What is the proper way to evaluate a vulnerability's potential impact on your ☁️ environment? Through the lens of a risk framework, i.e. being able to calculate the true risk that vulnerability poses to your security posture rather than reading a score off a scanner.
Today's 🧵 will examine different aspects of risk:
Severity or Magnitude:
This is the traditional way vulnerability mgmt tools have trained security professionals to think about risk: a CVSS score, i.e. how bad a vulnerability is to a single system, bucketed into Critical, High, Medium & Low severity vulns for orgs to address. Note that the CVSS base score says nothing about your environment; that is exactly what the environmental metrics exist for, and almost nobody fills them in.
The problem is that your avg medium-sized business generates 500+ public cloud security alerts daily, with a good percentage of those rated critical or high. Since most businesses face resource shortages and can't find enough SMEs, remediating all of them is impossible, so the bucket alone cannot be the prioritization.
So here are some other ways to evaluate risk -
Reachability (attack path identification): along which attack path would a threat actor traverse the network to reach the vulnerable component in order to exploit it? Can it be reached at all? 97% of vulnerabilities aren't reachable in practice. Which TTPs would be used along the way?
Exploitability: are there exploits in the wild already, and how widely deployed are the components they target? Can the threat actor actually exploit the vulnerability here? For Log4Shell that means: is the vulnerable log4j-core actually loaded by a running JVM (not just sitting in a jar on disk), does attacker-controlled input reach a logger, and can that host make the outbound JNDI/LDAP connection to an attacker-controlled server?
Context (attack path analysis): to identify the full attack path you need the context of cloud, network & host-based alerts together, to determine the full chain of TTPs a threat actor might follow as they work through an env. Vulns, malware, exposed secrets & misconfigs all need to be evaluated as one chain, not as separate alert queues.
Business context: cloud-native tagging, data identification & classification (what data is on which systems and how important it is to the business), and compliance/regulatory requirements with their corresponding controls all need to be taken into account when evaluating a vulnerability.
Blast impact or radius: if the worst case were to occur and the vulnerability were exploited, how much damage could the attacker do? What other systems are at risk of compromise once that single asset and its vulnerability fall?
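A toy version of this kind of scoring, as an added example that is not part of the original thread or Deepfence's product: it folds the dimensions above into one number so that a CVSS-"Critical" finding nobody can reach ranks below a CVSS-"High" one that is internet-facing, has a public exploit and sits on regulated data. Field names, weights, asset names and the four findings are constructed assumptions for illustration.

```python
# Added example, not code from the Deepfence thread: a small risk model that
# combines severity, reachability, exploitability, context, business context
# and blast radius. Weights, field names and the sample findings are
# constructed for illustration; tune the weights to your own environment.
from dataclasses import dataclass

# Business-context weight by data classification (constructed scale).
DATA_WEIGHT = {"public": 0.25, "internal": 0.5, "confidential": 0.75, "regulated": 1.0}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str          # constructed label, not a real CVE ID
    cvss: float              # severity: CVSS base score, 0.0-10.0
    reachable: bool          # an attack path from an untrusted entry point reaches the component
    exploit_public: bool     # working exploit available in the wild
    preconditions_met: bool  # e.g. vulnerable lib loaded by a running process, required egress allowed
    data_class: str          # key into DATA_WEIGHT
    blast_radius: int        # other assets reachable from this one once it is compromised


def cvss_bucket(cvss: float) -> str:
    """Qualitative severity rating per the CVSS v3.x specification."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def likelihood(f: Finding) -> float:
    """Reachability x exploitability, in 0-1.
    An unreachable finding is discounted hard but not to zero: a path can appear
    after lateral movement or a firewall change, so it still needs a ticket."""
    reach = 1.0 if f.reachable else 0.1
    exploit = 0.3            # theoretical only
    if f.exploit_public:
        exploit += 0.4       # someone already has working code
    if f.preconditions_met:
        exploit += 0.3       # and it would actually fire on this host
    return reach * exploit


def impact(f: Finding, max_radius: int = 10) -> float:
    """Business context blended with blast radius, in 0-1."""
    data = DATA_WEIGHT.get(f.data_class, 0.5)
    radius = min(f.blast_radius, max_radius) / max_radius
    return 0.5 * data + 0.5 * radius


def risk_score(f: Finding) -> float:
    """0-100. Multiplicative, so any factor near zero pulls the whole score down."""
    return f.cvss / 10.0 * likelihood(f) * impact(f) * 100


def prioritize(findings):
    """Findings ordered by contextual risk, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (assets and IDs are illustrative).
SAMPLE_FINDINGS = [
    # Log4Shell-class severity 10, but on a private subnet with no ingress, the
    # vulnerable jar sits on disk unloaded by any JVM, and LDAP egress is blocked.
    Finding("db-backup-01", "F-1", 10.0, reachable=False, exploit_public=True,
            preconditions_met=False, data_class="confidential", blast_radius=2),
    # "High" CVSS, but internet-facing, public exploit, regulated data, wide reach.
    Finding("api-gw-prod", "F-2", 7.5, reachable=True, exploit_public=True,
            preconditions_met=True, data_class="regulated", blast_radius=8),
    # "Critical" CVSS on a reachable dev box holding nothing sensitive, no public exploit.
    Finding("dev-sandbox-03", "F-3", 9.6, reachable=True, exploit_public=False,
            preconditions_met=True, data_class="public", blast_radius=0),
    # "Medium" on an internal wiki, nothing known to work against it.
    Finding("wiki-internal", "F-4", 5.3, reachable=True, exploit_public=False,
            preconditions_met=False, data_class="internal", blast_radius=3),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.asset:<16} {f.finding_id}  CVSS {f.cvss:>4}  "
              f"{cvss_bucket(f.cvss):<8}  risk {risk_score(f):5.1f}")
```

Run it and the Log4Shell-style finding on db-backup-01 comes out last despite its perfect CVSS score; flip `reachable` or `preconditions_met` on it and it jumps to the top. The weights are the part to argue about with your own data; the structure (multiply likelihood by impact, never let the CVSS bucket decide alone) is the point.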
As we can see, properly evaluating vulnerability management, detection and response is the job of a platform that goes a mile deep on this inch-wide topic of basic vuln mgmt in the ☁️, not one that stops at the CVSS bucket.
Constantly adding features & identifying more risk types when we can't even address the fundamental risk already sitting in our ☁️ envs is not the answer. Properly evaluating the risk our current cloud sec tech has already identified is. Demand more of your CNAPP platforms in terms of surfacing the alerts that matter!
If you want to find out more about how @deepfence adds a risk lens to malware, CSPM, CWPP, and secret scans and reduces alert fatigue within the ☁️, reach out and schedule a 15-min demo with @ryancsmith2222, our Head of Product, today!
go.deepfence.io/15-minute-demo