Vulnerability Management

Adopting CTEM to Replace Your Legacy Vulnerability Management Solution

Derek Melber


Chief Strategist

22.12.23




Continuous Threat Exposure Management (CTEM), a category designated by Gartner, is trending to be one of the hottest topics in 2023. Gartner has stated that CTEM is designed to secure digital and physical assets for any sized organization. Gartner states: “By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach.” There is no doubt that CTEM will become the de facto security concept that every organization, from the smallest SMB to the largest enterprise, will adopt to secure its environment.

Components of CTEM 

CTEM has a lot of moving parts and concepts. At the core of CTEM are the following components: 

  • Scoping 
  • Discovery 
  • Prioritization 
  • Validation 
  • Mobilization 

Scoping, discovery, and prioritization focus on the analysis of the assets, with an emphasis on helping the organization know what needs to be addressed to target the biggest security risk. Validation and mobilization target the remediation of the security issues that are organized and prioritized in the analysis stages.  

These component terms don’t make much sense by themselves, so this technical paper will explain what each component truly incorporates, plus we will push the limits of CTEM to include more security areas that are essential to every organization.  

Scoping 

You can equate scoping to the attack surface. CTEM stresses that the attack surface has expanded due to work-from-home, cloud integrations, and a more remote workforce, and therefore that scoping needs to incorporate as much of this expanded network as possible.

The past few years have proven that this expansion of the attack surface has benefited attackers more than anyone. Attackers have shown that they will exploit any and every possible “issue” they find on any device, application, service, etc. Attacker behavior alone proves that vulnerability management by itself is not enough. Breaches such as Exchange, SolarWinds, and supply chain compromises prove that vulnerability management is just one of many aspects of security that every organization needs to address.

Additional attack surfaces like social media, IoT, OT, cloud applications, and supply chain considerations need to be included. Traditional assets like workstations, servers, domain controllers, and network devices still need to be included, but now external attack surfaces and SaaS security should also be involved.   

Nanitor has expanded this component to ensure that scoping includes as much of the enterprise as possible. This would include: 

  • Support for over 75 platforms, as shown in Figure 1 
  • Automatic asset discovery and inventory, which is essential 
  • All computing devices are included: workstations, laptops, network devices, networks, printers, and more 
  • Cloud assets are included 
  • External asset security and scanning (ASM) is included 

Figure 1. Platforms supported in Nanitor  

Discovery 

Since CTEM is expanding the traditional security emphasis to much more than vulnerability management, discovery is one of the most important aspects of CTEM. Discovery defines what security aspects need to be included for each asset. Security aspects such as misconfigurations and other related security risks are included in the CTEM platform definition. Gartner clearly states that security needs to be analyzed on both visible and hidden assets. In essence, CTEM clearly states that all assets need to be known and included in the analysis. Without the inclusion of all assets, attackers have an additional attack surface that is not being considered by the organization.  

Nanitor agrees with the approach detailed by Gartner. However, this is where Nanitor truly shines and stands out from other CTEM platforms. Nanitor believes that more than vulnerabilities and misconfigurations need to be analyzed. The following is a list of what Nanitor includes for their CTEM platform: 

  • Vulnerabilities 
  • Misconfigurations 
  • Patching 
  • Identity 
  • Software 
  • Cloud 
  • PII 

Nanitor also takes the concept of including all assets to a new level. Each asset is also given a priority, so certain devices are given more weight than others. This combination of asset + issue prioritization is a unique differentiator for Nanitor, which every organization wants and needs.  

Prioritization 

Without prioritization, even the smallest SMB would be overwhelmed with the volume of data that is being analyzed and results that need to be remediated. There is no possible way that every security issue, including vulnerabilities, can be remediated. CTEM clearly states this as a premise to the concept: “Not every security issue can be fixed.” With a slight twist to the traditional prioritization approach, CTEM prioritization should include: 

  • Urgency 
  • Security 
  • Compensating controls 
  • Residual attack surface 
  • Risk levels 

Not only does CTEM emphasize that more than vulnerability issues need to be included and be prioritized, but the fact that assets also need to have priorities. This combination of asset and issue priority gives any organization a clearer and more risk-centric view of what security issues need to be addressed on each asset.  

Nanitor takes prioritization to a completely new level, even above CTEM standards. Nanitor is the only unified CTEM platform built on a single code base. This means that the priorities of highly disparate security issues (vulnerabilities vs. misconfigurations vs. identity) are all normalized against one another. This gives the organization a holistic view of exactly which security issues need to be addressed to make the biggest impact on overall security posture and on lowering risk. Nanitor's Priority Diamond is the only single view that splices asset priority and issue priority together, as you can see in Figure 2.

Figure 2. Nanitor's Priority Diamond.

Nanitor takes the concept of priority to a new level by including the following features: 

  • Vulnerability urgency 
  • Misconfiguration exploitability 
  • Identity risk and exploitability 
  • Network health and segregation 
  • Every issue and security control has a priority 
  • Every asset has a priority 
  • All issue, control, and asset priority is normalized for direct comparison 

Validation 

Gartner designed the validation component of CTEM to help with organizations that are not experienced with the variety of security issues that fall under the CTEM umbrella. This component is designed to prove that the security issue being analyzed is exploitable. CTEM includes various methods to prove this, including pen-testing, simulations, attack path analysis, and more. Ideally, the result will prove if the asset being evaluated is exploitable, and can help with the overall priority of other security issues that fall in the path of the attacker.  

Although this approach helps validate the analysis of assets and security issues, it is very time-consuming, prone to false positives, and very costly.

Nanitor takes a different approach to validating that security issues are relevant, by applying industry standards in the analysis of every issue:

  • Vulnerabilities are validated using CVSS and EPSS scoring, as well as whether the vulnerability is used in current exploits 
  • Misconfigurations are validated by CIS Benchmarks 
  • Identity validation is done against MITRE and documented known exploits 
  • Patching is validated against vendor-documented patch requirements 

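As an added illustration (not Nanitor's code or scoring formula), the following hypothetical Python model shows how the per-category evidence listed above (CVSS/EPSS and known exploitation for vulnerabilities, CIS Benchmark level for misconfigurations, documented exploitation for identity issues, vendor patch deadlines for patching) can be mapped onto one common scale and then combined with an asset priority, which is the asset + issue normalization described under Prioritization. Weights, categories, and sample findings are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    priority: int  # 1 (low) .. 5 (critical), assigned by the organization

@dataclass
class Issue:
    asset: Asset
    category: str            # vulnerability | misconfiguration | identity | patching
    title: str
    cvss: float = 0.0        # vulnerability: CVSS base score, 0..10
    epss: float = 0.0        # vulnerability: EPSS exploit probability, 0..1
    known_exploited: bool = False  # vulnerability/identity: documented real-world use
    cis_level: int = 0       # misconfiguration: CIS Benchmark level (1 or 2)
    days_overdue: int = 0    # patching: days past the vendor's required install date

def issue_score(issue: Issue) -> float:
    """Map each category's own evidence onto a shared 0..1 scale (weights are illustrative)."""
    if issue.category == "vulnerability":
        score = 0.6 * issue.cvss / 10 + 0.4 * issue.epss
        if issue.known_exploited:          # evidence of active exploitation floors the score
            score = max(score, 0.9)
    elif issue.category == "misconfiguration":
        score = 0.7 if issue.cis_level == 1 else 0.5   # CIS Level 1 is the baseline hardening set
    elif issue.category == "identity":
        score = 0.85 if issue.known_exploited else 0.5
    elif issue.category == "patching":
        score = 0.4 + issue.days_overdue / 90           # grows with how far past the deadline
    else:
        raise ValueError(f"unknown category: {issue.category}")
    return round(min(score, 1.0), 3)

def combined_priority(issue: Issue) -> int:
    """Splice asset priority and normalized issue score into a single 0..100 number."""
    return round(100 * issue_score(issue) * issue.asset.priority / 5)

def rank(issues):
    """Return (priority, asset, title) tuples, highest first, across all categories."""
    return sorted(((combined_priority(i), i.asset.name, i.title) for i in issues), reverse=True)

def sample_findings():
    # Constructed sample: identical vulnerability on a critical and on a low-priority asset.
    dc, lab = Asset("dc01", 5), Asset("ws-lab-07", 1)
    return [
        Issue(dc, "vulnerability", "CVE-PLACEHOLDER-A", cvss=9.8, epss=0.97, known_exploited=True),
        Issue(lab, "vulnerability", "CVE-PLACEHOLDER-A", cvss=9.8, epss=0.97, known_exploited=True),
        Issue(dc, "misconfiguration", "SMB signing not required", cis_level=1),
        Issue(dc, "identity", "Privileged account with password never expires", known_exploited=True),
        Issue(lab, "patching", "Browser update past vendor deadline", days_overdue=45),
    ]
```

Running rank(sample_findings()) places the exploited vulnerability on the domain controller first and the same CVE on the lab workstation near the bottom, showing why asset priority matters as much as issue severity.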
Mobilization 

Automation of security issue remediation has been a long-time goal and desire. CTEM includes this concept in the mobilization component. Although CTEM does not attempt to automate every possible remediation, the overall intent is clear. To offset remediation that might disrupt production, cause downtime of a system, or even cause a catastrophic issue, CTEM includes operationalizing teams by providing better metrics on which issues need to be addressed.

Nanitor also pushes the envelope in this mobilization component by adding more checks and balances to help security and IT teams address issues that are analyzed and put at the top of the priority list. Nanitor does this by: 

  • Including a complete API to communicate with ticketing systems, the SOC, and other security solutions 
  • Providing RBAC for precise access control 
  • Reporting for constant updates on organization, asset, and issue health, as you can see in Figure 3. 

Figure 3. Health reports on the organization and issues.  

CTEM Benefits 

A long time coming, CTEM takes a long-standing industry standard, vulnerability management, and piles on the other security issues that need attention. A unified CTEM solution starts with an asset-centric inventory and prioritization approach, followed by the inclusion of key security metrics that every organization needs to address, especially those based on common attacks and tactics. This list of security issues goes well beyond vulnerabilities and misconfigurations alone. Patching, software, cloud, identity, and PII must also be considered in the overall CTEM analysis and prioritization. Without a complete view of security, per asset, organizations are leaving themselves wide open to easy exploitation.

Nanitor is the only unified CTEM solution built from the ground up. This means that all security issues, per prioritized asset, are normalized and prioritized on an even playing field against one another. The Nanitor Priority Diamond organizes this unique view, so organizations know “what to fix today!” No longer do organizations need to manually shuffle output from multi-vendor security platforms to know what to focus on to reduce security risk.

Nanitor provides the following to any organization:  

  • Free security assessment 
  • Free trial of the platform 
  • CTEM security suite pricing comparable to that of a vulnerability management-only solution