How to Implement Continuous Threat Exposure Management (CTEM)

Chris Ayliffe
Chief Marketing Officer

28.11.23

Executive Summary: Mastering Continuous Threat Exposure Management (CTEM)

In the realm of cybersecurity evolution, Continuous Threat Exposure Management (CTEM) emerges as a transformative approach, surpassing traditional vulnerability management. Developed by Gartner, CTEM's proactive security posture remediation plan navigates five core stages: scoping, discovery, prioritization, validation, and mobilization, ensuring adaptability in the face of evolving cyber threats.

Gartner's forecast, predicting organizations embracing CTEM will be three times less likely to suffer breaches by 2026, underscores its pivotal role. With the surge in IoT, cloud services, and AI-driven attacks, CTEM demands a proactive evaluation of assets, collaboration-focused prioritization, and a nuanced understanding of evolving cyber threats. Nanitor stands as a dedicated CTEM solution, guiding organizations through every phase, offering robust asset identification, exposure discovery beyond CVEs, intuitive prioritization, detailed remediation steps, and comprehensive tracking features.

CTEM represents the evolution of vulnerability management, centering on business-critical assets, moving beyond CVEs, and integrating prioritization based on business needs. The cyclical model, enriched by continuous learning and collaboration, positions organizations to adapt swiftly in the face of evolving cyber threats. As collaboration proves foundational, organizations must embrace it to garner full support during CTEM implementation, solidifying a robust foundation for ongoing cybersecurity resilience.

What is Continuous Threat Exposure Management (CTEM)?

Continuous Threat Exposure Management is defined as “getting consistent, actionable security posture remediation and improvement plan that business execs can understand and architecture teams can act upon.” [1] This new program was developed by Gartner and can be seen as an evolution of the vulnerability management programs commonly used today. As a recap, vulnerability management programs focus on the organization's total risk exposure by identifying known hardware and software vulnerabilities, remediating these weaknesses, and restarting the cycle.

The objective of CTEM is achieved through the following five core stages: scoping, discovery, prioritization, validation and mobilization. The CTEM program is cyclical and can be triggered by business projects, risk appetite changes, upgrades to security controls, and changes to the IT environment. It is important that each stage is repeated during each iteration so that organizations learn “why” and “how” each element was discovered.

Why is CTEM Essential to Stay Ahead of Cyber Threats?

According to Gartner, “By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach”. [1] With the increasing use of IoT devices, cloud-based services, and the use of AI in attack methods, CTEM will play a key part in staying ahead of cyber threats. CTEM requires a thorough evaluation of the assets in your environment, a proactive approach to identifying vulnerabilities, a collaboration-focused strategy for prioritization and resiliency, and a thorough understanding of attack methods to validate an attack’s probability of being successful.

Simply gathering reports of known vulnerabilities from a range of security tools and trying to remediate the findings will not suffice. It will leave your management concerned about the known risk and your security team stressed with an ever-growing list of concerns.

In order to expand your organization’s knowledge of possible risks, CTEM goes beyond identifying known vulnerabilities in your hardware or software and requires you to stay up to date on the latest cybersecurity threats. This includes possible threats to your nation’s grid that could in turn affect the availability of your servers, or understanding the attack methods used in the latest data breach at an organization in your industry.

This does require resources some smaller organizations might not have; however, the scoping stage in the CTEM model helps alleviate these challenges. By having a thorough understanding of your attack surface, you’ll address only what is applicable to you. You are also not required to jump into a fully implemented CTEM model. The CTEM model is cyclical, and during each iteration your organization can gather intelligence from new cyber threats and, slowly but surely, gain a better understanding of the cyber threats your organization faces.

How Does CTEM Help in Exposure Management?

Most organizations fail to consider an attacker’s point of view when assessing where they could be attacked from. Attackers are not just looking at your servers but are also considering indirect access to your environment, like the Software as a Service (SaaS) application your users may be using for scheduling meetings, or the vulnerabilities in your supply chain partners, as we saw during the SolarWinds hack in 2020. [2]

Most organizations only focus on what their security tools are telling them is a weakness, but CTEM goes beyond that by including what could be acted on by attackers and reducing the attack surface of your environment. Once these vulnerabilities are identified, exposure management requires the organization to prioritize them according to its business needs. Assets that are essential to business processes must take priority. CTEM focuses on both your defensive view and the attacker’s view so that you can protect yourself from ongoing and future threats.

What Are the Five Steps of CTEM?

CTEM is broken down into 5 core steps. However, it is not always necessary to start with the first phase. Some organizations might be transitioning from a vulnerability management program and have already completed the discovery phase for their environment; they can then start with prioritizing which vulnerabilities they will address first. At the end of the program your organization needs to have clear instructions on how to remediate the findings discovered during the process. The “lessons learned” will be valuable input for future iterations.

1. Scoping

This will go beyond what is typically defined as your servers, laptops, applications, etc. It needs to include social media accounts, SaaS applications, code repositories, and other assets that are essential to your business processes. Collaboration between the security team and other business teams is required so that the security team knows the importance of the assets and can get the necessary support from the other teams during implementation. The other teams will be able to see the value of the CTEM program and know the scope was defined with input from the entire organization.

2. Discovery

Once you’ve identified the areas in your environment that contain the critical business assets, you’ll need to start exposure discovery. Most organizations already look for Common Vulnerabilities and Exposures (CVEs), but this phase must go beyond that. It can include misconfigurations of assets and security controls, rogue assets, or failing to correctly identify indicators of compromise (IOCs). It is important to note that once you’ve performed exposure discovery, you might still feel overwhelmed by the number of findings even though you scoped the program correctly. The next step in the model will help you further focus your remediation efforts.

3. Prioritization

Organizations cannot rely on severity scores alone and try to remediate all of the findings their combination of tools reports. The prioritization effort needs to combine urgency, severity, availability of controls, and risk appetite for the assets that are essential to critical business functions. If the prioritization is done correctly, it will also help system owners understand their assets’ position in the prioritization effort and how they will be treated if a new critical vulnerability is discovered.
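The following is an added illustration of the point above, not code from Nanitor or Gartner: a small scoring model that combines scanner severity with business criticality, urgency, available compensating controls and the owner's accepted risk appetite. The weights, field names and sample findings are assumptions constructed for the example, and the result shows a highest-severity finding on a non-critical asset ranking last.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    title: str
    severity: float             # scanner severity, e.g. CVSS base score 0-10
    business_critical: bool     # asset scoped as essential to a critical business function
    actively_exploited: bool    # urgency signal: exploitation observed in the wild
    compensating_control: bool  # an existing control already blocks the likely attack path
    risk_appetite: str          # tolerance the asset owner accepted: "low", "medium" or "high"


# Assumed weights for illustration; a real program would agree these with asset owners.
APPETITE_WEIGHT = {"low": 1.0, "medium": 0.7, "high": 0.4}


def priority_score(f: Finding) -> float:
    """Combine severity, business criticality, urgency, controls and risk appetite."""
    score = f.severity
    if f.business_critical:
        score *= 2.0  # critical assets come first, as the CTEM scope demands
    if f.actively_exploited:
        score *= 1.5  # urgency: attackers are already using this weakness
    if f.compensating_control:
        score *= 0.5  # an available control lowers the effective exposure
    score *= APPETITE_WEIGHT[f.risk_appetite]
    return round(score, 2)


def prioritize(findings: list) -> list:
    """Return findings ordered from most to least urgent to remediate."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("marketing-kiosk", "RCE in signage player", 9.8, False, False, False, "high"),
    Finding("billing-db", "Auth bypass in DB admin console", 6.5, True, True, False, "low"),
    Finding("vpn-gateway", "Memory corruption in VPN daemon", 9.8, True, False, True, "low"),
    Finding("dev-laptop", "Browser sandbox escape", 7.5, False, True, False, "medium"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):6.2f}  {f.asset:16} {f.title}")
```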

4. Validation

This phase assesses the likelihood of a vulnerability being exploited, potential pivoting along the attack path, and whether remediation efforts are sufficient. Red teams can host controlled simulations where they might use MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) [3] to mimic adversary behavior. If a simulated attack is successful, the team can then verify whether the available security controls can stop the attack and whether the processes to implement these controls can be carried out by the different teams. In addition to the technical assessments, the validation needs to be approved by the system owners of the assets. They also need to support the remediation efforts if you want to be successful.

5. Mobilization

Collaboration has been a key factor in successfully completing each of the preceding steps. This final step aims for collaboration during the implementation, or as Gartner puts it, “operationalizing the CTEM findings by reducing friction in approval, implementation processes, and mitigation deployments”. As your teams work through remediation findings, they need to have defined communication channels and cross-team approval workflows. It is also important to note that automated remediation cannot be your only solution. It can be used for simple issues, but the best solution will be the one that addresses your specific environment.

What are possible obstacles during implementation?

A mature adoption of the CTEM model will take several iterations, and some steps may evolve quicker than others. Most organizations will have to focus on the “Prioritization” and “Mobilization” steps since these tend to be the weakest components. [1] As noted throughout the five steps, collaboration will be a key factor in their successful completion, but it will also be a large hurdle for many organizations. Silos are a common occurrence in organizations, but the security team will need to know where its focus should be and will need other teams’ help when implementing remediations. Tracking the security posture of the organization over time will be a challenge, but strong workflows that do not consist only of full automation will be important.

How Does Nanitor Help You Implement an Effective CTEM Solution?

Nanitor is a CTEM solution that is designed to help you during all stages of the CTEM program, whether your organization is transitioning from a vulnerability management program or starting from the ground up. Nanitor identifies unknown assets in your environment, discovers weaknesses not captured in CVEs, provides prioritization with the Nanitor Diamond™ so that critical security issues affecting critical business assets are easily identifiable, provides remediation steps for validation, and provides tracking for remediation efforts. [5]

Nanitor’s additional features include framework compliance across several industries, data normalization across the different platforms, minimal resource requirements, and valuable reporting features for management and technical audiences.

Conclusion

The CTEM model is an evolution of vulnerability management where you focus on business-critical assets, you look beyond CVEs, prioritize based on business needs, validate attack impacts and scenarios, and operationalize the remediation efforts. The cyclical nature of the model allows you to adapt the lessons learned and quickly focus your efforts in the event of a security breach. Collaboration plays a key role throughout the model and can be an obstacle that many organizations face, but in order to gain full support during implementation of the program, it must be a part of the foundation of your program.

Resources:

[1] D’Hoinne, J., & Shoard, P. (2022). 2022 Gartner Exposure Management Report. Gartner. Retrieved November 13, 2023, from https://www.tenable.com/analyst-research/2022-gartner-exposure-management-report?utm_campaign=gs-{20322666617}-{159262678468}-{664025787114}_00028058_fy23&utm_promoter=tenable-one-gatedasset-gartner-ctem-report-00028058.

[2] https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know

[3] https://www.mitre.org/focus-areas/cybersecurity/mitre-attack