Threat Management

The Emerging CTEM Opportunity for MSSPs

The cybersecurity landscape is changing rapidly. The number and sophistication of cyberthreats are growing rapidly, which already is putting pressure on organizations that are finding themselves more prone to attacks. Throw in the rapid adoption by bad actors of generative AI, automation technologies and as-a-service initiatives and the picture can look bleak.

The evolving threat environment has organizations adopting more holistic approaches to cybersecurity, transitioning away point products and toward platform-based and tightly integrated solutions that enable them to be more proactive — essentially doing what they can to keep the bastards out rather than dealing with them after they get in.

Such approaches come with all sorts of acronyms, such as CNAPP (cloud native application platform protection), IAM (identity and access management) and its cousin CIAM (customer identity and access management), and CWPP (cloud workload protection platform).

Continuous Threat Exposure Management (CTEM): What Is It?

A new one has emerged over the past year — CTEM, or continuous threat exposure management, is a “program that surfaces and actively prioritizes whatever most threatens your business,” according to Gartner, which coined the term. Accordingly, typical risk reduction programs look at infrastructure and software vulnerabilities but struggle to keep up with the ever-changing attacks surfaces in nontraditional IT environments like the cloud and SaaS applications.

CTEM takes in all these areas and pulls in business needs, organizations’ internal teams, and risk impacts, finding threat exposures and assessing the likelihood of a successful attack.

As laid out by Gartner, CTEM is a comprehensive five-step continuous program rather than a product. It includes many of the usual technologies and services, including penetration testing, red teaming, patch management, asset inventory and threat intelligence.

“If you are an MSSP worth your salt, you are doing most of these things already,” said Chris Gonsalves, vice president of research at Channelnomics.

The Five Steps of CTEM

The five steps are:

  • Scoping falls in line with both internal and external attack surface management, with security teams detailing what assets the organization has and where they are, vulnerable points of attack, what’s exposed and what the company most needs protecting.
  • Discovery is a deeper dive after scoping. Security teams identify both visible and hidden assets, counterfeit assets, misconfigurations and vulnerabilities and assess the business risk and potential impact they carry.
  • Prioritization means taking what’s been learned in discovery and identifying assets with the highest values and prioritize them by such measures as urgency, available controls and the level of risk they pose to the business. It also helps find gaps in security, including detection and logging.
  • Validation enables defenders to see if a vulnerability can be exploited, analyze potential lines of attack and determine if the security controls in place can protect the business. This where pen testing and red teaming can be used, as well as integrated solutions like breach and attack simulation (BAS) and security control validation (SCV).
  • Mobilization is where the security teams ensure that all business stakeholders play a role in security. Organizations can rely only on automated processes. Mobilizing individuals throughout the company to take down hurdles that could hinder the plans created in the first four steps, from streamlining approval processes to implementing mitigation procedures.

The goal of CTEM is to create a consistent and actionable security posture remediation and improvement plan.

“It’s important to think of this as a circle and not a line,” Gonsalves said, noting the ever-changing nature of the cyberthreat landscape. “Once you do all those steps, you need to go back through them. All of this is dynamic. You can set it and forget it. It’s a continuous process.”

The MSSP Opportunity

The introduction of CTEM into the cybersecurity discussion opens up an opportunity for MSSPs that can offer such a service. A holistic and comprehensive approach to security is something that organizations are looking for at a time when not only are the complexity of cyberattacks increasing but so are the chances of becoming a victim.

According to IBM, the average cost of a data breach this year was $4.45 million, a 15% jump over three years ago. Organizations are ready to spend to avoid this, with 51% of companies planning to increase their security investments.

That said, not many end-user organizations have the capability and capacity to adopt CTEM in a meaningful way. MSSPs’ value is in their role as trusted advisor and defender, and that value is enhanced by the CTEM approach.

“MSSPs, as InfoSec force multipliers, are the ones best positioned to turn the concept of CTEM into real strategy and tactics for their clients,” Gonsalves said.

And many already have pulled together CTEM service offerings that include a range of services, including external asset discovery, scanning for vulnerabilities and credential leaks, DNS and email scanning and on-demand and ad hoc pen testing.

Others include software bills-of-materials (SBOMs), integrating network vulnerability scanning, CSPM, DAST and SAST, API access, and compliance reporting.

CTEM Service Offerings Defined

The following are some types of CSTEM services and their definitions:

  • Breach and Attack Simulation is the use of tools to simulate real-world cyberattacks on an organization's network, systems and applications. The primary purpose of BAS is to evaluate the effectiveness of an organization's security posture by mimicking the tactics, techniques and procedures (TTPs) used by attackers. This continuous and automated approach allows organizations to identify vulnerabilities and gaps in their defenses before actual attackers can exploit them. It helps in validating security controls, assessing the potential impact of a breach and enhancing the organization's incident response capabilities. BAS can be used to test the effectiveness of security measures such as firewalls, intrusion detection systems, anti-virus software and endpoint protection, as well as the awareness and response capabilities of IT and security teams.
  • External Asset Discovery is a process of identifying and cataloging the external digital assets (e.g., domains, subdomains, IP addresses) that belong to an organization. This is crucial for understanding the attack surface that is visible from outside the organization.
  • Scanning for Vulnerabilities and Credential Leaks pertains to the use of automated tools to scan systems and services for known security weaknesses, misconfigurations, and instances where sensitive credentials may have been exposed publicly.
  • DNS and Email Scanning is the process of examining Domain Name System (DNS) records and email systems to identify misconfigurations, potential vulnerabilities or indicators of phishing and email spoofing.
  • On-demand and Ad Hoc Pen Testing is penetration testing performed as needed (on-demand) or irregularly (ad hoc) to identify and exploit security vulnerabilities in systems, applications, and networks.
  • Software Bills-of-Materials (SBOMs) provides detailed lists of information about the components, libraries and modules used in building software, including their versions and dependencies. SBOMs are important for vulnerability management and license compliance.
  • Integrating Network Vulnerability Scanning is the incorporation of automated scanning tools into an organization's network to continuously or periodically search for security vulnerabilities.
  • CSPM (Cloud Security Posture Management) is a security tool or suite of tools that helps organizations automate the identification and remediation of risks across cloud infrastructures, including IaaS, SaaS, and PaaS.
  • DAST (Dynamic Application Security Testing) is a testing process that looks for security vulnerabilities in web applications by simulating attacks on them while they are running.
  • SAST (Static Application Security Testing) is a testing methodology that analyzes source code or compiled versions of code to find security vulnerabilities that can be corrected before the application is deployed.
  • API Access refers to the ability to interact with a software system or application through its Application Programming Interface (API), which allows for programmatic control or data retrieval.
  • Compliance Reporting is the process of compiling and presenting data and information to demonstrate adherence to required standards, regulations, and policies, typically for legal or regulatory purposes.

MSSP Pricing for CTEM Services

With some of these platforms, pricing is based on a per-asset basis or is tied to what services the customers want to start with. Some complete packages can run up to $1,200 a month or more, and many MSSPs offer trials, POCs or a limited number of assets for free.

Gartner first broached the idea of CTEM earlier in 2022. MSSPs have had almost two years to get programs in place. Those who haven’t may find themselves running permanently behind.