Dynamic Entity Management


In cybersecurity, Dynamic Entity Management refers to the capability to continuously identify, define, track, and apply security policies and risk assessments to any relevant "entity" within or external to an organization, as these entities evolve or emerge. It moves beyond static asset lists to a flexible and adaptive approach for managing the security posture of an ever-changing digital landscape.

Here's a detailed breakdown of what Dynamic Entity Management entails:

Core Concepts and Components:

  1. Broad Definition of "Entity":

    • Unlike traditional asset management, which might focus solely on servers, endpoints, or applications, "entity" in this context is much broader. It can include:

      • Organizational Units: Departments, subsidiaries, business lines, specific projects.

      • People: Key executives, employees (e.g., privileged users), former employees, or specific threat actors.

      • Brands/Intellectual Property: Company names, product lines, logos, patents, trademarks.

      • Digital Footprint Components: Specific domains, subdomains, cloud accounts, SaaS instances, mobile apps.

      • Third Parties: Vendors, partners, suppliers, contractors.

      • Geographic Locations: Specific regions or data centers.

      • Events/Campaigns: High-profile marketing campaigns, mergers & acquisitions, or specific cyberattacks.

    • The key is that these entities are defined based on their relevance to the organization's risk profile and business operations.

  2. Continuous Discovery and Identification:

    • Automated processes are in place to constantly scan and identify new or changing entities across various sources (e.g., internet scans, cloud environment APIs, dark web monitoring, public records, internal data feeds).

    • This ensures that these new entities are immediately brought under security management as the organization expands, adopts new technologies, or engages with new partners.

  3. Flexible Definition and Categorization:

    • Users can define custom entities and their relationships. For instance, a "project entity" might encompass specific cloud instances, a unique set of employee accounts, and a particular third-party vendor.

    • Entities can be categorized and grouped based on their business criticality, data sensitivity, regulatory compliance requirements, or specific risk appetites.

  4. Dynamic Association of Security Policies and Controls:

    • Security policies, risk assessments, monitoring thresholds, and remediation workflows are not rigidly tied to IP addresses or hostnames but are dynamically applied to these entities.

    • As an entity changes (e.g., a project moves from development to production, a vendor acquires a new certification), the associated security policies and monitoring intensity can automatically adapt.

    • This enables granular control over security based on the entity's current state and context.

  5. Centralized Management and Contextual View:

    • Provides a unified platform or framework to view all defined entities and their associated security posture, risks, and compliance status.

    • Enables security teams to understand the aggregate risk associated with a particular project, brand, or third party, rather than just a collection of technical vulnerabilities.

  6. Integration with Risk Appetite:

    • Allows organizations to associate specific risk appetite levels (e.g., "averse," "cautious," "flexible," "open") directly with defined entities.

    • Security ratings and alerts are then contextualized to the entity's risk appetite, ensuring that deviations from the desired posture are highlighted appropriately.

Benefits of Dynamic Entity Management:

  • Comprehensive Visibility: Provides a complete and up-to-date view of the entire digital ecosystem, including elements that are often overlooked in traditional asset management.

  • Adaptive Security: Enables security programs to be more agile and responsive to business changes, as policies automatically adapt to the evolving nature of entities.

  • Contextual Risk Assessment: Allows for more accurate and relevant risk assessments by understanding the business context and relationships of different entities.

  • Improved Resource Allocation: Directs security resources more effectively by prioritizing risks associated with critical entities.

  • Enhanced Third-Party Risk Management: Streamlines the onboarding, monitoring, and offboarding of vendors by treating them as distinct, manageable entities.

  • Better Governance and Compliance: Facilitates demonstrating compliance by tracking security posture against specific entities and their associated regulatory requirements.

  • Reduced Manual Overhead: Automates the tracking and categorization of entities, reducing the manual effort involved in maintaining security inventories.

Example Scenario:

An organization launches a new, high-profile product. With Dynamic Entity Management:

  1. Define "New Product Launch" as an Entity: This entity includes the product's brand name, new marketing domains, associated cloud environments, and the third-party marketing agency involved.

  2. Assign Risk Appetite: The organization might assign an "Open" risk appetite for the new product's development speed (accepting some inherent risk for rapid deployment) but a "Cautious" appetite for its brand reputation and customer data.

  3. Automated Monitoring: The system continuously discovers and tracks all digital assets associated with this "New Product Launch" entity. It actively monitors for:

    • Sensitive data exposed in the new cloud environments.

    • Phishing attempts or impersonations of the new product's brand name.

    • Vulnerabilities found on the marketing domains.

    • Security posture changes of the third-party marketing agency.

  4. Dynamic Alerting: A high-priority alert is triggered immediately if a critical data leak is detected in the cloud environment (violating the "Cautious" appetite for data). If a minor vulnerability is found on a marketing domain (within the "Open" appetite for rapid deployment), it might be logged for later review or auto-remediated.
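The routing rule in this scenario (a finding becomes a high-priority alert only when its severity exceeds the appetite set for that entity's risk dimension, and an entity state change re-tunes the appetite) can be written as a small policy check. This is an added example, not ThreatNG's code; the appetite-to-tolerance mapping, the entity components and the findings are constructed for illustration.

```python
"""Entity-scoped alert routing against a per-dimension risk appetite.

Added illustration for the 'New Product Launch' scenario; not ThreatNG code.
The appetite thresholds, asset names and findings below are constructed.
"""
from dataclasses import dataclass

# Severities ordered so they can be compared numerically.
SEVERITY = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Appetite labels from the text mapped to the highest severity the entity
# owner absorbs without a high-priority alert (assumed mapping).
APPETITE_TOLERANCE = {"averse": 0, "cautious": 1, "flexible": 2, "open": 3}


@dataclass
class Entity:
    name: str
    components: set   # domains, cloud accounts, vendors tied to this entity
    appetite: dict    # risk dimension -> appetite label


@dataclass
class Finding:
    component: str    # asset on which the finding was observed
    dimension: str    # e.g. "customer_data", "brand", "deployment"
    severity: str
    summary: str


def route_finding(entity: Entity, finding: Finding) -> dict:
    """Return how a finding is handled for this entity: alert, log or ignore."""
    if finding.component not in entity.components:
        return {"action": "ignore", "reason": "component not in entity scope"}
    # A dimension the owner never set an appetite for is treated as strictest.
    appetite = entity.appetite.get(finding.dimension, "averse")
    exceeded = SEVERITY[finding.severity.lower()] > APPETITE_TOLERANCE[appetite]
    return {"action": "alert" if exceeded else "log", "entity": entity.name,
            "appetite": appetite, "severity": finding.severity,
            "summary": finding.summary}


def promote_to_production(entity: Entity) -> Entity:
    """Entity state change: once live, deployment risk is no longer accepted freely."""
    entity.appetite["deployment"] = "cautious"
    return entity


# Constructed sample entity and findings mirroring the scenario above.
launch = Entity(
    name="New Product Launch",
    components={"promo.example.com", "cloud-acct-prod", "agency-example"},
    appetite={"deployment": "open", "customer_data": "cautious", "brand": "cautious"},
)
leak = Finding("cloud-acct-prod", "customer_data", "critical", "public storage with PII")
minor = Finding("promo.example.com", "deployment", "low", "outdated server header")

if __name__ == "__main__":
    print(route_finding(launch, leak))    # alert: critical exceeds "cautious"
    print(route_finding(launch, minor))   # log: low is within "open"
```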

In essence, Dynamic Entity Management allows an organization to actively manage the security of its entire dynamic universe of digital elements, ensuring that its security strategy is always aligned with its current business context and risk tolerance.

ThreatNG, as an all-in-one external attack surface management, digital risk protection, and security ratings solution, is exceptionally well-suited to help an organization use Dynamic Entity Management. Its core capabilities directly support the continuous identification, tracking, and risk assessment of diverse entities, ensuring security policies and monitoring efforts dynamically adapt as these entities evolve or emerge.

External Discovery: ThreatNG performs purely external, unauthenticated discovery using no connectors. This is fundamental to Dynamic Entity Management because it allows ThreatNG to automatically identify and bring any new or evolving external entities into scope. For instance, if an organization launches a new product line with a dedicated brand name and associated web properties, ThreatNG's external discovery can immediately find the new domains, subdomains, and cloud exposures related to that brand, effectively onboarding "the new product brand" as a dynamic entity for security management. This ensures that entities that emerge or change are continuously monitored and assessed from an attacker's perspective.

External Assessment: ThreatNG's comprehensive external assessment ratings provide the granular data necessary for dynamically assessing the risk posture of various entities. ThreatNG can perform all the following assessment ratings:

  • Web Application Hijack Susceptibility: This score analyzes the externally accessible parts of web applications to identify potential entry points for attackers. If a "project entity" involves a newly deployed web application, ThreatNG's assessment would dynamically provide a hijack susceptibility score for that specific application, feeding into its overall risk profile and triggering alerts if it falls outside the project's defined risk tolerance.

  • Subdomain Takeover Susceptibility: ThreatNG evaluates this using external attack surface and digital risk intelligence that incorporates Domain Intelligence, analyzing subdomains, DNS records, and SSL certificate statuses. For a "brand entity," ThreatNG would continuously monitor for subdomain takeover susceptibility across all associated subdomains. If a critical marketing subdomain linked to the brand entity becomes vulnerable, ThreatNG's assessment would immediately highlight this deviation for the brand, enabling rapid remediation.

  • BEC & Phishing Susceptibility: Derived from Sentiment and Financials Findings, Domain Intelligence, and Dark Web Presence. For a "key executive" entity, ThreatNG would continuously assess their susceptibility to BEC and phishing, providing a dynamic risk score. If new compromised credentials associated with that executive are found on the dark web, their BEC & Phishing Susceptibility score would automatically increase, highlighting a dynamic shift in the risk posture of that entity.

  • Brand Damage Susceptibility: Derived from attack surface intelligence, digital risk intelligence, ESG Violations, Sentiment and Financials, and Domain Intelligence. For a "product line entity," ThreatNG would monitor for factors contributing to brand damage, such as negative news mentions or lawsuits. A sudden spike in negative sentiment related to the product line would dynamically increase its brand damage susceptibility, alerting relevant stakeholders to a shift in that entity's risk posture.

  • Data Leak Susceptibility: Derived from external attack surface and digital risk intelligence based on Cloud and SaaS Exposure, Dark Web Presence (Compromised Credentials), Domain Intelligence, and Sentiment and Financials. For a "cloud project entity," ThreatNG would continuously assess for data leak susceptibility based on its cloud and SaaS exposure. If new, publicly accessible cloud storage containing sensitive data is discovered for that entity, its data leak susceptibility rating would dynamically adjust, prompting immediate action.

  • Cyber Risk Exposure: Considers parameters from the Domain Intelligence module (certificates, subdomain headers, vulnerabilities, and sensitive ports), Code Secret Exposure, Cloud and SaaS Exposure, and compromised credentials. For a "third-party vendor entity," ThreatNG would continuously calculate its cyber risk exposure. If a significant vulnerability is detected on one of the vendor's internet-facing systems, the vendor's cyber risk exposure score would dynamically increase, alerting the organization to a potential supply chain risk from that specific entity.

  • Supply Chain & Third Party Exposure: Derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure. ThreatNG's ability to enumerate vendor technologies and assess cloud exposure directly contributes to dynamically managing "third-party entities." For example, if a critical software vendor (an entity) integrates a new cloud service that introduces a significant exposure, ThreatNG would detect this change and dynamically update that vendor's supply chain exposure rating.

  • Mobile App Exposure: ThreatNG evaluates the exposure of an organization's mobile apps through discovery in marketplaces and inspection for specific content such as Access Credentials and Security Credentials. For a "mobile application entity," ThreatNG continuously assesses its exposure. If a new app version is released and contains unintentionally exposed access credentials, ThreatNG dynamically updates the entity's risk profile, highlighting the new exposure.

Reporting: ThreatNG provides various reporting options, including Executive, Technical, Prioritized (High, Medium, Low, and Informational), Security Ratings, Inventory, Ransomware Susceptibility, and U.S. SEC Filings. ThreatNG's enhanced ability for users to define and measure their security ratings according to their risk appetite down to the granular level means these reports can be dynamically generated per entity. For instance, a report for a specific "project entity" can show its real-time security rating and list prioritized risks based on that project's unique risk appetite. It allows project managers and security teams to view the dynamic risk posture relevant to their specific area.

Continuous Monitoring: ThreatNG offers continuous monitoring of an organization's entire external attack surface, digital risk, and security ratings. This constant vigilance is paramount for Dynamic Entity Management. As entities change (e.g., a new cloud environment is spun up for a project, a vendor updates their infrastructure), ThreatNG immediately detects these changes. This ensures that the security posture of dynamically managed entities is always up-to-date, and any deviations from their defined risk appetite or policy are flagged in near real-time, enabling proactive management of the entity's risk.

Investigation Modules: ThreatNG's investigation modules provide deep insights into the components of dynamically managed entities, allowing for detailed analysis and validation of their security posture.

  • Domain Intelligence: Includes Domain Overview, DNS Intelligence, Email Intelligence, WHOIS Intelligence, and Subdomain Intelligence.

    • Example of ThreatNG helping: For a "subsidiary entity," ThreatNG's Subdomain Intelligence can dynamically discover all associated subdomains, their HTTP responses, headers, and technologies. If a critical subdomain of the subsidiary changes its server header to reveal sensitive information, ThreatNG identifies this, updating the subsidiary entity's risk profile and triggering a specific alert.

  • Sensitive Code Exposure: Discovers public code repositories and investigates their contents for sensitive data such as Access Credentials, Security Credentials, Configuration Files, and Database Exposures.

    • Example of ThreatNG helping: If a "development team entity" has a new public code repository, ThreatNG's Sensitive Code Exposure would dynamically scan it for exposed API keys (e.g., Stripe API key, Google API Key, AWS Access Key ID). The discovery of such a key would directly impact that team's entity risk score, prompting an immediate automated response to revoke the key and alert the team lead.

  • Cloud and SaaS Exposure: Identifies Sanctioned Cloud Services, Unsanctioned Cloud Services, Cloud Service Impersonations, and Open Exposed Cloud Buckets, as well as various SaaS implementations.

    • Example of ThreatNG helping: For a "specific project entity" using cloud services, ThreatNG's Cloud and SaaS Exposure would dynamically identify any newly configured open exposed cloud buckets or unsanctioned SaaS solutions. If an open bucket is found, the project's entity risk score would be updated, and an alert would be triggered to the project owner to address the exposure.

Intelligence Repositories (DarCache): ThreatNG's continuously updated intelligence repositories (DarCache) are crucial for enriching the dynamic risk assessment of entities with real-time threat context.

  • Compromised Credentials (DarCache Rupture): This repository identifies compromised credentials. For an "employee group entity" (e.g., sales team), ThreatNG would dynamically check for compromised credentials associated with their email domains. If new compromised credentials are found, the entity's risk profile would be updated, and a password reset could be automatically triggered for affected individuals.

  • Ransomware Groups and Activities (DarCache Ransomware): Tracks over 70 Ransomware Gangs. For an "industry vertical entity," ThreatNG could dynamically assess its susceptibility to new ransomware campaigns based on intelligence from DarCache Ransomware. This enables targeted security awareness campaigns or enhanced defensive postures for organizations within that vertical.

  • Vulnerabilities (DarCache Vulnerability): Provides a holistic and proactive approach to managing external risks and vulnerabilities, including NVD, EPSS, KEV, and Verified Proof-of-Concept (PoC) Exploits.

    • Example of ThreatNG helping: For a "critical application entity," ThreatNG's DarCache KEV would dynamically flag if any vulnerabilities actively being exploited in the wild are found on that application. This real-time threat context would immediately elevate the critical application entity's risk score, demanding urgent attention for patching or mitigation.

Complementary Solutions: ThreatNG's capabilities for Dynamic Entity Management can be powerfully combined with other security solutions to create a more integrated and automated security ecosystem.

  • ThreatNG and Governance, Risk, and Compliance (GRC) Platforms: ThreatNG provides dynamic risk assessments and security ratings for various entities, tailored to specific risk appetites.

    • Example of ThreatNG helping: ThreatNG reports a significant increase in Supply Chain & Third Party Exposure for a newly onboarded "critical vendor entity."

    • Example of ThreatNG and complementary solutions: This dynamic risk update from ThreatNG can automatically trigger a review process in the GRC platform for that specific vendor. The GRC platform can then generate a compliance report, assign ownership for due diligence, and update the organization's overall vendor risk posture, ensuring that risk management for that entity is always aligned with compliance requirements.

  • ThreatNG and Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG provides real-time alerts on the changing risk posture of dynamically managed entities.

    • Example of ThreatNG helping: ThreatNG identifies a "Critical" Data Leak Susceptibility associated with a "project entity" due to exposed cloud data containing PII.

    • Example of ThreatNG and complementary solutions: The SOAR platform ingests this entity-specific alert from ThreatNG and automatically initiates a tailored playbook. This playbook might involve suspending access to the exposed cloud resource, notifying the project owner and legal team, and launching a forensic investigation, all based on the specific impact to that defined project entity.

  • ThreatNG and Identity and Access Management (IAM) Systems: ThreatNG can identify compromised credentials and email intelligence for individual entities or groups.

    • Example of ThreatNG helping: ThreatNG's Dark Web Presence discovers compromised credentials for a specific "executive entity."

    • Example of ThreatNG and complementary solutions: This intelligence from ThreatNG can be fed into the IAM system, which then automatically triggers a forced password reset and mandates multi-factor authentication for that executive's account. This ensures that the identity posture for key individuals is dynamically secured in response to external threats.

  • ThreatNG and Asset Inventory / CMDB Solutions: ThreatNG dynamically discovers and categorizes external digital assets.

    • Example of ThreatNG helping: ThreatNG discovers a new set of domains and mobile applications associated with a "new product launch entity."

    • Example of ThreatNG and complementary solutions: ThreatNG can automatically push this newly discovered external entity and its associated assets into the organization's CMDB/asset inventory system. This continuously updates the CMDB with accurate external context, ensuring that all security tools that rely on the CMDB (e.g., vulnerability scanners, security policy engines) have a complete and dynamic understanding of the assets tied to each entity.
