Primer: How Epiphany Works
Armed With Data, Teams Can Focus on Closing the Biggest Gaps First
The Epiphany Intelligence Platform takes a “target first” perspective to identify, validate, and prioritize ways in which misconfigurations or vulnerabilities can pose risks to your business. In other words, the platform takes an asset (a device, user, or application) designated as critical to your business, then works outward to every potential risk, qualifying the validity of each path and evaluating the potential for it to be used by malicious actors. The result of this analysis is a graphical representation of different “attack paths” (in other words, ways an attacker can reach those critical assets), ranked by the following:
Value: items of value to malicious actors and attackers.
Resistance: controls in place to deter malicious actors.
Complexity: the ease with which a risk can be exploited.
Additionally, the platform has a recommendations engine that highlights risks and provides guidance for eliminating or mitigating them within the attack paths. Armed with this data, teams can focus their energy on closing the biggest gaps and gradually move to the more exotic and less exploitable attack paths.
In order to do this, Epiphany has to understand:
Identities
Devices
Networks
Vulnerabilities
These troves of information are ingested and then fed into our analysis algorithms to expose and prioritize risk.
But Why These Data Sources, and What Do They Do?
Epiphany must first understand the concept of an “identity” and what that identity (generally a person) can do. Think of an identity in Epiphany as a collection of information that describes:
The attributes that define someone.
What assets this person uses.
What applications this person uses or has access to.
What privileges this person has.
This information provides a picture of what capabilities someone has within an environment.
After this, Epiphany must build a map of the overall environment so that it can be correlated back to identities. This map represents the relationships between user identities and the resources within the business that each identity can access, both directly and indirectly. Indirect access, such as implicit permissions and other inherited structures, is often much harder to see than direct access.
At this point, the question Epiphany is trying to fundamentally understand is “how bad could it be if this person is compromised?”
Note that what a user does access is different from what the user can access.
With the persons and permissions of an environment mapped, Epiphany finds where each person’s identities are associated with devices. Devices represent one type of “foothold” (i.e., a point where an attacker can gain access to an environment) or a mechanism by which an attacker can pivot along an attack path. There are an enormous number of relationships between devices and identities in most environments, but only a small subset is valuable to Epiphany: those that can allow an attacker to progress to a target (i.e., a critical asset).
There are factors that can slow or stop an attacker from progressing to a target along an attack path. Things like antivirus, endpoint detection and response (EDR), intrusion detection systems (IDS), firewalls, and so on, represent resistance. Epiphany must understand these points of resistance to prioritize:
How significant one risk is over another within the environment.
Which vulnerabilities need to be addressed first to mitigate the greatest risks.
A final note on the concept of critical assets: a critical asset is simply a resource that an organization deems important to its continued operation – having it degraded, destroyed, or modified in any undesired fashion has a significant impact on the organization’s ability to operate. Critical assets are often subjective, and as such are defined within Epiphany by the organization’s users.
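To make the value/resistance/complexity ranking and the role of resistance concrete, here is an added Python example. It is my own illustration, not Epiphany's code, data model or scoring: the environment (a laptop, two identities, a file server, a backup console and one critical database), the per-hop "ease" values, the control weights and the risk formula are all constructed assumptions. It builds the identity/device/application map as a directed graph, enumerates loop-free paths from a foothold device to a critical asset, scores each path, ranks them, and lists the uncontrolled pivot points on each path where adding resistance would break it.

```python
"""Toy attack-path ranking: a constructed illustration, not Epiphany's algorithm."""
from dataclasses import dataclass, field

# Assumed resistance each control contributes when it sits on a node of a path
# (constructed weights for illustration only).
CONTROL_WEIGHTS = {"edr": 2.0, "mfa": 3.0, "ids": 1.0}


@dataclass
class Node:
    name: str
    kind: str                       # "identity", "device", "application" or "asset"
    controls: list = field(default_factory=list)
    value: float = 0.0              # only meaningful for critical assets


@dataclass
class Edge:
    src: str
    dst: str
    ease: float                     # 1.0 = a granted permission; lower = needs exploitation
    why: str                        # the relationship the edge represents


def build_sample_environment():
    """Constructed sample environment: one foothold laptop, one critical database."""
    nodes = {n.name: n for n in [
        Node("dev:laptop-01", "device", ["edr"]),
        Node("user:alice", "identity"),
        Node("dev:fileserver", "device"),
        Node("user:svc-backup", "identity"),
        Node("app:backup-console", "application", ["mfa"]),
        Node("asset:finance-db", "asset", value=9.0),
    ]}
    edges = [
        Edge("dev:laptop-01", "user:alice", 0.6, "cached credentials on device"),
        Edge("user:alice", "dev:fileserver", 1.0, "direct share permission"),
        Edge("dev:fileserver", "user:svc-backup", 0.5, "service account token on host"),
        Edge("user:svc-backup", "asset:finance-db", 1.0, "database role membership"),
        Edge("user:alice", "app:backup-console", 0.8, "inherited group membership"),
        Edge("app:backup-console", "asset:finance-db", 0.9, "console stores DB credentials"),
    ]
    return nodes, edges


def simple_paths(edges, start, goal):
    """Depth-first enumeration of loop-free paths from start to goal, each a list of edges."""
    out = {}
    for e in edges:
        out.setdefault(e.src, []).append(e)
    results = []

    def walk(node, visited, trail):
        if node == goal:
            results.append(list(trail))
            return
        for e in out.get(node, []):
            if e.dst not in visited:
                visited.add(e.dst)
                trail.append(e)
                walk(e.dst, visited, trail)
                trail.pop()
                visited.discard(e.dst)

    walk(start, {start}, [])
    return results


def path_nodes(path):
    return [path[0].src] + [e.dst for e in path]


def score_path(nodes, path):
    """risk = value * ease / (1 + resistance): a valuable target reached by easy hops
    through few controls ranks highest. Returns (risk, ease, resistance)."""
    ease = 1.0
    for e in path:
        ease *= e.ease                                   # complexity: product of hop ease
    resistance = sum(CONTROL_WEIGHTS.get(c, 0.0)
                     for n in path_nodes(path) for c in nodes[n].controls)
    value = nodes[path[-1].dst].value
    return value * ease / (1.0 + resistance), ease, resistance


def uncontrolled_pivots(nodes, path):
    """Devices/applications on the path with no control: the first place to add resistance."""
    return [n for n in path_nodes(path)
            if nodes[n].kind in ("device", "application") and not nodes[n].controls]


def rank_paths(nodes, edges, footholds, targets):
    """Enumerate foothold->target paths and return them sorted by descending risk."""
    ranked = []
    for f in footholds:
        for t in targets:
            for p in simple_paths(edges, f, t):
                risk, ease, res = score_path(nodes, p)
                ranked.append({"risk": risk, "ease": ease, "resistance": res,
                               "nodes": path_nodes(p), "edges": p})
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    nodes, edges = build_sample_environment()
    for r in rank_paths(nodes, edges, ["dev:laptop-01"], ["asset:finance-db"]):
        print(f"risk={r['risk']:.3f} ease={r['ease']:.3f} resistance={r['resistance']:.0f}")
        print("  path:", " -> ".join(r["nodes"]))
        print("  fix first:", uncontrolled_pivots(nodes, r["edges"]) or "no uncontrolled pivot")
```

Run as a script, the path through the unprotected file server and the backup service account ranks above the path through the MFA-protected backup console even though the second path has fewer hops, because resistance on the path counts against it; the "fix first" line points at the file server as the cheapest place to add a control, which is the kind of recommendation the primer describes.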