The attack surface around cloud-native applications and services is expanding rapidly and traditional cloud-focused security tools aren’t able to keep up with such dynamic environments, according to Steve Carter, co-founder and CEO of vulnerability and
exposure management company
Nucleus Security.
The problem is that current cloud security offerings generate partial and fragmented point-in-time snapshots that can’t be easily used to understand or prioritize risks, and they generate a lot of duplicate alerts. In addition, scanners don’t deliver the visibility needed to address security vulnerabilities in these high-scale settings.
“Security for cloud environments brings a new layer of complexity in comparison to traditional IT,” Carter told MSSP Alert. “Using microservices is at the core of flexible scalability and rapid innovation. However, that also makes cloud-native assets short-lived – ephemeral – as they are deployed across changing environments and evolve to new versions.”
Security teams need to migrate away from fragmented scanning assessments and adopt continuous risk exposure management that’s driven by the business’ requirements, he said, adding that Nucleus this week is offering such capabilities to organizations and the vendor’s broad channel ecosystem, including MSSPs.
Mapping Assets, Managing Risks
The Sarasota, Florida-based company is expanding its security platform with its new Cloud-Native Vulnerability Exposure Management (VEM) solution, which supports more than 135 cloud asset types and cloud security connectors. Nucleus also introduced Adaptive Contexts, a method for mapping cloud-native assets to manage risks.
“Cloud security needs a paradigm shift, from scanning ephemeral assets, vulnerabilities, and misconfigurations to managing risk in a longer-lasting context,” the CEO said. “We wanted to enable security teams with ongoing cloud-native exposure management that facilitates business-driven risk prioritization and mitigation at scale.”
Containers First
Adaptive Contexts is key to addressing those ephemeral risk findings by using business demands to connect them to assets to visibility across the dynamic environments. This initial release of Adaptive Contexts addresses container images and workloads and will expand in the future to other cloud-native models.
Using Adaptive Contexts, security teams can understand where an asset’s risk comes from, whether it’s a container workload, container image, or base image, according to the company. It automates the matching between assets.
The business context of the asset lets teams know what remediation action to take and who should take it.
“By correlating container images across repositories, versions, and runtime environments to identify risks throughout the CI/CD [continuous integration/continuous development] pipeline, teams have a production risk context when prioritizing remediation in the development environment,” Carter said. “This shift-left, risk-based remediation effectively prevents critical exposures from reaching production.”
Nucleus was founded in 2019 by ex-Defense Department (DoD) security experts and now has more than 400 customers in both the private and public sectors, including Motorola, MasterCard, the U.S. Energy Department, Paychex, and Cisco.
A Central Hub for Data
It competes with the likes of
ServiceNow,
Vulcan Cyber, and
Brinqa and differentiates by enabling organizations and MSSPs to pull in assets and vulnerability data from hundreds of sources into a single place.
“By prioritizing risks with threat intelligence and asset context, Nucleus lets federal agencies and enterprises identify critical exposures, cut through the noise, and significantly reduce remediation time,” Carter said.
It also is a channel-first vendor, with all of its sales going through partners. The company “was designed from the beginning to enhance the efficiency and effectiveness of MSSPs in managing vulnerability and risk information for their clients,” the CEO said. “Nucleus engineers have backgrounds in large enterprises and MSSP vulnerability management teams.”
Leading with MSSPs
When the founders – which include COO Scott Kuffer and Chief Engineer Nick Fleming – left the DoD to launch Nucleus, they understood the need to quickly scale the business to reach modern enterprises and meet their cloud security demands. Opening those doors as a startup wasn’t going to be easy.
“We set out with a deliberate strategy on the product and business sides to embrace MSSPs and other partners to help extend our reach and put our solution in the hands of experts who could immediately recognize and extol the benefits we provide for their customers,” Carter said.
