That critical vulnerability might not be the first you should patch
Startup Rezilion suggests enterprises should change prioritization strategies
Enterprise security teams being overrun by the rising numbers of vulnerabilities uncovered each day could vastly reduce their patching workload by changing how they prioritize the flaws, according to recent research from vulnerability startup Rezilion.
Most enterprises look to the ratings given to flaws under the Common Vulnerability Scoring System (CVSS) framework, which range from 0 to 10 (10 being the highest) and are bucketed as low, medium, high or critical, depending on the characteristics of the vulnerability.
Companies will start their remediation efforts with the vulnerabilities deemed "critical" and work their way down, said Yotam Perkal, director of vulnerability research with Rezilion.
The problem is that for many enterprises, most of the flaws don't pose a threat to them. In a study released this week, Rezilion found that about 85 percent of the vulnerabilities are not loaded into memory at these organizations, Perkal told The Register.
"If a vulnerability isn't loaded, then it's not really exploitable," he said. "If the code is not running, if you have a package that is installed on your machine but that package isn't being used by any application, then any vulnerability you have in this package is not really exploitable because you need to have something running, something loaded from memory so that it can be exploitable."
Rezilion, which was founded in 2018 and has raised $38 million in two funding rounds – including $30 million in September 2021 – sells an automated software attack surface management platform that helps organizations reduce and mitigate software flaws across cloud workloads, applications and Internet of Things (IoT) devices.
In the study, Rezilion researchers examined 20 popular container images on Docker Hub that they said collectively had been downloaded and deployed billions of times. Those images included MariaDB, WordPress, Memcached, MongoDB, Nginx and MySQL.
In addition, they looked at base operating system images from cloud providers Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform to determine how many vulnerabilities aren't applicable and which posed an actual risk.
According to Rezilion, there were more than 4,347 known vulnerabilities among the 21 container images analyzed, though testing found that on average, about 15 percent of the Common Vulnerabilities and Exposures (CVEs) were ever loaded into memory and posed a threat.
The researchers also found 6,167 known vulnerabilities in the 12 base OS images analyzed, of which 20 percent were loaded to memory.
Do you know what your org is running?
"It is clear from the analysis that 85 percent of all the discovered vulnerabilities in containers and hosts were never loaded to memory and therefore, were not exploitable," they wrote in the report. "If traditional vulnerability management approaches were used, one would spend upward of 85 percent of patching time and efforts on vulnerabilities that posed no actual risk to the environment."
Perkal said he knows what that looks like. He spent more than three years at PayPal as part of its vulnerability management team. He said the processes were mostly manual and the team didn't have time to patch everything. In addition, he added, patching isn't always a uniform or quick process. The type of vulnerability will often dictate how long mitigation will take – some can take months – and in some cases require system downtime, he said.
"Organizations have limited resources and limited capacity to deal with vulnerability management and patch management," Perkal said. "The number of vulnerabilities that are discovered and disclosed is constantly on the rise year by year. The amount of code that they've been reading is constantly rising and that is in direct relation to the amount of vulnerabilities. As long as people write code, there will be vulnerabilities, and organizations just don't keep up."
It becomes an issue of math, he said.
"If you have 1,000 vulnerabilities, focus on the 200 that are actually loaded to memory," Perkal said. "Start with those, then if you have additional time and additional resources, deal with the rest, but at least start focusing on the ones that actually pose a threat, that actually matter."
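To make that ordering concrete, here is an added example (not Rezilion's code, nor anything from the article): it takes a constructed package inventory, constructed /proc/&lt;pid&gt;/maps-style lines and placeholder CVE ids, puts findings in packages that are actually mapped into a running process first, and keeps the rest in a second tier rather than discarding them, as Perkal describes. Package and file names are hypothetical.

```python
# Added example, not Rezilion's code: rank findings by whether the affected
# package is loaded into memory, keeping non-loaded ones in a second tier.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str      # placeholder CVE id (constructed, not a real identifier)
    package: str
    cvss: float   # CVSS base score, 0-10

# Constructed package inventory: package name -> files it installs.
INSTALLED = {
    "libalpha": ["/usr/lib/libalpha.so.1"],
    "libbeta": ["/usr/lib/libbeta.so.2"],
}

# Constructed /proc/<pid>/maps-style lines for the running processes.
MAPS_SAMPLE = """\
7f00a0000000-7f00a0021000 r-xp 00000000 08:01 4101 /usr/lib/libalpha.so.1
7f00a0400000-7f00a0402000 rw-p 00000000 00:00 0 [heap]
"""

FINDINGS = [
    Finding("CVE-0000-0001", "libbeta", 9.8),     # critical, but never loaded
    Finding("CVE-0000-0002", "libalpha", 7.5),
    Finding("CVE-0000-0004", "libalpha", 8.1),
]

def loaded_files(maps_text: str) -> set:
    """Return the file-backed mappings (6th field) from maps-style text."""
    files = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)
        if len(fields) == 6 and fields[5].startswith("/"):
            files.add(fields[5])
    return files

def loaded_packages(installed: dict, files: set) -> set:
    """Packages with at least one installed file mapped into a process."""
    return {pkg for pkg, paths in installed.items() if any(p in files for p in paths)}

def prioritise(findings, installed, maps_text):
    """Tier 1: CVEs in loaded packages, highest CVSS first. Tier 2: the rest."""
    active_pkgs = loaded_packages(installed, loaded_files(maps_text))
    by_score = sorted(findings, key=lambda f: f.cvss, reverse=True)
    tier1 = [f for f in by_score if f.package in active_pkgs]
    tier2 = [f for f in by_score if f.package not in active_pkgs]
    return tier1, tier2
```

Note that the 9.8-scored finding lands in tier 2 only because nothing maps its library; it is deferred, not ignored, which is the distinction Parkin and Hay press on later in the piece.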
The research from Rezilion, which has almost 70 employees, has attracted some critical pushback from others in the industry. Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register that the startup's research is interesting but opined it might not accurately reflect the risk enterprises are dealing with.
"While it is certainly true that many vulnerabilities won't be found in any given environment, arbitrarily saying that you can ignore 85 percent of them is misleading," Parkin said. "It ignores the fact that mature organizations have a risk management process that helps them focus on the vulnerabilities that matter in their context. They may justifiably put a lower priority on the ones that are only rarely resident, and thus exploitable."
However, best practice is to delete what they don't use and patch what they do, he added.
In addition, most organizations can't describe with any authority their entire server inventory, John Bambenek, principal threat researcher for Netenrich, told The Register. They can't say what parts of what software applications are loaded into memory.
"There are still Log4j-vulnerable machines out there," Bambenek said. "A 'don't worry about patching' message ensures that incident responders like myself won't be empowered by technology. However, we'll continue to be enriched by it."
Perkal said that enterprises not knowing everything that is in their IT environment is a problem, but one that Rezilion's platform addresses. It has vulnerability validation and remediation capabilities and this month added Dynamic SBOM (software bill of materials) to help organizations map their software and vulnerabilities and improve the visibility into their attack surface.
Enterprises' lack of knowledge of their environment "is a big problem. We saw that with Log4j," he said. "If you don't know what's there, you don't know that you need to patch it. There's a step before we talk about prioritization. It is knowing what you have. This is something that the Rezilion product does."
Andrew Hay, COO at security consultancy Lares Consulting, noted Rezilion's runtime analysis and Dynamic SBOM but added that "the simple fact that vulnerable software is installed, even if not running, still presents a risk."
"This vulnerable software could be launched by mistake and immediately be elevated to high risk," Hay told The Register. "The best way to reduce the attack surface area of a system is to remove software that isn't required by the system to perform its designated task."
However, the feedback that Rezilion is getting from partners – such as AWS, GitLab, Docker and Tenable – and customers has been positive, Perkal said.
"The reality is that people and organizations live in a constant risk-management scenario," he said. "They don't patch everything. They have open vulnerabilities that they don't have the manpower or the tooling to hold with SLA, so most customers that we're talking with are appreciative of the fact that they can better use their existing resources, tools and budgets to focus on vulnerabilities that are more relevant to them."