Lacework’s risk-based vulnerability management provides customers with contextual scoring to help prioritize patches.

Cloud security provider Lacework has added a new vulnerability risk management capability to its cloud-native application protection platform (CNAPP) offering. The SaaS capability combines active package detection, attack path analysis, and in-house data on active exploits to generate personalized vulnerability risk scores.

“Lacework takes a risk-based approach that goes beyond a common vulnerability scoring system (CVSS) and looks at each customer’s unique environment, to figure out what packages are active, whether that host is exposed to the internet, whether there are exploits in the wild, etc.,” said Nolan Karpinski, director of product management at Lacework. “CVSS scores are very generic and, at times, do not pertain to every context, meaning it may or may not be bad for your environment.”

Scoring is based on contextual parameters

Lacework’s vulnerability scoring takes into account the exposure of affected environments to the internet, whether the packages are being used, and whether they have already been exploited in the wild. Customers can adjust the weighting of these factors to align with their internal security guidelines and prioritize patching based on the resulting scores. Additionally, the scoring takes into account workload context received from the cloud control panel, which indicates whether the workload is being actively used in a private environment, a production environment, a development system, or a business-critical process, according to Karpinski.

“These are very important contextual considerations,” said Frank Dickson, an analyst at IDC. “Suppose you have a CVSS scoring of 9.8 on one vulnerability and of 7 on another. What contextual scoring will do is, maybe rank the 9.8 down a little because it’s not so exposed to the internet or doesn’t have an exploit yet. The one with a score of 7 can still be critical with either or both of those factors being high.”

Lacework’s “active vulnerability detection,” which gives security teams visibility into the packages actually in use, can also eliminate the added workload caused by software bloat, according to Karpinski.

Vulnerability scan adds extended attack path analysis

With the new capability, Lacework claims to discover attack paths to Kubernetes-based applications, including internet-exposed containers and open ports, so that security teams can communicate context-based, Kubernetes-related exposures to developers.

“Kubernetes is an orchestration with containers, and containers can range in architecture from a monolithic model to a combination of micro-services. This makes the Kubernetes all complex, because instead of looking into just one application, you may have to get into how thousands of containers interact with each other,” Dickson said. “Including the Kubernetes piece in the attack path analysis will really expand visibility into application packages and enable prioritization.”

The new capability will power the platform dashboard with a “top risk” dropdown, providing visibility into risks across multiple domains, secrets, and attack paths to critical assets. With the new risk-based vulnerability scores, Lacework claims it can help reduce 90% of vulnerability noise to help zero in on the most critical issues.

The capability is already available to the public through Lacework’s CNAPP at no added price on the subscription.
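The contextual re-ranking Karpinski and Dickson describe can be made concrete with a small, transparent scoring model. This is an added illustration, not Lacework’s own algorithm; the factor weights, the score floor, the workload criticality table and the CVE placeholders are all constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed illustration of contextual vulnerability scoring. The weights and
# the formula are hypothetical, not Lacework's actual model.

@dataclass
class Finding:
    cve: str                # placeholder identifier, not a real advisory
    cvss: float             # generic CVSS base score, 0.0-10.0
    package_active: bool    # is the vulnerable package actually loaded/running?
    internet_exposed: bool  # is the host reachable from the internet?
    exploit_in_wild: bool   # is active exploitation known?
    workload: str           # e.g. "production", "development", "private"

# Relative importance of each contextual factor; tunable per organisation.
DEFAULT_WEIGHTS = {"package_active": 0.35, "internet_exposed": 0.30,
                   "exploit_in_wild": 0.25, "workload": 0.10}
# How much a workload type should count, on a 0..1 scale (assumed values).
WORKLOAD_CRITICALITY = {"business-critical": 1.0, "production": 1.0,
                        "private": 0.5, "development": 0.3}
FLOOR = 0.2  # even with no context hits, retain 20% of the base score

def contextual_score(f: Finding, weights=DEFAULT_WEIGHTS) -> float:
    """Scale the CVSS base score by how much of the environment context applies."""
    if not math.isclose(sum(weights.values()), 1.0):
        raise ValueError("weights must sum to 1.0")
    hits = (weights["package_active"] * f.package_active
            + weights["internet_exposed"] * f.internet_exposed
            + weights["exploit_in_wild"] * f.exploit_in_wild
            + weights["workload"] * WORKLOAD_CRITICALITY.get(f.workload, 0.5))
    return round(f.cvss * (FLOOR + (1 - FLOOR) * hits), 2)

def rank(findings, weights=DEFAULT_WEIGHTS):
    """Return (cve, contextual score) pairs, highest priority first."""
    scored = [(f.cve, contextual_score(f, weights)) for f in findings]
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Dickson's scenario: a 9.8 that is dormant and unexposed versus a 7.0 that is
# active, exposed and already being exploited in production (constructed data).
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, False, False, False, "development"),
    Finding("CVE-XXXX-0002", 7.0, True, True, True, "production"),
]

if __name__ == "__main__":
    for cve, score in rank(SAMPLE):
        print(f"{cve}: {score}")
```

With the default weights the 7.0 finding keeps its full score while the unexposed, inactive 9.8 drops to 2.2, so it sorts below it; changing `DEFAULT_WEIGHTS` shows how an organisation’s own priorities move the ordering.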