Vulnerability management isn’t working for cloud security: Here’s how to do it right
Three things in life are seemingly guaranteed: death, taxes and high-profile cloud security breaches. But there is no reason why public cloud or hybrid cloud breaches must remain so stubbornly persistent.
The fact is that we understand why these incidents keep occurring: managing risk and vulnerabilities within dynamic cloud environments isn’t easy. The difficulty of this challenge is magnified by the competitive imperative to migrate to the public cloud quickly. It is further compounded by the fact that the practices, policies and tools at our disposal are often holdovers from an era where on-premises computing reigned supreme.
So how do we solve this problem? It begins with a better vulnerability management system, a refocused commitment to cloud application security best practices and a realignment of our current security posture with the specific requirements of the cloud.
The limitations of traditional vulnerability management
The principles of vulnerability management are straightforward: it’s a process for identifying, analyzing, remediating or mitigating and reporting on security threats within systems and software. Vulnerability assessments are conducted periodically to evaluate the existing security posture and help inform any necessary changes to the vulnerability management action plan.
A comprehensive and well-executed vulnerability management system is essential for managing and treating threats and minimizing attack surfaces.
In addition to following vulnerability management best practices, organizations also need the right support solutions.
Scanning is perhaps the best-known vulnerability management tool, and it plays a high-profile role in cloud and hybrid cloud security. If you want to mitigate threats, it’s important to analyze your security environments frequently. Automated scans are a popular tool for this job, as they are fast, repeatable and easy to use.
However, conventional vulnerability scans also come with some significant drawbacks:
- They often miss active threats that are outside their database or that are more complex than the scanner is able to detect.
- They create false positives, which desensitize defenders and make it easier for critical threats to slip through unnoticed.
- They may also provide a false sense of security – if the scanner didn’t pick anything up, we may simply assume things are fine.
Even when a vulnerability scan works as intended and identifies a cataloged threat, the job is only half-done. Understanding the scope of the threat and placing it in the right context – its criticality and its impact on business operations – is a much harder task, and one a conventional scanner can’t help with, because it lacks the necessary depth.
Scanning is not analogous to penetration testing, which goes far beyond the identification of surface-level threats. Penetration testing identifies vulnerabilities and exploits them, giving a much richer picture of the state of a security environment – one that details all of the damage an attacker could do should a breach occur.
Let’s walk through a practical example of the limitations of conventional management approaches in cloud environments.
As mentioned above, cloud environments are highly dynamic and ephemeral – the average lifespan of a container is just hours. Securing containers with conventional tools such as scanners is difficult and sometimes impossible. Because containers are so short-lived, a periodic scanner often never sees them at all. Complicating matters further, even when a scanner does catch a running container, it typically offers little in the way of assessment: without a stable IP address or SSH log-ins, a credentialed scan can’t be run.
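To make the scan-window problem concrete, here is an added Python illustration (not from the article) with constructed container lifetimes and scan schedules: it counts how many short-lived containers a periodic scanner is ever able to observe, compares a daily schedule with a continuous hourly one, and checks the result against the simple expectation lifespan/interval.

```python
"""Added example: how often does a periodic scanner even *see* an ephemeral container?

All data below is constructed for illustration. A container can only be assessed
if at least one scan falls inside its lifetime.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Container:
    name: str
    start_h: float  # hour at which the container was started
    end_h: float    # hour at which it was torn down


def scan_times(interval_h: float, horizon_h: float, offset_h: float = 0.0) -> List[float]:
    """Timestamps of a fixed-interval scan schedule over the observation window."""
    times, t = [], offset_h
    while t < horizon_h:
        times.append(t)
        t += interval_h
    return times


def observed(containers: List[Container], scans: List[float]) -> Set[str]:
    """Names of containers alive during at least one scan; only these can be assessed."""
    return {c.name for c in containers if any(c.start_h <= t < c.end_h for t in scans)}


def coverage(containers: List[Container], scans: List[float]) -> float:
    """Fraction of the fleet that a given scan schedule ever observes."""
    return len(observed(containers, scans)) / len(containers)


def expected_coverage(lifespan_h: float, interval_h: float) -> float:
    """Analytic check: for a uniformly random start time, the chance that a
    periodic scan lands inside a container's lifetime is lifespan/interval, capped at 1."""
    return min(1.0, lifespan_h / interval_h)


# Constructed fleet: five containers living ~3 hours each across a 48-hour window.
FLEET = [
    Container("api-1", 1.0, 4.0),
    Container("api-2", 23.0, 26.0),    # the only one alive during the t=24h daily scan
    Container("worker-1", 30.0, 33.0),
    Container("worker-2", 40.0, 43.0),
    Container("batch-1", 47.0, 50.0),
]

if __name__ == "__main__":
    print("daily scan coverage: ", coverage(FLEET, scan_times(24, 48)))   # 0.2
    print("hourly scan coverage:", coverage(FLEET, scan_times(1, 48)))    # 1.0
    print("expected (3h life, 24h interval):", expected_coverage(3, 24))  # 0.125
```

The daily scanner catches one container in five, close to the 3/24 analytic estimate, while the continuous schedule observes every container; this is the gap between periodic scanning and continuous assessment that the rest of the article turns on.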
A different approach to vulnerability management
While traditional vulnerability management is ill-suited for some of the core challenges of cloud security, there are some simple changes organizations can make to solve this problem. The most impactful, perhaps, is simply implementing more powerful and cutting-edge tools to help secure systems and software.
Breach and attack simulation (BAS) platforms represent one such option. A BAS solution works by launching a series of non-stop, simulated attacks against a security environment. These simulations replicate the likely attack paths and techniques used by APTs and other adversaries.
Like penetration testing, these tools extend beyond mere threat identification. BAS tools identify security gaps and show the potential damage that exploits would cause, giving a much fuller picture of how well vulnerabilities are actually being managed.
Unlike manual penetration tests, however, these tools work in an automated and continuous fashion. BAS platforms designed for cloud and hybrid environments are built to secure ephemeral objects, so the dynamism of the cloud that defeats traditional vulnerability management tools presents little difficulty to them. In addition to identifying threats and outlining possible damage, BAS platforms also provide prioritized remediation guidance – something that more limited tools do not.
For these reasons, organizations seeking to modernize their vulnerability management processes may find deploying a BAS solution to be one of the fastest and most effective measures for improving cloud security.
The takeaway
If we are ever going to make high-profile cloud security breaches a rarity, it’s imperative to create vulnerability management processes that reflect the actual challenges organizations face. Choosing the appropriate tools is a key component of that transition.
By moving on from more limited approaches that struggle to deal with dynamic environments, enterprises can quickly improve cloud and hybrid security – and help ensure that they won’t be reading about themselves when the next public data breach occurs.