Cyber Defense Advisors

NIST Cybersecurity Framework (CSF) and CTEM – Better Together

It’s been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally tailored for critical infrastructure, 2018’s version 1.1 was designed for any organization looking to address cybersecurity risk management.

CSF is a valuable tool for organizations looking to evaluate and enhance their security posture. The framework helps security stakeholders understand and assess their current security measures, organize and prioritize actions to manage risks, and improve communication within and outside organizations using a common language. It’s a comprehensive collection of guidelines, best practices, and recommendations, divided into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function includes several categories and subcategories, notably:

Identify – Understand which assets need to be secured.
Protect – Implement measures to ensure assets are properly and adequately secured.
Detect – Set up mechanisms to detect attacks or weaknesses.
Respond – Develop detailed plans for notifying individuals affected by data breaches or by recent events that might jeopardize data, and regularly test response plans to minimize the impact of attacks.
Recover – Establish processes to get back up and running post-attack.


Changes to CSF 2.0, with a Focus on Continuous Improvement

In February 2024, NIST released CSF 2.0. The goal of this new version is to help CSF become more adaptable and thus adopted across a wider range of organizations. Any organization looking to adopt CSF for the first time should use this newer version, and organizations already using CSF can continue to do so, but with an eye to adopting 2.0 in the future.

CSF 2.0 brings with it some changes. Among other advancements, it adds “Govern” as a first step because, according to ISC2.org, “the CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders must consider alongside others such as finance and reputation. The objectives are to integrate cybersecurity with broader enterprise risk management, roles and responsibilities, policy and oversight at organizations, as well as better support the communication of cybersecurity risk to executives.”

It also has an expanded scope and is clearer and more user-friendly. Most importantly (for the purposes of this article anyway), it strongly focuses on emerging threats and zeroes in on a continuous and proactive approach to cybersecurity via the newly added Improvement Category in the Identify Function. Taking a continuous approach means organizations are encouraged to assess, reassess, and then update cybersecurity practices on a regular basis. This means organizations can respond faster and with better accuracy to events for reduced impact.

CSF and CTEM – Better Together

Today, there are multiple actionable frameworks and tools designed to work within the parameters of the high-level CSF guidelines. For example, Continuous Threat Exposure Management (CTEM) is highly complementary to CSF. Released in 2022 by Gartner, the CTEM framework is a major shift in how organizations handle threat exposure management. While CSF provides a high-level framework for identifying, assessing, and managing cyber risks, CTEM focuses on the continuous monitoring and assessment of threats to the organization’s security posture – the very threats that constitute risk itself.

CSF’s core functions align well with the CTEM approach, which involves identifying and prioritizing threats, assessing the organization’s vulnerability to those threats, and continuously monitoring for signs of compromise. Adopting CTEM empowers cybersecurity leaders to significantly mature their organization’s NIST CSF compliance.

Prior to CTEM, periodic vulnerability assessments and penetration testing to find and fix vulnerabilities were considered the gold standard for threat exposure management. The problem was, of course, that these methods only offered a snapshot of security posture – one that was often outdated before it was even analyzed.

CTEM has come to change all this. The program delineates how to achieve continuous insights into the organizational attack surface, proactively identifying and mitigating vulnerabilities and exposures before attackers exploit them. To make this happen, CTEM programs integrate advanced tech like exposure assessment, security validation, automated security validation, attack surface management, and risk prioritization. This aligns perfectly with NIST CSF 1.1, and provides tangible benefits across all five core CSF functions:

Identify – CTEM demands that organizations rigorously identify and inventory assets, systems, and data. This often turns up unknown or forgotten assets that pose security risks. This enhanced visibility is essential for establishing a strong foundation for cybersecurity management, as outlined in the Identify function of the NIST CSF.
Protect – CTEM programs proactively identify vulnerabilities and misconfigurations before they can be exploited. CTEM prioritizes risks based on their actual potential impact and their likelihood of exploitation. This helps organizations address the most critical vulnerabilities first. What’s more, CTEM-dictated attack path modeling helps organizations reduce the risk of compromise. All this dramatically impacts the Protect function of the CSF program.
Detect – CTEM requires continuous monitoring of the external attack surface, which impacts CSF’s Detect function by providing early warnings of potential threats. By identifying changes in the attack surface, such as new vulnerabilities or exposed services, CTEM helps organizations quickly detect and respond to possible attacks before they cause damage.
Respond – When a security incident occurs, CTEM’s risk prioritization stipulations are what help organizations prioritize response, ensuring that the most critical incidents are addressed first. Also, CTEM-mandated attack path modeling helps organizations understand how attackers may have gained access to their systems. This impacts the CSF Respond function by enabling organizations to take targeted actions to contain and eradicate the threat.
Recover – CTEM’s continuous monitoring and risk prioritization play a crucial role in the CSF Recover function. CTEM enables organizations to quickly identify and address vulnerabilities, which minimizes the impact of security incidents and speeds up recovery. Also, attack path modeling helps organizations identify and address weaknesses in their recovery processes.

The Bottom Line

The NIST Cybersecurity Framework (CSF) and Continuous Threat Exposure Management (CTEM) program are truly brothers in arms – working together to defend organizations against cyberthreats. CSF provides a comprehensive roadmap for managing cybersecurity risks, while CTEM offers a dynamic and data-driven approach to threat detection and mitigation.

The CSF-CTEM alignment is especially evident in how CTEM’s focus on continuous monitoring and threat assessment comes together seamlessly with CSF’s core functions. By adopting CTEM, organizations significantly enhance their compliance with CSF – while also gaining valuable insights into their attack surface and proactively mitigating vulnerabilities.
