Boost Your Cybersecurity with Continuous Threat Exposure Management (CTEM)

Your business is constantly evolving. But how do you know where the weak spots are or which ones actually matter? In a fast-moving environment, understanding your vulnerabilities before attackers do is critical.

In this episode, Anh Pham, Director of Penetration Testing and Security at Trava, breaks down why more businesses are moving toward Continuous Threat Exposure Management (CTEM). Anh explains the five key components of CTEM, how to tell if your business is ready to implement it, and what’s pushing organizations to take a more active, ongoing approach to cybersecurity.

Key takeaways:

  • Why CTEM outperforms traditional point-in-time testing
  • The five components of CTEM and how they work together
  • How evolving threats and expanding attack surfaces demand continuous validation

Ready to dive deeper into the continuous process? Get more info on CTEM and why it’s important here: https://travasecurity.com/ctem-explained

Episode highlights:

(00:00) CTEM explained simply
(02:38) How CTEM differs from point-in-time testing
(04:29) The five components of a CTEM approach
(09:25) When to adopt CTEM

Episode Transcript

[00:00:00] Anh Pham: Every day there’s thousands and thousands of data in an identifiable tool and it’s just not feasible to go look through them all. So CTEM really helps security teams focus on what’s exploitable today and what can really lead to a compromise in the environment asset.

[00:00:19] Jara Rowe: Gather around as we spill the real tea on cybersecurity minus all the confusing jargon. I’m your host, Jara Rowe, and this podcast is where we cut through the confusion and get the truth about security and compliance. This is a podcast from Trava Security. So lately there’s been a lot of talk about one and done cybersecurity and compliance, but one thing I know for sure is that threats change too quickly to really have that mindset. So on this episode, we’re going to dive into CTEM and how it’s an ongoing approach that identifies and manages exposures continuously. And I have one of my coworkers on here to help us talk about that. Hey, Anh.

[00:01:08] Anh Pham: Hey, Jara. Thanks for having me.

[00:01:11] Jara Rowe: Yeah, no problem. So just in case this is someone’s first time listening to you on the podcast, please introduce yourself.

[00:01:19] Anh Pham: Sure. Hi everyone. My name is Anh Pham. I’m currently the Director of Penetration Testing and Security here at Trava Security. I’ve been in the industry for about 12 years coming up now, mostly in security engineering and operations. I’ve been at Trava for the last four years helping to mature our security and GRC program and now leading our pen team.

[00:01:41] Jara Rowe: All right, fantastic. So I’m going to go ahead and dive into it. So I mentioned it already, but we really don’t know what it means. So what is CTEM in plain language?

[00:01:53] Anh Pham: Sure. So CTEM stands for continuous threat exposure management. It basically is a structured and ongoing approach or framework to finding and fixing security exposures that actually matter to an organization’s environment and assets. The two key words here are continuous and exposure. So that really is what separates CTEM now from traditional frameworks. It’s ongoing and needs to be practiced all the time, and it is focused on weaknesses that actually matter.

[00:02:27] Jara Rowe: Weaknesses that matter. That’s important. So CTEM stands for continuous threat exposure management?

[00:02:36] Anh Pham: Yes.

[00:02:37] Jara Rowe: All right. So how is CTEM different from traditional point-in-time testing?

[00:02:46] Anh Pham: I mean you pretty much described the major difference. Right? So traditional point-in-time testing is pretty much like a snapshot. It’s done once a year. It’s very static in nature. It’s very report heavy, meaning findings get dressed up and included in a one-time report, get delivered, and then nothing is being done to follow up on those findings. CTEM sort of shifts the mindset a little from that static approach to approaching security more proactively. So instead of doing a test once a year or once a quarter, you now have a repeatable process that you create to make sure that it matches the way your environment changes and the speed that your environment is changing. So if your environment changes a lot, you’re now testing a lot. If your environment changes slower, you’re now testing slower. But the point is to continuously validate your exposure and weaknesses to make sure that you don’t leave anything open for attackers at any point.

[00:03:48] Jara Rowe: Okay, yeah, that totally makes sense. So what are some examples of point-in-time testing just so people are familiar with what we’re talking about?

[00:03:58] Anh Pham: Sure. I think the biggest example, one of the most commonly seen examples, is a single annual penetration test. So companies are familiar with that. It’s a planned exercise that happens once a year involving multiple teams that is coordinated. Another example is maybe an annual audit of an environment like an assessment or similar. So very point-in-time and static. And then occasional vulnerability scanning that is running in the environment.

[00:04:29] Jara Rowe: So what are the main components of a CTEM approach?

[00:04:33] Anh Pham: So there are five main components of CTEM, and again, they are a repeatable cycle. So the first one is scoping. Prior to doing anything within a CTEM framework, you need to understand your assets, your attack surface, and your crown jewels: your intellectual property, what are the things that you need to protect, what you have in your environment that needs to be protected.

