The 5 Phases of Continuous Threat Exposure Management

According to Gartner, Continuous Threat Exposure Management (CTEM) is a practice that focuses on continuously identifying, assessing, and mitigating security threats and vulnerabilities in an organization's IT environment. The goal is to provide ongoing visibility into potential risks and vulnerabilities so the organization can respond faster to cyber risk. In many ways, CTEM is an evolution of vulnerability management, or "risk-based vulnerability management" (RBVM).

As opposed to RBVM, Continuous Threat Exposure Management places a greater focus on real-time and ongoing monitoring, threat landscapes and attacker behavior, and the use of automation to mobilize and remediate threats.

The Five Phases of CTEM

1. Scoping

The first phase of CTEM involves security teams identifying the infrastructure that needs to be analyzed and protected. In this phase, security teams should work with the business to identify the most critical assets and resources, both internal and external-facing. As part of scoping, security teams should ideally identify the correct owners of infrastructure and assets, such as code repositories, cloud infrastructure, and more.

2. Discovery

The discovery phase of CTEM is when you discover risks, vulnerabilities, misconfigurations, and threats for the assets and resources in scope. Many tools and techniques can be used in this phase to automate discovery, and ideally you can implement continuous threat and vulnerability monitoring across the entire in-scope environment.

3. Prioritization

The prioritization phase of a CTEM process helps organizations focus their resources and decide what to fix first. Vulnerability prioritization is critical given that most companies have a backlog of vulnerabilities larger than they can ever address in full. Ideally, security teams have context at their fingertips that makes prioritization easy, combining business logic and contextualized vulnerability data to understand the potential impact of any detected threat.

4. Validation

In the validation phase, you confirm that the vulnerability can be exploited, analyze the potential attack paths that could be carried out, and identify existing mitigation and remediation plans. This phase may consist of attack simulations, additional scans and reviews of systems, and manual analysis of vulnerabilities.

Validation is very difficult without understanding the root cause of vulnerabilities. Oftentimes, security and development teams conduct a lengthy back and forth in the validation phase to understand how to act on detected vulnerabilities. When the root cause of an issue is identified, validation becomes much easier, as teams know exactly what to fix in order to mitigate risk.

5. Mobilization

Mobilization is the phase where security works with the business to carry out remediation and treatments for validated exposures and risks. This requires the help of product owners, developers, and other IT stakeholders who may be responsible for making the actual fixes: deploying patches, changing code, configuring resources differently, and more.

Mobilization may take the form of assistive and automated remediation actions, depending on the risk validated and the resources in scope.
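The prioritization and mobilization phases above can be made concrete with a small scoring pass. The following is an added example, not code from the original article or from any vendor: it takes a constructed asset inventory (with the owners and criticality ratings that scoping should produce), a constructed set of findings (placeholder ids, not real CVEs), ranks them by a purely illustrative weighting that combines severity with business context, and then groups the ranked backlog per owning team. The weights and field names are assumptions chosen for the demonstration.

```python
"""Added example (not from the original article): a toy CTEM prioritization
and mobilization pass over constructed sample data. The scoring weights are
illustrative assumptions, not an industry standard."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str            # team responsible for fixes (an output of scoping)
    criticality: int      # 1 (low) .. 5 (crown jewel), agreed with the business
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float                 # technical base severity, 0.0 .. 10.0
    exploit_known: bool         # public exploit / actively exploited (validation input)
    compensating_control: bool  # e.g. an existing network ACL already blocks the path


# Constructed inventory: asset names and owner teams are placeholders.
ASSETS = {
    "web-portal": Asset("web-portal", "platform-team", 5, True),
    "hr-db": Asset("hr-db", "data-team", 4, False),
    "build-runner": Asset("build-runner", "devops-team", 3, False),
    "marketing-site": Asset("marketing-site", "web-team", 1, True),
}

# Constructed findings: ids are placeholders, not real CVE identifiers.
FINDINGS = [
    Finding("F-001", "marketing-site", 9.8, True, False),
    Finding("F-002", "web-portal", 7.5, True, False),
    Finding("F-003", "hr-db", 8.1, False, False),
    Finding("F-004", "web-portal", 9.1, True, True),
    Finding("F-005", "build-runner", 5.3, False, False),
]


def priority_score(f: Finding, assets: dict[str, Asset]) -> float:
    """Combine technical severity with business context.

    Assumed weighting (illustrative only): severity scaled by asset criticality,
    multiplied up when a known exploit exists or the asset is internet-facing,
    and halved when a compensating control already mitigates the exposure.
    """
    a = assets[f.asset]
    score = f.cvss * (a.criticality / 5.0)
    if f.exploit_known:
        score *= 1.5
    if a.internet_facing:
        score *= 1.25
    if f.compensating_control:
        score *= 0.5
    return round(score, 2)


def prioritize(findings, assets):
    """Return findings ordered highest priority first (ties broken by id)."""
    return sorted(findings, key=lambda f: (-priority_score(f, assets), f.finding_id))


def mobilize(findings, assets):
    """Group the ranked backlog by asset owner so each team gets its own queue."""
    queues = defaultdict(list)
    for f in prioritize(findings, assets):
        queues[assets[f.asset].owner].append(f.finding_id)
    return dict(queues)


if __name__ == "__main__":
    for f in prioritize(FINDINGS, ASSETS):
        print(f"{f.finding_id:6} {f.asset:15} score={priority_score(f, ASSETS)}")
    print(mobilize(FINDINGS, ASSETS))
```

Running it shows why context matters: the CVSS 9.8 finding on the low-criticality marketing site ranks below the 7.5 on the internet-facing crown-jewel portal, and the 9.1 on that same portal drops below the 7.5 because a compensating control is already in place. The per-owner queues are what mobilization hands to each team.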

Technologies that can help with CTEM

As mentioned, Continuous Threat Exposure Management (CTEM) is a business practice and not an off-the-shelf technology you can buy. That said, there are many technologies that you should consider when building a CTEM practice.

  • Remediation platforms: remediation may be the most challenging aspect of CTEM, which is why remediation platforms that can unify risks, identify the root cause, and orchestrate the fix are critical to making CTEM happen from end to end.
  • Application Security Posture Management (ASPM): ASPM platforms can help unify all vulnerabilities found across your company’s natively built applications, where exposures can be hard to discover, prioritize, and validate.
  • External Attack Surface Management (EASM): using an automated external attack surface management platform can help continuously identify resources that may be vulnerable and open to attackers, making the prioritization and validation stages easier.
  • Cloud Native Application Protection (CNAPP): if you have any cloud workloads, using a CNAPP platform will automate the discovery and prioritization of cloud vulnerabilities for continuous visibility.
  • Application Security Testing: AppSec scanners like software composition analysis (SCA), dynamic application security testing (DAST), and more are essential for identifying application vulnerabilities and exposures.
  • Breach and attack simulation (BAS): breach and attack simulation platforms can help with validation by carrying out simulated attacks that mimic known attacker tactics, techniques, and procedures.
  • Vulnerability assessment: traditional vulnerability scanners are another essential tool for discovering vulnerabilities across different kinds of assets: from IoT and mobile devices, to workstations, servers, and more.
