Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: “So, are we actually safer now?”
Crickets.
The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure management was created to provide this context – to bridge the gap between remediation efforts and actual risk reduction. The market has responded with a flood of platforms claiming to deliver it. But the question security leaders are asking is: which exposure management platform actually does provide it?
In this article, I’ll break down the four dominant approaches to exposure management, explain what each can and can’t deliver, and lay out five evaluation criteria that help you separate platforms built to reduce risk for your unique business and environment from platforms built to report on risk in the wild.
Four Approaches, Four Architectures
Most exposure management platforms fall into one of four categories, each shaped by how the vendor built (or pieced together) the platform and how it processes data.
- Stitched portfolio platforms are the product of acquisition(s). A vendor buys point solutions – cloud security, vulnerability scanning, identity analytics, etc. – and bundles them under its own brand. In these platforms, each product retains its own data model and discovers its own subset of exposures. The vendor may then unify the exposures in a shared console, and that can look like integration. But in practice, each module still operates on its own data and produces its own findings, with little correlation or interconnection between them.
- Data aggregation platforms ingest findings from your existing scanners and third-party tools. Then they normalize the data and present it in a unified interface. These platforms can only work with what they receive. That means if ingested findings are disconnected, there’s no way to correlate how one exposure might enable the next.
- Single-domain specialist platforms go deep in one area: cloud misconfigurations, network vulnerabilities, identity exposures, or external attack surface. They deliver strong results, but only in their specific area of expertise. They run into challenges when exposures in one domain chain into exposures in another domain, and the platform has no way to model that relationship.
- Integrated platforms are built from scratch to discover and correlate multiple exposure types – credentials, misconfigurations, CVEs, identity issues, cloud configurations – in the same engine. The platform builds a digital twin of the environment and maps how attackers can move laterally from one exposure to the next – across on-prem, cloud, and hybrid boundaries.
Five Questions That Reveal What a Platform Can Really Do
The architecture behind each of the four approaches has real consequences for what your team can see, validate, and act on. How do you tell the difference when you’re evaluating? Start by asking these five questions:
1. How many exposure types can it discover – and how deeply does it analyze each?
CVEs account for roughly 25% of the exposures that attackers exploit. Misconfigurations, cached credentials, excessive permissions, and identity weaknesses make up the rest. Stitched portfolios are limited to what each acquired product was built to find. Aggregators can only normalize what their feeds provide. Single-domain platforms cover just one slice of the pie. An integrated platform should cover both existing and (especially) emerging exposure types – like AI workloads and machine identities – natively.
And coverage alone doesn’t tell you enough. What the platform actually knows about each exposure matters just as much. A platform that ingests findings from third-party tools is limited to the metadata those tools collect – their exploitability conditions, their remediation guidance, their research. A platform that discovers exposures natively controls every layer of data for each finding, from exploitability to fix. If your platform can’t see certain exposure types, you have blind spots. If it sees them but lacks depth, you’re working with noise.
2. Can it map attack paths across environments?
Some stitched products show attack paths. Those paths are derived from network topology and based on connectivity alone. The platform never models how an attacker would actually move laterally from one exposure to the next. Aggregators produce no paths at all, just normalized lists of disconnected findings.
The real test is whether the platform can trace paths across environment boundaries. An attacker who captures cloud credentials on-prem can bypass every cloud-native defense – because the path started outside the cloud platform’s visibility. An external-facing vulnerability may look low-priority in isolation, but if it maps to an internal entity with a path to a critical asset, it’s an emergency. Most platforms can’t draw those connections. They scan each environment on its own and leave the gaps between them uncharted.
3. Does it validate exploitability?
Most platforms check one or two conditions per exposure, limited by the metadata they store for each finding and the information they collect from each entity in your environment. But true validation means testing multiple conditions: Is the vulnerable library loaded by a running process? Is the port open and reachable? The platform should deliver binary answers – exploitable or not, reachable or not, path to critical assets or not – all grounded in your actual environment, not general assumptions.
4. Does it factor in security controls?
A CVSS 9.8 vulnerability blocked by a firewall cannot be used for lateral movement…because it’s blocked. A 5.5 identity exposure with a direct path to a domain controller is an emergency. Platforms that ignore firewalls, MFA, EDR, and segmentation can leave your team chasing findings that carry no real risk – and missing the ones that actually threaten your critical assets. If security controls aren’t part of the attack path analysis, your prioritization is pointing you in the wrong direction, and you’re still exposed.
5. How does it prioritize?
Prioritization should answer one question: Does this exposure put a critical asset at risk? Score-based ranking ignores your unique environment. Asset-tag-based ranking ignores the assets in the blast radius of an exposure. Assumed-path ranking never validates exploitability. All three of these can overwhelm IT teams because none of them connect findings to what the business actually needs to protect.
Effective prioritization starts with your critical assets and works backward. The platform needs to prove that the exposure is exploitable, that an attacker can reach it, and that the path leads to something the business can’t afford to lose. When a platform maps all of that in one graph, choke points emerge – places where one fix eliminates multiple attack paths. In large enterprise environments, that narrows the priority list to about 2% of all exposures.
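The ideas behind questions 2, 4 and 5 (cross-environment paths, controls as blockers, choke points) in a small working model. This is an added example, not XM Cyber's code or the method of any product; the asset names, exposure ids and the firewall/validation flags are all constructed for illustration.

```python
"""Choke-point prioritization on a constructed attack graph (added example,
not XM Cyber's code). Nodes are assets; each edge is an exposure with a
"validated exploitable here" flag and the controls that block it. Only
validated, unblocked exposures form paths; a path ends at the first
critical asset reached.
"""
from collections import Counter
# Constructed sample: (source, target, exposure_id, validated, blocked_by)
EXPOSURES = [
    ("internet",    "webserver",   "cve-web-rce",         True,  []),
    ("laptop",      "workstation", "phish-macro",         True,  []),
    ("vpn",         "fileserver",  "vpn-no-mfa",          True,  []),
    ("webserver",   "fileserver",  "web-svc-cached-cred", True,  []),
    ("workstation", "fileserver",  "smb-weak-share",      True,  []),
    ("webserver",   "hr-db",       "cve-db-9.8",          True,  ["firewall"]),  # CVSS 9.8 but blocked
    ("laptop",      "fileserver",  "cve-unloaded-lib",    False, []),            # library never loaded
    ("fileserver",  "domain-ctl",  "cached-domain-admin", True,  []),
    ("domain-ctl",  "prod-s3",     "dc-synced-cloud-key", True,  []),  # on-prem foothold into cloud
    ("domain-ctl",  "hr-db",       "db-svc-account",      True,  []),
]
ENTRY_POINTS = ["internet", "laptop", "vpn"]
CRITICAL_ASSETS = {"prod-s3", "hr-db"}   # the data stores the business cannot afford to lose

def viable_graph(exposures):
    """Adjacency list of exposures that are validated and not blocked by a control."""
    graph = {}
    for src, dst, exp_id, validated, blocked_by in exposures:
        if validated and not blocked_by:
            graph.setdefault(src, []).append((dst, exp_id))
    return graph

def attack_paths(exposures, entries=ENTRY_POINTS, critical=CRITICAL_ASSETS):
    """All simple paths (as lists of exposure ids) from an entry point to a critical asset."""
    graph, paths = viable_graph(exposures), []
    def walk(node, visited, used):
        if node in critical:
            paths.append(used)
            return
        for dst, exp_id in graph.get(node, []):
            if dst not in visited:
                walk(dst, visited | {dst}, used + [exp_id])
    for entry in entries:
        walk(entry, {entry}, [])
    return paths

def choke_points(exposures):
    """Exposures ranked by how many attack paths each sits on; the top entry is the choke point."""
    return Counter(e for path in attack_paths(exposures) for e in path).most_common()

def paths_left_after_fix(exposures, exp_id):
    """How many attack paths survive once one exposure is remediated."""
    return len(attack_paths([e for e in exposures if e[2] != exp_id]))
```

In this sample, fixing the cached domain admin credential on the file server removes every path to a critical asset, while the CVSS 9.8 database bug contributes no path at all as long as the firewall stands.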
What This Means for Your Team
The choice of platform architecture determines how secure your environment will be – and how your team spends its time getting there. Stitched and aggregated platforms can leave teams scrambling to reconcile their findings across tools, fighting with IT over remediations that may not reduce risk, and chasing exposures that lead to dead ends. Single-domain platforms deliver depth in one area but leave blind spots across the rest of the attack surface.
An integrated approach eliminates that overhead. It correlates exposures into validated attack paths, factors in the controls you’ve got in place, and identifies the fixes that eliminate the most risk with the fewest actions. When a remediation closes a choke point, continuous exposure management platforms update the graph in real time. That way, you know that exposures that once looked urgent now lead nowhere, and your priority queue always reflects current risk.
When your exposure management platform can validate exploitability, model security controls, and map every viable path to your critical assets – you can answer the question from the opening of this article (Are we actually safer?) with an honest yes.
Note: This article was thoughtfully written and contributed for our audience by Maya Malevich, Head of Product Marketing at XM Cyber.