Why CTEM is the efficiency boost your security team needs

A Q&A with Andy Schneider and Spencer Engleson

Erin K. Banks, June 4, 2024, 5 min read

Just when you thought you had a handle on all of the cloud security acronyms, along comes another one: CTEM, or continuous threat exposure management. CTEM is worth paying attention to because it has the potential to significantly boost the efficiency of security teams. 

A couple of weeks ago, we blogged about CTEM, what the framework is, and why it matters for cloud security. Now, we want to explain how this all applies to the Lacework platform and the work we’re doing to make you love this platform even more. We decided the best way to do that is to interview Spencer Engleson, Product Manager for the individual CTEM capabilities such as continuous CSPM, and Andy Schneider, Field CISO, on the impact of CTEM and why it differentiates us.

Q: Do you think many organizations have heard about CTEM, and if not, why?

Spencer: I imagine the acronym may be new but the concept is not. The idea is to move from periodic or scheduled scans to collect risk data to an event-driven risk evaluation system, then to couple that real-time awareness of risk with standard operating procedures to triage, prioritize, assign, and manage ongoing remediation efforts.

Andy: The term itself will be new for many, but as Spencer said, the concept is not. Technology has transformed from “few but big change events” back in the day to “frequent but small change events.” Therefore, we need to continuously monitor changes and surface risks deriving from those incremental changes.

Q: Could each of you share your thoughts on the value that CTEM provides for security practitioners?

Spencer: It’s basically an efficiency boost. So many security teams that I’ve worked with struggle with inaccurate risk findings because they’re working off of stale data, and I’ve yet to find the security team that can apply any remediation they want to production assets. We as security professionals need tools that focus on real risk and that integrate with remediation owners’ — typically product and site reliability engineering (SRE) teams — technology and processes. That leads to less wasted effort and faster remediation times.

Andy: Security teams, specifically their processes and tools, are usually detached from the infrastructure operations teams and their processes. Once an issue is found, it might already be outdated or the dangerous change is detected too late. CTEM can help create a sync between those teams and find issues early in the lifecycle.

Q: What struggles are you hearing from customers that you think CTEM can address?

Spencer: Visibility, risk identification, remediation prioritization, and remediation management. Many security teams we work with had poor visibility into cloud workloads, resources, and configurations prior to deploying Lacework. There’s also been a proliferation of threat vectors in cloud environments, and it can be challenging to identify and contextualize different types of risks. That same proliferation of threats has made prioritizing remediation efforts even more difficult. Finally, assigning, tracking, and verifying remediations is a tough combination of project management and influence with remediation owners.

Andy: The sooner you can detect a risk and address it, the more sustainable the remediation will be. Many security teams are drowning in alerts and things they should fix. Without proper prioritization, it’s even more difficult to remediate what actually matters. On top of that, we should not forget the human element. The best skilled employees will introduce fewer risks. If I make a risky change to my infrastructure and I’m alerted early, I will be able to remediate and also learn from it. The later I’m made aware of any mistakes, the less effective my learning will be.

Q: Spencer, can you tell me about the “continuous visibility” functionality that we are implementing within the Lacework platform?

Spencer: For most security teams, cloud environments, while fast-moving, are surprisingly iceberg-y: the invisible far outweighs the visible. Cloud environments these days frequently encompass dozens or even hundreds of cloud accounts spread across multiple cloud service providers. As a security practitioner, it can be a struggle just to know what you’re responsible for securing. The Lacework Continuous Visibility feature dives beneath the surface by monitoring cloud activity logs to detect when resources are created, mutated, and destroyed. When we see a resource create or mutate event, we go and fetch the new configuration for that resource, and when a resource is destroyed we mark it as tombstoned. This gives us a rich understanding of resources, changes, and their lifecycle, and allows us to track the state of a given resource over time. Resources from all accounts across all CSPs are presented in the Lacework single resource inventory, making it easy to filter, sort, and find resources, their risks, configuration history, and trends over time.
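As an added illustration of the event-driven inventory Spencer describes (this is not Lacework code; the event shape, the stand-in configuration lookup and the sample events are all constructed here), the following Python sketch builds a resource inventory from activity events, tombstones destroyed resources and keeps their history, which lets it answer a question a point-in-time scan cannot: how long a resource sat in a risky state.

```python
from dataclasses import dataclass, field
# Constructed CloudTrail-style activity events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2024-06-01T10:00:00Z", "name": "CreateBucket", "resource": "arn:aws:s3:::demo-logs"},
    {"time": "2024-06-01T10:05:00Z", "name": "PutBucketAcl", "resource": "arn:aws:s3:::demo-logs"},
    {"time": "2024-06-01T10:10:00Z", "name": "CreateBucket", "resource": "arn:aws:s3:::demo-web"},
    {"time": "2024-06-01T10:20:00Z", "name": "DeleteBucket", "resource": "arn:aws:s3:::demo-logs"},
]
# Constructed stand-in for the "fetch the new configuration" step; a real collector
# would call the provider's describe/get API for the changed resource instead.
FAKE_CONFIG_API = {
    ("arn:aws:s3:::demo-logs", "CreateBucket"): {"public": False},
    ("arn:aws:s3:::demo-logs", "PutBucketAcl"): {"public": True},
    ("arn:aws:s3:::demo-web", "CreateBucket"): {"public": True},
}
CREATE, MUTATE, DESTROY = {"CreateBucket"}, {"PutBucketAcl", "PutBucketPolicy"}, {"DeleteBucket"}
@dataclass
class ResourceRecord:
    config: dict = field(default_factory=dict)  # empty until first fetch
    tombstoned: bool = False
    history: list = field(default_factory=list)  # (time, event name, config) per change

def apply_event(inventory, event):
    """Update one resource's record from a single create/mutate/destroy event."""
    rec = inventory.setdefault(event["resource"], ResourceRecord())
    name = event["name"]
    if name in CREATE or name in MUTATE:
        rec.config = FAKE_CONFIG_API.get((event["resource"], name), {})
        rec.tombstoned = False
        rec.history.append((event["time"], name, rec.config))
    elif name in DESTROY:
        rec.tombstoned = True  # keep the record and its history, just mark it gone
        rec.history.append((event["time"], name, None))
    return rec

def build_inventory(events):
    inventory = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        apply_event(inventory, ev)
    return inventory
def exposure_windows(rec):
    """Spans during which the recorded config was public; end None = still exposed."""
    windows, start = [], None
    for time, _name, config in rec.history:
        public = bool(config and config.get("public"))
        if public and start is None:
            start = time
        elif not public and start is not None:
            windows, start = windows + [(start, time)], None
    return windows + ([(start, None)] if start is not None else [])
```

A scan run at 10:30 would see only the live demo-web bucket; the retained history also shows that demo-logs was public for fifteen minutes before it was deleted.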

Q: Andy, can you tell me the impact this functionality will have on our customers?

Andy: The latest Mandiant M-Trends 2024 report reveals two trends. First, most intrusions are still not detected by companies, and second, attackers move faster. Having continuous visibility helps to remove the attacker's advantage. They will have less time to find holes that they can misuse. This will slow them down and also increase the likelihood of detecting them.

What is “continuous visibility”? 

At Lacework, we believe that time is security’s number one adversary. But how can we beat the clock when the time it takes to assess an environment, identify risks, triage, and mobilize remediation efforts is typically measured in days, weeks, or months, while cloud deployments and infrastructure changes are continuous? We’re solving these problems with near real-time monitoring and risk identification, tracking the lifecycle of risks across domains, and outcome-focused security initiatives that align product, SRE, and security team goals.

Want to learn more about how we’re helping security teams move faster? Check out our on-demand demo.
