
CTEM: The First Proactive Security Innovation in 20 Years

Past and Future of Cybersecurity

Summer 2021

It was in the summer of 2021, in the middle of COVID. Isolation and testing remained in effect, the offices were closed, and we all worked out of our living rooms. Brad LaPort, a veteran Gartner analyst, and I were on a content project, talking about why the market was missing out on a new category to encapsulate the disparate exposure data and derive actionable insights. Then the conversation carried on with Mitchell Schneider, a prominent Gartner analyst covering Threat and Vulnerability Management. We were debating what we should call this new category. Is it Cyber Exposure Management? Threat Exposure Management? Or maybe Cyber Threat Exposure Management? Then Jonathan Nunez nailed it and added “Exposure Management” to the 2022 Hype Cycle. Gartner put its own spin on the “Continuous” nature of the program. Of course, more debates followed with Jonathan about whether CTEM is a process or a product. It is all history.


Breaking Security Silos

NopSec grew up as an offensive security company before launching our SaaS product, so our lens and thought process are quite different from those of many traditional security software companies. My partners, Michelangelo Sidagni and Shawn Evans, always advocate the mentality of “think like a hacker.” We do so to break and exploit the weakest exposures before building the best security software that truly solves the data overload and silo problems.

Enterprises, large or small, on average own between 20 and 100+ security tools. Over the years, security teams have acquired these point solutions to solve specific problems and use cases. Point solutions gained scale and adoption in the first phase of cyber innovation. In its second phase, the overwhelming amounts of data and alerts generated by those security tools are the main challenge that enterprises face. It is no longer a tooling problem; it is a data problem.

If you ask a data scientist what her worst data science problem is, she might say not having enough data. In enterprise security today, we have the opposite problem: too much data, created by siloed tools from siloed teams. Remediation processes and workflows are designed and very much centered around security tooling, not built upon managing enterprise risk exposures at a holistic level. This story may not be unfamiliar to you: remediation teams are instructed to apply fixes based on Tenable findings, or Wiz findings, or Veracode findings. Each scanning tool has its own method of defining severity levels. This method fails to take into account critical broader environmental context such as:

  • Threat levels
  • Asset criticality
  • Countermeasures and controls in place
  • Business impacts

This lack of context renders the scanner-centric approach to exposure management fundamentally flawed. It reminds me of the parable of the blind men and the elephant.


Why Now

In the last 20 years, there have been tons of innovations in the “Active” and “Reactive” security spaces. Think how Palo Alto reinvented firewalls, how CrowdStrike reinvented anti-virus, how eSentire created MDR, how SIEM and SOAR were created. Furthermore, we have XDR, CSPM, and many other application-centric products. On the other hand, when you look at the “Proactive” security space, the volume and pace of innovation are significantly lagging. Renaud Deraison invented Nessus, the first open-source vulnerability scanner, in 1998; other flavors of scanner followed suit for infrastructure, applications, and containers. You may say EASM is a new and novel category that gives enterprises an outside-in view of their exposure. Instead, I would argue passionately that EASM is an evolution of what had been invented by ISS in the late 90s. Categorically, scanners (whether outside-in or inside-out, infrastructure or apps) and pentesting (whether automated or powered by humans, simulation or emulation) have been the main solutions offered for Proactive security in the last two and a half decades.

Our world has changed. The ways we use infrastructure, compute, and develop software have forever changed in the time of digital transformation. However, the way we analyze and remediate cyber exposure remains the same. We do annual pentests. We run weekly vulnerability scans, download the results into CSV files, slice and dice the potential risks (pivot tables help) into sub-spreadsheets, and send them over to the IT folks to fix. Then the whack-a-mole games begin. Rinse and repeat in the cloud, API, DAST and SAST spaces.

I want to pause and ask us, as a collective community: have we been focusing on the wrong things all along? Fixing everything is not the end goal and is not humanly achievable. Prioritizing what to fix in the context of risk is a crucial step in exposure management. Simplistic prioritization can rely on CVSS or EPSS. Sophisticated prioritization requires an algorithmic approach that builds multi-dimensional data models to analyze threats, assets and environmental controls, to truly contextualize risk and exposures. Many folks are tempted to rush into remediation workflow automation without proper analysis or prioritization of what to fix. Yes, you may fix the wrong things really fast, but you’ll still be exposed.
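To make the contrast concrete, here is an added example (not NopSec's code or product logic) that takes findings from three tools with three different severity vocabularies, normalizes them onto one scale, and re-ranks them using the context listed above: threat level (EPSS), asset criticality, countermeasures in place and business impact. The scales, weights, assets and findings are all constructed for illustration, and the weighting formula is one simple choice among many.

```python
from dataclasses import dataclass

# Each scanner's native severity vocabulary mapped onto one 0..1 scale
# (labels and weights constructed for this example, not the tools' real scales).
SEVERITY_SCALES = {
    "tenable":  {"Critical": 1.0, "High": 0.8, "Medium": 0.5, "Low": 0.2},
    "wiz":      {"CRITICAL": 1.0, "HIGH": 0.8, "MEDIUM": 0.5, "LOW": 0.2},
    "veracode": {"5": 1.0, "4": 0.8, "3": 0.5, "2": 0.2, "1": 0.1},
}
# Context the scanners cannot see: asset criticality, business impact and the
# strength of compensating controls, all 0..1 (constructed sample values).
ASSET_CONTEXT = {
    "payments-api": {"criticality": 1.0, "business_impact": 1.0, "controls": 0.2},
    "dev-wiki":     {"criticality": 0.3, "business_impact": 0.2, "controls": 0.6},
}

@dataclass(frozen=True)
class Finding:
    source: str    # which scanner reported it
    asset: str
    title: str
    severity: str  # the scanner's own label, not comparable across tools
    cvss: float    # base score, 0..10
    epss: float    # exploitation probability, 0..1 (threat level)

def normalize_severity(f: Finding) -> float:
    """Translate a scanner-specific label into the common 0..1 severity."""
    return SEVERITY_SCALES[f.source][f.severity]

def contextual_risk(f: Finding, ctx: dict) -> float:
    """Severity x threat x asset/business impact, discounted by controls; 0..100."""
    likelihood = normalize_severity(f) * (0.2 + 0.8 * f.epss)  # weighted by threat
    impact = 0.5 * ctx["criticality"] + 0.5 * ctx["business_impact"]
    mitigation = 1.0 - 0.7 * ctx["controls"]  # controls reduce, never erase, risk
    return round(100 * likelihood * impact * mitigation, 1)

def rank_by_cvss(findings):
    """Scanner-centric ordering: highest base score first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def prioritize(findings, context):
    """Contextual ordering: (finding, risk) pairs, highest risk first."""
    scored = [(f, contextual_risk(f, context[f.asset])) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)
# Constructed findings: three tools, two assets, three severity vocabularies.
FINDINGS = [
    Finding("tenable", "dev-wiki", "Outdated wiki engine", "Critical", 9.8, 0.02),
    Finding("wiz", "payments-api", "Public bucket with secrets", "HIGH", 7.5, 0.90),
    Finding("veracode", "payments-api", "Weak TLS configuration", "3", 5.3, 0.10),
]
```

Ranked by CVSS alone the CVSS 9.8 wiki finding comes first; once asset, controls and threat context are applied it drops to last, behind two findings on the payments API.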

Attackers think in graphs, defenders think in lists. To “think like a hacker” and gain the upper hand in the fight, we need to drop spreadsheets, stay on the forefront of data science, and search for the insights that are hidden in the data from those disparate tools. Insights give us the power to know where our risks are and to take action with confidence.


Where the Future Leads

We all crave visibility and control. Technological innovations that automate data aggregation, normalization and enrichment, provide data-driven algorithmic decision support, and automate human workflows are leading us closer to a place with better visibility and control. The CTEM market will keep evolving and remain fragmented. There will be four types of vendors wearing the CTEM hat for many years to come:

  • Scanning vendors (Tenable, Armis) will embrace third-party ingestion. While scanning vendors keep fighting over scanning market share, the ability to ingest non-competitive third-party scan data (not Qualys or Claroty in this case) will offer expansion opportunities and stickiness with “good enough” offerings.
  • SOAR workflow vendors (Vulcan, Brinqa) will be light on algorithmic prioritization, but heavy on EPSS and analyst workflow, and will become niche SOAR players for remediation use cases.
  • Pure data vendors (Kenna/Cisco, Avalor) will continue to take the analytic approach to solve the data challenges. Some vendors may lack innovation in contextualizing risks for each customer across full tech stacks due to the data model limitations. Other data vendors may expand to logs or other adjacent use cases.
  • Offensive data vendors will continue innovating by expanding the exposure types to include misconfiguration, identity and privileged access, and vulnerability data from full tech stacks, visualizing target relationships, training the algorithmic models with offensive expertise, and using emulation techniques to prioritize and visualize the path of least resistance from an attacker’s view.

Other predictions? CTEM will stay more risk-conscious, and cyber leaders will focus on building Proactive Exposure Management into a mature cyber program. Who said “prevention is dead”? The old truth never dies – an ounce of prevention is worth a pound of cure. What else? More vendors will hop on the CTEM train, for better or worse, relevant or stretching.

We might be ahead of our time: six years ago, Josh Zelonis at Forrester put us as a disruptor on the VRM map. We are grateful to have made our unique contribution to this market shift, creating a category and market awareness above the noise. In the end, what matters most is less about categories and more about solving real problems for customers.

Stay tuned with our #ProactiveCyber blog series.
