Continuous Threat Exposure Management (CTEM)

Always-on monitoring for a never-ending attack surface

Gartner® Threat Exposure Roadmap

What is Continuous Threat Exposure Management (CTEM)?

Continuous Threat Exposure Management (CTEM) is a program that security practitioners can put in place to automate continuous monitoring of attack surfaces. Those attack surfaces are growing exponentially, driven by the number of IT and security systems needed to maintain modern network infrastructure and the sheer volume of devices requesting network access.

Identity and access management (IAM) capabilities are a critical part of a CTEM program: they properly authenticate the large number of users and machines connecting to an enterprise network, and so prevent threats proactively. According to Gartner® research, CTEM programs are seeing an upswing in popularity due to:

  • "Lack of visibility into the huge volume of potential issues
  • Siloed acquisition of technology across the business
  • Increased dependency on third parties"

The research goes on to state, “The focus of concern with exposure-related problems has shifted away from simply managing software vulnerabilities in commercial products. The realization of increased technology risk on such a large scale is overwhelming to security operations teams.”

The implication of potential large-scale risk for an enterprise environment, a healthcare network for example, is that there could be more access points and/or vulnerabilities for threat actors to exploit at will.

The Five Stages of CTEM

There are several steps in the end-to-end process of continuously managing threat exposure. It’s important that they are performed in sequence so that no vulnerabilities or potential threats slip through the cracks and come back to haunt the organization.

  • Scoping: Assessing an attack surface’s risk posture against key performance indicators (KPIs) and business goals is what helps a security team obtain and agree on a clear plan of action.
  • Discovery: Once scoping is complete, the discovery tools within a CTEM program can begin to identify actual vulnerabilities and attack-surface gaps in raw form, i.e. before prioritization begins.
  • Prioritization: Based on the initial scope, which was set according to security and business strategy, a CTEM program then begins its automated process of assigning each discovered issue a priority rating.
  • Validation: According to Gartner, “automated validation using technology or service capabilities, such as breach and attack simulation (BAS), or automated penetration testing tools will:
    • Assess the likely “attack success” by confirming that attackers could really exploit the previously discovered and prioritized exposures.
    • Estimate the “highest potential impact” by pivoting beyond the initial footprint and analyzing all potential attack paths to a critical business asset.
    • Identify if the processes to respond and remediate the identified issues can be both fast enough and adequate for the business."
  • Mobilization: Closing the loop on the process, and linking back to the first step of scoping, means communicating a plan of remediation action(s) to all affected stakeholders and securing their buy-in once the potential threat vectors have been validated.
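To make the sequence concrete, here is an added example (not code from the original page or from any CTEM vendor) that models the five stages as one loop over constructed exposure records. The scope rules, asset criticality values, priority weights and validation outcomes are all assumptions made up for illustration; in a real program stages 2 and 4 are fed by scanner, EASM and BAS tool output rather than hard-coded lists.

```python
"""Added example, not from the original page: the five CTEM stages modelled as one
loop over constructed exposure records. The scope rules, asset criticality values,
priority weights and validation outcomes are assumptions made up for illustration."""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Asset:
    name: str
    business_unit: str
    criticality: int         # 1 (low) .. 5 (crown jewel), agreed during scoping
    internet_facing: bool


@dataclass
class Exposure:
    asset: Asset
    title: str
    severity: float          # e.g. a CVSS-style base score, 0-10
    exploit_known: bool
    priority: float = 0.0
    validated: Optional[bool] = None   # None until the validation stage has run


# Stage 1: Scoping. Which business units and asset tiers the program covers this cycle
# (assumed values; in practice these come from the KPI and business-goal discussion).
SCOPE = {"business_units": {"patient-portal", "billing"}, "min_criticality": 3}


def in_scope(asset: Asset) -> bool:
    return (asset.business_unit in SCOPE["business_units"]
            and asset.criticality >= SCOPE["min_criticality"])


# Stage 2: Discovery. Constructed raw findings, as a scanner might emit them, before any ranking.
def discover() -> list:
    portal = Asset("portal-web-01", "patient-portal", 5, True)
    billing = Asset("billing-db-02", "billing", 4, False)
    wiki = Asset("legacy-wiki", "marketing", 1, True)
    return [
        Exposure(portal, "Outdated TLS library", 7.5, True),
        Exposure(billing, "Default admin credential", 9.8, True),
        Exposure(wiki, "Directory listing enabled", 5.3, False),
        Exposure(portal, "Verbose error page", 4.4, False),
    ]


# Stage 3: Prioritization. Severity weighted by business criticality, reachability and exploitability.
def prioritize(exposures: list) -> list:
    for e in exposures:
        score = e.severity * e.asset.criticality
        if e.asset.internet_facing:
            score *= 1.5       # assumed weight: reachable from the internet
        if e.exploit_known:
            score *= 1.5       # assumed weight: a working exploit is public
        e.priority = round(score, 1)
    return sorted(exposures, key=lambda e: e.priority, reverse=True)


# Stage 4: Validation. Stand-in for BAS / automated pentest results (assumed outcomes):
# True means the exposure was confirmed usable, False means it could not be used.
VALIDATION_RESULTS = {
    "Outdated TLS library": False,      # e.g. the vulnerable code path is not reachable
    "Default admin credential": True,
    "Verbose error page": True,
}


def validate(exposures: list) -> list:
    for e in exposures:
        e.validated = VALIDATION_RESULTS.get(e.title)
    return exposures


# Stage 5: Mobilization. Only confirmed exposures become owner-facing remediation actions,
# kept in priority order so the communication to stakeholders starts with the worst.
def mobilize(exposures: list) -> list:
    return [
        {"owner": e.asset.business_unit, "asset": e.asset.name,
         "issue": e.title, "priority": e.priority}
        for e in exposures if e.validated
    ]


def run_ctem_cycle() -> list:
    """One pass through scoping -> discovery -> prioritization -> validation -> mobilization."""
    scoped = [e for e in discover() if in_scope(e.asset)]
    return mobilize(validate(prioritize(scoped)))


if __name__ == "__main__":
    for action in run_ctem_cycle():
        print(action)
```

Two things the run shows that the bullet list alone does not: the highest-priority finding (the TLS library on the portal) never reaches mobilization because validation could not confirm it, and the marketing wiki finding never enters the loop at all because scoping excluded it. Both are deliberate: validation is what keeps a high score from automatically becoming a ticket, and scoping is what keeps the noise floor manageable.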

Benefits of CTEM

There are obvious benefits to an always-on approach with regard to monitoring, discovering, and remediating network attack surface issues. The following benefits a business can expect to see assume that a CTEM program has been properly implemented according to the specific needs of the security organization.

A Reduction of Blast Radius and Impact

By leveraging IAM and network access control (NAC) authentication and segmentation best practices, it becomes more difficult for threat actors to access a network, though not impossible. By incorporating these adjacent network-defense capabilities into one continuous-monitoring program, it becomes possible to vastly reduce the impact of a potential breach if an attacker does manage to get in.

A Stronger Security Posture

Because of the substantial risk reduction that can follow from standing up a successful CTEM program, a security organization can adopt more proactive threat-mitigation measures and ultimately achieve stronger cloud security posture management across its cloud environments. The results are a less porous attack surface and an enterprise that defends itself from a position of strength and resilience.

Cost Reduction

This is the benefit every stakeholder likes to see. The costs of a breach, especially a sizable one, are many: potential ransomware payouts, restoring from backups that might not reflect current data, customers lost to reputational fallout, and more. A CTEM program that effectively decreases risk, improves security posture, leverages automation, and reduces breach fallout can save untold amounts of money and headaches in the long run.

CTEM Program Implementation Best Practices

A CTEM program will likely pull in existing aspects of a security program to shore up and automate capabilities under one roof, so to speak. When it comes to an enterprise attack surface, there are constant threats looming and exposures surfacing that didn’t previously pose a risk.

With a proliferation of providers out there, it can be difficult not only to know which vendor’s offering best fits an organization but also what exactly is involved in the implementation of the program. Let’s take a look at the various standalone capabilities upon which a CTEM program might rely in a consolidated capacity to further the goal of achieving cyber resilience.

Ensure External Threats are Addressed

Consider that gaps or vulnerabilities along an organization’s attack surface can quickly become threat vectors through which an external attacker breaches the network and causes a great deal of damage.

Integrating external attack surface management (EASM) capabilities into a CTEM program can help to fortify defenses along a post-perimeter attack surface so that teams can address things like exposed credentials, cloud misconfigurations, and external commercial operations.

Communicate and Align on Outcomes - As Early as Possible

A CTEM program brings together many different tools to protect an enterprise attack surface by continuously monitoring for and identifying exposures. Its purpose bears restating because it has a big job to do, with many stakeholder opinions to take into account.

Thus, agreeing on outcomes and aligning on CTEM’s objectives will help day-to-day security practitioners sift through the diagnostic noise that the different CTEM tools will inevitably produce. Automating the prioritization of this massive volume of alerts is only possible when the system is properly calibrated according to those outcomes.

Gain a Clear and Current View of Risk

Where CTEM spots exposures and helps teams remediate them, incorporating digital risk protection (DRP) capabilities adds a view of the overall likelihood that network systems will contain vulnerabilities or exposures, and helps teams remediate those issues.

The risk level of one public-internet-facing application, tied to any number of internal systems, might be much higher than that of an older company webpage that hasn’t seen significant traffic in a few years.

The application with the higher risk level might not contain any significant exposures right now, but it is receiving far more frequent updates than the outdated webpage. More frequent updates mean more potential for inadvertent exposures, and thus a higher risk level.
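The reasoning in the last three paragraphs, a risk view driven by likelihood and reach rather than by today’s finding count, can be written down as a small scoring model. The following is an added example, not from the original page or from any DRP product; the per-deploy regression probability, the reachability weight, and the two sample assets are assumptions chosen to mirror the comparison above.

```python
"""Added example, not from the original page: a likelihood-based risk view in the
spirit of the paragraphs above. It ranks assets by how likely they are to carry an
exposure soon (change velocity) and by what that exposure could reach (connected
internal systems), not only by the findings known today. The per-deploy regression
probability, the weights and the two sample assets are assumptions."""

from dataclasses import dataclass

# Assumed: the chance that any single release introduces a new exposure.
P_REGRESSION_PER_DEPLOY = 0.02


@dataclass
class AssetView:
    name: str
    internet_facing: bool
    deploys_per_month: int
    connected_internal_systems: int
    open_exposures: int          # findings currently known, any severity


def exposure_likelihood(a: AssetView) -> float:
    """Probability that the asset carries at least one usable exposure this month."""
    # Probability that none of this month's deploys introduces an exposure, treating
    # deploys as independent; one minus that is the chance that at least one does.
    newly_introduced = 1.0 - (1.0 - P_REGRESSION_PER_DEPLOY) ** a.deploys_per_month
    already_present = 1.0 if a.open_exposures > 0 else 0.0
    return max(already_present, newly_introduced)


def blast_radius(a: AssetView) -> int:
    """The asset itself plus every internal system an attacker could reach from it."""
    return 1 + a.connected_internal_systems


def reachability(a: AssetView) -> float:
    return 1.0 if a.internet_facing else 0.5     # assumed weight for internal-only assets


def risk_score(a: AssetView) -> float:
    return exposure_likelihood(a) * reachability(a) * blast_radius(a)


def rank(assets: list) -> list:
    """Highest risk first, as (name, score) pairs."""
    return sorted(((a.name, round(risk_score(a), 3)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample: a busy public application with no known findings, and a
# stale public webpage with one low-severity finding and no recent changes.
SAMPLE_ASSETS = [
    AssetView("patient-portal-app", True, deploys_per_month=40,
              connected_internal_systems=6, open_exposures=0),
    AssetView("legacy-company-page", True, deploys_per_month=0,
              connected_internal_systems=0, open_exposures=1),
]

if __name__ == "__main__":
    for name, score in rank(SAMPLE_ASSETS):
        print(f"{name:22s} risk={score}")
```

With these assumptions the portal, which has no open findings, scores roughly 3.9 (a 55% chance that one of its forty monthly deploys introduces an exposure, multiplied by seven reachable systems), while the stale page with a confirmed finding scores 1.0. That is the page’s point in numbers: a clean-looking asset that changes constantly and touches many internal systems deserves more attention than a static one with a single isolated issue.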