If you’re a cybersecurity professional, you’re probably familiar with the sea of acronyms our industry has become obsessed with. From CNAPP, to CWPP, to CIEM and many others, there seems to be a new initialism being born every day.
In this article, we’ll take a look at another trending acronym – CTEM, which stands for Continuous Threat Exposure Management – and the often surprising challenges that come with seeing a CTEM program through to maturity. While the concept of CTEM isn’t exactly new, having made its print debut in July 2022, we are now at a point where many organizations are starting to try to operationalize the programs they have been running over the last few months. And when organizations start executing their carefully designed plans, they may encounter some unexpected challenges which can lead to setbacks.
What is Continuous Threat Exposure Management (CTEM)?
But first, to back up, let’s quickly review what CTEM is and isn’t.
Continuous Threat Exposure Management is not a technology, and you can’t go to a vendor hoping to find a CTEM solution (or, at least, not with just one tool). Rather, CTEM is a continuous 5-stage program or framework intended to help organizations monitor, evaluate and reduce exploitation rates and validate that their analysis and improvement processes are optimal. According to a Gartner® report, “The goal of CTEM is to have a consistent, actionable security posture improvement and improvement plan that business executives can understand and architecture teams can act upon.” (Gartner, July 21, 2022, Implementing a Continuous Threat Exposure Management (CTEM) Program)
What is the Purpose of CTEM?
The Gartner report further states, “Technology-centric attack surfaces and vulnerability self-assessment projects generate infrequently actionable reports and long lists of generic fixes. Vulnerability management programs rarely keep up with the aggregate volume of their own organizations, leading to a rapidly evolving attack surface.” (Gartner, July 21, 2022, Implementing a Continuous Threat Exposure Management Program (CTEM)) These factors, coupled with other key drivers, such as the difficulty in maintaining a security posture over time amid a growing attack surface, mean that traditional approaches to holistically ensure security are growing less effective over time.
According to Gartner, “The goal of CTEM is to have a consistent, actionable security posture improvement and improvement plan that business executives can understand and architecture teams can act upon.” (Gartner, July 21, 2022, Implementing a Continuous Threat Exposure Management (CTEM) Program). When properly implemented, CTEM can help organizations continuously improve their security posture by identifying and remediating potentially problematic areas before they can be exploited by attackers.
3 Challenges on the Road to CTEM
Sounds great. So what are you waiting for?
Hold on; setting up a CTEM program is a great initiative – but there are some implementation challenges that need to be addressed for successful execution. Taking them into account earlier in the implementation phase can save time and frustration later.
Challenge 1 – Getting non-security and security on the same page
It’s a well-known fact that IT, infrastructure, DevOps, application and similar teams don’t always speak the same language as the security team. This is problematic in many ways, but when implementing a new program or venture the disconnect can become even more problematic. In implementing CTEM, it can lead to a lack of understanding of who on the non-security team owns what, and misalignment with SLA expectations, among other issues.
The problem here is that it can be difficult to communicate needs fully, especially when those teams are stuck with their own “URGENT!” projects – and, for them, CTEM is just one more of those projects. This lack of understanding can prevent them from actually doing what needs to be done.
How to fix – From the earliest stages, bring stakeholders from non-security teams into the conversation. It’s not enough just to give them a to-do list. Instead, sit down with them and explain the goals you are trying to achieve so they have a proper understanding of what is being done. Ask for their input and find out what they need from you or other teams in the organization to make their lives easier. Plus, sharing cyber attack news with them will make them more aware of the business impact they can have, and how it really relates to their part of the business.
Challenge 2 – Seeing a bird’s eye view
A comprehensive CTEM program covers many different areas, from Cloud, to AD, to software vulnerabilities, to network security, and basically everything else. Each is in its own silo and has its own owner, its own tools, and its own list of problems to fix. CTEM’s goal is to unify everything into one holistic view, with each area informing the others. In practical terms, that means aggregating all of the information and using it to understand priorities and responsibilities.
But gaining a basic understanding is challenging because each of these areas requires different expertise. The last thing you want is to have a program that you painstakingly built and executed but that failed to understand the risks each area presents – or worse yet, forgot to include certain problem areas.
How to fix – Define someone as a “main person” – the one person who can take a bird’s eye view and become a high-level expert at understanding how all the areas covered blend together and influence one another. This person doesn’t need to have a detailed understanding of how each tool works or what each category of security concern covers, but they need to be able to understand the whole big picture so they can fully and accurately ensure that all areas are accounted for and continually addressed by qualified professionals with deep and nuanced expertise.
Challenge 3 – Overcoming diagnostic overload
Coming back to that point about all the different areas covered in CTEM: another important aspect to note is that since they all have their own tools, they all generate alerts. So while the main goal of CTEM is to streamline all the information that comes from these tools, one notable by-product is just a lot of extraneous noise.
How to fix – Accept the fact that fixing everything is nearly impossible, which means you need to prioritize and be as efficient as possible. To do this, focus on the scopes and exposures that are most likely to be exploited by attackers and those that can cause the greatest business impact. It may help to take a “crawl, walk, run” approach, that is, start with small steps aiming at a small scope and scaling up as your program grows more mature.
According to Gartner, “By 2026, organizations that prioritize their security investments based on continuous exposure management programs will be three times less likely to experience a breach.” (Gartner, July 21, 2022, Implementing a Continuous Threat Exposure Management (CTEM) Program) And we feel it’s huge. Hopefully, by working out a few potential kinks along the way, your organization will be ready to face CTEM smoothly.
Notes: This article was written and contributed by Shay Siksik, VP Customer Experience at XM Cyber.