Why active vulnerability detection is a game changer for vulnerability risk management

Open-source software is the foundation of many cloud services and platforms. Whenever you add a new open-source component, or package, into your cloud workload, this also adds other dependent components. Over time, new security vulnerabilities may be discovered, which leaves you with a daunting challenge: determining how to continually track all your open source components, their dependencies, and their vulnerabilities.

The Lacework Polygraph® Data Platform scans all your cloud workloads, identifies all their components, and shows you which components are vulnerable. From that point, the platform suggests how to eliminate those vulnerabilities, a process often called vulnerability risk management.

Lacework recently introduced a new and unique vulnerability risk management capability: the ability to detect what software components you are running (called active) versus not running (called inactive) in your cloud workloads with flawless precision.

Our active vulnerability detection functionality uses a new agent enhancement that detects all package activity and inactivity. It continuously monitors the file system of any machine in the cloud with no visible overhead cost, and near-zero CPU+memory+data volume increases. The monitoring cost is so low that no additional agent budget is needed, and it can be run continuously everywhere.

This capability provides organizations with unprecedented visibility and insight into their cloud workloads. They can find out exactly when and where every package is running. No more guessing, manual investigations, or expensive “debug-style” or “perf-style” workload instrumentations that are problematic in production. Our code-aware agents automatically collect all this data efficiently, safely, everywhere, all the time, in production, and at cloud-scale. 

You may be surprised when you see the package activity data for your cloud workloads. Early adopter customers of active vulnerability detection have discovered that most of the packages in their cloud workloads are actually never executed anywhere, at any time.

This level of visibility is crucial because a vulnerable package that is never executed is not a security risk. In fact, a vulnerable package that is inactive (never executed anywhere anytime, is not part of the attack surface of your cloud workload: its execution cannot be hijacked, tricked into leaking sensitive data, or corrupted in any other way, because it is never executed. Therefore, as long as the vulnerable package stays inactive, it is harmless. Fixing it can be safely deprioritized.

 

To prove package inactivity, it is necessary to monitor all packages all the time, and everywhere. To the best of our knowledge, this new and differentiated capability offered by Lacework has never been available before, either in prior open-source or proprietary agents. Prior agents can track only some package activity; for instance, when monitoring processes related to network connections or traffic (as previously done by the Lacework agent), or when instrumenting workloads for debugging or performance monitoring. But such agents provide only partial monitoring, and are insufficient to prove package inactivity, which requires full package activity coverage. And of course, agentless scanning tools and platforms cannot provide this level of visibility: agentless solutions are blind to package activity.

Lacework active vulnerability detection monitors all package activity on a machine by monitoring its file system in a non-intrusive way. When a process accesses a package file in order to execute it, our agent detects this event and declares its package as active. This data is aggregated locally on the agent, and periodically sent to the Lacework cloud. A lightweight system of file indexes and caches within the agent ensures that the volume of package-activity data stays very low, and as a result, keeps costs down.The runtime instrumentation is also dynamically adjusted so that its cost is extremely low, even when files or packages are executed millions of times per hour. Periodically, the package-activity data sent by all the code-aware agents for a customer account is post-processed, aggregated, and analyzed in the Lacework backend. Customers can then securely access their own data and analysis results in their Lacework account, including through the Lacework UI.

The screenshot below illustrates how Lacework customers can query and search their package-activity data, in conjunction with other parameters already part of the Lacework platform, such as whether these packages contain vulnerabilities and their associated severities, and whether the machines with active vulnerable packages are internet-facing. The combination of all these filters within our risk-based vulnerability score means that customers can reduce 90% of vulnerability noise. It is invaluable in effectively prioritizing vulnerability remediation. Save your valuable time and resources by mitigating only vulnerabilities that pose a true risk, rather than chasing ghosts!

 

 

For instance, the Lacework customer example above shows 227 unique vulnerable packages that have never been executed from March 20 to April 6 anywhere in their entire cloud workloads, that are composed of tens of thousands of machines – a real eye opener.

As another example, here are typical results from another customer account, broken down by severity: