Cloud security provider Lacework has added a new vulnerability risk management capability to its cloud-native application protection (CNAPP) offering.
The SaaS capability will combine active package detection, attack path analysis, and in-house data on active exploits to generate personalised vulnerability risk scores.
“Lacework takes a risk-based approach that goes beyond a common vulnerability scoring system (CVSS) and looks at each customer’s unique environment, to figure out what packages are active, whether that host is exposed to the internet, whether there are exploits in the wild, etc.,” said Nolan Karpinski, director of product management at Lacework. “CVSS scores are very generic and, at times, do not pertain to every context, meaning it may or may not be bad for your environment.”
Scoring is based on contextual parameters
Lacework’s vulnerability scoring takes into account the exposure of affected environments to the internet, whether the packages are being used, and whether they have already been exploited in the wild. Customers can tweak the weightage of these factors to align with their internal security guidelines and prioritise patching based on the scores.
Additionally, the scoring focuses on workflow context received from the cloud control panel which indicates if the workload is being actively used in a private environment, production environment, development system, or a business-critical process, according to Karpinski.
“These are very important contextual considerations,” said Frank Dickson, an analyst at IDC. “Suppose you have a CVS scoring of 9.8 on one vulnerability and of 7 on another. What contextual scoring will do is, maybe rank the 9.8 down a little because it’s not so exposed to the internet or doesn’t have an exploit yet. The one with a score of 7 can still be critical with either or both of those factors being high.”
Lacework’s “active vulnerability detection,” which provides visibility into the actual packages being used by security teams can also eliminate the added workload with software bloats, according to Karpinski.
Vulnerability scan adds extended attack path analysis
With the new capability, Lacework claims the discovery of attack paths to Kubernetes-based applications, including internet-exposed containers and open ports, to allow security teams to communicate context-based, Kubernetes-related exposures to developers.
“Kubernetes is an orchestration with containers, and containers can range in architecture from a monolithic model to a combination of micro-services. This makes the Kubernetes all complex, because instead of looking into just one application, you may have to get into how thousands of containers interact with each other,” Dickson said. “Including the Kubernetes piece in the attack path analysis will really expand visibility into application packages and enable prioritisation.”
The new capability will power the platform dashboard with a “top risk” dropdown, providing visibility into risks across multiple domains, secrets, and attack paths to critical assets.
With the new risk-based vulnerability scores, Lacework claims it can help reduce 90% of vulnerability noise to help zero in on the most critical issues.
The capability is already available to the public through Lacework’s CNAPP for no added price on the subscription.