Not all vulnerabilities are created equal
What if you could better understand risk within the context of your environment to prioritize what needs fixing?
Vulnerability management with risk-based prioritization
Gain continuous monitoring of the vulnerabilities that pose the greatest risk to your unique cloud environment.
Fix your riskiest vulnerabilities before it is too late
Have a never-ending list of vulnerabilities to patch? Limit your attack surface with a vulnerability management solution that enables you to focus on what matters most, early in the development cycle.
Periodic scans are not enough
What if you could have a consistent cloud vulnerability management policy that applies throughout your development pipeline and ensures visibility throughout?
Fixing issues in production is too late
What if you could find and fix vulnerabilities during the build process to reduce cost and lost productivity?
Continuous vulnerability management
We surface your vulnerabilities sooner and help you to prioritize them better, giving you more freedom to develop, build, and innovate.
-
From point in time to continuous
Actively watch for exploit vectors by continually assessing container images, hosts, and language libraries for new vulnerabilities.
-
From laundry list to prioritized list
Understand which vulnerabilities pose the greatest risk in the context of your unique environment so you can fix the most impactful ones.
-
From time wasted to time well spent
Reduce toil in production and correct issues in build time by making vulnerability data more accessible to developers.
Manage vulnerabilities from build through runtime
By correlating runtime and risk data, we help you find and fix the most critical vulnerabilities faster.
Collect more data, with and without agents
- Gain quick visibility into vulnerability risks across your active cloud workloads.
- Scan and detect vulnerabilities across active hosts, containers, and application language libraries on AWS using agentless workload scanning functionality.
- Combine agentless workload scanning with easily maintained agents for deeper analysis, continuous workload monitoring, and behavior based anomaly detection.
Prioritize for your unique environment
- Surface publicly known risks on operating system packages and language libraries with our combination of public and commercial vulnerability data sources.
- Prioritize the most exploitable risks with Exposure Polygraph. Visualize the potential attack path from the internet all the way to EC2 instance. We tie together multiple attack vectors, including vulnerabilities, network reachability, exposed secrets, and IAM roles.
- Understand the impact on your unique environment with Lacework vulnerability risk scoring, which accounts for vendor scores, prevalence, CVSS scores, and internet exposure.
Scan Continuous Integration (CI) pipelines
- Check container images in build time with a plug-and-play inline scanner that integrates with a CI or with developer tools such as Jenkins, Travis CI, or Github Actions.
- Perform fast and low latency scans of container images on-demand or every 15 minutes using our auto-polling capability.
- Provide detailed information to create remediation tickets for developers.
Monitor container image registries
- Continuously monitor all images in your registries for vulnerabilities.
- Integrate the Lacework platform scanner with public registries to continuously scan container images for vulnerable packages and language libraries.
- Use proxy scanner to scan private registries and ensure sensitive applications and container images have minimal public access. We offer both auto-poll and registry notifications.
Block risky containers from production
- Govern and enforce what is allowed to run on a cluster using our integration with the Kubernetes admission controller.
- Block or notify when container images do not meet security standards prior to production.
- Deploy the Lacework Admission Controller Webhook and proxy scanner in each Kubernetes cluster to inspect new images prior to deployment.
“Lacework has given the market a new, better, and more secure option for agentless scanning – the privacy and least privilege elements were essential for us to deploy this solution across our environment.”
Charly Vitrano
Director of Security Operations
“Lacework helps us to identify the critical vulnerabilities and then make a decision. For instance, we often have to decide whether it is really justified to alter a configuration, or if we can push it to an upcoming release.”
Karsten Tedesco
Senior System and Product Expert, Molecular Health
Read Case Study
FAQs
How is vulnerability management different in the cloud?
Cloud environments are dynamic, with short container lifespans and new code deploying daily, if not continuously. Identification, assessment, prioritization, management, and remediation are different in the cloud compared with on-premises data centers or end-user devices, requiring purpose-built solutions.
Vulnerability management solutions include a set of capabilities to identify, assess, prioritize, manage, and remediate vulnerabilities. Yet in dynamic cloud environments – with typical container lifespans of mere hours and new code deploying daily, if not hourly or continuously – each component of that workflow differs significantly from vulnerability management for on-premises data centers or end-user devices.
- Identification is different. Network and authenticated scans won’t work with the cloud. You need to scan code early and often, within the developer workflows, and also correlate and assess what gets deployed to production.
