New approach for Vulnerability Scanning: the Clone Wars!
1. Challenges with traditional vulnerability scanners
Let's face it, vulnerability management at scale needs effort and is time-consuming for security teams. The pace of new vulnerabilities is increasing: around 50 per day in 2018, and in July 2018 alone, for example, Microsoft shipped patches for 53 vulnerabilities and Adobe for 112.
Furthermore, the time to exploitation and widespread attacks is shrinking, putting even more time pressure on security teams. Remediation is a long process and not always easy to automate, so we need to reduce the burden of the assessment phase.
The challenges come from the scanning windows needed to minimize business impact and from the time a scan itself takes. Only then can prioritization, risk analysis, and remediation take place, so we need accurate results sooner.
2. Approaches to reduce the impact of vulnerability scanning
Vulnerability management being a mature market, vendors have come out with solutions to minimize the impact of scanners:
- Advanced scan scheduling. It is possible today to define scanning periods granularly, as non-contiguous time windows, with the scan resuming rather than starting over. Moreover, the aggressiveness of the scanners can be tuned.
- ScanLess scanning. In order to have continuous vulnerability assessment without having to actually scan, we keep a fingerprint of each system, so that when a new vulnerability comes in, we can check it against the stored fingerprints. It is like having a CMDB without having to build and maintain it.
- Shift-left scanning. In the age of DevOps and short-lived containers, we are enabling vulnerability testing during the Build and Ship phases instead of the Ops phase. So, when new vulnerabilities are detected, they are patched in the next version of the build. A great approach for containers with a short shelf life, for instance, but it requires every service and package to go through a continuous CI/CD pipeline with short-lived deployments.
3. Here comes the Cloud, enabler of Clone&Scan
Cloud infrastructures have changed the way enterprises manage infrastructure. Pay-per-use pricing with almost unlimited capacity enables new ways of accelerating business delivery.
What if we could build a new approach to vulnerability management, using the power of the cloud?
Thinking out of the box led us to a new approach: Clone&Scan. Using the cloud providers' APIs (this is also possible with hypervisors), cloning an instance is relatively simple, mostly a single API call. Depending on the cloud provider this can sometimes be harder, but we have workarounds for most of them.
Therefore, we can, in a fully automated way, on a regular basis (daily for instance):
- Clone an instance without performance impact
- Put the clone in a sandboxed or testing environment within the customer infrastructure
- Scan the clone more deeply and more aggressively in order to save time (pay per use): hence the Clone Wars
- Get the results and erase the clone
On top of being touchless on production instances, we do not even need the production instances' credentials, which increases security and segregation of duties: the clone can be launched with one-time random credentials generated on the fly (for example an SSH key).
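As an added example (not Outpost24's tooling), here is the daily loop above, including the one-time credential, sketched for AWS with the AWS CLI; the sandbox subnet and security group ids passed as arguments, and SCANNER_CMD, are assumed placeholders:

```shell
#!/bin/sh
# Clone&Scan on AWS, as an added sketch (not Outpost24's tooling). Assumed placeholders:
# the sandbox subnet/security group ids passed as arguments, and SCANNER_CMD, any scanner
# invoked as "<cmd> <clone-ip> <ssh-key-file>". DRY_RUN=1 logs the API calls instead of
# executing them, which is how the flow can be checked without an AWS account.
aws() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "aws $*" | tee -a "${DRY_RUN_LOG:-/dev/null}" >&2; echo "dry-run-id"
  else
    command aws "$@"
  fi
}

# Erase everything the run created: clone, image, its snapshots and the one-time key.
# Registered as an EXIT trap so it runs whether the scan succeeded or failed.
cleanup() {
  [ -n "${CLONE:-}" ] && aws ec2 terminate-instances --instance-ids "$CLONE" >/dev/null
  if [ -n "${AMI:-}" ]; then
    snaps=$(aws ec2 describe-images --image-ids "$AMI" \
            --query 'Images[0].BlockDeviceMappings[].Ebs.SnapshotId' --output text)
    aws ec2 deregister-image --image-id "$AMI"
    for s in $snaps; do aws ec2 delete-snapshot --snapshot-id "$s"; done
  fi
  [ -n "${KEY:-}" ] && aws ec2 delete-key-pair --key-name "$KEY" >/dev/null
  [ -n "${KEYFILE:-}" ] && rm -f "$KEYFILE"
  return 0
}

# clone_and_scan <production-instance-id> <sandbox-subnet-id> <sandbox-sg-id>
# Runs in a subshell so the trap and the created ids stay local to one run.
clone_and_scan() (
  set -eu
  run=$(date +%Y%m%d%H%M%S)
  trap cleanup EXIT
  # 1. Clone: register an AMI from the production instance without rebooting it.
  AMI=$(aws ec2 create-image --instance-id "$1" --name "clonescan-$run" \
        --no-reboot --query ImageId --output text)
  aws ec2 wait image-available --image-ids "$AMI" >/dev/null
  # 2. One-time credential: a fresh key pair that never existed on production.
  KEY="clonescan-$run"; KEYFILE=$(mktemp)
  aws ec2 create-key-pair --key-name "$KEY" --query KeyMaterial --output text >"$KEYFILE"
  # 3. Launch the clone only inside the sandbox network.
  CLONE=$(aws ec2 run-instances --image-id "$AMI" --instance-type t3.medium \
          --key-name "$KEY" --subnet-id "$2" --security-group-ids "$3" \
          --query 'Instances[0].InstanceId' --output text)
  aws ec2 wait instance-running --instance-ids "$CLONE" >/dev/null
  ip=$(aws ec2 describe-instances --instance-ids "$CLONE" \
       --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text)
  # 4. Aggressive scan of the clone; its exit status is the run's status. 5. Cleanup runs via the trap.
  "${SCANNER_CMD:-./scan-clone.sh}" "$ip" "$KEYFILE"
)
```

The launch key pair only becomes the clone's login credential if the image still runs cloud-init (or the provider's equivalent) at first boot, since that is what injects the key. If one delete call in cleanup fails, set -e stops the rest of the cleanup, so orphaned clones, images or keys should be reconciled separately rather than assumed gone.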
This is a unique approach from Outpost24, tailored for cloud infrastructures such as AWS, Azure, and Google Cloud Platform, so why not give it a try?