KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Thank you. Thank you. And good morning from my side. Yeah. My name is Stillman Iffa. I'm the sales director for exome cyber based in Munich, Germany. And today we speak about continuous exposure management and why a new approach with regard to vulnerability management is needed. A few words about the company, EXIM Cyber was founded by former intelligence officers from these a Israeli intelligence service in 2016. We are headquartered in near Tel Aviv and we were acquired in November 21 exactly on the 21st of November 21 by the Schwartz group, better known as Li and Schwartz in Germany.
And we are part of their cyber strategy to reinforce especially their supply chain. But obviously we are an independent company selling to many other customers as you can see here. One important point I want to mention is the Marsh McLennan Cyber Catalyst. XM Cyber is one of only 15 products, which Marsh recommends to bolster your IT security strategy. The reason for that is that exposures go beyond vulnerabilities. And I guess we all know that from experience, if you just concentrate on vulnerability management, you won't be successful.
And we can see that from all the daily breaches in organizations and companies because besides vulnerabilities, and I can tell you during proof of values, we detect really old vulnerabilities at customers. Yeah, that goes down to 2017. And the reason for that is that the vulnerability management didn't identify that particular vulnerability as important and as such the customer didn't patch it. But then an attacker comes and he can exploit it in in various ways. And I show you how that works Later. We have identity issues with cashed credentials.
For example, we all know that there is misconfigurations in the network. We have security controls, configuration issues. And last but not least, the active directory in most of the POVs we commence. We detect laptops with active directory access, which can be breached by a potential attacker. The reason why a new approach is necessary can be seen here if an attacker is able to enter into your network and he will be able, this is for sure, right? And I guess we can all agree on that. He will find a way towards the critical assets. This is what we talk about.
So for us it is important to protect your critical assets, your crown jewels, be it active directory, Azure are the domain controllers or any databases, financial systems that you want to make sure a real potential attacker can never ever access. The attacker will be able to bypass EDR and other controls. Actually during proof of values, we detect EDR systems which are disconnected, but show in the dashboard dashboard as active so it can be bypassed by an attacker. And then obviously the mix of the different exploits he will detect in your network.
He will use, and you can see that on the graph how an attacker moves from A to B. At the same time the IT security team is busy with fixing patches, right? I once had a meeting with a large automotive supplier and the head of SOC came late into the meeting and I asked him why he was late and he excused and he said that his vulnerability management said that he needs to patch 20 machines more or less. And that took a while. And I said, so what did you benefit now from? And he said, no, I, I don't benefit from it but I have to do it right?
So you have 200,000 vulnerabilities in that particular case and he's patching 20 machines, which doesn't lead you nowhere. The reason for that also is that you use siloed technologies, you have different dashboards from different solution, but you don't have the overview like the attacker has it, right? And that is the reason why attacks until today are still successful. The reason is you don't know where you are most vulnerable to be attacked. And as you can see on the graph here, the attacker finds different machines he can exploit until he reaches a critical asset.
And first and foremost that goes through so-called choke points, this is laptops from IT employees for example, where most attack passes goes through and we show you how to re, re remit remediate those choke points, right? So our slogan is one by one is never done. The reason for that is every day we see a huge amount of new exploits showing up and as I just said, larger organizations move between a couple of hundred thousands to even more vulnerabilities in front of them, which they are not able to patch.
So if you start patching vulnerability by vulnerability, this is an endless story, right? And the worst part is that most of those vulnerabilities you are patching and keep your IT security team busy with or the IT teams, they don't lead to nowhere. This is not vulnerabilities. If you patch them, you will be protected, right? And this disconnect between security and it is when garner grew the expression of continuous threat exposure management.
And the reason for that and the approach is excellent, is that security struggles in moving forward with their IT security strategy and the IT team is frustrated because this is never ending. It's a continuous stream of exposures they need to fix and this is never ending. And for security it's not going fast enough. So there's frustration on both sides, right?
And now we need to find a smarter way to improve the situation for both sides, IT security and the IT teams which are tasked with a lot of issues and they can't or can hardly cope with which results in the end in a deficit which is getting worse and worse between the rate of remediation and the exposure discovery rate, right? There's more and more exposure showing up and you can only deal with so many or with a, with a certain speed to re remediate the issues. So a smarter approach is needed and that can be seen here.
What we do is we identify obviously the common vulnerabilities and also through your risk-based vulnerability management vulnerabilities in the wild. But this is growing and growing and growing and very hard to deal with, right? I guess we can all agree with that one. So you need to validate what is important and what is less important, so to say. So you drill down into the exploitable exposures, you need to understand which of the exploits are indeed exploitable because if you remember I said 75% of the vulnerabilities keep people keep patching are not leading to a critical asset.
So this is mostly dead ends and this keeps the IT team busy. So you drill down into the really exploitable exposures and then you build an attack graph around it towards the critical assets as we have seen on an earlier slide, right? The famous attack graph, which is pretty unique in exome cyber. We have 30 patents globally on on that solution and, and that's why it's, it's unique. So by now we have reached a reduction of 75% just by identifying the right devices and machines which can be exploited.
And now comes the exciting part of XM cyber solution that you drill even further down and before you take pictures, there's one, one more coming here. The famous choke points, right? I mentioned earlier. So this is machines where most of the attack passes we can identify goes through. And the result is if you keep patching those choke points, which is usually just a few machines in your network, you have a 90% further reduction of the workload.
