The state of continuous threat exposure management

One of the latest concepts in cybersecurity is continuous threat exposure management (CTEM), which Gartner first defined in mid-2022 and which more than a dozen security vendors now advocate, many of them offering tools that can be used within a CTEM program or that help with setting one up.

Not a platform or an off-the-shelf solution, CTEM is a holistic approach to cybersecurity that actively and constantly discovers, prioritizes, validates and remediates (or mitigates) vulnerabilities, misconfigurations, threats and other potential exposures. It also aligns itself with the goals of an organization as a whole, as well as with compliance frameworks.

CTEM differs from traditional vulnerability management in that it is proactive. Rather than waiting for vulnerabilities and other exposures to be publicly disclosed, CTEM seeks to find and fix them before they become problems. It continuously reexamines an organization’s security posture to determine what may be vulnerable and then verifies what poses a true threat.

That should be music to some CISOs’ ears, as there’s a growing feeling that traditional vulnerability management may have hit its limits as the addressable attack surface continues to expand, with many organizations using hundreds of applications and the number of networked devices multiplying.

Cybersecurity triage

However, CTEM does involve a certain amount of cybersecurity triage. Each discovered vulnerability or threat is assessed for potential risk as well as the impact and cost of remediation. Those exposures that are deemed low-risk — or perhaps too costly to fix — are pushed to the back of the line to be fixed later, or perhaps never.

CTEM proponents would argue that this approach is more realistic and efficient than trying to fix every potential exposure, no matter how costly or disruptive resolving the issue may be.

“Continuous threat exposure management is a pragmatic and effective systemic approach to continuously refine priorities and walk the tightrope between two modern security realities,” said Gartner researcher Jeremy D’Hoinne. “Organizations can’t fix everything, nor can they be completely sure what vulnerability remediation they can safely postpone.”

Detractors might argue that CTEM may result in deferring urgent patches that don’t fit an organization’s business goals or are not cost-effective to fix, perhaps leaving critical vulnerabilities in place. A CTEM program may be difficult to set up, as it involves implementing and coordinating different tools that are perhaps not well suited to working with each other.

One upside, however, is that many of an organization’s existing security solutions can indeed be folded into a CTEM program.

“There is no need to start from scratch when developing a new CTEM program,” wrote Gartner analyst Pete Shoard in a November 2023 white paper. “Many existing processes that offer assessment of security exposure in specific domain areas, such as vulnerability management, can be extended to provide a starting point.”

An ongoing cycle

CTEM is an ongoing, routine process, not a rushed reaction to unforeseen incidents. It also greatly widens the scope of vulnerability management and threat assessment by including in its discovery process configurations and settings, company policies and compliance frameworks, third-party code, employee network credentials, company social-media accounts, and supplier systems.

“A CTEM program needs to continuously align with governance, risk, and compliance (GRC) mandates and factor its material impact on attributes such as classification of an asset or information that are part of an organization’s business attack surface,” said BreachLock Founder and CEO Seemant Sehgal in a recent CyberRisk Alliance report.

CTEM is generally thought of as having five major stages:

1. Scoping should include an organization’s entire attack surface, known and unknown, internal and external.

2. Discovery examines everything within scope, using attack surface management (ASM) or similar tools to find vulnerabilities, misconfigurations and other exposures.

3. Prioritization ranks each discovered exposure according to risk — the likelihood and potential impact of successful exploit — as well as the feasibility and cost of remediation, including potential disruption to business.

“The goal of exposure management is not to try to remediate every issue identified nor the most zero-day threats, for example, but rather to identify and address the threats most likely to be exploited against the organization,” says the introductory Gartner CTEM white paper.

4. Validation actively checks whether a potential threat or vulnerability can actually be exploited. This verification can be done by red teams, external penetration testers, a pen-testing as a service (PTaaS) platform, or automated breach-and-attack-simulation (BAS) tools.

“CISOs should think of prioritization as a reordering of the exposure-management work they have to do, and validation as a filtering of that list based on what attackers would do,” wrote Shoard.

5. Mobilization is determining how the organization will remediate the highest-priority exposures.
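As an added illustration (not from the article or from Gartner's own material), the following Python models stages 3 to 5 of the cycle over a constructed set of discovered exposures: prioritization reorders them by risk discounted by remediation cost and defers low scorers to a later cycle, validation then filters the remainder to what is confirmed exploitable, and mobilization queues what survives. The scoring weights, the deferral threshold, the sample findings and the validation oracle (a stand-in for BAS or pentest results) are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Exposure:
    asset: str
    issue: str
    likelihood: float        # estimated chance of successful exploit, 0..1
    impact: float            # business impact if exploited, 0..1
    remediation_cost: float  # relative cost/disruption of the fix, 0..1

def risk(e: Exposure) -> float:
    return e.likelihood * e.impact

def priority(e: Exposure, cost_weight: float = 0.5) -> float:
    # Stage 3: rank by risk, discounted by how costly/disruptive the fix is
    return risk(e) - cost_weight * e.remediation_cost

def run_cycle(discovered: List[Exposure],
              validator: Callable[[Exposure], bool],
              defer_below: float = 0.2) -> Dict[str, List[str]]:
    """One pass of stages 3-5 over the discovery output."""
    # Prioritization reorders the list; anything under the threshold is
    # deferred to a later cycle instead of being fixed now (the triage step).
    ranked = sorted(discovered, key=priority, reverse=True)
    deferred = [e for e in ranked if priority(e) < defer_below]
    candidates = [e for e in ranked if priority(e) >= defer_below]
    # Stage 4: validation filters candidates to what is actually exploitable
    confirmed: List[Exposure] = []
    unconfirmed: List[Exposure] = []
    for e in candidates:
        (confirmed if validator(e) else unconfirmed).append(e)
    # Stage 5: mobilization queues the confirmed items in priority order
    return {"mobilize": [e.asset for e in confirmed],
            "unconfirmed": [e.asset for e in unconfirmed],
            "deferred": [e.asset for e in deferred]}

# Constructed sample discovery output (assumed values, not real findings)
SAMPLE = [
    Exposure("hr-app", "weak cipher config", 0.4, 0.5, 0.9),
    Exposure("web-portal", "missing patch", 0.9, 0.9, 0.3),
    Exposure("intranet-wiki", "reflected input", 0.7, 0.5, 0.2),
    Exposure("vpn-gw", "default credentials", 0.8, 0.8, 0.1),
]

# Constructed stand-in for BAS/pentest results: only two prove exploitable
VALIDATION_RESULTS = {"web-portal": True, "intranet-wiki": False, "vpn-gw": True}

def sample_validator(e: Exposure) -> bool:
    return VALIDATION_RESULTS.get(e.asset, False)

def demo() -> Dict[str, List[str]]:
    return run_cycle(SAMPLE, sample_validator)
```

The hr-app finding is deferred because its high remediation cost outweighs its modest risk, while the wiki finding ranks high enough to be checked but is filtered out once validation shows it is not exploitable.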

As of mid-2024, it’s not yet clear whether CTEM will be widely adopted by enterprise security teams or will itself be superseded by the next big new thing. Organizations will likely need outside consulting to set up their own CTEM programs, but the payoff should be a reduction in both cybersecurity running costs and the impact of breaches.

“By 2026, organizations prioritizing their security investments based on a continuous exposure management program will be three times less likely to suffer from a breach,” says Gartner.

(Editor’s Note: This is part of a series of articles to feature the 15 Top Cybersecurity Trends of 2024 & 2025)
