Lacework’s risk-based vulnerability management provides customers with contextual scoring to help prioritize patches. Cloud security provider Lacework has added a new vulnerability risk management capability to its cloud-native application protection (CNAPP) offering.The SaaS capability will combine active package detection, attack path analysis, and in-house data on active exploits to generate personalized vulnerability risk scores.“Lacework takes a risk-based approach that goes beyond a common vulnerability scoring system (CVSS) and looks at each customer’s unique environment, to figure out what packages are active, whether that host is exposed to the internet, whether there are exploits in the wild, etc.,” said Nolan Karpinski, director of product management at Lacework. “CVSS scores are very generic and, at times, do not pertain to every context, meaning it may or may not be bad for your environment.” Scoring is based on contextual parametersLacework’s vulnerability scoring takes into account the exposure of affected environments to the internet, whether the packages are being used, and whether they have already been exploited in the wild. Customers can tweak the weightage of these factors to align with their internal security guidelines and prioritize patching based on the scores. Additionally, the scoring focuses on workflow context received from the cloud control panel which indicates if the workload is being actively used in a private environment, production environment, development system, or a business-critical process, according to Karpinski.“These are very important contextual considerations,” said Frank Dickson, an analyst at IDC. “Suppose you have a CVS scoring of 9.8 on one vulnerability and of 7 on another. What contextual scoring will do is, maybe rank the 9.8 down a little because it’s not so exposed to the internet or doesn’t have an exploit yet. The one with a score of 7 can still be critical with either or both of those factors being high.” Lacework’s “active vulnerability detection,” which provides visibility into the actual packages being used by security teams can also eliminate the added workload with software bloats, according to Karpinski.Vulnerability scan adds extended attack path analysisWith the new capability, Lacework claims the discovery of attack paths to Kubernetes-based applications, including internet-exposed containers and open ports, to allow security teams to communicate context-based, Kubernetes-related exposures to developers.“Kubernetes is an orchestration with containers, and containers can range in architecture from a monolithic model to a combination of micro-services. This makes the Kubernetes all complex, because instead of looking into just one application, you may have to get into how thousands of containers interact with each other,” Dickson said. “Including the Kubernetes piece in the attack path analysis will really expand visibility into application packages and enable prioritization.” The new capability will power the platform dashboard with a “top risk” dropdown, providing visibility into risks across multiple domains, secrets, and attack paths to critical assets.With the new risk-based vulnerability scores, Lacework claims it can help reduce 90% of vulnerability noise to help zero in on the most critical issues.The capability is already available to the public through Lacework’s CNAPP for no added price on the subscription. Related content news CISA inks 68 tech vendors to secure-by-design pledge — but will it matter? CISA’s pledge drew some big names, but the impact on software security could be limited. Meanwhile the org has extended its comment period on the CIRCIA cyberattack reporting law. By Jon Gold May 10, 2024 4 mins Regulation Technology Industry Security Practices news Google Chrome gets a patch for actively exploited zero-day vulnerability Details of the use-after-free memory vulnerability were not publicly released, but Google says it’s aware an exploit for the bug exists. By Lucian Constantin May 10, 2024 3 mins Threat and Vulnerability Management Zero-day vulnerability Vulnerabilities news Dell data breach exposes data of 49 million customers The company says the breach compromised non-critical customer data and involved no sensitive personal or financial information. By Shweta Sharma May 10, 2024 3 mins Data Breach Hacking feature Social engineering: Definition, examples, and techniques Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data. Train yourself to spot the signs. By Josh Fruhlinger May 10, 2024 15 mins Phishing Social Engineering PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe