Exception Management


Exception Management in cybersecurity is a formalized, highly controlled process for temporarily deviating from established security policies, standards, or baseline configurations for a specific period or set of assets. It is a necessary governance function that allows an organization to temporarily accept a known, quantifiable risk to meet critical business or operational requirements.

Purpose and Need

Security policies are designed to be comprehensive and prescriptive, but real-world operational needs often necessitate exceptions.

  • Enabling Business Operations: A common need for exception management arises when a critical, legacy application cannot be patched immediately due to compatibility issues, or when a development team requires temporary, privileged access that violates standard access control rules to perform urgent maintenance.

  • Controlling Known Risk: Instead of ignoring a violation, the exception management process brings the risk under a formal review and approval structure. This turns an unmanaged vulnerability into a managed and accepted risk.

Core Elements of a Formal Exception Process

A robust exception management program ensures that deviations are not treated as permanent policy waivers but as temporary, conditional grants of risk.

  • Justification and Documentation: The requesting party must provide a clear and compelling business rationale for the exception and specify why the standard security control cannot be met. The specific vulnerability or policy violation must be meticulously documented.

  • Risk Quantification: Security and risk teams must formally assess the potential impact and likelihood of the exception's associated risk. This often involves modeling risk using quantitative (monetary) or qualitative (high, medium, low) terms.

  • Compensating Controls: Crucially, the process requires defining compensating controls: alternative security measures put in place to mitigate the risk that the standard control would have addressed. For example, if multi-factor authentication (MFA) is exempted for a system, a compensating control might be restricting access to that system to a closely monitored, internal-only virtual private network (VPN).

  • Defined Sunset Date: All exceptions must have a mandatory expiration date (a "sunset date"). This ensures the risk is not perpetually accepted and forces a mandatory re-review or remediation effort.

  • Formal Approval: The exception must be reviewed and approved by individuals with the appropriate authority, often including the asset owner, the security team, and, for high-risk exceptions, executive management.

Exception Management is fundamentally a governance activity that allows organizations to balance the strict requirements of security with the dynamic needs of the business.

ThreatNG's capabilities are specifically designed to manage and document exceptions to security policies through its Policy Management (DarcRadar) feature, which provides granular control over the investigation and risk-scoring processes. This allows an organization to define and manage deviations from its security policy formally.

ThreatNG's Role in Exception Management

Policy Management (DarcRadar)

The core functionality for Exception Management resides within ThreatNG’s Policy Management solution, DarcRadar. The platform's Exception Management feature provides granular control over which issues are investigated.

  • Formalizing Exceptions: Instead of ignoring a known risk, an organization can use the Exception Management feature to record and manage the policy deviation. This transforms an accepted risk from an informal understanding into a controlled, documented element of the security posture.

  • Granular Control Example: If a company must temporarily run a marketing site that does not redirect HTTP to HTTPS (a finding flagged in the Cyber Risk Exposure assessment) for a short campaign, it can use DarcRadar to create an exception scoped to that particular subdomain and to that single finding, with a defined sunset date. The platform then stops reporting the missing redirect as a "High" risk for that subdomain during the campaign, while every other finding on the subdomain, and the same finding on every other subdomain, continues to be flagged. The business need is met without silencing anything beyond the deviation that was actually approved.

External Discovery and External Assessment

ThreatNG’s assessments provide the precise, technical findings that necessitate or validate an exception.

  • Identified Known Vulnerabilities: If ThreatNG’s Data Leak Susceptibility assessment uncovers an Identified Known Vulnerability at the subdomain level, and the vulnerability affects a mission-critical legacy system that cannot be patched, an exception may be warranted. ThreatNG provides the exact asset and vulnerability identifier needed to create a granular exception in DarcRadar, so the exception covers that one vulnerability on that one asset and nothing more.

  • Subdomain Takeover Susceptibility: If ThreatNG validates a "dangling DNS" state (e.g., a CNAME record pointing to an inactive resource on a Heroku or Vercel platform), and the legal team has confirmed the resource is scheduled for deletion within two weeks, an exception can be set with a two-week sunset date. Because anyone able to register the missing resource can claim the subdomain for as long as the record dangles, the exception should also record a compensating control (typically removing or repointing the CNAME before the resource is deleted) rather than relying on the short window alone.

Continuous Monitoring and Reporting

ThreatNG's continuous functions ensure exceptions are temporary and correctly reflected in the overall risk picture.

  • Continuous Monitoring: This feature ensures that the accepted risk is not forgotten. Once the sunset date of an exception is reached, Continuous Monitoring immediately reassesses the asset. If the original finding (e.g., an expired SSL certificate) is still present, it is reactivated at full weight in the system's risk rating.

  • Reporting: ThreatNG's Security Ratings (A-F) and Prioritized Reports will reflect the impact of the exception. During the exception period, the asset's risk score is modified (based on the compensating controls defined in DarcRadar), ensuring that executives and technical teams understand the managed risk without the exception dominating the top risk list.
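The two behaviours described above, a scoped suppression that reduces a finding's reported severity only while an exception is active, and automatic reactivation once the sunset date passes, are easy to get wrong when implemented against raw scanner output (the usual mistake is to suppress a whole host rather than one finding). The following is an added, stand-alone illustration of that logic in Python; it is not DarcRadar or any other ThreatNG code, and the hostnames, the "no-https-redirect" and "expired-certificate" check identifiers, the 90-day cap and the exception fields are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Finding:
    """One scanner result. Field and check names are assumptions for this example."""
    asset: str      # hostname the scanner flagged
    check: str      # finding type, e.g. "no-https-redirect"
    severity: str   # scanner's native severity


@dataclass
class PolicyException:
    """An exception record scoped to one asset pattern AND one check, never a whole host."""
    exc_id: str
    asset_pattern: str                 # glob such as "promo.example.com" or "*.legacy.example.com"
    check: str                         # only this finding type is excepted on the matched assets
    sunset: date                       # mandatory expiry date (inclusive)
    justification: str
    approver: str
    compensating_controls: list = field(default_factory=list)
    adjusted_severity: str = "Low"     # how the finding is reported while the exception is active

    def is_active(self, today: date) -> bool:
        return today <= self.sunset

    def covers(self, finding: Finding) -> bool:
        return self.check == finding.check and fnmatchcase(finding.asset, self.asset_pattern)


def validate_exception(exc: PolicyException, today: date, max_days: int = 90) -> list:
    """Reasons to reject the request; an empty list means it can go to the approver."""
    problems = []
    if not exc.justification.strip():
        problems.append("missing business justification")
    if not exc.approver.strip():
        problems.append("no approver recorded")
    if exc.sunset <= today:
        problems.append("sunset date must be in the future")
    elif (exc.sunset - today).days > max_days:
        problems.append(f"sunset more than {max_days} days out; use a shorter exception")
    if not exc.compensating_controls:
        problems.append("no compensating control defined")
    return problems


def apply_exceptions(findings, exceptions, today: date) -> dict:
    """Map each finding to (status, effective_severity, exception_id).

    'open'        no exception covers the finding
    'excepted'    an active exception covers it; reported at the adjusted severity
    'reactivated' every covering exception has passed its sunset date but the
                  finding is still present, so it returns at full severity
    """
    results = {}
    for f in findings:
        covering = [e for e in exceptions if e.covers(f)]
        active = [e for e in covering if e.is_active(today)]
        if active:
            e = min(active, key=lambda e: e.sunset)          # soonest sunset governs
            results[f] = ("excepted", e.adjusted_severity, e.exc_id)
        elif covering:
            e = max(covering, key=lambda e: e.sunset)        # most recently expired
            results[f] = ("reactivated", f.severity, e.exc_id)
        else:
            results[f] = ("open", f.severity, None)
    return results


# Constructed sample scan output; the hostnames are not real assets.
FINDINGS = [
    Finding("promo.example.com", "no-https-redirect", "High"),
    Finding("promo.example.com", "expired-certificate", "High"),  # same host, other check: not excepted
    Finding("www.example.com", "no-https-redirect", "High"),      # other host, same check: not excepted
]

EXCEPTIONS = [
    PolicyException(
        exc_id="EXC-0001", asset_pattern="promo.example.com", check="no-https-redirect",
        sunset=date(2025, 3, 31),
        justification="Campaign landing page; redirect breaks tracking until the site is migrated",
        approver="asset-owner@example.com",
        compensating_controls=["no credential or payment forms served", "WAF in front of host"],
    ),
]

# A request the validator should reject: no approver, no controls, sunset already passed.
BAD_REQUEST = PolicyException(
    exc_id="EXC-0002", asset_pattern="*.legacy.example.com", check="expired-certificate",
    sunset=date(2025, 2, 15), justification="Legacy app; renewal blocked", approver="",
)


def run_scan(today_iso: str) -> dict:
    """Apply the register to the sample findings as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return {(f.asset, f.check): r for f, r in apply_exceptions(FINDINGS, EXCEPTIONS, today).items()}


if __name__ == "__main__":
    for day in ("2025-03-01", "2025-04-01"):
        print(f"--- scan as of {day} ---")
        for (asset, check), (status, sev, exc_id) in run_scan(day).items():
            print(f"{asset:20} {check:22} {status:12} {sev:5} {exc_id or '-'}")
```

Run as of 2025-03-01 the missing redirect on promo.example.com is reported as "Low" under EXC-0001, while the expired certificate on the same host and the same missing redirect on www.example.com stay "High", because the exception matches on both asset and check. Run as of 2025-04-01, the day after the sunset, the same finding comes back as "reactivated" at "High" with the exception identifier still attached, which is the audit trail a reviewer wants when deciding whether to remediate or re-approve. The validator refuses BAD_REQUEST for three separate reasons, mirroring the justification, approval, sunset and compensating-control requirements listed earlier on this page.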

Investigation Modules and Intelligence Repositories

These modules provide the context to justify or reject an exception and to define compensating controls.

  • Worked Example (Compensating Controls):

    • An exception is requested for an exposed SSH port (a finding in Subdomain Intelligence) for a specific, temporary administrative task.

    • ThreatNG's IP Intelligence is used to verify that the exposed SSH port is reachable only from a known, allow-listed country and ASN. This network-based access restriction serves as the compensating control and is formally documented in DarcRadar's exception record, together with the sunset date after which the port is expected to be closed again.

  • Intelligence Repositories (DarCache Vulnerability): The DarCache Vulnerability integrates context, such as KEV (Known Exploited Vulnerabilities). If an exception is requested for an unpatched server, and DarCache shows the vulnerability is actively being exploited in the wild (KEV) and a Verified Proof-of-Concept Exploit exists, the security team would use this context to deny the exception request due to the extreme, proven risk.

Cooperation with Complementary Solutions

The formalized nature of ThreatNG’s Exception Management can enhance cooperation with other systems.

  • Working with IT Service Management (ITSM) Solutions: ThreatNG can automatically share the creation or expiration of an exception with a complementary ITSM solution (e.g., ServiceNow). When an exception is approved in DarcRadar, ThreatNG creates a corresponding ticket in the ITSM system with the justification and sunset date. This ensures that the operational side uses the ITSM ticket to schedule the required remediation work before the exception expires.

  • Working with Log Management and Monitoring Systems: If an exception is granted for a highly monitored asset, ThreatNG can share details of the compensating controls (e.g., the required WHOIS Privacy for a specific domain) with a complementary logging system (e.g., Splunk, Datadog). The monitoring system can then use this policy information to create high-priority alerts for any attempt to bypass the defined compensating controls, thus maintaining control over the managed risk.
