Exposure management starts with identity
While concepts like zero trust, XDR and threat intelligence are valuable in cybersecurity, the fundamental imperative today is exposure management: understanding where critical vulnerabilities lie and remediating them swiftly. To manage cyber exposure effectively, the work must begin where the risk is greatest: identity, and more specifically Active Directory.
The decades-old backbone of enterprise identity often carries outdated configurations and insufficient protection. Although it holds the keys to an environment's most valuable assets, many organisations neglect it. Instead of cleaning it up, they layer on 'next-gen' defences and hope for the best. But the truth is simple: you cannot manage cyber exposure without starting with identity, and that means getting serious about fixing Active Directory.
The white paper titled 'A Blueprint for De-Risking Identity' makes this painfully clear. While organisations obsess over external threats and perimeter tools, the state of their internal identity stores remains poor: over-privileged accounts, orphaned credentials, forgotten entitlements, little visibility and no governance. Consequently, organisations are surprised when attackers walk through the front door.
Attackers, however, are well aware of weak identity hygiene within organisations. Identity is the critical pivot point in nearly every breach, including ransomware, APT intrusions and data theft. Once they have initial access, adversaries use the existing weaknesses in an organisation's identity architecture to escalate privileges and move laterally. This is not a peripheral issue; it is the core problem.
The situation is exacerbated by the rise of hybrid environments, where syncing on-premises Active Directory with cloud platforms such as Azure or AWS carries the same weaknesses into a new attack surface. As Jamie Norton, former CISO of the Australian Taxation Office, cautions: "Carrying across potential vulnerabilities to the cloud will just increase your attack surface." Cloud adoption does not resolve poor identity hygiene; it amplifies it.
That's exactly why the Australian Signals Directorate (ASD), alongside its Five Eyes counterparts, recently issued new guidance on detecting and mitigating Active Directory compromises. That kind of international coordination doesn't happen for minor risks. Active Directory is under siege, and the national cyber agencies know it, even if organisational boards have yet to fully grasp it.
So, why the hesitation among security leaders? The report suggests that while many recognise the dangers, they feel overwhelmed by the sheer complexity of the problem. Identity architecture is often fragmented across silos, ownership is ambiguous, and specialised skills are scarce. Furthermore, the arduous, unglamorous and often invisible work of remediating Active Directory issues has little appeal.
Too bad. Do it anyway.
This isn’t a one-and-done exercise. As Sandeep Taileng, Information Security Leader at State Trustees, emphasises, a ‘big bang’ solution is unrealistic. Cleaning up identity stores requires a phased, pragmatic approach — starting with low-risk groups, building momentum and securing executive backing along the way. It’s security hygiene 101.
Like brushing your teeth, the task is tedious, but neglecting it will inevitably lead to severe consequences. Unlike dental issues, however, the 'rot' in this context translates to domain-wide compromise and widespread ransomware propagation. If security leaders are unwilling to address these fundamental issues, discussions about advanced concepts like 'zero trust' become moot.
Exposure management isn’t just another buzz phrase; it’s a mindset shift. It demands visibility across the entire attack surface but prioritises fixing the risks that matter most. That’s why identity — and specifically Active Directory — must be step one. Without controlling access, effective protection of other assets remains impossible.
This is not just a security risk, it’s a business risk. Orphaned accounts drive up cloud licensing costs. Lack of identity governance leads to operational sprawl. Worse, it erodes trust. Ask any CISO who’s tried to explain to the board how a dormant admin account no one remembered brought the whole company down.
The white paper doesn’t pull punches and reveals a critical failing. Most organisations lack a complete inventory of access permissions. That’s indefensible. If you don’t know what you own, you can’t protect it. If you don’t know who has access, you’re already breached; you just haven’t noticed yet.
Legacy identity systems are inherently fragile, and addressing their core issues demands collaborative buy-in across infrastructure, HR, compliance and the C-suite. Security is not about convenience, but about the imperative to safeguard the organisation, its employees and its customers.
Ultimately, exposure management's success hinges on how well an organisation manages identity. That means building an inventory of accounts and entitlements, enforcing least privilege, integrating HR triggers so that joiner, mover and leaver events change or remove access, running pen tests, auditing regularly and automating wherever possible.
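The inventory, least-privilege review and HR-trigger steps above can be started with a single recurring script. The following is an added example written for this article; it is not code from the white paper, the ASD guidance or any vendor. It assumes the RSAT ActiveDirectory module, read access to the domain, and an HR export CSV with an EmployeeNumber column (the path, column name and the thresholds are assumptions). It inventories the members of high-privilege groups, flags dormant, orphaned, stale and Kerberoastable accounts, and lists accounts still carrying the adminCount leftover of past privilege.

```powershell
#Requires -Modules ActiveDirectory
# Added example for this article, not code from the white paper or the ASD guidance.
# Assumptions: RSAT ActiveDirectory module, domain read access, and an HR export
# with an EmployeeNumber column. Path, group list and thresholds are hypothetical.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$DormantDays  = 90      # no logon in this window => dormant
$StalePwdDays = 365     # password older than this => stale
$HrExportPath = 'C:\exports\hr_active_employees.csv'   # hypothetical HR feed

$hrActive    = @(Import-Csv -Path $HrExportPath | ForEach-Object { $_.EmployeeNumber })
$logonCutoff = (Get-Date).AddDays(-$DormantDays)
$pwdCutoff   = (Get-Date).AddDays(-$StalePwdDays)
$props = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires', 'Enabled',
         'EmployeeNumber', 'ServicePrincipalName', 'adminCount'

# Step 1: build the inventory. -Recursive expands nested groups, which is where
# forgotten entitlements usually hide. Keyed by DN so a user in several groups is
# evaluated once but reported with every group that grants the privilege.
$inventory = @{}
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $inventory.ContainsKey($_.DistinguishedName)) {
                $inventory[$_.DistinguishedName] = [System.Collections.Generic.List[string]]::new()
            }
            $inventory[$_.DistinguishedName].Add($group)
        }
}

# Step 2: evaluate every privileged user against the hygiene rules.
$findings = foreach ($dn in $inventory.Keys) {
    $u = Get-ADUser -Identity $dn -Properties $props
    $issues = @()
    if (-not $u.Enabled) { $issues += 'disabled but still privileged' }
    # LastLogonDate is the replicated lastLogonTimestamp, accurate only to roughly
    # 9-14 days; fine for a dormancy sweep, not for forensics.
    if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $logonCutoff) { $issues += "dormant (>$DormantDays days)" }
    if (-not $u.PasswordLastSet -or $u.PasswordLastSet -lt $pwdCutoff) { $issues += "stale password (>$StalePwdDays days)" }
    if ($u.PasswordNeverExpires) { $issues += 'password never expires' }
    # An SPN on a privileged user lets any domain user request a service ticket
    # encrypted with that account's password hash (Kerberoasting).
    if ($u.ServicePrincipalName) { $issues += 'SPN on privileged user' }
    # The HR trigger: privilege with no active employee behind it is an orphan.
    if (-not $u.EmployeeNumber -or $hrActive -notcontains $u.EmployeeNumber) { $issues += 'orphaned (no active HR record)' }

    if ($issues) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Groups          = ($inventory[$dn] -join ', ')
            LastLogonDate   = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet
            Issues          = ($issues -join '; ')
        }
    }
}

# Step 3: leftovers. SDProp sets adminCount=1 on members of protected groups and
# never clears it, so an account that carries the flag but sits in none of the
# groups above is past privilege nobody cleaned up. It also still has the
# AdminSDHolder ACL, which blocks inheritance and hides it from OU-level review.
$leftovers = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { -not $inventory.ContainsKey($_.DistinguishedName) } |
    Select-Object SamAccountName, DistinguishedName

$findings  | Sort-Object SamAccountName | Format-Table -AutoSize
$leftovers | Format-Table -AutoSize
$findings  | Export-Csv -Path '.\privileged-account-findings.csv' -NoTypeInformation
```

Run it from a management workstation on a schedule and diff the CSV between runs; a new row is a change in privilege that someone should be able to explain. Two caveats: Get-ADGroupMember -Recursive is subject to the domain's result size limit on very large groups, in which case an LDAP query with the LDAP_MATCHING_RULE_IN_CHAIN matching rule is the fallback, and the orphan check is only as good as the HR feed, which is exactly why HR integration belongs on the list.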
While this work may not be glamorous, it is precisely how victories are achieved.
Security teams cannot sustainably chase alerts while ignoring the foundations. Active Directory is more than just technical debt; it's a live wire. Just as one wouldn't run critical systems on unpatched operating systems, it makes no sense to base an entire identity strategy on decades of accumulated misconfigurations. Prioritising the remediation of Active Directory is essential to de-risk core operations and establish a security posture grounded in control, not fear.