Thank you and good morning from my side. My name is Tilman Epha, I'm the sales director for XM Cyber based in Munich, Germany. And today we speak about continuous exposure management and why a new approach with regard to vulnerability management is needed. A few words about the company, XM Cyber was founded by former intelligence officers from the Israeli intelligence service in 2016. We are headquartered in Herzliya near Tel Aviv and we were acquired in November 21, exactly on the 21st of November 21 by the Schwarz Group, better known as Lidl and Schwarz in Germany.
And we are part of their cyber strategy to reinforce especially their supply chain. But obviously we are an independent company selling to many other customers, as you can see here. One important point I want to mention is the Marsh McLennan Cyber Catalyst. XM Cyber is one of only 15 products which Marsh recommends to bolster your IT security strategy. The reason for that is that exposures go beyond vulnerabilities. And I guess we all know that from experience, if you just concentrate on vulnerability management, you won't be successful.
And we can see that from all the daily breaches in organizations and companies. Because besides vulnerabilities, and I can tell you during proof of values, we detect really old vulnerabilities at customers. That goes down to 2017. And the reason for that is that the vulnerability management didn't identify that particular vulnerability as important. And as such, the customer didn't patch it. Then an attacker comes and he can exploit it in various ways. And I'll show you how that works later. We have identity issues with cached credentials, for example.
We all know that there are misconfigurations in the network. We have security controls, configuration issues. And last but not least, Active Directory. In most of the POVs we commence, we detect laptops with Active Directory access, which can be breached by a potential attacker. The reason why a new approach is necessary can be seen here. If an attacker is able to enter into your network, and he will be able, this is for sure, right? And I guess we can all agree on that. He will find a way towards the critical assets. This is what we talk about.
So for us, it is important to protect your critical assets, your crown jewels, be it Active Directory, Azure AD, domain controllers, or any databases, financial systems, that you want to make sure a real potential attacker can never ever access. The attacker will be able to bypass EDR and other controls. Actually during proof of values, we detect EDR systems which are disconnected, but show in the dashboard as active.
So it can be bypassed by an attacker, and then obviously the mix of the different exploits he will detect in your network, he will use, and you can see that on the graph, how an attacker moves from A to B. At the same time, the IT security team is busy with fixing patches, right? I once had a meeting with a large automotive supplier, and the head of SOC came late into the meeting, and I asked him why he was late, and he excused himself, and he said that his vulnerability management said that he needs to patch 20 machines, more or less.
And that took a while, and I said, so what did you benefit now from? And he said, no, I don't benefit from it, but I have to do it, right? So you have 200,000 vulnerabilities in that particular case, and he's patching 20 machines, which doesn't lead you anywhere. The reason for that also is that you use siloed technologies, you have different dashboards from different solutions, but you don't have the overview like the attacker has it, right? And that is the reason why attacks until today are still successful.
The reason is, you don't know where you are most vulnerable to be attacked, and as you can see on the graph here, the attacker finds different machines he can exploit until he reaches a critical asset. And first and foremost, that goes through so-called choke points. These are laptops from IT employees, for example, where most attack paths go through, and we show you how to remediate those choke points, right? So our slogan is, one by one is never done. The reason for that is, every day we see a huge amount of new exploits showing up.
And as I just said, larger organizations move between a couple of hundred thousand to even more vulnerabilities in front of them, which they are not able to patch. So if you start patching vulnerability by vulnerability, this is an endless story, right? And the worst part is that most of those vulnerabilities you are patching and keep your IT security team busy with, or the IT teams, they don't lead anywhere. These are not vulnerabilities where, if you patch them, you will be protected, right?
And this disconnect between security and IT is when Gartner grew the expression of continuous threat exposure management. And the reason for that, and the approach is excellent, is that security struggles in moving forward with their IT security strategy, and the IT team is frustrated because this is never ending. It's a continuous stream of exposures they need to fix, and this is never ending. And for security, it's not going fast enough. So there's frustration on both sides, right?
And now we need to find a smarter way to improve the situation for both sides, IT security and the IT teams, which are tasked with a lot of issues and they can't or can hardly cope with, which results in the end in a deficit, which is getting worse and worse between the rate of remediation and the exposure discovery rate, right? There's more and more exposures showing up, and you can only deal with so many, or with a certain speed to remediate the issues. So a smarter approach is needed, and that can be seen here.
What we do is we identify, obviously, the common vulnerabilities, and also through your risk-based vulnerability management, vulnerabilities in the wild. This is growing and growing and growing, and very hard to deal with, right? I guess we can all agree with that one. So you need to validate what is important and what is less important, so to say. So you drill down into the exploitable exposures. You need to understand which of the exploits are indeed exploitable, because if you remember, I said 75% of the vulnerabilities people keep patching are not leading to a critical asset.
So this is mostly dead ends, and this keeps the IT team busy. So you drill down into the really exploitable exposures, and then you build an attack graph around it towards the critical assets, as we have seen on an earlier slide, right? The famous attack graph, which is pretty unique in XM Cyber. We have 30 patents globally on that solution, and that's why it's unique.
So by now, we have reached a reduction of 75% just by identifying the right devices and machines which can be exploited. And now comes the exciting part of XM Cyber's solution, that you drill even further down. And before you take pictures, there's one more coming here. The famous choke points, right, which I mentioned earlier. So these are machines where most of the attack paths we can identify go through. And the result is, if you keep patching those choke points, which is usually just a few machines in your network, you have a 90% further reduction of the workload.
Meaning, in reality, once an attacker enters into your network, be it through the DMZ and other ways, the attacker will not be able to reach any of your critical assets. And this is obviously a continuous project, right? You can't do it once. So we run 24 by 7 by just exploring the telemetry data on the devices, not sending any malicious code through your network. So this is not automated pen testing. We do attack path management in a very unique way, without sending any exploits through your network. So there are no false positives. We don't kill any applications, etc.
So your IT team will very much appreciate the use of our solution, because no additional false positives, no alarms. Just concentrate on what you need to do first and foremost, and be successful. In reality, it looks pretty much like this. That's a marketing slide, obviously, because you don't have all your critical assets in one domain, usually. But the critical asset is flagged in diamond shape, while all the other devices are in a round shape. So you can identify immediately your critical assets. Active Directory domain controllers we can detect by ourselves; any critical databases, etc.,
you have to flag in XM Cyber as a critical asset. And now what we do is we start our simulation, and we show you how a real attacker, and it's just a simulation, right? Because we know what is exploitable on which machine. And we show you one of the possible attack paths towards a critical asset. But there might be many more. And before we actually show a real attack path, customers are, at times, really amazed when they see which machines communicate with which.
They were not aware that there are open connections between different devices, or even from branch offices in different countries towards the headquarters. We have seen that after a POC in a branch office, they forgot to close firewall ports, etc. And that happens in real life, right? So this is one of the possible attack paths we have shown. Now there are additional paths we can identify. We have also dead ends. If you see the high severity vulnerability, this will be flagged in your vulnerability management as a high severity vulnerability, but it's a dead end.
It doesn't lead to your critical assets, right? Or one particular critical asset. So what IT teams do is they keep patching and patching, but this was obviously a dead end. But we have identified now the choke points. In this particular case here, it's two devices which have the most possible attack paths towards critical assets. And this is what you patch. So this is the low-hanging fruit, right? It's very simple. It reduces the workload so heavily that even the IT teams appreciate the solution so much because they can now laser focus on the vulnerabilities.
And when I say vulnerability, I don't mean CVEs, I mean all the exploits we saw on one of the earlier slides, right? So you patch now the two devices and most of your network can't be exploited by a real attacker. And that looks on our dashboard pretty much like this in the aftermath. So blue is a color which indicates that a real attacker could identify the device but not breach it. Red obviously means he can detect and breach it. Gray means he cannot even detect it. So with one glance into the dashboard, you can immediately identify if there is any risk to your crown jewels or not.
And believe me, none of our customers has a gray dashboard or just blue, right? This is not reality. And there's no 100% in IT security and we know that for sure. But we can ensure that a real attacker cannot reach your critical assets and you just, and this is not really a marketing slide, I mean it looks like, but in reality it reduces the workload so heavily that just 2% of exposures need to be remediated to avoid a real and serious attack. So on the dashboard of a customer, it looks pretty much like this. We show you the domains.
We have enrolled a small piece of software, a sensor, and in the cloud we connect through API calls, right? And then we show you your different domains and machines and we identify a security score. Usually customers, when we start an engagement, they actually start somewhere in the Fs. F0 is the lowest score and A100 the highest. And then you start working and usually you come up to a C score and at a later stage it varies between A and C. And this is what you see on the right hand side. So this is a customer with 24,000 sensors deployed in Baden-Württemberg, Germany.
By the way, when you ask about size, that might be an interesting point. The owner of our company has deployed over 550,000 sensors. We have a couple of customers with more than 100,000 sensors and we have also customers with only 1,000 sensors or so. When we talk about supply chain attack, you can assume that there are a lot of smaller suppliers which deliver goods to automotive, to retailers, etc. And those companies want to ensure that a supply chain attack is not possible. So before and after, you concentrate on the choke points and your network gets secure, your security score rises.
This is obviously a 24 by 7 operation which you can always monitor on the dashboard. The good thing is now CTEM comes to life and IT security and the IT teams are happy and they share lunch in the canteen together suddenly and are good friends because the processes are aligned and less painful for the IT teams. And one last slide I want to show you because that's important. This is where XM Cyber shows its beauty. It's on one hand on the operational side and in particular, obviously ransomware readiness is understood after that presentation, I hope at least, also it's early in the day.
But OT security. Many of our customers have a production environment and there is a lot of IT before OT, right? And this can be HMIs, that can be jump boxes, you still see them, right? And we can protect those assets before a real attacker can actually jump from IT into the OT environment. And I want to point out a few business cases here. One is the digital transformation you might have thought about.
We have a customer in the UK and they were starting their digital transformation by integrating services into the cloud, GCP in this case, and they always had to deploy a service and then pen test it. And they spent hundreds of thousands of dollars on pen testing and it led nowhere. With XM Cyber, we continuously monitor this process and can ensure that only people who should have access have access. And so ensure a smooth digital transformation. Cyber risk reporting, we have solid reports we provide for the management. Supply chain, I explained shortly.
We ensure that no supplier breaches your network. And also interesting is M&A. You want to make sure if you acquire an organization that you don't grant access to your Active Directory when they have AD passwords littered around their place, right? So before you integrate an acquisition, you can make sure that their network security is up to speed. And with that, thank you very much and enjoy your day. Thank you.
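The choke-point idea from the talk (rank hosts by how many attack paths from entry points to critical assets cross them, and treat severe exposures on no path as dead ends), as an added worked example that is not XM Cyber's code; the hostnames and the graph of exploitable hops are constructed for illustration:

```python
from collections import Counter

# Constructed toy attack graph (not real data): edge u -> v means an attacker
# who controls u can hop to v via some exploitable exposure (unpatched vuln,
# cached credential, misconfiguration). Hosts with no onward hops are omitted.
EDGES = {
    "dmz-web":     ["it-laptop-1", "file-srv"],
    "branch-pc":   ["it-laptop-1"],
    "file-srv":    ["it-laptop-1", "legacy-app"],  # legacy-app: severe CVE, dead end
    "it-laptop-1": ["jump-box", "db-prod"],
    "jump-box":    ["dc-01"],
}
ENTRY_POINTS = ["dmz-web", "branch-pc"]   # where an attacker first gets a foothold
CRITICAL_ASSETS = {"dc-01", "db-prod"}    # the crown jewels

def enumerate_attack_paths(graph, entries, targets):
    """Every simple path from an entry point to a critical asset."""
    paths = []
    def dfs(node, path):
        if node in targets:
            paths.append(list(path))
            return
        for nxt in graph.get(node, []):
            if nxt not in path:           # simple paths only, no cycles
                dfs(nxt, path + [nxt])
    for entry in entries:
        dfs(entry, [entry])
    return paths

def choke_points(paths, entries, targets):
    """How many attack paths cross each intermediate host (a Counter)."""
    counts = Counter()
    for path in paths:
        for host in path:
            if host not in entries and host not in targets:
                counts[host] += 1
    return counts

def paths_remaining_after_fixing(paths, host):
    """Attack paths still open once the exposures on `host` are remediated."""
    return [p for p in paths if host not in p]

def dead_ends(graph, entries, targets, counts):
    """Reachable hosts that sit on no attack path: exposures there can wait."""
    seen, stack = set(), list(entries)
    while stack:
        node = stack.pop()
        seen.add(node)
        stack.extend(n for n in graph.get(node, []) if n not in seen)
    return {h for h in seen - targets - set(entries) if counts[h] == 0}
```

On the sample graph, it-laptop-1 ranks first because all six paths cross it, so remediating that one host alone closes every path, while the severe CVE on legacy-app is on no path at all.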