Risk-based Vulnerability Management (RBVM) in a Cloud-native World

Nir Dagan, DevSecOps Engineer
April 8, 2024

The cloud provides businesses and users with many advantages, including agility, scalability, connectivity, advanced services and an improved ability to secure business and personal assets. However, these advantages can also introduce challenges related to the protection of organizational IT infrastructure. Fast deployment of applications at cloud speed means an ever-changing environment where workloads appear and disappear in a matter of minutes. Cloud services provide great business functionality but also increase the organizational attack surface, and improved connectivity enables attackers to connect to systems that were once much harder to reach. This is especially true when considering vulnerability remediation and management. 

When addressing vulnerability management in the cloud, as opposed to confronting this challenge in on-prem infrastructure, security professionals should consider two main elements: 

  1. The connectivity of systems in the cloud requires us to reassess the risk that a vulnerable system poses. Seamless connectivity and integration, clear benefits of cloud infrastructure, also mean that when a system is exploited the impact may extend beyond what the system does or the type of data it holds, as there are new ways to reach other cloud resources from an exploited workload. Lateral movement can indeed happen in on-premises systems as well, but the cloud introduces an entirely new set of techniques that make it much easier for malicious actors. 
  2. Resources can appear and disappear in a matter of minutes in the cloud, changing the way asset inventory processes are conducted. The cloud indeed offers advantages since asset inventory can now be achieved using the CSP APIs, whereas on-premises shadow IT is a complex problem. However, the velocity at which resources change in the cloud requires organizations to adapt. For vulnerability management, this means that vulnerabilities on short-lived resources may never be identified or addressed. 

Considering these differences, security teams must ensure that their cloud RBVM security platform is capable of executing the following functions:  

  • Assessing all IT assets across the organization including ever-changing cloud infrastructure. In the cloud, assets should be continuously scanned by querying the cloud for any configuration change. Assets in the cloud also include the infrastructure-as-code (IaC) that defines them, and a strong RBVM platform should be able to assess and assign risk to this type of infrastructure. 
  • Assigning risk to vulnerabilities while considering not only the CVSS score but the actual likelihood of exploitation. This entails integrating additional data sources such as EPSS and threat intelligence.
  • Providing information on the effective privileges a system or service holds. The RBVM platform should use this information and change the impact score on that system. For example, a workload on cloud infrastructure might have an identity and associated privileges that grant it access to different cloud resources. The impact of exploitation on this type of workload is different from the impact on a similar workload without the associated identity, and the platform should provide this information and adjust accordingly.
  • Pointing to the vulnerability source and not just to the instance where the vulnerability was found. In the cloud-native world, the source of a vulnerability is not the workload itself but the code that created it. Workloads are created and destroyed with different deployment tools that take configuration code to create these types of resources. 
  • Providing automation and processes for a growing number of vulnerabilities. Technologies such as containers enable consistent and scalable deployment of software in different environments. Each container has a base operating system, which provides a consistent environment for the software to run on. However, this also means that hundreds of containers - all with base operating systems and large numbers of vulnerabilities - can run on a single server. Add to that cloud configuration issues, and it quickly becomes apparent that the number of vulnerabilities increases by an order of magnitude. 
  • Prioritizing vulnerability remediation with context. A cloud RBVM platform should consider more than just the assigned severity when prioritizing the vulnerability for remediation. The platform should map the IT infrastructure to the organizational structure and business context for a comprehensive assessment. 
  • Consolidating vulnerability alerts according to shared attributes. This is especially important when different security detection products point to the same vulnerability. A cloud RBVM system should be able to identify such duplications and group them into a single ticket. 
  • Processing all vulnerabilities on the cloud and on-premise. The platform should gather data from any system that identifies vulnerabilities across the different pipelines and should be able to provide a consolidated view of all the vulnerabilities, even those that are identified by other security products.
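The scoring, privilege-aware impact, business-context weighting and alert consolidation described in the list above, as an added illustration that is not part of the original article or any vendor's product. The weights, the permission set treated as high-privilege, the CVE identifiers and the sample findings are all constructed assumptions.

```python
"""Added example: a minimal risk-based prioritiser for cloud findings.
Weights, HIGH_PRIV and the sample data are constructed for illustration."""
from dataclasses import dataclass, field

@dataclass
class Finding:
    cve: str
    asset: str             # workload on which the scanner found the issue
    source: str            # IaC file that created the workload (the real fix point)
    cvss: float            # 0-10 base severity
    epss: float            # 0-1 probability of exploitation in the next 30 days
    known_exploited: bool  # threat intelligence: seen exploited in the wild
    privileges: list       # effective cloud permissions of the workload identity
    business_tier: str     # organizational context, e.g. "payments"
    scanners: set = field(default_factory=set)  # products that raised this alert

TIER_WEIGHT = {"payments": 1.5, "customer-data": 1.3, "internal": 1.0, "dev": 0.6}
HIGH_PRIV = {"iam:*", "s3:*", "sts:AssumeRole", "ec2:*"}  # assumed high-impact perms

def dedupe(findings):
    """Merge alerts pointing at the same CVE on the same workload, whichever
    scanner raised them, so a single ticket results instead of several."""
    merged = {}
    for f in findings:
        key = (f.cve, f.asset)
        if key in merged:
            merged[key].scanners |= f.scanners
        else:
            merged[key] = f
    return list(merged.values())

def risk_score(f):
    """Likelihood from EPSS or known exploitation; impact from CVSS scaled by
    the workload's effective privileges and its business context."""
    likelihood = max(f.epss, 0.9 if f.known_exploited else 0.0)
    priv_factor = 2.0 if HIGH_PRIV & set(f.privileges) else 1.0
    impact = f.cvss * priv_factor * TIER_WEIGHT.get(f.business_tier, 1.0)
    return round(likelihood * impact, 2)

def prioritise(findings):
    """Return (cve, IaC source, score) ordered for remediation."""
    ranked = sorted(dedupe(findings), key=risk_score, reverse=True)
    return [(f.cve, f.source, risk_score(f)) for f in ranked]

# Constructed sample: a critical-CVSS but rarely exploited issue on an internal
# workload, and a medium-CVSS issue that is actively exploited on a workload whose
# identity holds iam:* in the payments tier, reported by two different scanners.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", "web-1", "modules/web.tf", 9.8, 0.02, False,
            ["s3:GetObject"], "internal", {"scanner-a"}),
    Finding("CVE-EXAMPLE-2", "batch-3", "modules/batch.tf", 7.5, 0.6, True,
            ["iam:*"], "payments", {"scanner-a"}),
    Finding("CVE-EXAMPLE-2", "batch-3", "modules/batch.tf", 7.5, 0.6, True,
            ["iam:*"], "payments", {"scanner-b"}),
]
```

Running `prioritise(SAMPLE)` ranks the medium-CVSS, actively exploited, high-privilege finding far above the CVSS 9.8 one, and reports the IaC file rather than the instance as the place to fix.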

Cloud innovation must come hand in hand with next-generation, agile security solutions that can easily adapt to the changing environment. With broader attack surfaces and the sheer number of vulnerabilities discovered in cloud environments, RBVM platforms are a necessity for forward-thinking organizations. By leveraging automation and cloud-native technology, these platforms can effectively manage these challenges without compromising business objectives.