In October 2023, analyst firm Gartner® included Continuous Threat Exposure Management (CTEM) in its top ten strategic tech trends for 2024. This appears to be the next step in an evolutionary security process, as organizations must look beyond vulnerability management to truly secure a digital footprint covering SaaS applications and external tools. In a blog in August titled Big Picture, Gartner even suggested SaaS Security Posture as a place organizations could pilot their CTEM program.
CTEM isn’t a tool. It’s a five-step program that uses cybersecurity platforms and tools to help organizations prioritize the issues that most threaten the business. Each step aligns closely with the core principles of SaaS Security, making it a logical place to start a formalized CTEM program.
This blog looks at how CTEM applies to a SaaS security scenario and follows the Purple Organization as they look to secure five different applications through the process.
Step 1: Scoping – CTEM Starts with Understanding Attack Surfaces
A CTEM program begins with a scoping process. The security team, which leads the CTEM initiative, must collaborate with business units to gain a full picture of the enterprise’s SaaS stack. As part of this process, the two groups must determine which applications are most important to the business.
Most organizations have well over 100 applications. For the purposes of illustration, we’ll follow the fictitious ACME organization, which has conducted scoping and found the company has 5 applications:
- M365
- Salesforce
- Sprout Social
- Workday
- Google Ads
Step 2: Discovery – Uncover Levels of Risk
Every SaaS application has a different level of risk. This may be due to the external value of the data in the application, the role the app plays in business operations, its complexity, or other considerations. During the Discovery phase of the CTEM process, organizations examine the apps in their stack and the associated risks.
The table below shows the level of risk the ACME organization must mitigate from their applications. Again, this is an example. Other companies may prioritize differently or use these applications in a different way.
Step 3: Prioritization – Optimize Security to Counter Threats
It is nearly impossible to fix every security issue in every application. Instead, organizations must prioritize countering the threats that they are most likely to face and the threats that will have the highest impact on their business.
For the ACME organization, that means recognizing that even though a social media takeover attack could have significant ramifications, its impact on business operations is low. Companies that sell products over social media would rate the business impact as high, and prioritize differently.
Step 4: Validate – Preparing for Attacks
With priorities in place, the security team’s next step is to validate how an attack might work and how their system might react. With SaaS applications, that means reviewing configurations to discover pathways for threat actors to access the application.
SaaS applications contain a number of settings. The ACME organization must review configurations relating to access control, data leakage, malware, and others. If misconfigurations exist that could grant access to threat actors, the security and business teams must work together to remediate the issue in a way that allows the business units to operate while securing the application.
Step 5: Mobilize – Collaboration Is Key
Securing SaaS applications is a collaborative process between the security teams and app owners. Business units must understand the CTEM approach and their role in it. A RACI chart outlining everyone’s responsibilities will help define roles and generate buy-in to the program.
Adaptive Shield facilitates collaboration between application owners and security teams to ensure that the team is aligned in their security efforts.
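Steps 3 and 4 above can be sketched in code: failed configuration checks are ranked by business impact, likelihood and severity, so the same misconfiguration scores differently depending on the app. This is an added example, not code from the original post or from any vendor; the scores, setting names and configuration snapshots are constructed assumptions.

```python
from dataclasses import dataclass

# Steps 1-3: scoped apps with (business impact, likelihood), each 1 (low) to 3 (high).
# Constructed values; social media is scored low impact, as in the ACME example.
APP_RISK = {"M365": (3, 3), "Salesforce": (3, 2), "Workday": (3, 2),
            "Google Ads": (2, 2), "Sprout Social": (1, 3)}

# Step 4 baseline: (domain, hypothetical setting name, compliance check, severity 1-3).
BASELINE = [
    ("access control", "mfa_enforced", lambda v: v is True, 3),
    ("access control", "admin_count", lambda v: isinstance(v, int) and v <= 5, 2),
    ("data leakage", "public_link_sharing", lambda v: v is False, 3),
    ("malware", "attachment_scanning", lambda v: v is True, 2),
]

# Constructed configuration snapshots. None means the value could not be read.
SNAPSHOTS = {
    "M365": {"mfa_enforced": True, "admin_count": 9,
             "public_link_sharing": True, "attachment_scanning": True},
    "Salesforce": {"mfa_enforced": False, "admin_count": 4, "public_link_sharing": False},
    "Workday": {"mfa_enforced": True, "admin_count": 3},
    "Google Ads": {"mfa_enforced": True, "admin_count": None},
    "Sprout Social": {"mfa_enforced": False, "admin_count": 2},
}

@dataclass(frozen=True)
class Finding:
    app: str
    domain: str
    setting: str
    score: int

def validate(snapshots, baseline=BASELINE, app_risk=APP_RISK):
    """Return misconfigurations ranked by impact * likelihood * severity."""
    findings = []
    for app, config in snapshots.items():
        impact, likelihood = app_risk[app]
        for domain, setting, compliant, severity in baseline:
            if setting not in config:
                continue  # setting does not apply to this app
            # An unreadable value (None) fails every check, so it is reported.
            if not compliant(config[setting]):
                findings.append(Finding(app, domain, setting, impact * likelihood * severity))
    return sorted(findings, key=lambda f: (-f.score, f.app, f.setting))

if __name__ == "__main__":
    for f in validate(SNAPSHOTS):
        print(f"{f.score:>3}  {f.app:<14} {f.domain:<15} {f.setting}")
```

With these constructed inputs, missing MFA on Sprout Social ranks below an oversized admin group on M365, because the app's business impact is scored low.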
Why Should Enterprises Care About CTEM?
According to Gartner, “By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach.”
CTEM pushes organizations to prioritize threats more effectively based on business impact, helping them allocate more resources where they are needed. As a continuous improvement program, it augments cyber resilience, requiring security teams and application owners to continue reassessing and reallocating their security resources.
CTEM is closely aligned with SaaS Security Posture Management (SSPM). Effective SSPM platforms prioritize security issues based on risk and provide remediation instructions to help mitigate any issues. They foster communication between the SaaS application owners and security teams, and mobilize stakeholders through alerts in the event of an issue. Organizations concerned about SaaS security while taking a CTEM approach should consider SSPM to secure the SaaS stack.