Brian Martin, Director of Product Management at Integrity360, discusses the benefits of Continuous Threat Exposure Management and how it will become mainstream in the cybersecurity realm.
Continuous Threat Exposure Management (CTEM) is a term first coined by Gartner to describe a proactive approach to managing the full attack surface’s exposure. It was identified in the analyst’s top ten list of Strategic Technology Trends for 2024.
The list aims to identify cutting-edge approaches that will enable organisations to better protect their assets, generate value, and achieve business goals. While AI rather predictably took the top slot, CTEM came in second.
Unlike AI, however, CTEM is not a technology but a programme. It specifies a set of processes that can be used to assess and manage the exposure of the business on a continuous basis. It stems from threat exposure management, which sought to improve vulnerability management by focusing attention not just on dealing with vulnerabilities but identifying and managing the risk of all exposures in the attack surface as a whole.
Therefore, threat exposure management addresses three key areas: vulnerability management, attack surface management, and continuous control testing. CTEM adds the continuous model of scoping out the categories of exposure, prioritising what is most important to remediate, and testing and validating on an ongoing basis. Continuous Threat Exposure Management is a macro control that never ends.
It is continuously vigilant for understanding the attack surface, its exposures, and the never-ending evolution of the exposure profile of organisations in the complex, evolving attack surface of modern organisations.
Why Continuous Threat Exposure Management is a sea change
CTEM advances the concept of threat exposure because it is pre-emptive and continuous in nature. It identifies threats that might be exploited and evaluates how this might occur by using simulations to explore, understand, and disrupt attack paths. This is a valuable tactical approach, given how quickly adversaries can now chain multiple exposures together.
As the name suggests, it’s also continuous, so it enables the business to gain a much greater awareness of the attack surface, which it can protect 24×7 and immediately detect when new exposures emerge. In fact, Continuous Threat Exposure Management is such a game changer that by 2026, Gartner predicts that organisations that use CTEM to prioritise security spend will be three times less likely to suffer a breach.
However, implementing CTEM is not without its challenges. To start with, the business will need to devise and roll out a CTEM programme, which is a five-step process: scoping, discovery, prioritisation, validation, and mobilisation.
Gartner recommends the business begin by scoping the attack surface to help formulate its risk profile. This should focus not just on traditional vulnerabilities and exposures but also potential exposure over other channels such as social media, the dark web, and human or organisational risk.
This stage is followed by discovery, which sees these threats and vulnerabilities documented in an inventory. This inventory is then prioritised accordingly, requiring an understanding of how internal and external exposures might be exploited both individually and in combination. Such analysis will reveal high-risk and high-volume attack paths.
The fifth and final step sees the mobilisation of resources to tackle and remediate those high-priority exposures identified during the other stages. Exposures that form a critical step as part of numerous attack paths can constitute choke points that, if addressed, can significantly reduce the exposure risk profile of the affected organisations.
Issues to be aware of
It’s important that the business moves sequentially through these phases because a common failing is the improper inventory of the estate, whether IT, IoT, and/or OT.
All too often, scoping sees teams skip over the inventory stage, treating both as one and the same. To avoid this problem, the advice is to focus on the risk of the exposure and its possible impact but bear in mind that the impact could have other repercussions.
The scoping and inventory phases should also be viewed as continuous because the risk profile of the business will change due to variables such as the addition of new technologies, M&A activity, etc. Therefore, the scope is never set in stone and requires reconsideration through numerous iterations in the Continuous Threat Exposure Management lifecycle.
In order to make the programme function smoothly, various tools and techniques can be used, but the array available can be confusing and add to the cybersecurity stack. External Attack Surface Management (EASM), Cyber Asset Attack Surface Management (CAASM), Attack Path Mapping (APM), Digital Risk Protection (DRP), Vulnerability Assessment (VA), and continuous control testing are all different aspects of implementing CTEM. However, convergence in this space is expected to see these capabilities integrated and offered over a single platform, helping to pave the way for wholesale adoption.
Why CTEM’s time has come
Uptake is also likely to be driven by the continued expansion of the threat spectrum and the acceleration of attacks executed using AI. Both will see a proliferation that could overwhelm IT and security teams.
Such unprecedented assaults will make the business case for a more proactive approach that can identify the exposures that pose the greatest threat to business assets and the pressing need to prioritise response and remediation. Continuous Threat Exposure Management helps solve the problem of exposure overload to help prioritise finite remediation resources on the exposures that present the most risk to negative outcomes.
But CTEM also confers a number of advantages over and above traditional vulnerability management and threat exposure management. It’s inclusive of all assets, irrespective of where they are housed, monitors internal and external exposures, providing an attacker’s eye view, and prioritises remediation to focus on the most threatening attack vectors, ensuring mitigation is swift and effective.
As CTEM creates a feedback loop, it drives continuous improvements to and bolsters the security posture into detection and response and overall security governance.
This approach can filter out the noise and hone in on the most concerning exposures relevant to that particular business. By increasing the effectiveness of remediation, resources are conserved while still significantly reducing risk.
It’s this ability to prevent overload and boost defensive efforts regarding enterprise-specific threats and exposures that promises to catapult CTEM into the mainstream in 2024.