Assessment is different. The software bill of materials for your application replaces ‘vulnerability pack upgrades’ and is your new source of truth. - Prioritization is different. You need to understand the internet exposure of assets, contraindicating risks like compliance violations and overly-permissive IAM privileges, and even whether that vulnerable package is actually being executed by that application!
- Management and remediation are different. Since the system you’re patching is immutable (eg. container images or Amazon Machine Images (AMIs), vulnerability findings need to be easily accessible by development teams so they can rebuild images with patches quickly.
All of these differences require a fundamentally different approach to vulnerability management in the cloud, and you need a purpose-built solution to solve these challenges.
Why is vulnerability management crucial for an organization?
Traditional security tools cannot keep up with the growing volume of vulnerabilities in the cloud. Vulnerability management solutions can close visibility gaps by preventing the exploitation of software vulnerabilities that put your data at risk. They can also uncover ample lists of CVEs.
Vulnerabilities, both known and unknown, are growing with the increased usage of open source software. In dynamic cloud environments, traditional security tools cannot keep up with the volume of vulnerabilities. Without a vulnerability management solution, you could have visibility gaps that leave the door open for exploitation of software vulnerabilities and put your data at risk.
In addition, many vulnerability management solutions are able to uncover ample lists of CVEs, but a lack of runtime context and skilled resources can make it challenging to discern the true risks within your unique environment.
What is the vulnerability management process?
Continuously identify, assess risk, and remedy high-risk vulnerabilities with a four-step process: scan and identify your assets for vulnerabilities; evaluate the impact and prioritize; treat and patch via remediation, mitigation, or patch management; and measure and report with regular assessments.
In order to continuously identify, assess risk, and remedy high-risk vulnerabilities, there are four steps to take in the vulnerability management process.
Scan and Identify Vulnerabilities
The first step is to identify which assets are considered high value and critical to assess for vulnerabilities throughout your cloud infrastructure. Define each asset that you’d like to assess with your vulnerability management solution, choose the right method of scanning for each asset type and begin scanning your assets.
Evaluate and Prioritize Vulnerabilities
Once the vulnerabilities have been identified from your scans, the next step is to assess the level of impact, exploitability, and risk posture of each asset, so that you can prioritize which vulnerabilities to focus on.
The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of software vulnerabilities and their risk scores provide a good approximation of the relative importance of vulnerabilities. However, it’s important to understand the potential business impact of the affected system to your organization itself. One indicator you can use to assess the level of impact is to gauge how many images are affected by a vulnerability. For example, a high-severity vulnerability present on hundreds of running containers should likely be fixed before a critical vulnerability that only shows up in a couple of containers.
With so many vulnerabilities to patch, it’s critical to consider the exploitability of a vulnerability. The key factor for exploitability is to determine whether an asset is exposed to the internet. Your solution should be able to gauge if a workload configuration is exposed to the internet and then factor in internet exposure as part of the risk score. Ideally, this value is available as a filter for prioritization as well. In addition, when thinking about prioritization for containers, you should target the images that are actually deployed in production. By correlating vulnerability risk data with runtime observations, you can better prioritize which vulnerabilities to fix first.
Treat and Patch Vulnerabilities
The third step is to take action on the identified vulnerabilities. This can be done via remediation, mitigation or patch management, or not taking an action at all.
For high-risk vulnerabilities, remediation typically requires upgrading the vulnerable package in a code repository. Vulnerability mitigation reduces the potential impact of an exploit while the vulnerability remains in your environment. This means that the vulnerable parts of an asset receive security patches because a fix is not yet available or cannot be taken at that time. When the vulnerability poses a low risk or no risk, then it’s possible that no action is taken at all.
Measure and Report on Vulnerabilities
Conducting regular assessments is vital in understanding how well your vulnerability management practice and patch management process are performing.
The assessment or report summarizes key findings regarding assets, security flaws, and overall risk to the organization. Common KPIs include the measurement of scan coverage and patch turnaround times. For example, scan coverage refers to the percentage of assets that have complete and accurate data available. Patch turnaround times can include the measurement of mean time to detect, mean time to remediate, the rate of issue recurrence, and a look at how these numbers change over time. It is also valuable to measure the weighted rate of risk, which summarizes the identified vulnerabilities and compares them to the criticality of the data connected to those vulnerabilities.
Related Pages
Explore these related topics
Resources & Insights
- Vulnerability Management
Ready to see us in action?
Spot unknowns sooner and continuously watch for signs of compromise. Take us on a test drive to see for yourself.