and platforms, regular reassessment of vulnerabilities, and a standing search for anomalies.
3. Prioritization
The prioritization stage assesses the urgency and importance of addressing specific vulnerabilities. The decision is based on the system's topology, its configuration, and its relevance to critical business processes.
Vulnerability prioritization should consider more than the base severity score; it should also weigh factors such as how widely available and actively used exploits are, what protective measures and controls are already in place, and the data security risk the vulnerability poses to the business.
It is extremely important to assess the likelihood that a particular vulnerability will actually be exploited, especially for shared resources that support several business processes, since factors from other business contexts can influence the current one. The prioritized remediation schedule that results from this assessment should focus first on the highest-risk impacts.
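The following is an added worked example, not code from the article or from Gartner: it ranks a handful of constructed findings by likelihood of exploitation times business impact, using the factors named above (severity, exploit availability and in-the-wild use, compensating controls, internet exposure, and the criticality of the business processes an asset supports, with a bump for shared resources). The weights, asset names, process names and finding ids are all assumptions made for the demonstration; in practice the exposure and process mapping come from discovery, the criticalities from the business side, and the exploitation data from a scanner plus feeds such as EPSS and an exploited-in-the-wild list.

```python
"""Worked CTEM-style prioritization over constructed findings.

Added illustration, not Gartner's or the author's method: the weights,
assets, processes and finding records below are constructed for the
example and stand in for what a scanner, an exploitation-probability feed,
an exploited-in-the-wild list and the business side supply in practice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    processes: tuple  # business processes this asset supports (from discovery)


@dataclass(frozen=True)
class Finding:
    fid: str                    # constructed finding id, not a CVE
    asset: str
    cvss: float                 # base severity score, 0-10
    epss: float                 # estimated exploitation probability, 0-1
    known_exploited: bool       # listed as exploited in the wild
    compensating_control: bool  # WAF rule, segmentation, etc. already in place


# Criticality per business process, 1 (low) to 5 (crown jewel), set by the business side.
PROCESS_CRITICALITY = {
    "card-payments": 5, "field-sales": 3, "customer-support": 3, "hr-onboarding": 2,
}

ASSETS = {a.name: a for a in (
    Asset("pay-gw-01", True, ("card-payments",)),
    Asset("sales-portal-04", True, ("field-sales",)),
    Asset("db-shared-02", False, ("field-sales", "customer-support", "hr-onboarding")),
    Asset("hr-app-03", False, ("hr-onboarding",)),
)}

FINDINGS = [
    Finding("F-001", "pay-gw-01", 7.5, 0.60, True, False),
    Finding("F-002", "hr-app-03", 9.8, 0.02, False, False),
    Finding("F-003", "db-shared-02", 8.8, 0.30, False, True),
    Finding("F-004", "sales-portal-04", 6.5, 0.45, False, False),
]


def likelihood(f: Finding, a: Asset) -> float:
    """Probability-like score that this finding is actually exploited here."""
    p = max(f.epss, 0.9) if f.known_exploited else f.epss  # in-the-wild use dominates
    if not a.internet_facing:
        p *= 0.4  # attacker first needs a foothold inside the network
    if f.compensating_control:
        p *= 0.5  # a control lowers, but does not remove, the chance of exploitation
    return min(p, 1.0)


def impact(a: Asset) -> float:
    """Business impact: most critical process served, bumped for shared resources."""
    crit = [PROCESS_CRITICALITY[p] for p in a.processes]
    return min(5.0, max(crit) + 0.5 * (len(crit) - 1))


def risk_score(f: Finding, a: Asset) -> float:
    return likelihood(f, a) * (f.cvss / 10.0) * impact(a)


def prioritize(findings, assets):
    """Return (finding, score) pairs, highest remediation priority first."""
    scored = [(f, risk_score(f, assets[f.asset])) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def cvss_only_order(findings):
    """What a severity-only schedule would look like, for comparison."""
    return [f.fid for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


if __name__ == "__main__":
    print("severity-only order:", cvss_only_order(FINDINGS))
    for f, score in prioritize(FINDINGS, ASSETS):
        print(f"{f.fid} on {f.asset:<16} cvss={f.cvss:<4} risk={score:.3f}")
```

Run stand-alone, the severity-only schedule puts the CVSS 9.8 finding on the isolated HR host first, while the risk-weighted schedule puts it last and moves the known-exploited CVSS 7.5 on the internet-facing payment gateway to the top. The shared database ranks above the HR host despite its compensating control because it serves three processes. The multipliers are deliberately simple; the point is that the ordering comes from exposure and business context, not from severity alone.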
4. Validation
At the validation stage, the probability that an attack succeeds is assessed, potential damage is analyzed, and the information security team's response to the attacker's actions within the current cycle is checked.
Typically, this stage requires a series of technical assessments to determine the organization's actual security level: penetration testing, attack simulation, threat modeling, red teaming, and attack path analysis. After these assessments, the information security team needs to connect the results to business risks and, together with business representatives, decide whether those risks are acceptable.
Within a CTEM program, the validation phase exists to create and refine the action plan needed to secure the organization effectively and in line with business priorities.
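As an added example of the attack path analysis mentioned above (not code from the article), the block below walks a constructed network reachability graph and reports which findings actually lie on a path from the internet to a crown-jewel database. A hop counts only if the attacker can both reach it and exploit something on it, so a hardened jump host breaks a path even though it is reachable. It also runs the what-if check a validation team wants before mobilization: which single fix cuts every path. The host names, edges and finding ids are all constructed; in practice the edges come from segmentation rules and firewall policy, and the exploitable set from confirmed pentest or attack-simulation results.

```python
"""Attack path validation over a constructed reachability graph.

Added illustration, not code from the original article. The hosts, the
reachability edges and the finding ids are constructed; in practice they
come from discovery (segmentation rules, firewall policy) and from findings
confirmed exploitable during validation.
"""

# Directed reachability: which hosts can open connections to which (constructed).
EDGES = {
    "internet": ["web-01", "vpn-04"],
    "web-01": ["app-02"],
    "app-02": ["db-03"],
    "vpn-04": ["jump-05", "hr-06"],
    "jump-05": ["db-03"],
    "hr-06": [],
    "db-03": [],
}

# Hosts carrying a finding confirmed exploitable during validation (constructed ids).
# jump-05 is reachable but has no exploitable finding.
EXPLOITABLE = {
    "web-01": "F-101",
    "app-02": "F-102",
    "db-03": "F-103",
    "vpn-04": "F-104",
    "hr-06": "F-105",
}


def attack_paths(edges, exploitable, start, target):
    """Enumerate simple paths from start to target along which every host
    after the start point carries an exploitable finding: each hop must be
    both reachable and compromisable, so one hardened hop breaks the path."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt in path or nxt not in exploitable:
                continue  # no cycles, and no hop the attacker cannot exploit
            walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def findings_on_paths(paths, exploitable):
    """Finding ids that sit on at least one attack path to the target."""
    return {exploitable[h] for p in paths for h in p if h in exploitable}


def paths_if_fixed(edges, exploitable, start, target, fixed_id):
    """What-if check: paths that remain once one finding has been remediated."""
    remaining = {h: fid for h, fid in exploitable.items() if fid != fixed_id}
    return attack_paths(edges, remaining, start, target)


if __name__ == "__main__":
    paths = attack_paths(EDGES, EXPLOITABLE, "internet", "db-03")
    print("paths to db-03:", paths)
    print("findings on a path:", sorted(findings_on_paths(paths, EXPLOITABLE)))
    for fid in ("F-102", "F-104"):
        left = paths_if_fixed(EDGES, EXPLOITABLE, "internet", "db-03", fid)
        print(f"after fixing {fid}: {len(left)} path(s) remain")
```

On this graph only the web tier leads to the database: the VPN route dies at the jump host because nothing on it is exploitable, so F-104 and F-105 are real findings but not on any path to the crown jewel, while F-101, F-102 and F-103 are. Fixing F-102 on the application server removes every path; fixing F-104 on the VPN changes nothing for this target. That is the kind of evidence that lets the security team tell the business which remediation actually reduces risk rather than which finding has the highest score.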
5. Mobilization
During the mobilization phase, tasks are assigned and resources allocated to carry out the vulnerability remediation plan produced during validation. This includes streamlining approval processes and putting mitigation strategies in place to support the organization's security efforts.
This is achieved through collaboration between IT, information security, and business teams. IT and security teams identify candidate remediation strategies and assess their impact on the infrastructure, while business teams review this information and give feedback on the feasibility of the proposals and their alignment with business objectives. This approach requires clear communication protocols and formalized approval processes between teams.
So, a CTEM program can be considered effective if the following are carried out completely and efficiently:
- The attack surface for each business unit and/or business process is clearly defined.
- The exploitability of each vulnerability is confirmed.
- Potential remedies are identified.
- The potential impact of the risk of vulnerability exploitation on the business is assessed.
- The potential business impact of vulnerability remediation is projected.
End Remarks: Significant Change or Marketing Spin?
As you may have noticed, the CTEM concept involves diagnosing problems (scoping, identifying threats, prioritizing vulnerabilities) and then acting on them (validation and mobilization).
Have we seen this approach before? Yes, we have. Companies that moved beyond theoretical security measures have engaged in similar practices. However, most diagnosed problems in isolation, often without linking them to broader business processes. Furthermore, these diagnostics were frequently run without automation tools, which are crucial for consistency and broad coverage. The result was a patchwork approach in which it was never certain which segment or layer would be inspected next.
Gartner has folded into the CTEM framework several processes and solutions that were previously treated as separate entities, such as Automated Pentest, Breach and Attack Simulation, External Attack Surface Management, and Vulnerability Management. It took time for this toolkit to mature to the point where it could supply an additional layer of information: the context needed to prioritize vulnerabilities and cut the list down to a manageable number that no longer overwhelms the team. Today it is entirely feasible to extract specific attack vectors and concrete risks from the wall of red alerts.
However, as practice shows, many companies have been using a similar approach without knowing it by the name CTEM. They use automated penetration testing to prioritize vulnerabilities: the scanner output is enriched with additional information, and the IT department receives more than a basic report from the information security team. Instead, it gets a detailed document showing which critical vulnerabilities were exploited during the automated penetration test and what the consequences were.
Running automated checks with these tools alone, without the diagnostics from steps 1, 2, and 3, is unlikely to achieve the result Gartner predicts - a threefold reduction in breach likelihood by 2026. Even so, products in the BAS and Automated Pentest categories let you open the "black box" and reveal what was previously hidden.
About the Author
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis and strong malware removal skills. He writes for numerous security publications, sharing his experience.