CTEM – useful or just another acronym?

Moving from a reactive to a proactive stance has dominated the cybersecurity agenda for years in a bid to be one step ahead, rather than behind, any adversary. It’s a journey that has seen vulnerability management complemented by the emergence of threat exposure management (which seeks to identify and manage exposures across the attack surface as a whole, not just within software vulnerabilities) and which has now evolved into the concept of Continuous Threat Exposure Management (CTEM).

CTEM is a term that was first coined by Gartner and as the moniker implies it’s used to encapsulate an approach that seeks to assess and manage the exposure of the business on a continuous basis. CTEM is not a tool or technology, although its implementation can be aided through the use of numerous tools, but rather a programme that moves us on from static analysis to constant attack surface understanding and scoping, real-time monitoring of vulnerabilities and exposures, and continuous controls testing, resulting in proactive threat identification and prioritised remediation.

Why CTEM marks a sea change in security

CTEM doesn’t just identify threats, however, but also explores how they might be exploited and uses simulations to determine, understand, and disrupt attack paths – a highly valuable tactic given how quickly adversaries can now pivot or combine multiple exposures together. Its vigilance in terms of monitoring for threats on a continuous basis is a key differentiator as it means the process can detect when new exposures emerge and enable new attack paths.

What’s interesting is that the process has now come of age and is beginning to be adopted more widely, with CTEM coming second only to AI in Gartner’s top ten list of Strategic Technology Trends for 2024. It’s a list that aims to flag advances that will enable organisations to better protect their assets, generate value and achieve business goals and so those that do seek to embrace CTEM can expect it to help conserve resource and steer security spend. In fact, Gartner predicts that by 2026 organisations that use CTEM will be three times less likely to suffer a breach.

So, what does implementing CTEM entail? Gartner describes the process as having five steps: scoping, discovery, prioritisation, validation, and mobilisation.

Scoping involves mapping the attack surface by identifying vulnerable entry points and assets, and it extends beyond the usual devices and apps to include things like the internal and external attack surface, all IT, IoT, and OT infrastructure, cloud, identities, the dark web, and human or organisational risk. In fact, it encourages organisations to consider all facets of their operations to identify and prioritise the aspects of any category of exposure to be brought into the process.

Discovery sees the identification of visible and hidden assets, vulnerabilities and risks, but it would be unrealistic to protect them all, so prioritisation is required. This step evaluates what discovery found to identify the highest value assets and the biggest threats, as well as how they might be exploited individually or in concert with one another. Exposures that are identified as a critical step in numerous attack paths, for instance, are choke points that, if addressed, can significantly reduce risk. As Gartner points out, the organisation can’t fix everything, but it also needs to know which issues can be deprioritised, so by continuously reappraising exposures, priorities can be refined.


The next step is the validation of how attackers could exploit the vulnerability, and this is where the business looks at attack paths, the level of response, and how and when it should remediate. The final stage is mobilisation, to ensure everyone is informed and on board with the CTEM process so that there is minimal friction when it comes to approvals, implementation and mitigation.
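The choke-point idea behind the prioritisation step can be made concrete with a small attack-path model. The following is an added example, not code from the article or from Gartner: it enumerates the paths from each entry point to a critical asset in a constructed exposure graph, ranks intermediate exposures by how many paths run through them, and re-scores the graph once the top choke point is remediated, which is the continuous reappraisal the article describes. All node names are hypothetical labels chosen for illustration.

```python
# Added example, not from the article: choke-point prioritisation over a constructed
# exposure graph. An edge A -> B means abusing exposure A makes exposure B reachable.
# All node names are hypothetical labels chosen for illustration.
from collections import Counter

SAMPLE_GRAPH = {  # constructed sample data
    "phishing-ready mailbox": ["stale VPN account", "unpatched workstation"],
    "exposed RDP": ["stale VPN account"],
    "stale VPN account": ["flat internal network"],
    "unpatched workstation": ["flat internal network", "cached domain admin creds"],
    "flat internal network": ["cached domain admin creds", "legacy file server"],
    "cached domain admin creds": ["crown-jewel database"],
    "legacy file server": ["crown-jewel database"],
    "crown-jewel database": [],
}
ENTRY_POINTS = ["phishing-ready mailbox", "exposed RDP"]
TARGET = "crown-jewel database"

def enumerate_paths(graph, entries, target):
    """Return every simple (cycle-free) path from any entry point to the target."""
    paths = []

    def walk(node, trail):
        if node == target:
            paths.append(trail)
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:  # simple paths only
                walk(nxt, trail + [nxt])

    for entry in entries:
        walk(entry, [entry])
    return paths

def choke_points(graph, entries, target):
    """Rank intermediate exposures by how many attack paths pass through them.
    Returns (exposure, paths_covered, total_paths), best choke point first.
    Entry points and the target are excluded: they are ends, not steps to fix."""
    paths = enumerate_paths(graph, entries, target)
    hits = Counter(n for p in paths for n in p if n != target and n not in entries)
    return [(node, count, len(paths)) for node, count in hits.most_common()]

def remediate(graph, exposure):
    """Model fixing one exposure: drop the node and every edge leading into it,
    so the graph can be re-scored (the continuous reappraisal the article describes)."""
    return {n: [m for m in edges if m != exposure]
            for n, edges in graph.items() if n != exposure}
```

On the sample graph the flat internal network sits on six of the seven attack paths, and removing it alone leaves a single path, which is the kind of signal that lets a team deprioritise the rest.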

Issues to be wary of

However, while each of the steps makes sense, organisations often fall foul of some common issues when trying to implement CTEM. Firstly, there’s a tendency to confuse the scoping and discovery process, limiting the inventory of exposures to immediate network entities. Avoiding this pitfall requires a change of mindset so that the focus becomes not the network itself but the exposure and its impact and any possible knock-on repercussions. What’s more, neither the scope nor the discovery phase should be regarded as a finite process. Both will change as the risk profile of the business does, influenced by changing conditions such as the addition of new technology, M&A etc. Consequently, there should be continuous iterations of these processes in the CTEM lifecycle. Indeed, it is this approach – to always be on the lookout for new exposure categories – that makes CTEM so powerful, rather than always iterating solely within the age-old categories of exposure.

Another risk is that the organisation can become bogged down by technology in an attempt to automate aspects of the process. It’s certainly true that tools can help the programme run smoothly, but deploying External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Attack Path Mapping (APM), Digital Risk Protection (DRP), Vulnerability Assessment (VA), and continuous controls testing can add to a bloated cyber stack, exacerbating management issues. Thankfully, the interest in CTEM is now seeing these point solutions converge, and expectations are that they will be offered via unified, integrated platforms.

CTEM is undoubtedly worth adopting in the face of the ever-growing threat spectrum and increasing areas of exposure, particularly given the advent of Generative AI which is liable to see threat actors combine techniques and significantly scale their attacks. Without the ability to prioritise threats and associated remediation, security teams are liable to become even more overwhelmed. CTEM addresses this problem by utilising finite resources to identify and tackle exposures that represent the most risk, filtering out the noise. Plus, as CTEM is a continuous programme, it creates a feedback loop that ensures ongoing refinement and improvements. It is this combination of CTEM’s approach to conserving resources, focusing remediation and reducing risk that makes it such a promising area of adoption within the cyber security industry.

Director of Product Management at 

Brian is an experienced senior product leader with over 20 years’ experience in guiding strategic planning, business innovation, product development, and go-to-market execution in the B2B technology and services sector, with deep knowledge of the market and technical elements of cybersecurity, telecoms, networking, IT, software, and related services.
