The 3 Key Ingredients to Getting CTEM Right

Posted by: Jason Fruge
November 17, 2024

As a CISO with over 25 years of experience across diverse industries, I’ve seen the limitations of traditional vulnerability management firsthand. It’s often a compliance-driven, check-the-box exercise that spreads resources thin instead of prioritizing them based on actual risk. Incomplete data, riddled with false positives, further hinders our ability to identify and mitigate threats effectively. This leaves organizations with too much to fix effectively – and worse, it means they don’t know what’s putting them at risk. 

Enter Continuous Threat Exposure Management 

Gartner recognized these shortcomings and introduced the Continuous Threat Exposure Management (CTEM) framework to revolutionize how we approach security. CTEM moves beyond simply patching vulnerabilities based on CVSS scores. It empowers us to:

  • Prioritize efforts: Focus resources on the exposures that pose the most significant risk to the organization.
  • Break down silos: Integrate various exposure types, including identity, cloud, and on-premises environments, to gain a comprehensive view of the entire attack surface.
  • Make informed decisions: Prioritize and respond to threats based on a complete and accurate understanding of exposures.

The People, Processes, and Tools You’ll Need 

With CTEM, you finally have what security teams have always wanted from their vulnerability management program but have never been able to get: the playbook attackers are likely to run against your environment. With the visibility into attack paths and the highest-risk exposures that CTEM provides, you can see the paths an attacker would most likely take to do the most damage. That lets you mobilize scarce resources on the exposures that matter most and reduce the risk of a cyber-attack impacting the business.

But getting CTEM right takes work. It is not a simple undertaking, and it requires assembling the right elements in the right measure: the right people, processes, and technology. I'll break down each of these elements here.

Which People Are Involved in CTEM? 

The first element of a successful CTEM program is the people. A CTEM program is only as effective as the teams running it. As you integrate CTEM into your organization, make sure to involve:

  • Security Operations: This team is tasked with operating CTEM technologies, discovering and reacting to findings, and reporting on and driving remediation efforts.
  • Security Engineers and Architects: This team should design and coordinate efforts to reduce strategic exposures.
  • Red and Blue Teams: These teams use CTEM output to report on broad exposure trends and to react to urgent findings, such as newly identified choke points that expose a major part of the environment.
  • Governance, Risk, and Compliance: The GRC team handles executive reporting on the Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) that CTEM specifically enables, such as the reduction in the number of choke points, the reduction in overall risk, and the mean time to detect and remediate exposures.

What Processes Are Involved in CTEM? 

The next most important part is your processes. You will want to avoid implementing a new capability that merely points to more problems without making sense of them. For CTEM to work as designed, you need to distill all of that enriched exposure information into actionable tasks to drive actual risk reduction. That will require enhancing and creating various processes, including:

  • Continuous Monitoring: Implement automated tools and processes to continuously monitor the attack surface for new exposures. Remember, this includes identity issues, weblogs, and other exposure types beyond traditional vulnerability management and patching.
  • Risk-Based Prioritization: Develop a process for prioritizing exposures based on their potential business impact (blast radius) and likelihood of exploitation.
  • Collaboration and Communication: Establish clear communication channels and processes for sharing threat intelligence and coordinating response efforts across teams. This includes integration with ticketing systems such as Jira and ServiceNow, and enrichment of the CMDB with exposure data.
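
The risk-based prioritization and choke-point ideas above, as an added Python example that is not part of the original post and is not XM Cyber's code. It builds a small attack graph from constructed exposure data (the asset names, edges, entry points, critical assets and likelihood scores are all assumptions), ranks each exposure by likelihood of exploitation times blast radius (critical assets reachable once that exposure is used), and reports choke points (assets whose removal cuts the entry points off from critical assets). Exposures that do not sit on a path from an entry point, or that lead to nothing critical, score zero regardless of how exploitable they are.

```python
from collections import deque

# Constructed sample data (not from the article): where attackers start and
# which assets are the crown jewels.
ENTRY_POINTS = {"internet"}
CRITICAL_ASSETS = {"dc", "crm-db"}

# Exposures as (id, source asset, target asset, likelihood of exploitation 0..1).
# The likelihood is a constructed score; in practice it would come from
# validation results or threat intelligence, not from a CVSS base score.
EXPOSURES = [
    ("web-rce",          "internet",  "web",       0.9),
    ("cached-creds",     "web",       "jump",      0.6),
    ("kiosk-default-pw", "web",       "kiosk",     0.95),  # very exploitable, leads nowhere
    ("admin-session",    "jump",      "dc",        0.5),
    ("open-share",       "jump",      "fileshare", 0.7),
    ("db-conn-string",   "fileshare", "crm-db",    0.4),
]


def build_graph(exposures):
    """Adjacency map: asset -> set of assets an attacker can move to."""
    graph = {}
    for _, src, dst, _ in exposures:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable(graph, starts, removed=frozenset()):
    """Breadth-first reachability from `starts`, ignoring any node in `removed`."""
    seen = set()
    queue = deque(s for s in starts if s not in removed)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(n for n in graph.get(node, ()) if n not in removed)
    return seen


def blast_radius(graph, exposure, critical=CRITICAL_ASSETS):
    """Number of critical assets an attacker can reach after using this exposure."""
    _, _, dst, _ = exposure
    return len(reachable(graph, {dst}) & critical)


def prioritize(exposures=EXPOSURES, entries=ENTRY_POINTS, critical=CRITICAL_ASSETS):
    """Rank exposures by likelihood x blast radius, highest first.

    Returns a list of (id, score, blast_radius, likelihood). Exposures whose
    source asset is not reachable from an entry point are not on any attack
    path and score 0.
    """
    graph = build_graph(exposures)
    on_path = reachable(graph, entries)
    ranked = []
    for exp in exposures:
        eid, src, _, likelihood = exp
        radius = blast_radius(graph, exp, critical) if src in on_path else 0
        ranked.append((eid, round(likelihood * radius, 2), radius, likelihood))
    ranked.sort(key=lambda r: (-r[1], -r[3]))
    return ranked


def choke_points(exposures=EXPOSURES, entries=ENTRY_POINTS, critical=CRITICAL_ASSETS):
    """Assets whose removal cuts critical assets off from the entry points.

    Returns {asset: number of critical assets that become unreachable},
    ordered by impact. Entry points and critical assets themselves are skipped.
    """
    graph = build_graph(exposures)
    baseline = reachable(graph, entries) & critical
    result = {}
    for node in graph:
        if node in entries or node in critical:
            continue
        cut = baseline - reachable(graph, entries, removed={node})
        if cut:
            result[node] = len(cut)
    return dict(sorted(result.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for eid, score, radius, lik in prioritize():
        print(f"{eid:18} score={score:<5} blast_radius={radius} likelihood={lik}")
    print("choke points:", choke_points())
```

On this constructed data the kiosk default password is the most exploitable exposure but ranks last, because nothing critical is reachable from the kiosk; the web front-end exposure ranks first because it opens a path to both crown jewels. Fixing the `web` or `jump` choke point removes every path to the critical assets at once, which is the kind of remediation a CTEM program should surface ahead of a long list of individually scored findings.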

What Tools Are Involved in CTEM? 

The last element is the technology and tools involved. Let's start by setting one thing straight – CTEM is NOT a technology. It's a framework.

As we said in a recent blog:

“CTEM is not a purchasable product any more than Zero Trust is. It isn’t a magic bullet software solution that instantly bolsters your defenses. Instead, it’s a comprehensive cybersecurity framework, a best practice approach and a way of thinking about security holistically. 

What’s more, CTEM can actually leverage security tools you might already own, guiding you to integrate them into a cohesive strategy. While specific software might be used within a given implementation of a CTEM program, CTEM is ultimately an ongoing process of discovery, validation, and adaptation – ensuring your defenses stay ahead of the curve.”

So if that’s the case, what types of tools can be used to implement CTEM? 

This is a loaded question, as each of the 5 stages of CTEM – Scoping, Discovery, Prioritization, Validation, and Mobilization – should be implemented with the right tools for the job. Here is a quick overview of what can be used for each stage (meanwhile, you can read this article for a deeper dive into the tools to use for each one). 

Scoping: 

  • Spreadsheets 
  • Configuration Management Databases (CMDBs)
  • Software Asset Management (SAM) and Hardware Asset Management (HAM)
  • Data Security Posture Management (DSPM) tools to provide valuable insights by analyzing assets and prioritizing those that need the most protection

Discovery:

  • Vulnerability scanning tools
  • Cloud Security Posture Management (CSPM) 

Prioritization:

  • Attack path mapping tools
  • External threat intelligence platforms 

Validation:

  • Automated Security Validation tools 
  • Penetration testing

Mobilization:

  • Ticketing systems like Jira or Freshworks, to streamline the remediation process
  • Email notifications to communicate urgent issues and updates to stakeholders
  • Security Information and Event Management (SIEM) to quickly identify and respond to threats
  • Playbooks to outline remediation steps for common vulnerabilities

With the right exposure management platform, you can support all five stages and get a unified view of exposures across cloud, on-premises, network, and identity systems, which makes the Continuous Threat Exposure Management (CTEM) framework easier to adopt and maintain.

Putting it all Together to Get CTEM Right

Resources are always limited, and exposures are ever-abundant. But when implemented properly with the right elements in place, CTEM can help organizations focus on what truly matters by providing a tested and validated risk-based approach to continuous exposure management. This approach not only improves your team's ability to manage exposures but also lets you adapt with agility to the ever-changing threats that lie ahead.


Jason Fruge

Seasoned CISO who has led and managed security programs for Fortune 500 companies in retail, banking, and fintech sectors. Resident CISO at XM Cyber
