Lacework’s risk-based vulnerability management provides customers with contextual scoring to help prioritize patches. Cloud security provider Lacework has added a new vulnerability risk management capability to its cloud-native application protection (CNAPP) offering.The SaaS capability will combine active package detection, attack path analysis, and in-house data on active exploits to generate personalized vulnerability risk scores.“Lacework takes a risk-based approach that goes beyond a common vulnerability scoring system (CVSS) and looks at each customer’s unique environment, to figure out what packages are active, whether that host is exposed to the internet, whether there are exploits in the wild, etc.,” said Nolan Karpinski, director of product management at Lacework. “CVSS scores are very generic and, at times, do not pertain to every context, meaning it may or may not be bad for your environment.” Scoring is based on contextual parametersLacework’s vulnerability scoring takes into account the exposure of affected environments to the internet, whether the packages are being used, and whether they have already been exploited in the wild. Customers can tweak the weightage of these factors to align with their internal security guidelines and prioritize patching based on the scores. Additionally, the scoring focuses on workflow context received from the cloud control panel which indicates if the workload is being actively used in a private environment, production environment, development system, or a business-critical process, according to Karpinski.“These are very important contextual considerations,” said Frank Dickson, an analyst at IDC. “Suppose you have a CVS scoring of 9.8 on one vulnerability and of 7 on another. What contextual scoring will do is, maybe rank the 9.8 down a little because it’s not so exposed to the internet or doesn’t have an exploit yet. The one with a score of 7 can still be critical with either or both of those factors being high.” Lacework’s “active vulnerability detection,” which provides visibility into the actual packages being used by security teams can also eliminate the added workload with software bloats, according to Karpinski.Vulnerability scan adds extended attack path analysisWith the new capability, Lacework claims the discovery of attack paths to Kubernetes-based applications, including internet-exposed containers and open ports, to allow security teams to communicate context-based, Kubernetes-related exposures to developers.“Kubernetes is an orchestration with containers, and containers can range in architecture from a monolithic model to a combination of micro-services. This makes the Kubernetes all complex, because instead of looking into just one application, you may have to get into how thousands of containers interact with each other,” Dickson said. “Including the Kubernetes piece in the attack path analysis will really expand visibility into application packages and enable prioritization.” The new capability will power the platform dashboard with a “top risk” dropdown, providing visibility into risks across multiple domains, secrets, and attack paths to critical assets.With the new risk-based vulnerability scores, Lacework claims it can help reduce 90% of vulnerability noise to help zero in on the most critical issues.The capability is already available to the public through Lacework’s CNAPP for no added price on the subscription. Related content news analysis SEC rule for finance firms boosts disclosure requirements Amendments to Regulation S-P requires broker-dealers, investment companies, registered investment advisers, and transfer agents to disclose incidents to customers. By Evan Schuman May 17, 2024 5 mins Data Breach Financial Services Industry Data Privacy feature DDoS attacks: Definition, examples, and techniques Distributed denial of service (DDoS) attacks have been part of the criminal toolbox for over twenty years, and they’re only growing more prevalent and stronger. By Josh Fruhlinger May 17, 2024 10 mins DDoS Cyberattacks news FCC proposes BGP security measures Protecting the Border Gateway Protocol is as important as protecting the border. By Gyana Swain May 17, 2024 1 min Regulation Network Security news US AI experts targeted in cyberespionage campaign using SugarGh0st RAT Threat actors use phishing techniques to obtain non-public information about generative artificial intelligence. By Lucian Constantin May 16, 2024 4 mins Phishing Data and Information Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe