Only Half of Cloud Vulnerabilities Pose Actual Security Threats, Finds Rezilion Study
Enterprise security teams are spending more than half of their time and budget on vulnerabilities that pose little risk
Beersheba, Israel, February 27, 2020
Rezilion, the autonomous cloud workload protection platform, today announced the results of a comprehensive vulnerability analysis, concluding that only half of the vulnerabilities in cloud containers ever posed a threat.
Rezilion analyzed the 20 most popular container images on DockerHub using its Validate product and found that for 50% of the reported vulnerabilities the vulnerable code was never loaded into memory by the running workload, so it posed no threat at runtime regardless of its Common Vulnerability Scoring System (CVSS) score, even though large amounts of budget and manpower are spent patching or mitigating such findings. Please view a copy of the report here.
By triaging vulnerabilities using a continuous adaptive risk and trust assessment (CARTA) approach and then prioritizing treatment of those that pose an actual risk, companies can significantly reduce their security budgets or free up manpower to focus on other critical issues.
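As an added illustration of the in-memory triage the study describes (this is not Rezilion's Validate code and not taken from the report; the findings, package file lists and /proc maps excerpts below are constructed sample data, and the vulnerability IDs are placeholders, not real CVEs), the following Python reads the memory maps of the processes running in a container, resolves each scanner finding to the files its package installs, and keeps only the findings whose files were actually mapped into a process:

```python
"""Runtime-reachability triage of container scanner findings.

Added example, not Rezilion code. Inputs are constructed: a scanner report
mapping findings to OS packages, a package -> installed files listing (what
`dpkg -L <pkg>` prints), and /proc/<pid>/maps text for each running process.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "vuln_id package cvss")

# Constructed scanner output; VULN-* are placeholder IDs, not real CVEs.
FINDINGS = [
    Finding("VULN-0001", "libssl1.1", 9.8),
    Finding("VULN-0002", "libc6", 7.5),
    Finding("VULN-0003", "curl", 8.1),            # installed, never executed
    Finding("VULN-0004", "openssh-client", 7.8),  # installed, never executed
    Finding("VULN-0005", "libxml2", 6.5),         # installed, never loaded
    Finding("VULN-0006", "perl-base", 5.3),
]

# Constructed package -> files listing.
PACKAGE_FILES = {
    "libssl1.1": ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1",
                  "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1"],
    "libc6": ["/lib/x86_64-linux-gnu/libc-2.28.so",
              "/lib/x86_64-linux-gnu/ld-2.28.so"],
    "curl": ["/usr/bin/curl"],
    "openssh-client": ["/usr/bin/ssh"],
    "libxml2": ["/usr/lib/x86_64-linux-gnu/libxml2.so.2"],
    "perl-base": ["/usr/bin/perl",
                  "/usr/lib/x86_64-linux-gnu/perl-base/strict.pm"],
}

# Constructed /proc/<pid>/maps excerpts: an nginx worker and a perl sidecar.
PROC_MAPS = {
    1234: """\
55d0c4a00000-55d0c4b30000 r-xp 00000000 08:01 393348  /usr/sbin/nginx
7f3a10000000-7f3a101c5000 r-xp 00000000 08:01 131090  /lib/x86_64-linux-gnu/libc-2.28.so
7f3a101c5000-7f3a103c4000 ---p 001c5000 08:01 131090  /lib/x86_64-linux-gnu/libc-2.28.so
7f3a103c4000-7f3a103c8000 r--p 001c4000 08:01 131090  /lib/x86_64-linux-gnu/libc-2.28.so
7f3a10400000-7f3a10690000 r-xp 00000000 08:01 262224  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f3a10a00000-7f3a10a22000 rw-p 00000000 00:00 0
7f3a10a22000-7f3a10a45000 r-xp 00000000 08:01 131085  /lib/x86_64-linux-gnu/ld-2.28.so
7ffd4c5e2000-7ffd4c603000 rw-p 00000000 00:00 0       [stack]
""",
    1300: """\
55f0a1c00000-55f0a1f00000 r-xp 00000000 08:01 393420  /usr/bin/perl
7f8b20000000-7f8b201c5000 r-xp 00000000 08:01 131090  /lib/x86_64-linux-gnu/libc-2.28.so
7f8b20400000-7f8b20423000 r-xp 00000000 08:01 131085  /lib/x86_64-linux-gnu/ld-2.28.so
""",
}

# address range, perms, offset, dev, inode, optional pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>\S.*)?$")


def parse_maps(text):
    """Return {path: set(perms)} for the file-backed mappings of one process.

    Anonymous mappings and pseudo-paths such as [stack] are skipped; a
    ' (deleted)' suffix is stripped so a file replaced on disk but still
    mapped (e.g. patched without a restart) matches its package path.
    """
    loaded = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or not m.group("path"):
            continue
        path = m.group("path").strip().replace(" (deleted)", "")
        if path.startswith("["):
            continue
        loaded.setdefault(path, set()).add(m.group("perms"))
    return loaded


def loaded_files(proc_maps):
    """Union over all processes: path -> True if any mapping is executable."""
    result = {}
    for text in proc_maps.values():
        for path, perms in parse_maps(text).items():
            executable = any("x" in p for p in perms)
            result[path] = result.get(path, False) or executable
    return result


def triage(findings, package_files, loaded):
    """Split findings into (in_memory, not_loaded), each sorted by CVSS desc.

    A finding is in memory when any file of its package is mapped into a
    running process; the in_memory list is the patch queue in priority order.
    """
    in_memory, not_loaded = [], []
    for f in findings:
        hits = [p for p in package_files.get(f.package, []) if p in loaded]
        (in_memory if hits else not_loaded).append(f)
    by_cvss = lambda f: f.cvss
    return (sorted(in_memory, key=by_cvss, reverse=True),
            sorted(not_loaded, key=by_cvss, reverse=True))


def loaded_fraction(findings, package_files, loaded):
    """Share of findings whose package code was actually loaded."""
    in_memory, _ = triage(findings, package_files, loaded)
    return len(in_memory) / len(findings)


if __name__ == "__main__":
    loaded = loaded_files(PROC_MAPS)
    hot, cold = triage(FINDINGS, PACKAGE_FILES, loaded)
    print("in memory  :", [(f.vuln_id, f.cvss) for f in hot])
    print("not loaded :", [(f.vuln_id, f.cvss) for f in cold])
    print("fraction loaded:", loaded_fraction(FINDINGS, PACKAGE_FILES, loaded))
```

Two caveats a practitioner should keep in mind when using this kind of check on real workloads. First, it works at package granularity: VULN-0001 is kept because libcrypto is mapped even though libssl itself never was, so a finding is an upper bound until it is resolved to the specific vulnerable file or function. Second, the maps file only shows mmap'ed binaries: code in interpreted languages (the perl module above is read, not mapped) and anything only exercised outside the observation window will not appear, so "not loaded" is a statement about the workload as observed, not a permanent property of the image.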
According to IDC, enterprises spend 7-10% of their security budget on vulnerability management as daily operations become increasingly dependent on cloud services. Vulnerability scanners overload and confuse security teams with mountains of findings that cannot all be patched at once. Existing prioritization practices such as CVSS produce no notable reduction in breaches, even in organizations with mature vulnerability management programs: firms with a good security posture are breached through known vulnerabilities as often as those with a poor one.
Gartner recommends in their Implement a Risk-Based Approach to Vulnerability Management report (Gartner subscription required) that “security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness”. Gartner also predicts that “by 2022, approximately 30% of enterprises will adopt a risk-based approach to vulnerability management” and “by 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.”
“A vulnerability is only as dangerous as the threat exploiting it and in some instances during our research, we found the figure dropped to as low as 2%. By focusing on actual vs. perceived risk, we found the security industry has been unnecessarily exaggerating the number of vulnerabilities security teams must address, which has dangerous ramifications to the cloud security landscape,” said Shlomi Boutnaru, CTO and co-founder, Rezilion. “A continuous adaptive risk and trust assessment-based approach reduces friction and overhead by identifying vulnerabilities running in memory and then prioritizing treatment to those that don’t have mitigations or compensating controls such as white-listing, network segmentation, or intrusion detection systems.”
Gartner, “Implement a Risk-Based Approach to Vulnerability Management,” Prateek Bhajanka, Craig Lawson, 21 August 2018
Rezilion is an autonomous DevSecOps platform that automates manual security bottlenecks – making security as agile as DevOps. Founded by serial cybersecurity entrepreneurs Liran Tancman and Shlomi Boutnaru, Rezilion secures vast environments with minimal manpower by integrating security into existing DevOps and IT automation workflows. To learn more visit https://www.rezilion.com/