BrandView

Without validation, exposure management is just a half measure


Exposure management and validation play an important role in strengthening an organization’s security capabilities, providing an attacker’s view of security vulnerabilities and insight into how well security controls and processes function when those weaknesses are targeted. It’s a critical part of continuous threat exposure management (CTEM), a program designed to optimize an organization’s short-term and long-term security posture through an ongoing process of scoping, discovery, prioritization, validation, and mobilization.

As CTEM practices become increasingly widespread, security vendors have rushed to position themselves as exposure management providers — but a closer examination reveals that many of them have adopted a partial approach. It isn’t enough to know that vulnerabilities exist. Modern businesses need to know which vulnerabilities actually matter to them — and which ones to fix first.

The Critical Role of Validation

Too many vendors ignore the role played by validation — a critical step that allows organizations to filter the hundreds (even thousands) of exposures revealed by various misconfiguration and vulnerability scanning solutions into a contextualized and prioritized list. Validation enables security teams to determine whether a vulnerability actually represents a threat, or whether compensating controls are effective at keeping would-be attackers at bay. By pinpointing the most pressing threats for security teams, validation helps organizations address the most dangerous threats first, rather than getting bogged down in a seemingly endless list of vulnerabilities.

It isn’t enough for vendors to repackage the same old vulnerability management technology under a different name: CTEM without validation cannot determine whether an exposure is actually exploitable in an organization’s specific environment. For example, when the Log4J vulnerability was revealed, many organizations rushed to patch their public-facing production web servers. But quickly patching a production server without proper testing is risky and can cause unintended service outages. With validation, an organization could instead confirm that compensating controls, such as a Web Application Firewall (WAF), detect and block requests attempting to exploit the Log4J vulnerability. That keeps the organization protected while giving the infrastructure team the time it needs to test the patch thoroughly before moving it into production.

These prioritization capabilities are a big deal for today’s organizations, many of which have limited security expertise and manpower. The ongoing cybersecurity skills gap has made it difficult to hire experienced talent, which means technology that makes life easier for existing employees can have an outsized impact. By automatically testing potential exposures, security validation allows security teams to direct their time and resources to the areas where they are needed the most. Security validation provides the context security teams need to determine which exposures attackers can actually leverage — enabling them to respond accordingly.
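To make the prioritization argument above concrete, here is an added toy model (not Cymulate's code or any product's logic): each scanner finding carries the outcome of a safe validation test, and that outcome, not the raw scanner score, decides both the order of remediation and the recommended action. Asset names, scores and outcomes are constructed, and the WAF-compensated Log4J entry mirrors the scenario in the previous section.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    SUCCEEDED = "succeeded"    # safe test reached the target unhindered
    DETECTED = "detected"      # a control alerted but did not stop it
    BLOCKED = "blocked"        # a compensating control stopped it
    NOT_TESTED = "not_tested"  # no validation run yet

@dataclass(frozen=True)
class Exposure:
    asset: str
    finding: str
    scanner_severity: float   # scanner's own 0-10 score (constructed values)
    internet_facing: bool
    validation: Outcome = Outcome.NOT_TESTED
    controls: tuple = ()      # controls exercised during validation

def priority_key(e: Exposure) -> tuple:
    """Lower sorts first: validation outcome outranks the raw scanner score."""
    tier = {Outcome.SUCCEEDED: 0, Outcome.NOT_TESTED: 1,
            Outcome.DETECTED: 2, Outcome.BLOCKED: 3}[e.validation]
    return (tier, not e.internet_facing, -e.scanner_severity)

def recommended_action(e: Exposure) -> str:
    if e.validation is Outcome.SUCCEEDED:
        return "remediate now: exploitable and no effective control"
    if e.validation is Outcome.NOT_TESTED:
        return "validate before acting: exploitability unknown"
    if e.validation is Outcome.DETECTED:
        return "tune control to block, then patch on the normal cycle"
    return f"compensated by {', '.join(e.controls)}: test patch, then deploy"

def prioritize(exposures):
    return sorted(exposures, key=priority_key)

# Constructed sample: the scanner's top score is not the top priority.
SAMPLE = [
    Exposure("web-prod-01", "Log4J vulnerability in app server", 10.0, True,
             Outcome.BLOCKED, ("WAF",)),
    Exposure("hr-app-03", "Auth bypass in internal portal", 6.5, False,
             Outcome.SUCCEEDED),
    Exposure("vpn-gw-02", "Outdated TLS stack", 7.5, True),
    Exposure("db-int-07", "Default credentials", 9.8, False,
             Outcome.DETECTED, ("EDR",)),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE):
        print(f"{e.asset:12} score={e.scanner_severity:<4} {recommended_action(e)}")
```

Run as a script, the output lists the internal auth bypass first and the WAF-compensated Log4J finding last, which is the inversion of the scanner's own ordering that validation is meant to produce.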

Validation Enables Timely Remediation

CTEM is on the rise as organizations look for ways to continuously improve their security capabilities amid today’s constantly evolving threat landscape. But it’s critical to remember that CTEM which doesn’t correlate exposure prioritization with full security validation is effectively just a half-measure. The true risk of any potential threat can only be understood within the proper context, and that means knowing which attack paths are feasible and whether existing security controls address them. By incorporating validation into exposure management, organizations can ensure their security teams are focusing on the most pressing threats first, remediating dangerous exposures before attackers have the opportunity to exploit them.

Authored by: David Kellerman, Field CTO, Cymulate
