Continuous Threat Exposure Management (CTEM): Why It’s Necessary and How to Achieve It

Written in Partnership with CyberRisk Alliance

Beyond Vulnerability Management

Old-fashioned vulnerability management may no longer fit the bill. Paul Wagenseil explains how continuous threat exposure management (CTEM) discovers, prioritizes, and validates potential risks and aligns remediation with business goals and compliance frameworks.

Despite organizations spending billions of dollars on cybersecurity over the past two decades, data breaches, ransomware and other successful attacks are not abating. If anything, they seem to be getting worse.

It may be time for a new approach to cybersecurity that doesn’t try to patch every vulnerability and thwart
every threat. This approach would identify the most crucial issues and account for business needs as well as the likelihood of compromise and its potential impact.

This way, the most pressing vulnerabilities could be mitigated with maximum efficiency and minimum business disruption. The goal of risk elimination could be replaced with the more realistic goal of risk reduction.

In July 2022, Gartner came up with the concept of “continuous threat exposure management” (CTEM), a program that looks holistically at cybersecurity risks within the context of business policies, feasibility of mitigation and likelihood of occurrence.¹

“A CTEM program is an integrated and iterative approach to prioritize and mitigate threats and exposures emerging from any asset or tech stack that is part of your evolving attack surface. Continuous refinement of an enterprise’s security posture is a sustainable benefit of any successful CTEM initiative,” explains Seemant Sehgal, Founder & CEO at BreachLock. “It includes tools like PTaaS [penetration testing as a service], ASM [attack surface management], continuous pen-testing and red-teaming.”

CTEM also emphasizes clear communication from CISOs and security personnel to executives and stakeholders so that the process of threat minimization can be aligned with organizational goals. Ultimately, the effect of CTEM may be to make a CISO’s job, and the security programs the CISO runs, mesh better with the priorities of an organization as a whole. If CTEM is implemented properly, C-suite executives who want to better understand cybersecurity can understand the CISO’s role more clearly, rendering the CISO’s communications and efforts more effective and collaborative overall.

“The intention is to make the investment in resolving [vulnerabilities and threats] more palatable to the board, as well as directing that investment to business-contributing fixes that reduce threat exposure risk and improve the resiliency of the organization,” wrote Gartner analyst Pete Shoard in a 2023 white paper.²

CTEM Explained

Gartner defines CTEM as “a pragmatic and systemic approach [that] organizations can use to continually evaluate the accessibility, exposure and exploitability of digital and physical assets.”

Quoted in a Gartner blog post, analyst Jeremy D’Hoinne used plainer terms:

“Continuous threat exposure management is a pragmatic and effective systemic approach to continuously refine priorities and walk the tightrope between two modern security realities. Organizations can’t fix everything, nor can they be completely sure what vulnerability remediation they can safely postpone.”³

CTEM is not vulnerability management on steroids. Vulnerability management is a reactive process that assesses how to remediate known vulnerabilities. By contrast, CTEM takes the initiative to scope out, discover, prioritize, validate, and remediate vulnerabilities and other potential threats before they become problems.

The idea is to continuously, cyclically reassess and re-analyze an organization’s security posture and risk exposure, determining what may be vulnerable and then assessing how many of those vulnerabilities pose true threats. It’s an ongoing, routine process rather than a rushed reaction to sudden incidents.

If vulnerability management is like taking your car to the garage when the engine starts sounding funny, then CTEM is like the maintenance and check-ups that aircraft mechanics perform before every commercial airline flight.

How Exposure Management Fits into CTEM

Exposure management a fairly new term describing a process by which a particular issue or vulnerability can be assessed, prioritized and determined to be a threat. CTEM places exposure management into a continuous cycle.

Exposure management has three components: determining the attack surface, determining the ease of exploitability, and determining the validity of the threat. Attack Surface Management (ASM) tools are crucial to achieving the first goal, and vulnerability management the second.

Sehgal explains that exposure-management validation should have three goals:

1. Confirm that an exposure can be exploited, identify the potential attack pathways, and determine the likelihood of the exploit
2. Determine the potential impact the exploit might have
3. Determine whether proposed solutions will truly remediate the threat

“Validation is extremely important to better understand the criticality of the threat,” Sehgal says. “Each organization needs to determine the minimum level of accuracy that will convince all stakeholders to remediate, which will dictate the tool selection or solution used for remediation.”

Why CTEM and exposure management are necessary

To extend the aircraft-maintenance analogy, an organization that continuously finds and fixes cybersecurity issues before they become bigger problems is going to have a more efficient security culture than one that only reacts to incidents and known threats.

Sehgal emphasized that CTEM works well at scale because it helps eliminate inefficiencies and duplication.

“Large enterprises with heavy workloads that span across large IT environments might need quick security testing, resulting in a large number of vulnerabilities. However not all of them have the same impact on your business,” Sehgal says. “A CTEM program aids in prioritizing risk reduction efforts and efficiently allocating resources where they’re most needed.”

“A CTEM program needs to continuously align with governance, risk, and compliance (GRC) mandates and factor its material impact on attributes such as classification of an asset or information that are part of an organizations business attack surface, Sehgal says. “Regulatory compliance impact is evaluated based on how an impacted asset aligns with legal and industry standards. CTEM can also map a potential exposure to relevant regulation requirements such as GDPR, HIPAA, PCI-DSS and prioritize it accordingly.”

A rigorous, clearly understood CTEM program helps justify the high cost of effective cybersecurity, Gartner’s Shoard explained in 2023.

