What is continuous threat exposure management?

Erin K. Banks and Spencer Engleson | May 15, 2024 | 4 min read

If you’re not familiar with continuous threat exposure management (CTEM), no need to worry — this industry term is fairly new to the security market. CTEM sets out multiple stages or practices to help you understand ALL your threat exposures and address the highest risks so you can reduce your mean time to remediate. Let’s break down the five stages that provide a more complete understanding of your threat exposure.  

Stage 1: Scoping

Align on the attack surfaces to secure. This first stage helps you understand the risk and the overall impact this area has on your business. This activity ensures all stakeholders agree on what is important within each of their areas and the overall organization. It is important to note that scoping can change over time based on your business needs and as the business grows.

Stage 2: Discovery

Identify all the assets and their level of risk within the attack surface. This process helps you focus not only on the physical assets like networks, software, and hardware, but also on risks, misconfigurations, and vulnerabilities. Examples of this discovery include host vulnerabilities, Kubernetes vulnerabilities, cloud posture risks, Kubernetes posture risks, attack paths, identity risks, as well as others. We leave discovery with a better understanding of (1) all the assets within our scope and (2) all the risks affecting those assets.

Stage 3: Prioritization

Determine the risks and threats that need to be addressed first. This step ties together the assets discovered in stage 2 and the scoping that was agreed to in stage 1. Once the highest priorities are identified, a plan can be developed to address them.

Stage 4: Validation

Understand how attacks could happen and their impact. Is there full-circle clarity around how our assets can be breached, what information would be compromised if an asset were breached, which response actions would need to be taken, and whether enough protection is in place?

Stage 5: Mobilization

Ensure all teams are working together and implement the playbook by assigning, communicating, and monitoring remediation efforts and their timelines. You cannot put the plan into action without getting the stakeholders and security teams on the same page and working together.
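As an added worked example (not code from this post, nor from Lacework's platform), the Python below strings the five stages together on a handful of constructed assets and findings: a scoping table of environment weights (stage 1), a discovery inventory (stage 2), a prioritization score that combines severity, business weight and reachability (stages 3 and 4), and a remediation plan that assigns an owner and a due date per finding (stage 5). It also handles the caveat raised later in the post: findings that belong to an asset that has since been terminated, or that are older than the allowed age, are dropped rather than ranked, because a scan result from last week says nothing about an instance that lived for a few hours. All environment names, weights, owners, SLA bands and findings are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Stage 1, scoping: the attack surfaces the stakeholders agreed to cover and
# the business weight each carries. Anything not listed here is out of scope.
# Environments and weights are constructed for this example.
SCOPE_WEIGHTS = {"production": 1.0, "staging": 0.6, "development": 0.3}

# Stage 5, mobilization: who owns remediation in each environment and how
# quickly a finding must be fixed, by score band (constructed values).
OWNERS = {"production": "platform-sre", "staging": "platform-sre", "development": "app-team"}
SLA_DAYS = [(9.0, 7), (5.0, 30), (0.0, 90)]  # (minimum score, days allowed)

# Fixed reference time and maximum finding age so the run is deterministic.
NOW = datetime(2024, 5, 15, 12, 0, tzinfo=timezone.utc)
MAX_FINDING_AGE = timedelta(hours=72)


@dataclass(frozen=True)
class Asset:
    asset_id: str
    environment: str
    internet_exposed: bool
    terminated_at: Optional[datetime] = None  # None while the instance still runs


@dataclass(frozen=True)
class Finding:
    asset_id: str
    title: str
    severity: float        # CVSS-style base score, 0.0 to 10.0
    observed_at: datetime  # when the scan or posture check produced it


def is_stale(finding: Finding, asset: Asset, now: datetime = NOW) -> bool:
    """A finding is not actionable if its asset is gone or the observation is too old."""
    if asset.terminated_at is not None and asset.terminated_at <= now:
        return True
    return now - finding.observed_at > MAX_FINDING_AGE


def score(finding: Finding, asset: Asset) -> float:
    """Stage 3: severity scaled by business weight; stage 4: reachability raises it."""
    exposure = 1.5 if asset.internet_exposed else 1.0
    return round(finding.severity * SCOPE_WEIGHTS[asset.environment] * exposure, 2)


def prioritize(assets, findings, now=NOW):
    """Return (score, finding, asset) triples, highest first, for live in-scope assets."""
    by_id = {a.asset_id: a for a in assets}
    ranked = []
    for f in findings:
        asset = by_id.get(f.asset_id)
        if asset is None or asset.environment not in SCOPE_WEIGHTS:
            continue  # unknown asset, or outside the agreed scope
        if is_stale(f, asset, now):
            continue  # terminated instance or result older than MAX_FINDING_AGE
        ranked.append((score(f, asset), f, asset))
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


def remediation_plan(ranked, now=NOW):
    """Stage 5: attach an owner and a due date to each prioritized finding."""
    plan = []
    for s, f, a in ranked:
        days = next(d for minimum, d in SLA_DAYS if s >= minimum)
        plan.append({"asset": a.asset_id, "finding": f.title, "score": s,
                     "owner": OWNERS[a.environment],
                     "due": (now + timedelta(days=days)).date().isoformat()})
    return plan


# Stage 2, discovery: a constructed inventory and the findings attached to it.
ASSETS = [
    Asset("prod-web-1", "production", True),
    Asset("prod-db-1", "production", False),
    Asset("dev-box-3", "development", True),
    Asset("prod-batch-7", "production", False, terminated_at=NOW - timedelta(minutes=30)),
    Asset("prod-web-2", "production", True),
    Asset("lab-vm-9", "lab", True),  # "lab" was never scoped in stage 1
]
FINDINGS = [
    Finding("prod-web-1", "Outdated TLS library", 7.5, NOW - timedelta(hours=2)),
    Finding("prod-db-1", "Missing authentication on database listener", 9.8, NOW - timedelta(hours=1)),
    Finding("dev-box-3", "Unpatched kernel", 9.0, NOW - timedelta(hours=5)),
    Finding("prod-batch-7", "Unpatched kernel", 9.8, NOW - timedelta(hours=3)),  # asset terminated
    Finding("prod-web-2", "Weak cipher suite", 6.0, NOW - timedelta(days=10)),   # result too old
    Finding("lab-vm-9", "Management port open to the internet", 8.0, NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for item in remediation_plan(prioritize(ASSETS, FINDINGS)):
        print(item)
```

Three of the six findings survive: the exposed production web server ranks above the unexposed production database even though the database finding has the higher raw severity, and the development box lands last because its environment weight is low. The terminated batch node, the ten-day-old web scan and the unscoped lab VM never reach the plan, which is the point of re-running discovery continuously instead of ranking last week's results.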

Why CTEM matters for unified cloud security

CTEM is an important part of the cloud security discussion because it establishes a framework that includes multiple stakeholders. Security is a team sport and the more that we can get various teams to come together and align on the risk and threats associated with assets, the more we can achieve as an organization. For example, does the production environment have greater risk than our development environment? Do golden images that have been used within the last two weeks have higher priority than those within the last two months? What if they are in the production environment? Getting this alignment helps the company stay focused to achieve greater success with their cloud environment.

CTEM also helps with asset sprawl and how these assets perform in a cloud environment because, at times, it is hard to truly understand what you have in the cloud. Cloud resources are constantly created, deployed, modified, and destroyed. The attack surface is constantly changing and can be incredibly difficult to keep track of. Implementing this framework should help the stakeholders understand the boundaries with the greatest risk and help contain the sprawl.

Managing resources (assuming you know all of them) means aligning associated risk. Without alignment across stakeholders, success will become more difficult to achieve. What if the CTEM framework is not implemented and one organization considers the development environment more important than production? How will the security team be able to protect it when their assessment is not the same?

The CTEM framework was developed to help organizations that are looking for a way to start navigating their cloud environments and reduce risk and threat exposure. The cloud happens fast — and security needs to follow suit. CTEM works best in cloud environments due to the extremely high rate of change. Cloud resources are created, mutated, and destroyed constantly, and security risks change right along with them. Analysts can't work off of vulnerability scan or posture evaluation results from last week when instances are only active for a few hours before being terminated and replaced. This is why Lacework is building real-time risk evaluation and threat exposure management capabilities into the platform to help customers understand the scope of their cloud, discover risks and threat exposures, prioritize issues for remediation, validate the impact of a potential compromise, and mobilize remediation efforts in conjunction with product teams and resource owners — continuously. To see how the Lacework platform helps you reduce risks and stop threats fast, start your free trial here.
