Vulnerability Management at Scale | Lacework

Vulnerability management with risk-based prioritization

Gain continuous monitoring of the vulnerabilities that pose the greatest risk to your unique cloud environment.

Solving Challenges

Fix your riskiest vulnerabilities

Have a never-ending list of vulnerabilities to patch? Limit your attack surface with a vulnerability management solution that enables you to focus on what matters most, early in the development cycle.

Not all vulnerabilities are created equal

What if you could better understand risk within the context of your environment to prioritize what needs fixing?

Periodic scans are not enough

What if you had a single view into vulnerabilities, misconfigurations, and compliance violations throughout the software development lifecycle?

Fixing issues in production is too late

What if you could find and fix vulnerabilities during the build process to reduce cost and lost productivity?

Benefits

Continuous vulnerability management

We surface your vulnerabilities sooner and help you to prioritize them better, giving you more freedom to develop, build, and innovate.

  • From point in time to continuous

    Actively watch for exploit vectors by continually assessing container images, hosts, and language libraries for new vulnerabilities.

  • From laundry list to prioritized list

    Understand which vulnerabilities pose the greatest risk in the context of your unique environment so you can fix the most impactful ones.

  • From time wasted to time well spent

    Reduce toil in production and correct issues in build time by making vulnerability data more accessible to developers.

Our Approach

Manage vulnerabilities from build through runtime

By correlating runtime and risk data, we help you find and fix the most critical vulnerabilities faster.

Collect more data, with and without agents

  • Gain quick visibility into vulnerability risks across your active cloud workloads.
  • Scan and detect vulnerabilities across active hosts, containers, and application language libraries on AWS using agentless workload scanning functionality.
  • Combine agentless workload scanning with easily maintained agents for deeper analysis, continuous workload monitoring, and behavior based anomaly detection.

Attack path analysis

Prioritize for your unique environment

  • Surface publicly known risks on operating system packages and language libraries with our combination of public and commercial vulnerability data sources.
  • Prioritize the most exploitable risks with Exposure Polygraph. Visualize the potential attack path from the internet all the way to an EC2 instance. We tie together multiple attack vectors, including vulnerabilities, network reachability, exposed secrets, and IAM roles.
  • Understand the impact on your unique environment with Lacework vulnerability risk scoring, which accounts for vendor scores, prevalence across your workloads, CVSS scores, and internet exposure.

Scan Continuous Integration (CI) pipelines

  • Check container images at build time with a plug-and-play inline scanner that integrates with CI systems and developer tools such as Jenkins, Travis CI, or GitHub Actions.
  • Perform fast, low-latency scans of container images on demand, or every 15 minutes using our auto-polling capability.
  • Provide the detail developers need (affected package, installed and fixed versions, image and layer) to create actionable remediation tickets.

Monitor container image registries

  • Continuously monitor all images in your registries for vulnerabilities.
  • Integrate the Lacework platform scanner with public registries to continuously scan container images for vulnerable packages and language libraries.
  • Use the proxy scanner to scan private registries so that sensitive applications and container images never need to be exposed publicly. We offer both auto-poll and registry notifications.

Block risky containers from production

  • Govern and enforce what is allowed to run on a cluster using our integration with the Kubernetes admission controller.
  • Block or notify when container images do not meet security standards prior to production.
  • Deploy the Lacework Admission Controller Webhook and proxy scanner in each Kubernetes cluster to inspect new images prior to deployment.
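
The three bullets above describe an admission-time gate: the API server sends the webhook an AdmissionReview for each new Pod, the webhook looks up scan results for every image in the Pod spec, and it either rejects the Pod or admits it with a warning. The following is an added example of that decision logic, not the Lacework Admission Controller Webhook or its code. It uses the real Kubernetes admission.k8s.io/v1 request and response shapes, but the scan results (SCAN_RESULTS), the policy (POLICY), the image names, and the sample request are constructed; a real webhook would query the in-cluster scanner instead of a dictionary.

```python
"""Admission decision for container images, modelled on the Kubernetes
ValidatingWebhook AdmissionReview exchange.

Added example, not the Lacework Admission Controller Webhook. SCAN_RESULTS,
POLICY, the registry name and the sample request are constructed.
"""
import json

# Constructed: what the scanner would report per image reference.
SCAN_RESULTS = {
    "registry.example.com/api:1.4":   {"critical": 1, "high": 3, "fixable_critical": 1},
    "registry.example.com/web:3.2":   {"critical": 0, "high": 1, "fixable_critical": 0},
    "registry.example.com/cache:7.0": {"critical": 3, "high": 0, "fixable_critical": 0},
}

# Constructed policy. "block" rejects the Pod, "notify" admits it with a warning.
POLICY = {
    "mode": "block",
    "max_critical_fixable": 0,   # any critical CVE that already has a fix is a violation
    "max_critical": 2,           # tolerate a few unfixable criticals, but not a pile of them
    "allow_unscanned": False,    # fail closed: an image the scanner has never seen is rejected
}


def pod_images(pod):
    """Every image a Pod can run, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    images = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        images.extend(c["image"] for c in spec.get(key, []))
    return images


def violations(image, policy, results):
    """Return human-readable policy violations for one image (empty list = clean)."""
    r = results.get(image)
    if r is None:
        return [] if policy["allow_unscanned"] else [f"{image}: no scan result available"]
    found = []
    if r["fixable_critical"] > policy["max_critical_fixable"]:
        found.append(f"{image}: {r['fixable_critical']} critical CVE(s) with a fix available")
    if r["critical"] > policy["max_critical"]:
        found.append(f"{image}: {r['critical']} critical CVE(s) exceeds limit of {policy['max_critical']}")
    return found


def review(admission_review, policy=POLICY, results=SCAN_RESULTS):
    """Build the AdmissionReview response for an incoming request."""
    req = admission_review["request"]
    problems = []
    for image in pod_images(req["object"]):
        problems.extend(violations(image, policy, results))
    resp = {"uid": req["uid"], "allowed": True}
    if problems:
        if policy["mode"] == "block":
            resp["allowed"] = False
            resp["status"] = {"code": 403, "message": "; ".join(problems)}
        else:
            # Warnings are returned to the client (kubectl prints them); the Pod is still admitted.
            resp["warnings"] = problems
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


# Constructed sample request: a Pod whose init container uses the vulnerable api:1.4 image.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "0d2c6b7e-constructed-uid",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "prod",
        "operation": "CREATE",
        "object": {
            "kind": "Pod",
            "metadata": {"name": "api-7c9d"},
            "spec": {
                "initContainers": [{"name": "migrate", "image": "registry.example.com/api:1.4"}],
                "containers": [{"name": "web", "image": "registry.example.com/web:3.2"}],
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

The two things worth copying from this sketch are the fail-closed default for unscanned images and the "notify" mode, which lets you roll the policy out in audit mode before any Pod is rejected; run the module directly to see the 403 response for the constructed Pod.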

FAQs

How is vulnerability management different in the cloud?

Cloud environments are dynamic, with short container lifespans and new code deploying daily, if not continuously. Identification, assessment, prioritization, management, and remediation are different in the cloud compared with on-premises data centers or end-user devices, requiring purpose-built solutions.

Vulnerability management solutions include a set of capabilities to identify, assess, prioritize, manage, and remediate vulnerabilities. Yet in dynamic cloud environments – with typical container lifespans of mere hours and new code deploying daily, if not hourly or continuously – each component of that workflow differs significantly from vulnerability management for on-premises data centers or end-user devices.

  • Identification is different. Periodic network and authenticated scans alone cannot keep up with workloads that live for hours. You need to scan code early and often, within the developer workflows, and also correlate and assess what actually gets deployed to production.
  • Assessment is different. The software bill of materials for your application replaces ‘vulnerability pack upgrades’ and is your new source of truth.
  • Prioritization is different. You need to understand the internet exposure of assets, compounding risks like compliance violations and overly permissive IAM privileges, and even whether the vulnerable package is actually being executed by that application.
  • Management and remediation are different. Since the system you’re patching is immutable (e.g. container images or Amazon Machine Images (AMIs)), vulnerability findings need to be easily accessible to development teams so they can rebuild images with patches quickly.

All of these differences require a fundamentally different approach to vulnerability management in the cloud, and you need a purpose-built solution to solve these challenges.

Why is vulnerability management crucial for an organization?

Traditional security tools cannot keep up with the growing volume of vulnerabilities in the cloud. A vulnerability management solution closes the visibility gaps that leave software vulnerabilities open to exploitation and put your data at risk. The harder part is turning the long list of CVEs it uncovers into the short list that actually matters in your environment.

Vulnerabilities, both known and unknown, are growing with the increased usage of open source software. In dynamic cloud environments, traditional security tools cannot keep up with the volume of vulnerabilities. Without a vulnerability management solution, you could have visibility gaps that leave the door open for exploitation of software vulnerabilities and put your data at risk.

In addition, many vulnerability management solutions can uncover long lists of CVEs, but without runtime context and skilled resources it is hard to discern the true risks within your unique environment.

What is the vulnerability management process?

Continuously identify, assess risk, and remedy high-risk vulnerabilities with a four-step process: scan and identify your assets for vulnerabilities; evaluate the impact and prioritize; treat and patch via remediation, mitigation, or patch management; and measure and report with regular assessments.

In order to continuously identify, assess risk, and remedy high-risk vulnerabilities, there are four steps to take in the vulnerability management process.

Scan and Identify Vulnerabilities
The first step is to identify which assets are considered high value and critical to assess for vulnerabilities throughout your cloud infrastructure. Define each asset that you’d like to assess with your vulnerability management solution, choose the right method of scanning for each asset type and begin scanning your assets.

Evaluate and Prioritize Vulnerabilities
Once the vulnerabilities have been identified from your scans, the next step is to assess the level of impact, exploitability, and risk posture of each asset, so that you can prioritize which vulnerabilities to focus on.

The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of software vulnerabilities, and its scores are a reasonable approximation of relative severity. Severity is not risk, however: you also need to understand the potential business impact of the affected system to your organization. One indicator of impact is how many images are affected by a vulnerability. For example, a high-severity vulnerability present on hundreds of running containers should likely be fixed before a critical vulnerability that only shows up in a couple of containers.

With so many vulnerabilities to patch, it’s critical to consider the exploitability of a vulnerability. A key factor for exploitability is whether an asset is exposed to the internet. Your solution should be able to determine whether a workload’s configuration exposes it to the internet and then factor that exposure into the risk score. Ideally, this value is available as a filter for prioritization as well. In addition, when prioritizing for containers, you should target the images that are actually deployed in production and the vulnerable packages that are actually loaded at runtime. By correlating vulnerability risk data with runtime observations, you can better prioritize which vulnerabilities to fix first.
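
The prioritization rules in the two paragraphs above (and in the "Prioritization is different" FAQ bullet) can be made concrete as a small ranking function. The following is an added example written for this page, not Lacework’s risk-scoring algorithm or code; the weights in risk_score, the data classes, the image and CVE identifiers, and the workload inventory are all constructed assumptions chosen so the output shows the effects the text describes: prevalence across running workloads, internet exposure, whether the vulnerable package is actually loaded, and stale images dropping to zero.

```python
"""Risk-based ranking of vulnerability findings across running workloads.

Added example, not Lacework code. The multipliers in risk_score are
illustrative assumptions; the CVE ids, images and workloads are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    cvss: float          # CVSS base score, 0.0-10.0
    fix_available: bool  # an upgraded package exists, so remediation is a rebuild


@dataclass
class Workload:
    name: str
    image: str
    running: bool
    internet_exposed: bool
    loaded_packages: set[str]   # packages observed executing at runtime (constructed)


# Constructed scanner output: findings per image.
IMAGE_FINDINGS = {
    "api:1.4":    [Finding("CVE-2024-0001", "openssl", 9.8, True),
                   Finding("CVE-2024-0002", "libxml2", 7.5, True)],
    "worker:2.0": [Finding("CVE-2024-0003", "curl", 5.3, False),
                   Finding("CVE-2024-0002", "libxml2", 7.5, True)],
    "batch:0.9":  [Finding("CVE-2024-0004", "zlib", 9.1, True)],
}

# Constructed runtime inventory: which images are running, where, and what they load.
WORKLOADS = [
    Workload("api-1",     "api:1.4",    True,  True,  {"openssl"}),
    Workload("api-2",     "api:1.4",    True,  True,  {"openssl"}),
    Workload("worker-1",  "worker:2.0", True,  False, {"libxml2", "curl"}),
    Workload("worker-2",  "worker:2.0", True,  False, {"libxml2"}),
    Workload("batch-old", "batch:0.9",  False, False, set()),   # image exists, nothing runs it
]


def risk_score(finding: Finding, hosts: list[Workload]) -> float:
    """Scale CVSS severity by environment context (assumed, illustrative weights).

    hosts: every workload whose image contains this finding.
    Returns 0.0 when nothing running carries the package, so findings in
    stale images fall to the bottom of the list instead of paging anyone.
    """
    running = [w for w in hosts if w.running]
    if not running:
        return 0.0
    exposed = any(w.internet_exposed for w in running)
    executed = any(finding.package in w.loaded_packages for w in running)
    score = finding.cvss
    score *= 1.0 + 0.25 * (len(running) - 1)   # prevalence: each extra running copy adds 25%
    score *= 2.0 if exposed else 1.0            # reachable from the internet doubles it
    score *= 1.0 if executed else 0.5           # present but never loaded counts half
    return score


def prioritize(image_findings=IMAGE_FINDINGS, workloads=WORKLOADS) -> list[dict]:
    """Group findings by CVE across all workloads and rank them by risk_score."""
    by_cve: dict[str, dict] = {}
    for w in workloads:
        for f in image_findings.get(w.image, []):
            by_cve.setdefault(f.cve, {"finding": f, "hosts": []})["hosts"].append(w)
    ranked = []
    for cve, entry in by_cve.items():
        f, hosts = entry["finding"], entry["hosts"]
        running = [w for w in hosts if w.running]
        ranked.append({
            "cve": cve,
            "package": f.package,
            "cvss": f.cvss,
            "score": risk_score(f, hosts),
            "running": len(running),
            "exposed": any(w.internet_exposed for w in running),
            "executed": any(f.package in w.loaded_packages for w in running),
            "fix_available": f.fix_available,
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['cve']:14} {r['package']:8} cvss={r['cvss']:<4} running={r['running']} "
              f"exposed={r['exposed']!s:5} executed={r['executed']!s:5} score={r['score']:.2f}")
```

On the constructed data the 7.5-scored libxml2 CVE outranks the 9.8 openssl CVE because it is present in four running workloads, two of them internet-facing, which is exactly the "hundreds of containers beats a couple" effect described above; the 9.1 zlib finding scores zero because nothing running uses that image.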

Treat and Patch Vulnerabilities
The third step is to take action on the identified vulnerabilities. This can be done via remediation, mitigation, or patch management, or by accepting the risk and taking no action at all.

For high-risk vulnerabilities, remediation typically means upgrading the vulnerable package in the code repository and rebuilding the image. Mitigation reduces the potential impact of an exploit while the vulnerability remains in your environment: when a fix is not yet available or cannot be applied at that time, you apply compensating controls such as removing internet exposure, tightening IAM permissions, or disabling the affected component. When the vulnerability poses low or no risk, you may decide to accept it and take no action.

Measure and Report on Vulnerabilities
Conducting regular assessments is vital in understanding how well your vulnerability management practice and patch management process are performing.

The assessment or report summarizes key findings regarding assets, security flaws, and overall risk to the organization. Common KPIs include the measurement of scan coverage and patch turnaround times. For example, scan coverage refers to the percentage of assets that have complete and accurate data available. Patch turnaround times can include the measurement of mean time to detect, mean time to remediate, the rate of issue recurrence, and a look at how these numbers change over time. It is also valuable to measure the weighted rate of risk, which summarizes the identified vulnerabilities and compares them to the criticality of the data connected to those vulnerabilities.

Ready to see us in action?

Spot unknowns sooner and continuously watch for signs of compromise. Take us on a test drive to see for yourself.

Watch Demo