As companies struggle with finding and closing off the paths that attackers could use to infiltrate and compromise their IT environments, security providers are rushing to offer security posture management — also known as exposure management — capabilities in their products.
Security posture management firm Cymulate announced in June a threat exposure management platform that takes data from a variety of sources — including an inventory of the company's assets, its vulnerabilities, potential attack paths, and adversaries tactics — to create a measure of risk. Last week, exposure management firm Tenable announced the release of identity-focused features in its Tenable One platform that can analyze Active Directory and Azure AD instances to find identity-based weaknesses, such as overpermissioned accounts, orphaned users, and anomalous identities.
Giving companies the ability to analyze combined vulnerability and identity data from the current corporate IT environment is a critical part of measuring exposure, says Nico Popp, chief product officer at Tenable.
"If you bring vulnerability management and identity exposure together, then you can actually do really interesting things," he says. "The two together let you really allow us to think as an attacker moving laterally across your environment to basically reach your most important assets."
Exposure management is a relatively young industry segment that has taken off, driven by predictions from analyst firms, such as Gartner, that companies will shift from vulnerability management, attack-surface management, and privileged-account management to the more holistic capability of managing their exposure to threats.
For organizations, exposure management promises better ways to secure their changing information technology environments as attacks evolve. Focusing on vulnerabilities and weak identities, as well as validating the threats that certain weaknesses represent, can help firms tackle the most critical security issues before they are exploited.
Combining a variety of data — such as the severity of the vulnerabilities, the value of the affected assets, and an attacker's ability to utilize an exploited system — allows companies to better gauge risk, says Erik Nost, a senior analyst in the security and risk group at Forrester Research.
"Organizations are all looking to inventory what they have and provide some perspective as to what they need to worry about," he says. "With attack path analysis, organizations can understand how attacks could be chained, how a vulnerability in an asset might relate to a certain family of malware, and if there are identities that live on this box that, if compromised, could then allow attackers to move to other boxes."
Exposure Focuses Increasingly on Identity
While vulnerability management firms have a natural evolution to exposure management, identity management and privileged access management (PAM) providers are increasingly transitioning as well. Typically, exposure management has been about vulnerabilities and misconfigurations, but many companies still have weaknesses due to overentitled accounts or users with a lot of standing privileges.
These are vulnerabilities as well, says Grady Summers, executive vice president of product at SailPoint Technologies.
"For so long, identity management was viewed as this compliance thing," he says. "But now customers are saying, 'Can you show me all the overentitled access or the orphaned access or uncorrelated access?' They're just realizing they had this blind spot to it."
Attack surface management and attack simulation companies are likely to shift their focus to exposure management as well. Cymulate, formerly a breach and attack simulation company, has shifted to continuous threat exposure management (CTEM), an acronym coined by Gartner, as a way of extending its focus on the attack surface and validation of vulnerabilities, says Carolyn Crandall, chief security advocate for Cymulate.
"Now security teams are getting hit by more threats ... [exposure management] helps them get ahead of the attackers by better prioritizing the vulnerabilities that need remediation," she says. "There's much more pressure now to do testing ... [to see whether] we get the outcomes we expected, and if not, how do we quickly understand those and then change?"
Adding Attack Paths Validates Threats
A key component of exposure management is validating that particular vulnerabilities are both reachable and exploitable by attackers. To determine whether a critical asset is at risk, companies have been focusing on constructing the potential path an attacker could take through the environment, using vulnerabilities in different systems to reach an end goal. Such attack paths validate that the combination of vulnerability scanning, analyzing permissions and identities, and measuring the criticality of assets results in a measurable risk.
A common attack path might involve compromising a Web server using an exploit for Log4j, escalating privileges, and then accessing a database. Using simulations to determine whether that attack is viable helps organizations prioritize patching and the implementation of new controls, says Mike DeNapoli, a cybersecurity architect and director at Cymulate.
"We can re-create this attack in a production-safe way — actually run it and determine, 'Is this merely viable, but we have controls that will compensate for these gaps?' or, 'Is this validated and this is an attack path that a threat actor could use?'" he says.
Often, compromising identity is a shorter way to achieve the same end, which is why it is so important to exposure management, says Tenable's Popp.
"If there is a very important customer database managed by Nico, and Nico is a privileged user but his identity has a lot of weaknesses — maybe his password is on the Dark Web, or maybe he doesn't have MFA [multifactor authentication] — then that's a risk," he says. "If Nico gets compromised, which is a pure identity attack, then my customer database will get compromised because the attacker, who can now pose as Nico, can fully access my customer database."