Introducing Vulnerability Management at the Workload Layer

You know that feeling you sometimes get after you’ve left the house for the day and suddenly fear you didn’t lock the door? You have two options: Turn back around to check, ensuring your home will be safe and secure while you’re gone, or leave it to chance, hoping you locked the door, but worrying all day that you didn’t…

The same situation presents itself when it comes to vulnerabilities within software-defined environments. The options? Embrace a “trust but verify” mindset by proactively monitoring for vulnerabilities, or do nothing, leaving to chance the security of company data, customer data and, as a result, the very existence of your business.

Vulnerability Management’s Role in Better Cloud Security

With software-defined solutions as the new standard, the most likely source of security vulnerabilities now lies within the software — or workload — layer. Specifically, our friends at Veracode reported that, “…more than half of all breaches involve web applications — yet less than 10 percent of organizations ensure all critical applications are reviewed for security before and during production.”

Most often, exploitation targets an application or operating system vulnerability, but it could also target users themselves or even leverage an operating system feature to auto-execute code.

Much like how the rise of the smart home is easing our minds around questions like, “Did I lock the door?” or “Did I leave the lights on?”, deploying vulnerability management in your cloud environment equips you to know where there are weaknesses in the workload so you can mobilize defenses to protect them.

The Reality of Today’s Vulnerability Management Approaches

In practice, vulnerability management is all about monitoring the configuration on your workloads and infrastructure to detect any increase in the attack surface. But let’s get real: In order to complete a job, development teams will often circumvent the chain of command and install unauthorized packages in the base image, or worse yet, manually install packages on production environments.

Now, tracking patches in cloud environments is a tedious task. Diving a layer deeper, here’s where it really gets tricky:

Base Image Lag

New base images (Amazon Machine Images, or AMIs if you are using Amazon as your CSP) are typically built every couple of weeks, leaving servers vulnerable between the time a vulnerability is disclosed and the time the patch lands in a new AMI. And when it comes to widespread vulnerabilities such as Heartbleed or Shellshock, serious problems arise when the attack surface stays vulnerable for too long.

Pets in the Infrastructure

There are always pets in the infrastructure (servers which are outside the immutable infrastructure paradigm). Unfortunately, these servers are often the most important servers in your environment (e.g. OpenVPN servers, jumphosts, etc.), requiring constant monitoring for packages with vulnerabilities.

Pinned Packages

Many packages are pinned for application-dependency reasons, and pinned packages won’t be updated by infrastructure code. This leaves them vulnerable as well, unless they are regularly monitored and patched.

Each of the above examples requires expensive ops and security resources to monitor for vulnerabilities and patch advisories. In a “trust but verify” world, minimizing the attack surface when packages are installed is simply an impossible task — unless you have the right vulnerability management system in place.

That’s where automated vulnerability scans come into play — examining package information in real time to determine if and where there are vulnerable packages. When implemented at the host level, automated scans mean vulnerabilities can be identified and fixed at every step of the application lifecycle.

A proactive approach to vulnerability management — one that addresses not only vulnerability management, but all other key areas of cloud security — can protect your company’s most visible attack surfaces: your website and your applications. This can drastically decrease the likelihood that either attack surface will be the breach point, ensuring your intellectual property is protected and invisible to attackers.

Introducing Threat Stack’s Built-In Vulnerability Management

Implementing a layered approach to cloud security — one that starts at the host level — is exactly where Threat Stack’s Cloud Security Platform™ comes in.

Whereas traditionally companies pieced together multiple point solutions to monitor and patch vulnerabilities, the recent release of our Cloud Security Platform™ offers built-in tools for continuous vulnerability management.

Because our agent is installed at the host level (or the source of truth, as we like to call it), it can scan servers at the deepest level for maliciously installed packages.

Here’s how the Threat Stack Cloud Security Platform™ detects vulnerabilities:

  • Our agent examines the package information on the workload and tells the user whether any of those packages are vulnerable.
  • It then organizes workflows around what is important, based on Common Vulnerabilities and Exposures (CVEs).

From this deep analysis, we can then show you the detected vulnerabilities prioritized directly on your dashboard (pictured below) so you can take fast action.


Here’s a detailed view:


How Threat Stack’s Vulnerability Management Feature Is Different

Complete CVE Correlation

Leveraging all two million CVEs from the National Vulnerability Database, Threat Stack ensures that every package in every host is analyzed against each CVE the moment the package is released. This means we not only catch packages with just-published vulnerabilities, but also package vulnerabilities that were published many years ago.

Security Advisory Correlation

On top of correlating CVEs with package information, Threat Stack also correlates results with information from the security advisory pages published by each operating system vendor. This additional correlation helps eliminate false positives before vulnerability data is presented to the user.
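As an added illustration (not Threat Stack’s agent or backend code), the following Python sketches the two correlation steps described above and in the detection bullets earlier: a host’s package inventory is matched against CVE fixed-version data, and then a vendor advisory suppresses hits that a backported fix already closes, which is the classic source of false positives because distributions patch without bumping the upstream version. Every package name, version, CVE id and advisory entry is constructed for the example, and the version comparison is a deliberately crude stand-in for the real dpkg/rpm algorithms.

```python
"""Added example (not Threat Stack code): correlate a host's package
inventory with CVE data, then use the OS vendor's security advisory to
suppress hits that a backported fix already closes. Every package name,
version, CVE id and advisory below is constructed for illustration."""
import re

def vkey(version):
    """Crude Debian/RPM-style version key: (epoch, upstream, revision).
    Digit runs become (0, int) and letter runs (1, str) so mixed tokens
    compare safely. Assumption: adequate for the constructed data here,
    not a faithful dpkg/rpm comparison."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.partition("-")
    tok = lambda s: tuple((0, int(t)) if t.isdigit() else (1, t)
                          for t in re.findall(r"\d+|[A-Za-z]+", s))
    return int(epoch), tok(upstream), tok(revision)

def upstream_of(version):
    """Strip epoch and vendor revision; NVD ranges speak upstream versions."""
    return version.split(":", 1)[-1].partition("-")[0]

# Constructed inventory as a host agent might report it: name -> installed version.
INVENTORY = {
    "libtls": "1.0.1e-2vendor1.7",   # vendor backported the fix into this revision
    "shellx": "4.2-5",               # pinned for an app dependency, never updated
    "tinyhttpd": "2.4.1",            # already past the fixed upstream version
}
# Constructed NVD-style entries: vulnerable when upstream version < fixed_upstream.
CVES = [
    {"id": "CVE-0000-0001", "package": "libtls", "fixed_upstream": "1.0.2", "cvss": 7.5},
    {"id": "CVE-0000-0002", "package": "shellx", "fixed_upstream": "4.3", "cvss": 9.8},
    {"id": "CVE-0000-0003", "package": "tinyhttpd", "fixed_upstream": "2.4.0", "cvss": 5.3},
]
# Constructed vendor advisory: CVE id -> first vendor package version carrying a backport.
ADVISORIES = {"CVE-0000-0001": "1.0.1e-2vendor1.7"}

def correlate(inventory, cves, advisories):
    """Return findings sorted by CVSS descending; each carries a status of
    'vulnerable' (action needed) or 'fixed-by-backport' (NVD hit suppressed)."""
    findings = []
    for cve in cves:
        installed = inventory.get(cve["package"])
        if installed is None:
            continue
        if vkey(upstream_of(installed)) >= vkey(cve["fixed_upstream"]):
            continue  # upstream version already carries the fix
        status = "vulnerable"
        fixed_by_vendor = advisories.get(cve["id"])
        if fixed_by_vendor and vkey(installed) >= vkey(fixed_by_vendor):
            status = "fixed-by-backport"  # vendor patched without bumping upstream
        findings.append({"package": cve["package"], "version": installed,
                         "cve": cve["id"], "cvss": cve["cvss"], "status": status})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)
```

Running `correlate(INVENTORY, CVES, ADVISORIES)` reports the pinned shellx package as vulnerable and downgrades the libtls hit to fixed-by-backport, which is exactly the false positive the advisory correlation is meant to remove.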

Depth of Data

Threat Stack has a complete set of data around each CVE — from its criticality to its vectors of entry and so on. We filter the data so that only the most relevant information is passed back to the user (e.g. the network attack vector information presented on the server page).

Bird’s Eye View of Vulnerable Servers

Threat Stack incorporates information from various subnets, security groups and VPCs that the vulnerable servers are in. This allows users to get a bird’s eye view on the EC2 security attributes of each vulnerable server.

Lightweight Agent

Threat Stack is designed to be lightweight and non-intrusive on the host, only collecting packages residing in the user space of the operating system. Our agent is designed to collect package information which is then sent to Threat Stack’s backend to perform a complete analysis.

A Complete Platform

Threat Stack correlates events and alerts from users, processes, network connections and CloudTrail with vulnerability information so you can see the full picture. This helps you answer questions like, “Were new processes activated on the server while it had vulnerabilities?” or “Was a wide-open security group created between the time a vulnerable package appeared on the server and the time the vulnerability was remediated?”

How To Get Started

To ensure a vulnerable package won’t be the cause of a breach in your environment, get set up with Threat Stack’s Cloud Security Platform™ for complete visibility into your environment. New customers can get started for free here; current customers, please contact [email protected] to get started.