whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk Assure the board your company won t be the next data breach
Introduction A solid vulnerability management program is critical for reducing an organization s cyber risk. If you need proof, just look at the news. Heartbleed and, more recently, the WannaCry ransomware attack demonstrate how a single unpatched vulnerability can have catastrophic consequences. Counting closed vulnerabilities was never an effective method for measuring vulnerability risk and it s only getting worse as the cyber risk landscape gets ever more complex and dangerous. Today, an enterprise s data assets can be worth more than the company itself. In the wake of high-profile data breaches like those experienced by Equifax, board members are well aware that a major cyber breach can kill a big company. They don t want to know how many vulnerabilities were closed last quarter; they want assurance that they ll still be in business tomorrow. Security teams need a more mature approach to vulnerability management, one that allows them to measure and report on risk so that they can make demonstrable improvements and communicate them to the board. 2
Nobody Wins the Numbers Game Vulnerability management is traditionally treated as a numbers game. Faced with dozens of new vulnerabilities every day and lacking the resources to analyze, correlate, and prioritize remediation efforts, security teams are overwhelmed. In such an environment, the security team s best hope is to close as many vulnerabilities as possible and pray that the next major exploit doesn t target one of the millions remaining open. 99% In an attempt to achieve some order, security teams try to manage their vulnerability remediation efforts using homegrown solutions or spreadsheets. It s not unusual for organizations to manage dozens of spreadsheet files to accommodate millions of vulnerabilities, because a single Excel spreadsheet is limited to one million rows. Assets are grouped together, assigned risk levels based on the Common Vulnerability Scoring System (CVSS), and sorted by order of severity. The reports given to the board of directors might also include scanner coverage, vulnerability density, and time-to-remediation metrics. This spreadsheet approach is slow, unscalable, and impractical and it doesn t help anyone sleep better at night. According to Gartner, 99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident. Board members lack the context they need to understand the organization s risk posture which is what they really care about. They want to know where the organization stands today in terms of risk, how that compares to last month, and what progress has been made to reduce the organization s risk exposure. Meanwhile, security practitioners are plagued with uncertainty and doubt. There s no way for them to know for certain that they re addressing the right vulnerabilities. The only way to show improvement is to close more vulnerabilities next month with the same resources. 3
Two Critical Steps to a Modern Approach to Vulnerability Risk Management Fortunately, there is a better way. By taking a riskbased approach to vulnerability management, security teams can deliver meaningful reports to the board and rest assured that their efforts are actually making a difference in the organization s risk posture. Effective vulnerability risk management requires a two-fold strategy: a focus on the right priorities, and organization-wide processes to ensure optimal execution. The top issue in vulnerability management is that organizations aren t prioritizing their patching and compensating controls to align to vulnerabilities targeted by threat actors, says Craig Lawson, research vice president at Gartner. The key behind prioritization is the right metric. It must be simple, understandable, and repeatable so that the organization can monitor historical trends. The metric must take into account the criticality of your assets, the exploitability of new vulnerabilities in the wild, current exploits, and real-time hacker activity. Furthermore, this metric or risk score should serve as an actionable measurement that guides remediation efforts and resource allocation. As such, it can t be manually calculated using spreadsheets and CVSS scores. An objective risk score must be generated automatically in order to serve as a single source-of-truth for all teams and ensure that everyone is focusing on the right thing at the right time. Risk can only be effectively mitigated when the whole organization works together, toward the same goal. That means that remediation tasks are automatically assigned to the right team, be it Security Ops, IT Ops, or Dev, and that the team receives the information it needs to effectively address the risk. Everyone, at all times, should understand where the organization stands in terms of risk. With a clear and accurate picture of the organization s risk posture, security teams can report to the board with confidence, and executive management can make data-driven investment decisions. If you deal with the biggest cause of breaches and data loss first, then you ll have a better foundation to work on more difficult issues, Gartner s Lawson says. Don t stop continually inching toward improvements with a vulnerability management program, but it s more critical to reduce attack surfaces by closing the biggest risks, which are the known vulnerabilities being exploited in the wild. 4
How Kenna Security Can Help Kenna Security helps security teams effectively measure and reduce vulnerability risk by focusing on the most urgent risks first. The Kenna Security Platform, powered by Cyber Risk Context technology, tracks and predicts real-world exploitations to help organizations prioritize and align their vulnerability remediation efforts. The centralized platform unites the entire IT organization against risk by analyzing vulnerabilities in realtime, prioritizing remediation efforts, assigning remediation tasks, and continuously reporting on risk posture. Enterprises such as consumer credit reporting agency TransUnion rely on Kenna s platform to rapidly identify and remediate critical threats. By giving TransUnion s cybersecurity teams the ability to look outside their organization to understand what attackers are doing in real time, they re able to evaluate which of the masses of vulnerabilities are most likely to pose a threat. The technology then prioritizes the most critical vulnerabilities and shows the reduction of risk as a result of patching and remediation. The Kenna risk score also provides Transunion s executive management the visibility it needs to understand the organization s risk posture today, yesterday, and tomorrow. Continuous, risk-centric reporting requires minimal effort from security teams, and aligns with and informs the organization. Kenna s risk reporting scales up and down, from a very tactical perspective all the way up to senior leadership, Ossentjuk said. It s a tremendous way to convey the risk associated with our patching program, and it s fast. It used to take a full day to put together reporting using our old pivot table process, which we ve now gotten down to a couple of hours with Kenna. As a leader in cyber risk management, Kenna Security is trusted by hundreds of customers worldwide, spanning from leading banks to technology vendors, and including many Fortune 100 companies. Kenna revolutionizes how organizations manage cyber risk at scale, preparing them to confront the volume and diversity of today s advanced cyber threats. We d like to help you, too. In doing so, The Kenna Security Platform provides a single source of truth that serves as a compass for all of Transunion s risk operations, thereby significantly reducing the friction between the Security and IT Operations teams. The cultural effects of the Kenna platform are significant and far reaching. The groups on my team are much better aligned, and we work better together as a result, said Transunion CISO Jasper Ossentjuk. 5
Benefits of the Kenna Security Platform Reduce cyber risk by proactively focusing on high-risk vulnerabilities Increase IT efficiency by automating vulnerability analysis, correlation, and prioritization Obtain continuous, real-time visibility into the organization s risk posture Make data-driven investment decisions based on objective risk metrics Eliminate spreadsheets and home-grown apps with automated reports Monitor risk and measure improvement over time To learn more about aligning your organization around risk visit www.kennasecurity.com 6