Here are the common reasons why you need a fresh approach to vulnerability management in the cloud, from Alert Logic:
The Cloud is Dynamic
Standing up servers in a physical data center takes time. Depending on the complexity of your environment, it can take several days to incorporate a new server into your network. This gives you plenty of lead time to ensure your new assets are within the scope of your vulnerability management tool; this is not the case in the cloud.
The cloud is dynamic by design and allows you to scale out your environment at an incredible pace. With the advent of continuous deployment processes (also known as DevOps), entire divisions of multinational organizations can have new servers (instances, in cloud-speak) with dynamic IP addresses in a matter of hours.
Legacy security tools are not built to handle this level of fluidity. Cybersecurity tools built for the much slower-paced physical data center will not keep up with changes that can occur automatically in the cloud.
Context is everything
Context is defined by Merriam-Webster as the interrelated conditions in which something exists or occurs. The concept of context relates to everything we do. Context helps us understand the importance of one thing over another.
For instance, an email from your manager that reads “Swing by my office when you get a chance.” following a contentious project meeting has a different meaning than when it arrives after a lunch during which you both discussed getting tickets for next week’s baseball game. Without context, you would respond to both emails with equal priority even though one is much more important than the other.
This same principle holds true when we talk about security vulnerabilities. Every instance in your cloud environment will have vulnerabilities at some point. The key is to put these vulnerabilities into the right context. For example, if your vulnerability management tool identifies 100 servers that have the Shellshock vulnerability but two of those house your customer database, you are going to want to tackle those first, since the potential impact of those assets being compromised is significant.
Now, say 10 of the vulnerable instances are not exposed to the Internet. Resolving the vulnerability on those servers automatically becomes less important. If your vulnerability management tool does not apply the lens of context over the vulnerabilities it identifies, then you are going to have a hard time deciding which asset to tackle first.
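The prioritization described above can be expressed as a small scoring rule: the same finding on every host, weighted up when the host holds customer data and down when it is not reachable from the Internet. The following is an added example written for this page, not code from Alert Logic or Tenable; the instance fleet, the `Instance` fields and the weights (x3 for customer data, x0.5 for no Internet exposure) are constructed assumptions that a real program would replace with asset-inventory data and the organization's own risk appetite.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instance:
    """One cloud instance carrying a single finding (assumed inventory fields)."""
    name: str
    finding: str
    cvss: float                # severity of the finding as reported by the scanner
    internet_exposed: bool     # reachable from the Internet (e.g. public IP + open port)
    hosts_customer_data: bool  # asset criticality flag from the inventory

# Weights are assumptions for this example, not values from the article.
CUSTOMER_DATA_MULTIPLIER = 3.0
NOT_EXPOSED_MULTIPLIER = 0.5

def risk_score(inst: Instance) -> float:
    """Context-adjusted score: start from severity, apply asset and exposure context."""
    score = inst.cvss
    if inst.hosts_customer_data:
        score *= CUSTOMER_DATA_MULTIPLIER
    if not inst.internet_exposed:
        score *= NOT_EXPOSED_MULTIPLIER
    return score

def prioritize(instances: list[Instance]) -> list[str]:
    """Return instance names ordered from most to least urgent to remediate."""
    ranked = sorted(instances, key=risk_score, reverse=True)
    return [inst.name for inst in ranked]

# Constructed fleet: every host has the same finding, only the context differs.
FLEET = [
    Instance("web-01", "Shellshock", 10.0, internet_exposed=True, hosts_customer_data=False),
    Instance("batch-07", "Shellshock", 10.0, internet_exposed=False, hosts_customer_data=False),
    Instance("db-primary", "Shellshock", 10.0, internet_exposed=True, hosts_customer_data=True),
    Instance("db-replica", "Shellshock", 10.0, internet_exposed=False, hosts_customer_data=True),
]

if __name__ == "__main__":
    for inst in sorted(FLEET, key=risk_score, reverse=True):
        print(f"{inst.name:12} score={risk_score(inst):5.1f}")
```

Without the context fields every host would score 10.0 and the list would be an arbitrary order; with them, the customer-database hosts come first and the isolated batch worker last, which is exactly the decision the paragraph asks the tool to support.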
Configuration in Cloud
About a year ago, Code Spaces was making a name for itself in the developer community. Today Code Spaces no longer exists, taken out by a devastating compromise that forced them to shut down. Attackers zeroed in on their poor credential policy and gained control of the company’s Amazon control panel, kidnapping the entire business and demanding ransom for its release.
When Code Spaces didn’t comply, the attackers made good on their threats and systematically deleted all of the company’s EC2 instances, backups, S3 buckets, and more. Code Spaces’ story is a cautionary tale not only about the importance of keeping your servers free from vulnerabilities but also about ensuring your configurations do not leave you exposed to a potential attack.
The problem is that legacy vulnerability management tools do not understand cloud configurations, so they cannot provide the visibility needed to find the weak spots in cloud configurations. Could Code Spaces have been saved if they had a tool that identified the lack of multi-factor authentication or IAM roles in their environment? Who knows, but it wouldn’t have hurt.
Vulnerability Management in the Cloud on Nessus:
For vulnerability management in the cloud, Nessus delivers specific capabilities to address the challenges outlined above. For example:
Scan for vulnerabilities in cloud instances.
Because of shared security responsibility models, it’s important that you scan for vulnerabilities in cloud instances. You can run Nessus natively in the cloud to scan for software flaws and Tenable makes it easy to access and launch Nessus from popular cloud providers like Amazon Web Services and Microsoft Azure.
Use agents to scan dynamic assets.
Both Nessus Cloud and Nessus Manager include the ability to use agents. You can script the deployment of Nessus Agents so they install automatically with new cloud instances and use them to track and monitor for vulnerabilities as new instances are spun up.
Audit for configuration issues.
Securely configuring your cloud environment is your responsibility. For example, are you enforcing a strong password policy or do you flag accounts that haven’t been used in more than 90 days? To help, Nessus comes with pre-built templates for auditing the configuration of popular cloud providers. We have an on-demand webcast that covers what Nessus provides for Amazon, Microsoft and Rackspace clouds in more detail. Our director of research Mehul Revankar has also written a number of detailed blog articles on what’s available in Nessus.
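The two configuration checks named in this section (a strong password policy and accounts unused for more than 90 days), together with the missing multi-factor authentication mentioned in the Code Spaces story, can all be evaluated from an exported account list and password policy. The following is an added example written for this page, not Nessus audit content and not a call into any cloud provider's API; the account records, the policy document and the `POLICY_BASELINE` thresholds are constructed assumptions. The example generalizes the three checks into one audit function so the output reads like a single findings report.

```python
from datetime import date, timedelta

# Assumed baseline for a "strong" password policy; tune to your own standard.
POLICY_BASELINE = {
    "minimum_length": 14,
    "require_symbols": True,
    "require_numbers": True,
    "require_uppercase": True,
    "require_lowercase": True,
    "max_age_days": 90,
}

def stale_accounts(accounts, today, max_idle_days=90):
    """Accounts whose last use is older than the cutoff. Never-used accounts
    (last_used is None) are reported too, since they cannot be shown to be needed."""
    cutoff = today - timedelta(days=max_idle_days)
    return [a["user"] for a in accounts
            if a["last_used"] is None or a["last_used"] < cutoff]

def accounts_without_mfa(accounts):
    """Console users that can authenticate with a password alone."""
    return [a["user"] for a in accounts if not a["mfa_enabled"]]

def policy_findings(policy, baseline=POLICY_BASELINE):
    """Compare an exported password policy against the baseline; one string per gap."""
    findings = []
    if policy.get("minimum_length", 0) < baseline["minimum_length"]:
        findings.append(f"minimum_length below {baseline['minimum_length']}")
    for key in ("require_symbols", "require_numbers", "require_uppercase", "require_lowercase"):
        if baseline[key] and not policy.get(key, False):
            findings.append(f"{key} not enforced")
    max_age = policy.get("max_age_days")
    if max_age is None or max_age > baseline["max_age_days"]:
        findings.append(f"password max age missing or above {baseline['max_age_days']} days")
    return findings

def audit(accounts, policy, today):
    """Run all three checks and return them as one report dictionary."""
    return {
        "stale_accounts": stale_accounts(accounts, today),
        "accounts_without_mfa": accounts_without_mfa(accounts),
        "password_policy": policy_findings(policy),
    }

# Constructed sample export: three identities and a weak policy.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    {"user": "alice",      "mfa_enabled": True,  "last_used": date(2024, 5, 20)},
    {"user": "bob",        "mfa_enabled": False, "last_used": date(2024, 1, 5)},
    {"user": "svc-deploy", "mfa_enabled": False, "last_used": None},
]
WEAK_POLICY = {
    "minimum_length": 8,
    "require_symbols": False,
    "require_numbers": True,
    "require_uppercase": False,
    "require_lowercase": True,
    "max_age_days": None,
}

if __name__ == "__main__":
    for section, items in audit(ACCOUNTS, WEAK_POLICY, TODAY).items():
        print(f"{section}: {items}")
```

The date arithmetic is the part worth getting right: the cutoff is computed once from the audit date, so the same export re-run a month later will move accounts from "fine" to "stale" without any change to the check itself, which is how a 90-day rule is meant to behave.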
Effective risk-based vulnerability management requires a strong process mapped directly to these five Cyber Exposure phases:
DISCOVER: Identify and map every asset across any computing environment.
ASSESS: Understand the cyber exposure of all assets, including vulnerabilities, misconfigurations and other security health indicators.
PRIORITIZE: Understand exposures in context to prioritize remediation based on asset criticality, threat context and vulnerability severity.
REMEDIATE: Determine which exposures to fix first and apply the appropriate remediation or mitigation technique.
MEASURE: Calculate, communicate and compare Cyber Exposure and key maturity metrics to drive risk reduction.
For more information: https://www.tenable.com/solutions/vulnerability-management