
Focus resources on fixing the most threatening vulnerabilities: research • The Register

Enterprise security teams overwhelmed by the growing number of vulnerabilities discovered every day could significantly reduce their patching workload by changing the way they prioritize flaws, according to a recent study by vulnerability startup Rezilion.

Most companies rely on the ratings assigned to vulnerabilities under the Common Vulnerability Scoring System (CVSS), which range from 0 to 10 (10 being the highest) and are bucketed as low, medium, high, or critical depending on the characteristics of the vulnerability.

Companies start remediation with the vulnerabilities rated "critical" and work down from there, said Yotam Perkal, director of vulnerability research at Rezilion.

The problem is that, for many companies, most of those vulnerabilities pose no threat to them. In a study published this week, Rezilion found that around 85% of vulnerabilities in the environments it examined are never loaded into memory, Perkal told The Register.

“If a vulnerability isn’t loaded, it’s not really exploitable,” he said. “If the code doesn’t run, if you have a package installed on your machine but that package isn’t used by any application, then any vulnerability you have in that package isn’t really exploitable, because you need to have something running, something loaded into memory, so that it can be exploited.”

Rezilion, which was founded in 2018 and raised $38 million in two funding rounds — including $30 million in September 2021 — sells an automated software attack surface management platform that helps organizations to reduce and mitigate software vulnerabilities on cloud workloads, applications, and the Internet of Things (IoT).

In the study, Rezilion researchers looked at 20 popular container images on Docker Hub that they believe had been downloaded and deployed billions of times. These images included MariaDB, WordPress, Memcached, MongoDB, Nginx, and MySQL.

In addition, they reviewed base operating system images from cloud providers Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform to determine how many vulnerabilities are not applicable and which pose a real risk.

According to Rezilion, there were over 4,347 known vulnerabilities among the 21 container images scanned, but testing revealed that, on average, only around 15% of those common vulnerabilities and exposures (CVEs) were actually loaded into memory and constituted a threat.

The researchers also found 6,167 known vulnerabilities in the 12 base operating system images analyzed, 20% of which were loaded into memory.

Do you know what your organization runs?

“It is clear from the analysis that 85% of all vulnerabilities discovered in containers and hosts were never loaded into memory and were therefore not exploitable,” they wrote in the report. “If traditional vulnerability management approaches were used, more than 85% of remediation time and effort would be spent on vulnerabilities that posed no real risk to the environment.”

Perkal said he knows what that looks like. He spent over three years at PayPal as part of its vulnerability management team. He said the processes were mostly manual and the team didn’t have time to fix everything. Plus, he added, patching isn’t always a smooth or quick process. The type of vulnerability often dictates how long mitigation takes – some can take months – and in some cases it requires system downtime, he said.

“Organizations have limited resources and limited capacity to handle vulnerability management and patch management,” Perkal said. “The number of vulnerabilities discovered and disclosed is constantly increasing year on year. The amount of code they have is constantly increasing, and this is directly related to the amount of vulnerabilities. As long as people are writing code, there will be vulnerabilities, and organizations simply won’t keep up.”

It becomes a question of mathematics, he said.

“If you have 1,000 vulnerabilities, focus on the 200 that are actually loaded into memory,” Perkal said. “Start with those, then if you have more time and extra resources, take care of the rest, but at least start focusing on the ones that really pose a threat, that really matter.”
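The triage Perkal describes, both the mechanism (a package is only exploitable once its code is mapped into a running process) and the arithmetic (split the 1,000 into the loaded few hundred and the rest), can be reproduced on a Linux host from data you already have: the file-backed mappings in `/proc/<pid>/maps`, the file-to-package answer from `dpkg -S` or `rpm -qf`, and your scanner's CVE list. The script below is an added example, not Rezilion's code or the report's method; every input in it is constructed (two trimmed `maps` excerpts, a hand-written path-to-package table, placeholder `CVE-0000-000x` identifiers with made-up CVSS scores), so it runs offline.

```python
"""Split a CVE list into 'loaded in some process' and 'installed but not loaded'.

Added illustration, not Rezilion's code. All inputs are constructed:
- MAPS: excerpts in the /proc/<pid>/maps layout (only the path column is used)
- FILE_TO_PACKAGE: what `dpkg -S` / `rpm -qf` would answer for each path
- FINDINGS: scanner output as (package, cve_id, cvss_base_score); the CVE ids
  are placeholders, not real advisories, and the scores are made up.
"""
from collections import defaultdict

# Constructed /proc/<pid>/maps excerpts: an nginx worker and an interactive shell.
MAPS = {
    1234: """\
55d0c0a00000-55d0c0a3b000 r-xp 00000000 fd:01 131  /usr/sbin/nginx
7f1a10000000-7f1a101c2000 r-xp 00000000 fd:01 220  /usr/lib/x86_64-linux-gnu/libssl.so.3
7f1a10200000-7f1a10260000 r-xp 00000000 fd:01 221  /usr/lib/x86_64-linux-gnu/libz.so.1.2.13
7f1a10300000-7f1a10320000 rw-p 00000000 00:00 0
7ffd3c000000-7ffd3c021000 rw-p 00000000 00:00 0    [stack]
""",
    1300: """\
5600a0000000-5600a00f0000 r-xp 00000000 fd:01 140  /usr/bin/bash
7f2b20000000-7f2b20010000 r-xp 00000000 fd:01 300  /usr/lib/x86_64-linux-gnu/libtinfo.so.6.4 (deleted)
""",
}

# Constructed path -> package table (hypothetical dpkg -S output).
FILE_TO_PACKAGE = {
    "/usr/sbin/nginx": "nginx",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3": "openssl",
    "/usr/lib/x86_64-linux-gnu/libz.so.1.2.13": "zlib1g",
    "/usr/bin/bash": "bash",
    "/usr/lib/x86_64-linux-gnu/libtinfo.so.6.4": "libtinfo6",
}

# Constructed scanner findings: (package, placeholder CVE id, made-up CVSS score).
FINDINGS = [
    ("openssl", "CVE-0000-0001", 9.8),
    ("zlib1g", "CVE-0000-0002", 7.5),
    ("bash", "CVE-0000-0003", 5.3),
    ("imagemagick", "CVE-0000-0004", 9.1),  # installed, never executed
    ("curl", "CVE-0000-0005", 8.8),         # installed, never executed
]


def loaded_paths(maps_text):
    """Return the file-backed paths mapped in one /proc/<pid>/maps dump.

    Anonymous regions (5 fields) and pseudo-paths like [stack] are skipped.
    A ' (deleted)' suffix means the file on disk was replaced (e.g. by a patch)
    while the old copy is still mapped: the old code is still what runs, so the
    suffix is stripped and the path still counts as loaded.
    """
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5].removesuffix(" (deleted)"))
    return paths


def loaded_packages(maps_by_pid, file_to_package):
    """Map package name -> set of pids that have one of its files mapped."""
    pkgs = defaultdict(set)
    for pid, text in maps_by_pid.items():
        for path in loaded_paths(text):
            pkg = file_to_package.get(path)
            if pkg:
                pkgs[pkg].add(pid)
    return pkgs


def triage(findings, maps_by_pid, file_to_package):
    """Return (patch_now, remove_or_defer), each sorted by CVSS descending.

    patch_now rows:        (score, cve, package, [pids with it mapped])
    remove_or_defer rows:  (score, cve, package)
    """
    loaded = loaded_packages(maps_by_pid, file_to_package)
    patch_now, remove_or_defer = [], []
    for pkg, cve, score in findings:
        if pkg in loaded:
            patch_now.append((score, cve, pkg, sorted(loaded[pkg])))
        else:
            remove_or_defer.append((score, cve, pkg))
    return sorted(patch_now, reverse=True), sorted(remove_or_defer, reverse=True)


if __name__ == "__main__":
    now, later = triage(FINDINGS, MAPS, FILE_TO_PACKAGE)
    print(f"{len(now)} of {len(FINDINGS)} findings are loaded in a process; patch first:")
    for score, cve, pkg, pids in now:
        print(f"  {cve} {pkg} cvss={score} pids={pids}")
    print("installed but not loaded; remove the package or schedule later:")
    for score, cve, pkg in later:
        print(f"  {cve} {pkg} cvss={score}")
```

On a real host you would concatenate `/proc/*/maps`, resolve paths with `dpkg -S`, and feed your scanner's export into `FINDINGS`. Two caveats a practitioner should keep in mind: the second bucket is still attack surface (it can be launched by mistake or by an attacker who already has a foothold), so the right disposition for it is usually removal rather than indefinite deferral; and the mapping check only sees native code. Classes a JVM or interpreter loads from a jar or source file, or code statically linked into a binary under a different package name, do not necessarily show up as file-backed executable mappings, so a Log4j-style finding needs a runtime-specific check rather than this one.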

The research from Rezilion, which has nearly 70 employees, has drawn critical reactions from other industry players. Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register that the startup’s research is interesting, but felt it might not accurately reflect the risk companies face.

“While it’s certainly true that many vulnerabilities won’t be found in any given environment, arbitrarily saying you can ignore 85% of them is misleading,” Parkin said. “It ignores the fact that mature organizations have a risk management process that helps them focus on the vulnerabilities that matter in their context. They may rightly give lower priority to those that are only rarely resident, and therefore exploitable.”

However, the best practice is to remove what they don’t use and fix what they do, he added.

Additionally, most organizations cannot authoritatively describe their entire server inventory, John Bambenek, senior threat researcher at Netenrich, told The Register, let alone tell which parts of which software applications are loaded into memory.

“There are still machines vulnerable to Log4j,” Bambenek said. “A ‘don’t worry about patches’ message ensures that incident responders like me won’t be empowered by technology. However, we will continue to learn from it.”

Perkal said companies not knowing everything in their IT environment is a problem, but Rezilion’s platform solves it. It has vulnerability validation and remediation capabilities and this month added Dynamic SBOM (software bill of materials) to help organizations map their software and vulnerabilities and improve visibility into their attack surface.

Companies’ lack of knowledge about their environment “is a big problem. We’ve seen it with Log4j,” he said. “If you don’t know what’s there, you don’t know you need to fix it. There’s a step before you talk about prioritization. It’s about knowing what you have. It’s something the Rezilion product does.”

Andrew Hay, COO of security consultancy Lares Consulting, acknowledged Rezilion’s runtime analysis and Dynamic SBOM, but added that “the mere fact that vulnerable software is installed, even if it isn’t executing, still presents a risk.”

“That vulnerable software could be launched by mistake and immediately become a high risk,” Hay told The Register. “The best way to reduce a system’s attack surface is to remove software that is not required by the system to perform its designated task.”

However, the feedback Rezilion receives from partners — such as AWS, GitLab, Docker, and Tenable — and customers has been positive, Perkal said.

“The reality is that people and organizations live in a constant risk management scenario,” he said. “They don’t fix everything. They have open vulnerabilities that they don’t have the manpower or the tools to manage with SLAs, so most customers we talk to appreciate that they can better use their existing resources, tools and budgets to focus on the vulnerabilities most relevant to them.”®