Rezilion, the autonomous cloud workload protection platform, today announced the results of a comprehensive vulnerability analysis, concluding that only half of the vulnerabilities in cloud containers ever posed a threat.
Rezilion analyzed the top 20 most popular container images on DockerHub and discovered that for 50% of the reported vulnerabilities, the vulnerable code was never loaded into memory, so those vulnerabilities did not pose a threat, regardless of their Common Vulnerability Scoring System (CVSS) scores and despite the budget and manpower spent on patching or mitigating them. Please view a copy of the report here.
By triaging vulnerabilities using a continuous adaptive risk and trust assessment (CARTA) approach and then prioritizing treatment of those that are commonly targeted, companies can significantly reduce their security budgets or free up manpower to focus on other critical issues.
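The triage idea in the two paragraphs above, as an added illustration that is not Rezilion's code or method: scanner findings are keyed by package, and a package only matters if one of its files is actually mapped into a running process. The script below parses a constructed `/proc/<pid>/maps` excerpt, maps the loaded files back to packages through a constructed package-to-file inventory (the shape `dpkg -L` would give), and splits a constructed finding list (hypothetical IDs, not real CVEs) into findings whose package is loaded and findings that are dormant.

```python
"""Added example: split scanner findings by whether the vulnerable package is
loaded into a running process. All inputs below are constructed for the demo."""

# Constructed /proc/<pid>/maps excerpt. Field layout is the real one:
# address perms offset dev inode [path]. Anonymous mappings have no path.
# A "(deleted)" suffix means the file was replaced on disk (e.g. by an upgrade)
# while the old copy is still mapped, which a file-based scanner would miss.
SAMPLE_MAPS = """\
55d3c0400000-55d3c0401000 r--p 00000000 fd:01 1311 /usr/sbin/nginx
7f1e6a000000-7f1e6a020000 r--p 00000000 fd:01 2021 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f1e6a100000-7f1e6a140000 r-xp 00000000 fd:01 2022 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f1e6a200000-7f1e6a260000 r-xp 00000000 fd:01 2030 /usr/lib/x86_64-linux-gnu/libcurl.so.4 (deleted)
7f1e6b000000-7f1e6b021000 rw-p 00000000 00:00 0 [heap]
7fff10000000-7fff10021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed package inventory: package name -> files it installs.
PACKAGE_FILES = {
    "libssl1.1": [
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.1",
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1",
    ],
    "curl": ["/usr/bin/curl", "/usr/lib/x86_64-linux-gnu/libcurl.so.4"],
    "perl-base": ["/usr/bin/perl"],
}

# Constructed scanner output with hypothetical IDs (placeholders, not CVEs).
FINDINGS = [
    {"id": "HYPOTHETICAL-1", "package": "libssl1.1", "cvss": 9.8},
    {"id": "HYPOTHETICAL-2", "package": "curl", "cvss": 7.5},
    {"id": "HYPOTHETICAL-3", "package": "perl-base", "cvss": 5.3},
]


def loaded_files(maps_text):
    """Return the set of on-disk paths mapped into the process.

    Anonymous regions ([heap], [stack], no path) are skipped. A trailing
    " (deleted)" is stripped so a replaced-but-still-mapped library counts
    as loaded: the old code is what is executing, whatever is on disk now.
    """
    paths = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # path may contain spaces
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue
        path = fields[5].strip()
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
        paths.add(path)
    return paths


def loaded_packages(maps_text, package_files):
    """Packages with at least one file mapped into the process."""
    mapped = loaded_files(maps_text)
    return {pkg for pkg, files in package_files.items() if mapped & set(files)}


def triage(findings, maps_text, package_files):
    """Split findings into 'reachable' (package loaded) and 'dormant'.

    Both lists are ordered by CVSS descending so the reachable list is the
    patch queue and the dormant list is what can be deferred (for now).
    """
    live = loaded_packages(maps_text, package_files)
    by_severity = sorted(findings, key=lambda f: f["cvss"], reverse=True)
    return {
        "reachable": [f for f in by_severity if f["package"] in live],
        "dormant": [f for f in by_severity if f["package"] not in live],
    }


if __name__ == "__main__":
    result = triage(FINDINGS, SAMPLE_MAPS, PACKAGE_FILES)
    for bucket, items in result.items():
        print(bucket, [f["id"] for f in items])
```

Two caveats a practitioner should keep in mind when reading the numbers this produces. A maps snapshot is a point in time: a library pulled in later via `dlopen`, a binary that is only exec'd on a rare code path, or interpreted code (Python or Perl modules never appear as mapped shared objects) will all look "dormant" until they run, so "not loaded now" is evidence for deferral, not proof of safety. Conversely, the `(deleted)` case shows the opposite failure: a package that the file-based scanner considers patched can still be executing its old, vulnerable copy until the process restarts.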
According to IDC, enterprises spend 7-10% of their security budget on vulnerability management as daily operations become increasingly dependent on cloud services. Vulnerability scanners overload and confuse security teams with mountains of findings that cannot all be patched at once. Existing prioritization practices such as CVSS provide no notable reduction in breaches, even in organizations with mature vulnerability management programs: firms with a good security posture are breached through known vulnerabilities at the same rate as those with a poor one.
Gartner recommends in its Implement a Risk-Based Approach to Vulnerability Management report (Gartner subscription required) that "security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness". Gartner also predicts that "by 2022, approximately 30% of enterprises will adopt a risk-based approach to vulnerability management" and "by 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches."
"A vulnerability is only as dangerous as the threat exploiting it and in some instances during our research, we found the figure dropped to as low as 2%. By focusing on actual vs. perceived risk, we found the security industry has been unnecessarily exaggerating the number of vulnerabilities security teams must address, which has dangerous ramifications for the cloud security landscape," said Shlomi Boutnaru, CTO and co-founder, Rezilion. "A continuous adaptive risk and trust assessment-based approach reduces friction and overhead by identifying vulnerabilities running in memory and then prioritizing treatment of those vulnerabilities commonly targeted by hackers as well as any that don't have mitigations."