“All areas of security expenditure are under scrutiny, whether that be direct purchase of security tooling or services, or the indirect impact of security processes and procedure on the wider business,” Shoard wrote. “Metrics serve not only to prove the value that risk reduction contributes to the business, but the effort expended to improve processes to minimize business impact and disruption.”

How to Implement a CTEM Program

“There is no need to start from scratch when developing a new CTEM program,” wrote Gartner’s Shoard. “Many existing processes that offer assessment of security exposure in specific domain areas, such as vulnerability management, can be extended to provide a starting point.”

Gartner outlines a cyclical CTEM process with five repeatable steps:

1. Scoping of potential threat exposure
2. Discovery of assets and their associated risks
3. Prioritization of the most critical threats and vulnerabilities
4. Validation of whether identified risks are real
5. Mobilization to remediate validated, high-priority threats and vulnerabilities

Scoping involves defining your organization’s total potential attack surface, both internal and external — every possible way a malicious actor could attack your systems.

The scope should go “beyond the focus of typical vulnerability-management programs,” Gartner’s Kasey Panetta wrote in a 2023 blog post. “Include not just traditional devices, apps and applications but also less tangible elements such as corporate social media accounts, online code repositories and integrated supply chain systems.”³

Once the scope is defined, then the discovery process can be applied to elements within the scope, which is where exposure management kicks in. Gartner’s Panetta added that discovery processes may even expand the scope of inquiry by “identify[ing] visible and hidden assets, vulnerabilities, misconfiguration and other risks.”

“Continuous Asset discovery is central theme of many CTEM programs,” says Sehgal. “It is the starting point to determine which assets are most vulnerable to an attack, and additional attack paths that will open up if this vulnerability is exploited. Discovery should go beyond CVEs and include contextualization such as the attractiveness of an asset, the ease of exploitation, etc. This can then be followed by pentesting, for example, to see how such weaknesses respond to exploitation and what mitigation is needed.”

Then comes prioritization, a form of cybersecurity triage. Each discovered threat or vulnerability is ranked according to how likely it is to be exploited and how disruptive the impact of a successful exploit would be. Both are normal aspects of cybersecurity risk assessment.

CTEM prioritization expands the risk assessment by aligning with an organization’s overall goals. It considers the feasibility of remediating a particular threat exposure, and how disruptive the remediation itself could be in the context of business activities.

<p<“Without impact context,” warned Shoard, “the exposures may be addressed in isolation, leading to uncoordinated fixes relegated to individual departments exacerbating the current problems associated with most vulnerability management programs.”

The next step is validation, or actively checking to make sure the prioritized exposures actually do pose threats.

It isn’t just a test to see whether a threat or vulnerability exists, but also what the potential impact of that threat or vulnerability might be. This can be done through red-teaming, manual pentesting, continuous pentesting, or automated breach-and-attack-simulation (BAS).

“In a CTEM context, [validation] include the verification of a potential exposure, its prioritization, and eventually validating its mitigation” Sehgal says.

“CISOs should think of prioritization as a reordering of the exposure-management work they have to do, and validation as a filtering of that list based on what attackers would do,” wrote Shoard. “Without validation, prioritized issues remain voluminous. Put simply: validation = impact X viability.”

The final step is mobilization, or how the organization will respond to and remediate the most important threat exposures. Again, alignment with the goals of the business is paramount here, as is clear and effective communication with both security and non-security personnel.

“Communicate your CTEM plan to the security team and to business stakeholders, and make sure it’s well understood,” says Gartner’s Panetta.

Conclusion: Incorporating common sense

Many aspects of CTEM may seem like common sense, and it’s likely that similar programs have already been implemented by smart CISOs who understand human nature and how to communicate effectively with nonsecurity personnel and stakeholders. Some CISOs might not have such innate skills, so CTEM really is for them.

Security leaders should “develop a set of outcome-driven, business-tuned metrics to deliver their findings in ways that senior leadership can use to make effective decisions without having to be security specialists,” added Gartner’s Shoard. “Managing a risk doesn’t always involve removing it; in most cases risk can only be reduced, not removed.”

Part of CTEM is indeed deciding what not to fix or remediate. Asked what he would say to skeptics who might point out that CTEM leaves some threats and vulnerabilities in place, Sehgal says,” That is exactly how it should be. The fact that CTEM is an iterative process emphasizes that threats and exposures need to be prioritized and mitigated. This implies that there will always be a residual risk for any organization.”

CyberRisk Alliance (CRA) is a business intelligence company serving the high growth, rapidly evolving cybersecurity community with a diversified portfolio of services that inform, educate, build community, and inspire an efficient marketplace. Our trusted information leverages a unique network of journalists, analysts and influencers, policymakers, and practitioners. CRA’s brands include SC Media, Security Weekly, ChannelE2E, MSSP Alert, InfoSec World, Identiverse, Cybersecurity Collaboration Forum, its research unit CRA Business Intelligence, the peer-to-peer CISO membership network, Cybersecurity Collaborative, the Official Cyber Security Summit, TECHEXPO Top Secret, and now LaunchTech Communications. To learn more, visit CyberRiskAlliance.com.

About BreachLock

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!

References

1. D’Hoinne, J., Shoard, P., Schneider, M. (2022). Implement a Continuous Threat Exposure Management (CTEM) Program. Gartner.
2. Shoard, P. (2023). 2024 Strategic Roadmap for Managing Threat Exposure. Gartner.
3. Panetta, K. (2023, August 21). How to Manage Cybersecurity Threats, Not Episodes. Gartner.