Must-Have Expert Tips & Tricks to Implement Your CTEM Program

Happy birthday to CTEM! 

It’s been a year since Gartner first mentioned Continuous Threat Exposure Management (CTEM) in their foundational report Implement a Continuous Threat Exposure Management Program, published in July, 2022. During this past year – which was uniquely challenging from a cybersecurity perspective – putting this framework into action has become a priority across many organizations. The reason? CTEM is now considered one of the most effective methodologies to continuously reduce exposures.

How Does CTEM Help in Exposure Management?

CTEM continually assesses an organization’s entire ecosystem – networks, systems, assets, and more – to identify vulnerabilities and weaknesses. The simple goal of the framework is to reduce the likelihood of these weaknesses being exploited. It accomplishes this via a five-stage approach:

1. Scoping
2. Discovery
3. Prioritization
4. Validation
5. Mobilization

However, as we mentioned previously, implementing a CTEM program can be complex. For this post, we polled our global in-house experts and harvested their top tips and best practices on how to meet the challenges of each stage of CTEM. We mapped these tips to the different stages of CTEM with a goal of making them as actionable as possible. Here is what they have to say, broken down by stages:

Stage 1 – Scoping

Keep your business-critical assets in check. According to your vertical, see what is important to the business from both a business perspective and operational perspective and add it to your exposure management program.

– Rinat Villeval, Manager of Technical Enablement

Define a periodic automatic review of your critical assets with the main stakeholders in your organization, preferably a quarterly/half-year cadence.

– Rinat Villeval, Manager of Technical Enablement

Stage 2 – Discovery 

Get a diverse team of experts involved here in the discovery stage. Be sure to include non-security teams such as IT, DevOps, Infra, R&D, Finance and other employees who offer unique vantage points regarding vulnerabilities and exposures. 

– Menachem Shafran, SVP Product and Innovation

Leverage a wide range of discovery tools and methods to assess all resources and uncover potential weaknesses. This could mean conducting vulnerability assessments and other security audits as well as pen-testing.

– Shay Siksik VP, Customer Experience

Stage 3 – Prioritization 

Don’t forget to reduce the usage of legacy OSs, since old CVEs are still exploited in the wild. 

– Hezi Nagar, Customer Success Manager

Regularly update and patch software to close security loopholes or known vulnerabilities that cybercriminals can exploit. Establishing a regular schedule for updates and patches not only strengthens the network against current known threats, but also preemptively expands your defenses against new ones.

– Geremy Charbit, Customer Success Manager 

Prioritize based on what’s impactful in the environment and more importantly, what is impactful to your business. Don’t focus on celeb CVEs like log4j if they can’t impact your environment.

– Daniel Hochberger, Head of Customer Success

Reduce your Microsoft AD attack surface by adhering to Microsoft’s Enterprise Access Model. Identify members of high-privilege groups (Domain Control Groups) such as domain admins, enterprise admins and schema admins. Then, ensure they are all necessary. Remove the ones not required so fewer objects have complete AD control.

– Matt Quinn, Technical Director, UK

Use breach simulations to address identified risks and implement proactive measures.

– Harshad Salvi, Technical Director, India

Stage 4 – Validation

Implement continuous monitoring. Use real-time monitoring tools to keep track of network activity. The primary objective is to facilitate swift detection and response to possible threats, minimizing the window of opportunity for attackers and potentially averting a full-blown breach. Continuous monitoring also helps gain insights into patterns and trends of network activity that may otherwise go unnoticed.

– Geremy Charbit, Customer Success Manager

Once you have made improvements, validate to ensure that the changes you’ve made actually work continually.

– Gali Rahamim, Customer Success Manager 

Stage 5 – Mobilization 

The mobilization stage is where all relevant teams come together. It’s crucial for all teams involved – security, DevOps, DevSecOps, IT, R&D and any others – to be aligned. They need to all be on the same page and aware of why security is requesting a given remediation. To do this, security needs to justify the other teams’ effort by explaining the risk and the potential impact of changes requested on the business. Providing teams with a to-do list isn’t good enough. You need to sit with the relevant teams and talk about the WHY so that they have a proper understanding of the goal of each remediation.

– Shay Siksik, VP Customer Experience

Implement risk accountability policies. This can be implemented on an enterprise-wide level and personal level; incorporate risk-based thinking, conduct recurring workshops.  Educate employees about phishing attacks and safe internet practices, dark web tours, risk-awareness around working with GPT tools, password discipline, etc.

– Geremy Charbit, Customer Success Manager

It’s important to ensure accurate expectations for capacity and SLAs. Make sure to be on the same page in terms of what non-security teams can handle when it comes to remediations and delivery times.

– Shay Siksik, VP Customer Experience

Set up steering committees to keep business-oriented stakeholders in the loop. Ensure they are continually informed and aligned with what’s happening so that they can understand the importance of teams working in sync.

– Shay Siksik, VP Customer Experience

CTEM is the Key to Efficient Exposure Reduction, Getting it Right Takes Work 

Over the past year, CTEM has proven to be super effective at continuously reducing exposures. But implementation remains tricky – demanding the right combination of technology and expertise. Leverage industry best practices to ensure that your CTEM program contributes to all the parts of your security ecosystem, offers insights that power secure-by-design programs, and enrich your overall security posture and response efficacy.