Enterprise security teams, overwhelmed by the rising number of vulnerabilities uncovered every day, could significantly reduce their patching workload by changing how vulnerabilities are prioritized, according to a recent study by vulnerability startup Rezilion.
Most companies pay attention to the Common Vulnerability Scoring System (CVSS) rating of bugs, which ranges from 0 to 10 (10 being the most severe); bugs are classified as low, medium, high or critical depending on the characteristics of the vulnerability.
Organizations will start their remediation efforts with vulnerabilities rated “critical” and work their way down, said Yotam Perkal, director of vulnerability research at Rezilion.
The problem is that most bugs don’t pose a threat to many organizations. A Rezilion study released this week found that about 85 percent of the vulnerabilities in these organizations’ environments are never loaded into memory, Perkal told The Register.
“If a vulnerability isn’t loaded, it can’t really be exploited,” he said. “If the code doesn’t run when you have a package installed on your computer, but that package isn’t used by any application, then whatever vulnerability you have in that package isn’t really exploitable, because you have to run something, something which is loaded in memory, so that it can be exploited.”
Rezilion, which was founded in 2018 and has raised $38 million in two rounds of funding – including $30 million in September 2021 – sells an automated software attack surface management platform that helps companies reduce and mitigate software vulnerabilities in cloud workloads, applications and Internet of Things (IoT) devices.
In the study, Rezilion researchers examined 20 popular container images on Docker Hub that they said were downloaded and deployed a total of billions of times. These images included MariaDB, WordPress, Memcached, MongoDB, Nginx, and MySQL.
In addition, they examined baseline operating system images from cloud providers Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform to determine how many vulnerabilities are not applicable and which pose an actual risk.
According to Rezilion, there were more than 4,347 known vulnerabilities among the 21 container images analyzed, although testing indicated that on average only about 15 percent of those Common Vulnerabilities and Exposures (CVEs) were ever loaded into memory and posed a threat.
The researchers also found 6,167 known vulnerabilities in the 12 base OS images analyzed, 20 percent of which were loaded into memory.
Do you know what your organization does?
“The analysis shows that 85 percent of all discovered vulnerabilities in containers and hosts were never loaded into memory and were therefore not exploitable,” they write in the report. “If traditional vulnerability management approaches were used, more than 85 percent of the time and effort would be spent patching vulnerabilities that pose no actual risk to the environment.”
Perkal said he knows what that looks like. He spent more than three years at PayPal as part of the vulnerability management team. He said the processes are mostly manual and the team doesn’t have time to patch everything. Also, he added, patching isn’t always a uniform or quick process. The nature of the vulnerability often determines how long mitigations take — some can take months — and in some cases they require system downtime, he said.
“Organizations have limited resources and limited capacity to address vulnerability and patch management,” Perkal said. “The number of discovered and disclosed vulnerabilities is increasing every year. The amount of code they read is constantly increasing and this is directly related to the amount of vulnerabilities. As long as people write code, there will be vulnerabilities, and organizations just can’t keep up.”
It becomes a matter of math, he said.
“If you have 1,000 vulnerabilities, focus on the 200 that are actually loaded into memory,” Perkal said. “Start with those, and when you have extra time and extra resources, take care of the rest, but at least focus on the ones that actually pose a threat that really matter.”
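The triage Perkal describes, as an added illustration that is not Rezilion’s code or method: scanner findings are split into those whose vulnerable file is actually mapped into a running process (read from `/proc/<pid>/maps`) and those that are merely installed, with the dormant set kept as a second queue rather than dropped. The findings, the CVE identifiers and the maps excerpt are all constructed sample data, and the example assumes the scanner reports the same resolved file path that the kernel shows in the map.

```python
"""Triage scanner findings by whether the vulnerable file is mapped into a running process."""
from typing import Dict, List, Set, Tuple

# Constructed sample scanner output for one container image; CVE ids are placeholders, not real.
FINDINGS: List[Dict] = [
    {"package": "zlib1g",    "path": "/lib/x86_64-linux-gnu/libz.so.1.2.11",     "cve": "CVE-0000-0001", "cvss": 9.8},
    {"package": "libssl1.1", "path": "/usr/lib/x86_64-linux-gnu/libssl.so.1.1",  "cve": "CVE-0000-0002", "cvss": 7.5},
    {"package": "libxml2",   "path": "/usr/lib/x86_64-linux-gnu/libxml2.so.2",   "cve": "CVE-0000-0003", "cvss": 8.1},
    {"package": "curl",      "path": "/usr/bin/curl",                            "cve": "CVE-0000-0004", "cvss": 5.3},
]

# Constructed /proc/<pid>/maps excerpt for the container's single long-running process.
PROC_MAPS = """\
55d0c1e00000-55d0c1f00000 r-xp 00000000 08:01 262145 /usr/sbin/nginx
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a10400000-7f3a10416000 r-xp 00000000 08:01 131074 /lib/x86_64-linux-gnu/libz.so.1.2.11
7f3a10800000-7f3a10a40000 r-xp 00000000 08:01 131099 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a10c00000-7f3a10c21000 rw-p 00000000 00:00 0 [heap]
7ffd5c3e0000-7ffd5c401000 rw-p 00000000 00:00 0 [stack]
"""


def loaded_paths(maps_text: str) -> Set[str]:
    """Return file-backed mappings from /proc/<pid>/maps; anonymous and pseudo ([heap]) regions are skipped."""
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [pathname]
        if len(fields) == 6 and fields[5].startswith("/"):
            paths.add(fields[5])
    return paths


def prioritize(findings: List[Dict], loaded: Set[str]) -> Tuple[List[Dict], List[Dict]]:
    """Split findings into (loaded, dormant), each sorted by CVSS with the most severe first.
    Dormant findings are a second queue, not discarded: an unused package can still be launched later."""
    active = [f for f in findings if f["path"] in loaded]
    dormant = [f for f in findings if f["path"] not in loaded]
    by_severity = lambda f: -f["cvss"]
    return sorted(active, key=by_severity), sorted(dormant, key=by_severity)


def dormant_share(findings: List[Dict], loaded: Set[str]) -> float:
    """Fraction of findings never mapped into memory (the figure the study reports for its sample)."""
    _, dormant = prioritize(findings, loaded)
    return len(dormant) / len(findings) if findings else 0.0


if __name__ == "__main__":
    active, dormant = prioritize(FINDINGS, loaded_paths(PROC_MAPS))
    print("patch first:", [f["cve"] for f in active])
    print("second queue:", [f["cve"] for f in dormant])
```

A single snapshot of one process misses libraries loaded by short-lived jobs, so in practice the map would be sampled across all processes and over time before a finding is moved to the second queue.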
Rezilion, which employs nearly 70 people, has drawn some criticism of its research from others in the industry. Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register that the startup’s research is interesting, but said it may not accurately reflect the risk a company actually faces.
“While it’s certainly true that many vulnerabilities aren’t found in any particular environment, it’s misleading to say that 85 percent of them can be ignored,” Parkin said. “It ignores the fact that mature organizations have a risk management process in place to help them focus on the vulnerabilities that are important in their context. You can rightly give lower priority to those that are scarce and therefore exploitable.”
But the best course of action, he added, is for organizations to remove what they don’t use and patch what they do.
Furthermore, most organizations cannot describe their entire server inventory with authority, John Bambenek, senior threat researcher at Netenrich, told The Register. They cannot tell which parts of which software applications are loaded into memory.
“There are still Log4j-vulnerable machines out there,” Bambenek said. “A ‘don’t worry about patching’ message ensures emergency responders like me aren’t empowered by technology. However, we will continue to be enriched by it.”
Perkal said companies not knowing everything that’s in their IT environment poses a problem, but one that Rezilion’s platform addresses. It has vulnerability validation and remediation capabilities, and this month added Dynamic SBOM (Software Bill of Materials) to help organizations map their software and vulnerabilities and improve visibility of their attack surface.
Companies’ lack of knowledge of their environment “is a big problem. We saw that with Log4j,” he said. “If you don’t know what’s there, you don’t know you need to patch it. There is one step before we talk about prioritization. It’s knowing what you have. That’s something the Rezilion product does.”
Andrew Hay, COO of security consultancy Lares Consulting, acknowledged Rezilion’s runtime analysis and Dynamic SBOM, but added that “the simple fact that vulnerable software is installed, even if it’s not running, is still a risk.”
“This vulnerable software could be inadvertently launched and immediately put at high risk,” Hay told The Register. “The best way to reduce a system’s attack surface is to remove software that the system doesn’t need to do its intended job.”
However, the feedback Rezilion is receiving from partners — such as AWS, GitLab, Docker, and Tenable — and customers is positive, Perkal said.
“The reality is that people and organizations live in a constant risk management scenario,” he said. “They don’t patch everything. They have open vulnerabilities that they don’t have the manpower or tools to close within SLA, so most customers we speak to appreciate the fact that they can make better use of their existing resources, tools and budgets to focus on vulnerabilities that are more relevant to them.” ®