Today, Lacework announced the addition of host vulnerability monitoring to the Lacework platform. Ephemeral and immutable compute have changed the economics and velocity of building software, but traditional security approaches have failed to keep up. This includes deciphering which of the millions of known vulnerabilities actually pose a risk to the hundreds of software packages running on thousands of hosts and containers scaling in the cloud.
By utilizing data collected by the Lacework agent and processed in the platform, Lacework’s beta customers of this feature reported saving between 10 and 20 hours of toil a month via the ease of self-served vulnerability scanning in development, and telemetry that removes manual toil of determining which vulnerabilities increase risk vs those that can be ignored.
Lacework’s Active Host Vulnerability Monitoring Update Introduces:
- Monitoring for Ephemeral Hosts at Scale: Telemetry to distill and focus on vulnerabilities in ephemeral and immutable infrastructure.
- A Pre-Flight Check API: Scan a host image (e.g., AWS AMI) for known vulnerabilities before deploying to a live environment.
- Scanning for Active Vulnerabilities: Connect known CVEs with active packages on hosts for live visibility to active packages with associated vulnerabilities.
- Support for CI/CD and Infrastructure-as-Code Integrations: Tighten the feedback loop and shift security left by integrating the Lacework API into GitHub, GitLab, Jenkins, and other workflows. Scroll down for more details.
- Reporting Designed to Help Security Teams Focus on What Matters: Shift security right with tailored reports on new active CVEs, and know definitively when a patch has been applied.
- An Updated CLI: CLI updates for self-serve vulnerability scanning and data and a new vulnerability dashboard.
Conduct Comprehensive Vulnerability Checks
Making full use of the National Vulnerability Database as well as vulnerabilities uncovered by our own research team, Lacework Labs, the Lacework platform now checks every package against more than two million CVEs. By checking every package against the full library of CVEs and known threats, we not only catch packages with vulnerabilities that were just released, but we can also even detect package vulnerabilities that were released many years ago. Combined with Lacework’s ability to find and alert on anomalies, this new capability means that Lacework can provide unparalleled detection for known and unknown threats.
Know the Difference Between Vulnerability and Being Vulnerable
A vulnerability is a weakness in a software system. Organizations become vulnerable when a vulnerability is exploited in an attack that leverages that vulnerability. Modern cloud security is about balancing risk and reward. While having a vulnerability isn’t great, the risk factor increases significantly once the vulnerability is in production.
“The world changes and new vulnerabilities show up all the time,” said Abner Germanow, VP of Product Marketing at Lacework. “If a new vulnerability in an active package of a critical component of your business were discovered, but not yet exploited in your environment, wouldn’t you want to know? Any solution you rely on should be able to calculate the difference between that active vulnerability and an inactive vulnerability or non-critical component and modulate alerts accordingly.
Germanow continued, “There are lots of point products that can scan for vulnerabilities. What’s different about what Lacework is doing is that we don’t just tell you that a vulnerability is present on a particular machine. We have done the math to tell you whether or not that vulnerability is present on an active package, on an online host (or container), the risk score of the CVE, while giving you the ability to search and filter based on the deployment target attributes like “external IP.” Slicing and dicing is so much more fun than wading through PDFs. For customers scaling thousands of hosts with hundreds of active and inactive packages each, multiple cloud accounts, and the entire CVE database… it’s a ridiculous amount of data that needs to be processed. You would never inflict that amount of data on a private datacenter, but in the cloud, Lacework can do it. Welcome to the cloud generation of security.”
Better Vulnerability Outcomes
Pundits estimate that 24% of organizations have hosts missing high-severity patches in the public cloud, and the problem could be much worse for larger enterprises. While assessing a recent environment, Lacework discovered 51,000 vulnerabilities present across a multi-cloud infrastructure. At the current patch rate for most environments, it would take decades to patch all those vulnerabilities (average time to patch in the cloud is 38 days).
Using Lacework’s new host vulnerability monitoring scans, the security team leader was able to quickly determine that those vulnerabilities were related to 2,800 actual hosts. And of those hosts, those vulnerabilities could be traced to 78 images that needed to be repaired. With the new scope of work reduced to a manageable level, the security and DevOps teams were able to address the gaps in less than a week.
3 Clicks to Know the Fix with Lacework’s Active Host Vulnerability Monitoring
With Host Vulnerability reports, teams can quickly understand their host vulnerabilities by severity level and rapidly assess what needs to be addressed in the environment. In the example below, the user can quickly see that of the assessed hosts, nine of them had fixable vulnerabilities.
Lacework’s Vulnerability Assessment Report
Within the report, you can see that Machine ID 1676 has 65 vulnerabilities. Exploring further, users can click on the ‘More Details’ prompt to get specific information on individual vulnerabilities. Upon clicking, the detail link will call the specific vulnerability information including severity, relevant details about the vulnerability and its potential impact, as well as the recommended remediation to patch and address the vulnerability.
CVE Details and Recommendations
Armed with this information, security and DevOps teams have everything they need to comprehend, prioritize, and address fixes in just three clicks.
Host Vulnerability Alerts
Lacework’s console raises alerts when vulnerabilities are detected during a host assessment. At launch, the Lacework platform supports alerting to any routing channel like Slack, Jira, Pager Duty, and others of the following scenarios:
- A new software vulnerability within monitored hosts for a defined severity level
- A known software vulnerability within monitored hosts for a defined severity level
- A software vulnerability severity change within monitored hosts
- A software vulnerability patch status change within monitored hosts
Lacework Provides Security at the Speed of DevOps with New Technical Integrations
DevOps bridges the gap between development, operations, and IT services teams with an eye towards maximum velocity and efficiency. Lacework is committed to providing easy access to tools that help DevOps implement the right DevOps process at the right time. Continuous integration, delivery, and continuous deployment help developers and testers ship the software faster and more safely in a structured environment.
As part of today’s announcement, Lacework is also highlighting a growing number of technical integrations. In addition to delivering alerts with just-in-time notifications integrated into existing workflows, Lacework is proud to highlight these technical integrations to help empower teams to operate at the speed of DevOps:
Terraform Provider Lacework
Chef Lacework Cookbook
Active Host Vulnerability Monitoring Adds to a Powerful Incident Detection Platform:
Lacework’s data-driven approach to security has always been known for finding early indicators of compromise and using UEBA to detect anomalous behavior at the earliest point. That’s what makes the platform so strong when it comes to discovering “unknown-unknowns.” This helps the Lacework platform identify attacks like zero-days before a CVE is even published.
With the addition of Host Vulnerability Monitoring, Lacework can alert on active known vulnerabilities in your environment. When conducting an investigation into an event, teams need to quickly identify what happened to that machine and identify the blast radius of any potential attack. Traditionally, getting information on those vulnerabilities and that activity meant that teams had to pull that data from different systems, monitoring tools, and logs. With Lacework, that context is available in just a few clicks saving valuable time and yielding better results in an investigation.
Built from the ground up to protect applications in the cloud, including serverless, containers, and Kubernetes workloads, and streamlines security for software teams building on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP), the Lacework platform processes cloud security and vulnerability information at scale for customers around the globe.
Photo via Gizmodo