Extending The 5 Stages of CTEM to the Cloud

Posted by: Batya Steinherz
April 04, 2024
CTEM v.2.0

If you’re a regular reader of this blog, you’ll know that Continuous Threat Exposure Management (CTEM) is a major driver of everything we do here. The simple reason is that CTEM is the backbone of a healthy exposure management methodology and the key to protecting digital assets from the ever-growing number and variety of threats facing them.

But sometimes absent from the CTEM conversation is the topic of the cloud. 

Vulnerabilities as we know them, like CVEs, are more the territory of on-prem, and thus the CTEM conversation took root in the on-prem world. But considering that cloud solutions are now the de facto standard, and therefore more exposed than ever before, the need to bring the cloud into the exposure management conversation has never been more important.

(Some of the Many!) Security Challenges in the Cloud 

Security in the cloud, as we know all too well, is less than air-tight. Multiple challenges put cloud investments and deployments at risk:

Siloed approach increases risk – With the multiple teams and owners involved in cloud projects – from DevOps, to security, to cloud teams – it can be very challenging to get clear lines of ownership and accountability for cloud security. This breeds situations where security best practices aren’t followed for lack of clarity and a unified approach.

Limited visibility – There’s also a troubling lack of consistency when it comes to cloud vendor permission management systems, each having their own protocols and controls regarding who can access and change data. This leads to a vastly increased risk of misconfigurations, which are a leading cause of breaches. Moreover, the fact that cloud environments can change significantly on a constant basis is a breeding ground for misconfigurations and issues that slip through the cracks.

Inefficient remediation can’t keep up with exposures – One last challenge is the number of issues teams need to investigate. With thousands of exposures ranging from misconfigurations to identity-based issues such as weak credentials, teams are often left with no clue about which issues actually need to be addressed first and which can wait.

This is why CTEM is crucial for the cloud. 

The whole goal of CTEM is to reduce risk and improve security posture. Using the 5 stage methodology of scoping, discovery, prioritization, validation, and mobilization helps organizations build a consistent, repeatable and ACTIONABLE plan to focus on issues that actually matter, to close the remediation gap and get ahead of the threats that do indeed put them at risk. 

By extending the 5 stage approach to cloud environments, organizations can build an exposure management strategy that reduces risk in the most efficient way possible.

The 5 Stages of CTEM for the Cloud

So let’s have a look at the 5 stages of CTEM and how they can be tweaked to meet the ever-evolving needs of the cloud:

Scoping – With the complexity of the cloud, understanding the attack surface is imperative. Your cloud attack surface encompasses cloud applications and services, as well as the data from the platforms plus the people who are able to access this data. As opposed to your on-prem attack surface, the cloud lacks a traditional “perimeter” which makes scoping it more challenging.

Discovery – This stage identifies and classifies cloud resources, misconfigurations, vulnerabilities, and potential threats based on the scope which was defined above. Included in this stage is performing an assessment of the overall exposures across multi-cloud environments with a goal of evaluating risk profiles. 

Prioritization – In this stage, exposures are analyzed to weigh the level of known threat they’ve posed ‘in the wild’ and exploitability in your environment, as well as how they compromise cloud resources. This step is crucial, because large organizations uniformly find that there are far more exposures than they’ll ever be able to fix. Why? Partly because of sheer volume, and partly because their environments are constantly changing – new assets, users, software, configuration settings, and more.

Validation – The validation stage looks at how attacks can occur and the likelihood of their occurrence. This step can leverage a variety of tools for different uses. In some cases, validation is performed to enable prioritization, as in Stage 3 above. In other cases, validation can be valuable in continually testing security controls or to automate periodic pen testing.

Mobilization – This stage, which in a sense serves as the facilitating factor for the entire framework, is where you make sure everyone is on the same page and understands their role and responsibilities within the context of the program. This is especially crucial in the cloud, as there are just so many more moving parts, when compared to on-prem. Mobilization is optimized when all teams involved in remediation have clarity around the risk reduction value of any remediation effort, as well as reporting to show the overall trend of improvements made to security posture over time. 

End-to-end Exposure Management Across Cloud too!

Cloud environments are complex, and as a corollary, create a lot of risk. That’s why it’s critical to build a strategy to fix the most critical exposures and stop attacks before they happen. By extending CTEM to the cloud, organizations can finally reduce risk and improve security posture in a meaningful and impactful way.


Want to learn more about CTEM for the Cloud? Check out how XM Cyber helps you focus on high-impact risks across multi-cloud and hybrid environments.
