Risk-Based Vulnerability Management with an Eye for Data Science

There is a saying that “hindsight is 20/20.” In the world of cyber security, the inverse is sought. Cyber security professionals spend their days and nights examining historical data, observing the current state of their networked environments, and using the combination of past and present to try to prevent future events, incidents, and breaches. The possibilities for exploit and disruption are enormous! There’s another saying that goes something like, “defenders have to protect the entirety of their data and systems to be secure; attackers need only find one small vulnerability to achieve exploit.” Setting aside that Draconian, fatalistic view of cyber security for a second: if someone could create a crystal ball for cyber security—giving organizations a better look into the future—security pros would be able to tip the scales in their favor and answer questions such as: What are my riskiest vulnerabilities? What are attackers after? When will an adversary target me? How?

This type of work—risk assessments, vulnerability assessments, risk modeling, adversary profiling—is not new to security, and even less so to businesses at large. But the problem is that, in cyber security specifically, a lot of guesswork and hypotheses are still mixed into the equation. This is not to say that organizations aren’t trying hard or that they lack skill. Quite the contrary. Over the years we’ve seen more data science, more machine learning, and better calculations applied to predictions. But at the end of every malicious network connection there is a human being (or a program written by a human being) that will never be 100% predictable.

I see your future...

However, one company is on a mission to build a better crystal ball. Kenna Security, co-founded by industry veterans Ed Bellis and Jeff Heuer in 2010, offers a SaaS platform that can be categorized as risk-based vulnerability management. There’s a lot packed into that categorization, so I asked Bellis and Corporate Communications Director Dan Mellinger what it means.

“Fundamentally,” said Bellis, “our current system of scoring and prioritizing vulnerabilities is flawed. Most companies use CVEs (Common Vulnerabilities and Exposures) and the CVSS (Common Vulnerability Scoring System) to check reported vulnerabilities and their severity ratings. But companies can’t remediate everything in the database, even just the ‘high’ or ‘critical’ vulnerabilities. The list is too big. Second, companies don’t need to fix everything; not all vulnerabilities are created equal, and neither are a company’s assets and applications. Some things matter more, and that’s specific to your company. Third, CVSS risk scores aren’t based on your organization—the impact an exploited vulnerability might have on you. Companies have to look at the entire picture to understand their risk. That’s what we’ve built at Kenna.”

The Kenna platform integrates with all the well-known vulnerability scanners (including static and dynamic application scanners), bug bounty programs, CMDBs, asset discovery and asset management tools, SIEMs, and other data sources within a customer’s environment. Kenna collects information about entities on the network and the vulnerabilities associated with them, and pairs that data with global threat and exploit information. The next step is analysis. The system looks at things like: What are attackers doing? Have weaponized exploits been observed? What’s the volume and rate of those exploits? Is malware associated with an exploit?

Using proprietary data science, Kenna automates analysis from billions of data points to determine the specific level of risk—the risk score—to the given organization based on the assets/entities present in the environment and the threats against them. The Remediation Intelligence Engine then helps each company prioritize remediation based on the likelihood of attack and potential maximum impact. Boiling it down, Bellis said, “We risk score every asset and application on a 0-1000 scale and give the customer a priority list that will help reduce the most risk with the least amount of effort. Effectively it’s ‘Here are the 10 things you should do in the order you should do them.’ This makes managing vulnerabilities and reducing risk more manageable than, ‘here are a thousand things you need to do and they’re all critical!’”
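The collect, analyze, score, prioritize flow described above can be made concrete with a small model. The following is an added example written for this article, not Kenna’s code or its proprietary model: the scoring formula, the weights given to threat-intelligence signals, the 0-1000 scaling, and the sample inventory (placeholder CVE identifiers, assumed criticality and effort values) are all illustrative assumptions. It scores each asset from its open vulnerabilities, an EPSS-like exploit likelihood, and the asset’s business criticality, then builds a greedy remediation plan that at each step picks the fix that removes the most risk per hour of effort.

```python
"""Added example: a simplified, hypothetical risk-based vulnerability prioritizer.
It is not Kenna's proprietary model; weights and sample data are assumed."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str             # placeholder identifier, not a real advisory
    cvss: float          # technical severity, 0-10 (CVSS base score)
    exploit_prob: float  # likelihood of in-the-wild exploitation, 0-1 (EPSS-like input)
    weaponized: bool     # weaponized exploit observed in the wild
    malware: bool        # malware known to use the exploit
    effort_hours: float  # estimated remediation effort


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: float   # organisation-specific business impact weight, 0-1
    vulns: Tuple[Vuln, ...]


def likelihood(v: Vuln) -> float:
    """Threat-adjusted probability that v is exploited.
    Each intel signal removes a fixed share of the residual 'not exploited'
    probability; the 0.5 and 0.7 factors are assumed for illustration."""
    p = v.exploit_prob
    if v.weaponized:
        p = 1 - (1 - p) * 0.5
    if v.malware:
        p = 1 - (1 - p) * 0.7
    return p


def asset_risk(asset: Asset, fixed: Set[Tuple[str, str]]) -> float:
    """Risk score on a 0-1000 scale for the asset's still-open vulnerabilities:
    criticality x P(at least one open vuln yields a damaging exploit), where a
    vuln's chance of a damaging exploit is taken as likelihood x (cvss / 10)."""
    p_no_damage = 1.0
    for v in asset.vulns:
        if (asset.name, v.cve) in fixed:
            continue
        p_no_damage *= 1 - likelihood(v) * (v.cvss / 10)
    return 1000 * asset.criticality * (1 - p_no_damage)


def prioritize(assets: List[Asset], top_n: int = 10) -> List[Tuple[str, str, float]]:
    """Greedy remediation plan: at each step fix the (asset, CVE) whose removal
    cuts the most risk per hour of effort, recomputing scores after each fix.
    Returns (asset name, cve, total risk remaining after the fix) in order."""
    fixed: Set[Tuple[str, str]] = set()
    plan: List[Tuple[str, str, float]] = []
    candidates = [(a, v) for a in assets for v in a.vulns]
    while candidates and len(plan) < top_n:
        best = max(
            candidates,
            key=lambda av: (asset_risk(av[0], fixed)
                            - asset_risk(av[0], fixed | {(av[0].name, av[1].cve)}))
                           / av[1].effort_hours,
        )
        a, v = best
        fixed.add((a.name, v.cve))
        candidates.remove(best)
        plan.append((a.name, v.cve, sum(asset_risk(x, fixed) for x in assets)))
    return plan


# Constructed sample inventory; identifiers, criticalities and efforts are made up.
ASSETS = [
    Asset("payments-db", 1.0, (
        Vuln("CVE-EXAMPLE-1", 9.8, 0.50, True, True, effort_hours=8),
        Vuln("CVE-EXAMPLE-2", 7.5, 0.05, False, False, effort_hours=2),
    )),
    Asset("dev-wiki", 0.25, (
        Vuln("CVE-EXAMPLE-3", 10.0, 0.50, True, False, effort_hours=1),
        Vuln("CVE-EXAMPLE-4", 5.0, 0.01, False, False, effort_hours=1),
    )),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name:12s} risk {asset_risk(a, set()):6.1f}")
    for i, (name, cve, remaining) in enumerate(prioritize(ASSETS), 1):
        print(f"{i}. fix {cve} on {name}; total risk remaining {remaining:.1f}")
```

Two things the output makes visible that the prose alone does not: the asset with the highest risk score (the payments database, around 816) is not the first item on the plan, because the one-hour fix on the low-criticality wiki removes more risk per hour of effort; and the plan's running "risk remaining" column shows how quickly the first few fixes collapse the total, which is the "most risk with the least effort" ordering the article describes. Replacing the assumed weights with an organization's own criticality ratings and a real exploit-likelihood feed is where a practitioner would start.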

How are we doing?

Mellinger then explained that, while individual risk is the most important thing for cyber resiliency, Kenna’s customers will soon be able to benchmark performance and remediation metrics (N.B. Boards of Directors like to know how the company is faring versus others in the space, so the output may be helpful in your next board presentation). The benchmarking capability, rolling out in early 2020, will allow customers to compare their overall risk score and mean time to remediation against their industry averages.

Of course, companies can also benchmark by vertical and company size. “A Fortune 20 bank won’t have the same risk profile as a community bank,” explained Mellinger, “so taking company size into account may turn out to be more important than industry, in some cases.”

In addition to the commercial platform, Kenna recently launched its Exploit Prediction Scoring System (EPSS), a free, open source tool that uses 16 variables to predict the likelihood of a vulnerability being exploited in the wild within a 12-month period. EPSS was created in collaboration with leading data scientists and researchers from academia to find correlations between vulnerabilities and their exploitability. It analyzes the characteristics of a vulnerability that led to exploitation, which the project team believes makes it more reliable and accurate than any other tool available. The press release refers to the EPSS as a “weather-like forecasting tool for the cybersecurity community.”

More accurate threat predictions

Over the years we’ve seen security tools incorporate more data and machine learning to become more accurate and efficient. At its core, machine learning is predicated on good data science, and Kenna has hung its hat on data science as the foundation of its offerings. The company doesn’t appear to use a lot of fancy gimmicks to sell its products; instead, it focuses on continuous improvement in data collection, predictive modeling, and analytics. If the goal of the cyber security team is to continually decrease organizational risk by more accurately predicting threats and remediating them in a timely, prioritized manner (and I posit that this, rather than Secure All the Things, is in fact the goal of cyber security teams), then Kenna Security is about as close as you’re going to come to a crystal ball.

Bellis and Mellinger assured me that companies that see their demo are hooked. Thus, if reducing risk is in your purview (and I think it should be), give the team at Kenna a call and let us know if it improves your cyber security future.