Meaning in reality, once an attacker enters into your network, be it through the DMM set and other ways, the attacker will not be able to reach any of your critical assets. And this is obviously a continuous project, right? You can't do it once. So we run 24 by seven by just exploring the telemetry data on the devices, not sending any malicious code through your network. So this is not automated pen testing.
Yeah, we do a tech pass management in a very unique way without sending any exploits through your network. So there is no false positives, we don't kill any applications, et cetera. So your IT team will very much appreciate the use of our solution because no additional false positives, no alarms, just concentrate on what you need to do first and foremost and be successful in reality, it looks pretty much like this.
That's a marketing slide obviously because you don't have all your critical assets in in one domain usually, but the critical asset is flagged in DIA one shape while all the other devices in in a round shape, right? So you can identify immediately your critical assets, active directory, domain controller, we can detect by ourselves any critical databases, et cetera. You have to flag in XM cyber as a critical asset acid. And now what we do is we start our simulation and we show you how a real attacker and it's just a simulation, right?
Because we know what is exploitable on which machine and we show you one of the possible attack passes towards a critical asset, but there might be many more. And before we actually show a real attack pass, customers are at times really amazed when they see which machines communicate with which, right? They were not aware that there is open connections between different different devices or even from branch offices in different countries towards the headquarter.
Yeah, we have seen that after APUC in the branch office, they forgot to close firewall ports, et cetera. And, and that happens in in real life, right? So this is one of the possible attack passes we have shown. Now there is additional passes we can identify five, we have also dead ends. If you see the highest severity vulnerability, this will be reflected in your vulnerability management as the highest severity vulnerability, but it's a dead end. It it doesn't lead to your critical assets, right? Or one particular critical asset.
So what IT teams do is they keep patching and patching, but this was obviously a dead end. But we have identified now the choke points in this particular case here. It's two devices which have the most possible attack passes, two towards critical assets. And this is what you patch. So this is the low hanging fruits, right? It's very simple. It reduces the workload so heavily that even the IT teams appreciate the solution so much because they can now laser focus on the vulnerabilities. And when I say vulnerability, I don't mean CVEs.
I mean all the, the exploits we saw on on one of the earlier slides, right? So your patch now the two devices and most of your network can't be exploited by a real attacker. And that looks on our dashboard pretty much like this in the aftermath. So blue is a color which indicates that a real attacker could identify the device but not breach it. Red obviously means he can detect and bridge it. Gray means he cannot even detect it. So with one glance into the dashboard, you can immediately identify if there is any risk to your crown jewels or not.
And believe me, none of our customers has a gray dashboard or just blue, right? This is not reality and there's no a hundred percent in IT security and we know that for sure, but we can ensure that a real attacker cannot reach your critical assets and you just, and, and this is not really a marketing slide, I mean it looks like, but in reality it reduces the workload so heavily that just 2% of exposures need to be remediated to avoid a real and serious attack. So on the dashboard of a customer, it looks pretty much like this. We show you the domains.
We have enrolled a small piece of software, a sensor, and in the cloud we connect through API calls, right? And then we, we show you your different domains and machines and we identify a security score. Usually customers when we start an engagement, they actually start somewhere in the fs. FF zero is the lowest score and a 100 the highest. And then you start working and usually you come up to AC score. And at the latest stage it varies between A and C. And this is what you see on the right hand side. So this is a, a customer with 24,000 sensors deployed in Barden, Wittenberg, Germany.
By the way, when you ask about size, that might be an interesting point. The owner of our company has deployed over 550,000 sensors. We have a couple of customers with more than 100,000 sensors and and we have also customer with only a thousand sensors or so.
Yeah, when we talk about supply chain attack, you can assume that there is a lot of smaller suppliers which deliver goods to automotive, to retailers, et cetera. And those companies want to ensure that a supply chain attack is not possible. So before and after you concentrate on the choke points and your network gets secure, your security score rises. And this is obviously a 24 by seven operation, which you can always monitor on the dashboard. Sure enough means We're running against time.
Okay, I'll be done quickly. So the good thing is now comes to life and IT security and the IT teams are happy and, and they share lunch in in the canteen together suddenly and are good friends because the processes are aligned and less painful for the IT teams. And one last slide I want to show you because that's important. This is where XM cyber shows its beauty. It's on one hand on the operational side and in particular obviously ransomware readiness is, is understood after that presentation.
I hope at least also it's early in the day, but OT security, many of our customers have a production environment and there is a lot of it before ot, right? And this can be hmis that can be jump boxes, you still see them, right? And we can protect those assets before real attacker can actually jump from from IT into the OT environment. And I want to point out a few business cases here. One is the digital transformation. You might have thought about. We have a customer in the UK and they were starting their digital transformation by integrating services into the cloud GCP in this case.
And they always had to deploy a service and then pen tested and they spent hundred of thousands of dollars on pen testing and it led to nowhere with EXIM cyber. We continuously monitor this process and can ensure that only people who should have access, have access. And so ensure a smooth digital transformation. Cyber risk reporting, we have sold it reports we provide for the management supply chain. I explained shortly, we ensure that no supplier breaches your network. And also interesting is m and a.
You want to make sure if you acquire a organization that you don't grant access to your active directory when they have ad password passwords littered around their place, right? So before you integrate an acquisition, you can make sure that their network security is up to speed. And with that, thank you very much and enjoy your day.
