Runtime scans detect policy failures in 91 percent of all cases. As a result, organizations are picking up potential vulnerabilities later than expected, according to a new Sysdig report.
The Sysdig report examines the state of cloud-native security. It shows that cloud environments are more susceptible to cyber attacks than they should be. Although 70 percent of containers exist for only 5 minutes, Sysdig points out that a cloud attack typically takes 10 minutes. If lateral movement has already occurred in that 5-minute period, removing the container is no longer enough as it will have already served its purpose for an attack path.
Shift-left adoption is disappointing
A significant number of best practices are not followed by the surveyed organizations. For example, 98 percent of all permissions are unused, leaving them available to a malicious party for gaining access to sensitive data. Only 20 percent prioritize CIEM (cloud infrastructure entitlement management), making it very difficult for the majority to keep track of who may have access to specific data and applications.
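The unused-permission figure above is exactly what a CIEM check computes: the set of actions a principal is granted minus the set it has actually exercised within a lookback window. The following is an added illustration, not code from Sysdig or the report; the action catalogue, policy snapshot, activity log and the 90-day window are all constructed assumptions, and the wildcard expansion mirrors the `service:Action*` style of cloud IAM policies without modelling any specific provider.

```python
"""Find granted-but-unused permissions from a policy snapshot and an activity log.
Added example with constructed data; not a vendor's implementation."""
from collections import defaultdict
from datetime import datetime, timedelta
import fnmatch

# Constructed action catalogue: the universe that wildcards expand against.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Constructed policy snapshot: principal -> allowed action patterns.
POLICY_SNAPSHOT = {
    "role/ci-builder": ["s3:GetObject", "s3:PutObject", "ec2:Describe*"],
    "role/web-app": ["s3:*", "iam:PassRole"],
    "user/alice": ["iam:*", "ec2:*"],
}

# Constructed activity log: (principal, action, ISO-8601 timestamp).
ACTIVITY_LOG = [
    ("role/ci-builder", "s3:PutObject", "2024-03-01T10:00:00"),
    ("role/ci-builder", "s3:GetObject", "2024-03-02T10:00:00"),
    ("role/web-app", "s3:GetObject", "2024-03-03T12:00:00"),
    ("user/alice", "ec2:DescribeInstances", "2024-03-04T09:00:00"),
    ("user/alice", "iam:CreateUser", "2023-12-01T09:00:00"),  # older than the window
]


def expand(patterns, catalogue=ACTION_CATALOGUE):
    """Expand wildcard patterns such as 'ec2:Describe*' into concrete actions."""
    return {a for a in catalogue if any(fnmatch.fnmatchcase(a, p) for p in patterns)}


def used_actions(log, lookback_days=90, now=None):
    """Collect the actions each principal exercised inside the lookback window."""
    now = now or datetime(2024, 3, 10)  # fixed 'now' so the example is deterministic
    cutoff = now - timedelta(days=lookback_days)
    used = defaultdict(set)
    for principal, action, ts in log:
        if datetime.fromisoformat(ts) >= cutoff:
            used[principal].add(action)
    return used


def unused_permissions(policy, log, lookback_days=90, now=None):
    """Per principal: how many actions are granted and which were never used."""
    used = used_actions(log, lookback_days, now)
    report = {}
    for principal, patterns in policy.items():
        granted = expand(patterns)
        report[principal] = {
            "granted": len(granted),
            "unused": sorted(granted - used[principal]),
        }
    return report


def unused_ratio(report):
    """Fraction of all granted actions that went unused (the headline CIEM metric)."""
    granted = sum(r["granted"] for r in report.values())
    unused = sum(len(r["unused"]) for r in report.values())
    return unused / granted if granted else 0.0


if __name__ == "__main__":
    rep = unused_permissions(POLICY_SNAPSHOT, ACTIVITY_LOG)
    for principal, r in rep.items():
        print(f"{principal}: {len(r['unused'])}/{r['granted']} unused -> {r['unused']}")
    print(f"overall unused ratio: {unused_ratio(rep):.0%}")
```

The output is a per-principal list that can be turned directly into a right-sizing change request; the `iam:CreateUser` call by `user/alice` falls outside the window and so still counts as unused, which is the intended behaviour of a lookback-based check.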
Also, many organizations are simply not all that quick at detecting potential threats in their applications. Shift-left testing means IT teams detect problems as early as possible in the development process. This best practice is not being followed, Sysdig’s research shows. Where runtime scans result in a policy failure 91 percent of the time, for CI/CD build pipelines the same is true for only 71 percent. According to Sysdig, it should be the exact opposite: if that were the case, problems would be detected earlier.
However, Sysdig does suggest that this discrepancy may have other explanations. For example, additional dependencies may not be included in the CI/CD scans. It is also argued that runtime checks may be more accurate, with fewer false positives leading to noise. Finally, packages are not continuously checked, as is true of middleware assumed to be secure.
From critical vulnerabilities to exploitable ones
The researchers conclude that vulnerabilities do tend to be removed more and more effectively. Critical and high-scoring vulnerabilities in use halved last year compared to 2022. However, Sysdig does make the same point we raised earlier: it’s not so much about protecting against critical vulnerabilities, but exploitable ones. A lot of high-scoring CVEs are in essence impractical and theoretical threats whereas more middle-of-the-road concerns can cause significant damage if easily exploited.
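The point above, that a mid-scored but exploitable and in-use vulnerability outranks a theoretical critical one, can be expressed as a ranking rule. The following is an added example, not code from Sysdig or any vendor named on this page; the findings, the "in use" and "exploited" flags and the CVE identifiers (`CVE-0000-000x`) are constructed placeholders, and the tier boundaries are one reasonable choice rather than a published standard.

```python
"""Rank vulnerability findings by exploitability and runtime use, not CVSS alone.
Added example with constructed data and placeholder CVE ids."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, not a real CVE
    package: str
    cvss: float              # base severity score
    in_use: bool             # package is actually loaded by a running workload
    exploited: bool          # appears in a known-exploited list (constructed here)
    network_reachable: bool  # workload exposes the package to network input


# Constructed sample findings.
FINDINGS = [
    Finding("CVE-0000-0001", "libfoo", 9.8, in_use=False, exploited=False, network_reachable=False),
    Finding("CVE-0000-0002", "libbar", 6.5, in_use=True,  exploited=True,  network_reachable=True),
    Finding("CVE-0000-0003", "libbaz", 7.5, in_use=True,  exploited=False, network_reachable=True),
    Finding("CVE-0000-0004", "libqux", 9.1, in_use=True,  exploited=False, network_reachable=False),
    Finding("CVE-0000-0005", "libold", 5.3, in_use=False, exploited=True,  network_reachable=False),
]

TIER_LABELS = {0: "fix now", 1: "fix next", 2: "schedule", 3: "backlog"}


def tier(f: Finding) -> int:
    """Lower is more urgent. Runtime use gates everything; exploitation then reachability."""
    if not f.in_use:
        return 3            # not loaded: nothing to exploit at runtime yet
    if f.exploited:
        return 0            # in use and actively exploited in the wild
    if f.network_reachable:
        return 1            # in use and on the attack surface
    return 2                # in use but only reachable locally


def prioritized(findings):
    """Sort by tier first, then by CVSS within a tier (highest score first)."""
    return sorted(findings, key=lambda f: (tier(f), -f.cvss))


def cvss_only(findings):
    """The naive ordering the article argues against: severity score alone."""
    return sorted(findings, key=lambda f: -f.cvss)


def in_use_high_or_critical(findings, threshold=7.0):
    """Count of high/critical findings that are actually in use (the report's metric)."""
    return sum(1 for f in findings if f.in_use and f.cvss >= threshold)


if __name__ == "__main__":
    for f in prioritized(FINDINGS):
        print(f"{TIER_LABELS[tier(f)]:<9} {f.cve} {f.package} cvss={f.cvss}")
    print("cvss-only top item:", cvss_only(FINDINGS)[0].cve)
    print("in-use high/critical:", in_use_high_or_critical(FINDINGS))
```

With this rule the 6.5-scored, exploited, network-reachable package in a running workload goes to the top, while the 9.8 that no running container loads drops to the backlog; the CVSS-only sort would have ordered them the other way round.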
Such vulnerabilities can be detected, for example, with software from PingSafe, recently acquired by SentinelOne. This pushes security teams toward focusing on what attackers actually exploit rather than on which vulnerabilities are particularly risky in theory.
Sysdig also sees that cloud security is rapidly moving beyond detection alone. Nearly 90 percent of its customer base uses its existing threat detection & response functionality on a weekly basis.