Using CTEM to Engage in Scoping, Discovery, and Prioritization of Cyber Challenges

By: Brian Moran

January 16, 2024

Plenty of cybersecurity solutions will tell you what needs to be done, but knowing why (and how) is just as important. As businesses look to improve their level of cyber resilience, a growing number are embracing the concept of Continuous Threat Exposure Management (CTEM), a term recently coined by Gartner.

CTEM is a process, rather than a specific solution, and—as its name implies—it focuses on helping organizations improve their security posture through the continuous management of threat exposure. In short, CTEM enables businesses to determine not just what they need to do, but why they need to do it.  

Perhaps most importantly, CTEM helps organizations understand their needs from both a technical and a business perspective. It enables security teams to visualize where the exposures actually lie and gauge the level of risk essential business processes are exposed to, allowing them to justify new solutions and procedures (as well as changes to existing ones) and allocate downtime and budgetary spend more effectively. It also illustrates whether steps need to be taken to defend revenue, adhere to regulations, or impact the business in some other way. By framing insights in business terms, CTEM puts security and business teams on the same page, driving them toward a unified vision. 

Part one of this two-part series will walk you through the initial phases of CTEM (scoping, discovery, and prioritization) and illustrate how they can be applied in practical terms. This will help you conceptualize how to begin the CTEM process before diving into part two, which will map out the remaining steps of validation and mobilization—as well as the many ways in which these phases flow into one another.  

Phase 1: Scoping 

CTEM is an ongoing process, and tackling every part of the network at once isn’t feasible. The first step is to identify which areas of the business will fall into a CTEM cycle, and which can be tackled during a subsequent cycle. Once that determination has been made, start developing a sense of the overall security posture within the target areas, as well as what it means to have resilience in those areas.  

It’s important to know which processes are the most important. That means this isn’t just a problem for the security team: business stakeholders need to be brought in to help determine which processes are business critical. What are the “Tier 1” processes the business absolutely cannot survive without? Which of those are susceptible to a cyber attack? Once something has been identified as critical, technical stakeholders can identify the assets essential to that process, such as servers, applications, and websites. They can then be added to the essential scope of the project.  

The business side of the organization needs to be involved in scoping from the very beginning. Leaders on the business side are the ones who can answer questions like which processes are important and which are not, when and where downtime is acceptable, and which legacy systems need to be maintained (and why). Their input lays the groundwork for what the technical team will focus on during each cycle.  

Phase 2: Discovery 

You may notice that these phases overlap at times, and that’s true. Discovery is about correlating the insights of the scoping process and identifying the assets related to those business contexts. Part of that involves determining whether anything was missed during the previous and trying to limit scope creep as much as possible. While scoping defines the business process itself, discovery asks what systems, applications, and other resources support that scope—even when those objects may not appear to fall within the scope themselves. This also includes the identification of secondary and shared resources and assets that – if successfully attacked – would also render the Tier 1 process unavailable. 

What does this mean? It’s important to look at Attack Surface Management (ASM) tools to locate not just the assets that belong to critical business processes, but the other assets that could be used to gain access to them. There may be objects that would not typically be considered “Tier 1,” but which offer a direct path to a critical asset. And if an object renders a critical asset vulnerable or unusable, resolving that should be a top-tier priority. ASM and attack path mapping help defenders consider the attacker’s view and, during the discovery phase, it’s important to think like an attacker and consider what an intruder would visualize and then do with that information.  

Phase 3: Prioritization  

 Once potential vulnerabilities and weaknesses have been identified, it’s important to understand which most directly impacts the scope. That means determining which are truly dangerous, and which can be mitigated by compensating controls and which are not critical to the defense of the scope.  

For example, if 500 exposures are identified, there may be 30 that cannot be addressed with existing strategies or corrected with updates or upgrades. That doesn’t mean the other 470 should be ignored, but it may mean they can be patched or mitigated with compensating controls—or else are covered by exemptions agreed upon by business stakeholders and considered an acceptable risk. Security validation plays a significant role here, because security teams need to be able to prove that the compensating controls protecting those 470 exposures are effective in order to confidently deprioritize them.  

The remaining 30 exposures are the priority, because they have been determined to impact a specific business context that the organization lacks the controls to protect. Exposure analytics and attack path mapping can verify that existing controls are not sufficient, and the exposures need to be addressed during the current CTEM cycle.  

Moving on to Validation and Mobilization  

With the most critical vulnerabilities have been identified and prioritized, it’s time to move on to the final phases of CTEM: validation and mobilization. To learn more about what those phases entail (and how they may involve engaging in further discovery and prioritization), stay tuned for part two of this series in the coming days.  

To learn more about exposure management, check out the Cymulate whitepaper  Continuous Threat Exposure Management (CTEM): From Theory to Implementation.

Read the Whitepaper
Subscribe