Many organizations are still failing to tackle Log4j – here’s why



Of all the vulnerabilities discovered in recent years, one that stands out from the crowd is Log4j. When the vulnerability was first identified in December 2021, after researchers discovered a remote code execution exploit in the Apache Log4j library, it became clear that billions of devices using Java were at risk.

While much of the uproar over Log4j has subsided, many organizations are still struggling to completely eradicate the vulnerability.

New research released by attack surface management provider Cycognito found that 70% of companies that previously covered Log4j in their attack surface still struggle to patch Log4j-vulnerable assets and prevent new instances of Log4j from re-emerging in their IT stack.

Some companies are even seeing their exposure to Log4j increase. Twenty-one percent of organizations with vulnerable assets reported triple-digit percentage growth in the number of exposed Log4j-vulnerable assets in July compared to January.

Above all, the findings indicate that the Log4j debacle is far from over and will continue to haunt organizations that are unwilling to proactively manage their attack surface and patch exposed systems.

Is Log4j still a threat?

About a month ago, the US Cyber Safety Review Board’s report renewed interest in Log4j and attempted to parse the true long-term impact of the vulnerability.

One of the report’s key findings was that Log4j is an “endemic vulnerability” that “remains deeply embedded in systems.”

The authors suggested that one of the main issues is that security teams are often unable to identify where vulnerable software is in the environment.

For Allie Mellen, senior security operations analyst at Forrester, the issues around reducing Log4j exposure come down to companies that don’t have an extensive software inventory.

“Without an accurate inventory of where the feature is being used, it can be challenging to track down every single application using it in the enterprise,” says Mellen.

Once an organization has a software inventory, it can start working on patching vulnerable systems. With Log4j classified as a CVSS 10 vulnerability, it should be a top priority for security teams.

“CISOs need to collaborate with application security teams, risk management teams, and cross-functionally with IT and development teams to prioritize patching Log4j,” she said. “There are many competing priorities for these teams, but Log4j should be at the top of the list given the effects it has on the ecosystem.”

While there are limited public examples of breaches occurring as a result of Log4j, there are some examples of significant damage being caused. Criminals have used the vulnerability to hack into Vietnam’s crypto trading platform ONUS, demanding a ransom of $5 million and leaking the data of nearly 2 million customers online.

In any case, Log4j provides attackers with an entry point they can use to exploit web applications and gain access to high-value personally identifiable information (PII) and other details.

A new look at attack surface management

The key to identifying and patching vulnerable Log4j systems lies in using a scalable approach to attack surface management, with the ability to discover exposures at scale and at the rate that new apps and services are being added to the environment by users.

This is a task that legacy approaches to vulnerability management with limited automation are ill-equipped to tackle.

“Log4j is one of the worst [vulnerabilities] of recent years, if not the last decade. Organizations struggle to eradicate it, even if they have huge teams. Why? Because of the legacy, input-based, non-scalable approach,” said Rob Gurzeev, CEO of Cycognito. “That non-scalable approach is an old mindset when it comes to managing external attack surfaces, where scan tools don’t scan often or deeply enough into assets. Simply put, external attack surfaces are too large and amorphous for the status quo EASM [external attack surface management] solutions.”

Gurzeev noted that the external attack surface is constantly changing as organizations deploy new Software-as-a-Service (SaaS) applications, with Log4j impacting not only old systems but also newly deployed systems.

The Attack Surface Management Market

One of the solution categories emerging to address vulnerability management of externally-facing assets is attack surface management.

Providers like Cycognito are addressing the challenges of attack surface management with solutions that can automatically scan the attack surface to provide security teams with greater transparency about systems with vulnerabilities.

These solutions then provide security teams with threat intelligence that they can use to identify the most vulnerable and risky assets.

As more organizations look for scalable vulnerability management solutions, Frost & Sullivan estimates that the global vulnerability management market will reach a valuation of $2.51 billion by 2025.

In the past 12 months alone, security providers including Cycognito ($100 million), JupiterOne ($70 million), Bishop Fox ($75 million), Cyberpion ($27 million), and Censys ($35 million) all closed major funding rounds for attack surface management.

Other competitors in the market include Microsoft Defender Remote Attack Surface Management and Mandiant Advantage Attack Surface Management, which aim to improve a security team’s ability to identify vulnerabilities and misconfigurations that compromise business data.