The second component is discovery. In this phase, you focus on identifying vulnerabilities and weaknesses across all of those assets and attack surfaces. So now that you know what you have in your environment, you need to go and hunt and find vulnerabilities on those things that you have.

The third component or third phase is prioritization. In this phase, you basically take the results of the second phase and the first phase together and combine them. So from the first phase you have an overview of your environment, your assets, what are critical assets, what are noncritical, all of that. And then in the second phase you have a list of weaknesses and vulnerabilities. Now in this third phase, you combine them together to really narrow down to a list of exposures that affect your most critical assets and also can lead to real penetration into your environment.

Once you have that, then you move on to the fourth component, which is validation. This is fairly straightforward. Now that you have a list of narrowed-down exposures that you want to focus on, in this phase you actually perform testing on them to validate that your theory or your assessment is valid and the exposure can lead to compromise.

And then the fifth phase is really the final part, the final component of CTEM, which is mobilization. So in this phase, you take everything that was identified as real exposures or exposures that matter, that have been validated and can actually be exploited, and fix them. So now that you have all of that value, you focus on fixing them and then the entire cycle repeats again.

[00:06:35] Jara Rowe: All right. That sounds like a lot of important things for sure. So I feel like I’ve already heard some of the reasons to the question I’m about to ask you next, but why are companies moving toward CTEM? What pressures and risks are really driving organizations to adopt this approach?

[00:06:59] Anh Pham: Sure. So there are a few big drivers that really drove the creation of this framework and are also driving many companies to adopt it. So the first one is that threat actors are evolving even faster than before because of the explosion of AI. We already see practice of malicious actors using AI to increase the speed and complexity of their attacks. Static point-in-time testing and security just doesn’t work anymore.

Attack surface is exploding. Not only that, we have remote work environments now. I think we’re moving into global workforces. So a lot of companies are employing from abroad, outside the country, in multiple countries, using a multitude of SaaS apps. Mostly they don’t rely on a static one-location data center anymore. So your attack surface is just big and wide, and you need to continuously make sure that your attack surface is protected.

I think we’re also seeing more and more leadership wanting to focus on active security instead of a pretty dashboard with some numbers. And maybe the pressure is coming from regulation and compliance and maybe not pure security. But either way, we see that more people are taking security more seriously. Leadership are wanting more accurate reporting of security posture.

And then the last one that I think is driving this is that security teams are already stretched pretty thin. Right? In most organizations, every day there’s thousands and thousands of data in an identifiable tool and it’s just not feasible to go look through them all. So CTEM really helps security teams focus on what’s exploitable today and what can really lead to a compromise in their environment and assets.

[00:09:01] Jara Rowe: Yeah, for sure. So let me see if I can recap some of these. So some of the pressures include AI helping the bad guys, the fact that we are more global, our attack surface is larger, and the teams are just stretched thin with all of the regulation changes and things like that. So we are seeing more companies move into continuous approaches now.

[00:09:24] Anh Pham: Correct.

[00:09:25] Jara Rowe: All right. So how should a business know if they’re ready to adopt CTEM?

[00:09:33] Anh Pham: For most businesses, they probably should start thinking about adopting CTEM after they have established a foundation for their security program. So they have started implementing controls into their environment. They have started running some basic vulnerability scans or have conducted penetration tests for the first time and have started fixing results. That’s probably the best time to start thinking about adopting and incorporating CTEM phases into their security framework. Even if they don’t start with all five phases, it’s better to start adopting some of those phases and start doing them more continuously.

[00:10:10] Jara Rowe: Yeah, that sounds great. Okay, so we’ve talked about CTEM. I feel like I have a better understanding, but I’m going to recap this a little bit before I let you go. Okay? All right. So CTEM again stands for continuous threat exposure management. It is an approach that companies are starting to move more into as we move away from one-and-done and point-in-time testing as our environments change and grow because we’re working on our software or the cloud or something. Is that correct?

[00:10:48] Anh Pham: That is correct. Perfect summarization.

[00:10:50] Jara Rowe: Yeah. Perfect. Okay. So listeners, Anh and I are actually going to continue this conversation. We’re going to dive a little bit more into how CTEM is put into action. So if you haven’t already, please make sure you subscribe so you can catch part two. Thanks for your time, Anh.

[00:11:11] Anh Pham: Thanks for having me.

[00:11:13] Jara Rowe: And that’s the Tea On Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.

The Tea on Cybersecurity
Cybersecurity—a word we hear all the time. Show of hands for those that actually understand what it means.

The Tea on Cybersecurity is here to help educate the newbs on what cybersecurity is, why it is important, and everything in between. The Tea on Cybersecurity is for everyone, but especially those small and medium-sized businesses that are starting their journey in building a cyber risk management program. Each show is about 15 minutes long to deliver you with the facts and less fluff.