This ESG Lab Review was commissioned by Kenna Security and is distributed under license from ESG. © 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Abstract

This ESG Lab Review documents hands-on testing of the Kenna Security Platform for cyber risk management. We focus on how the Kenna Security Platform enables organizations to work cross-functionally to prioritize and mitigate cyber risk.

The Challenges

One challenge that continues to plague IT organizations is overcoming the lack of cybersecurity skills. As ESG’s annual IT spending intentions survey reveals, the global cybersecurity skills shortage is only getting worse. In 2018, 51% of respondents state their organization has a problematic shortage (see Figure 1), up from 45% in 2017.1 With the ever-growing amount of internally and externally generated data that SOC and IT analysts must analyze to uncover and resolve threats quickly, keeping skill sets up to date remains difficult. The skills gap threatens the ability of organizations to maintain effective security controls and minimize risk.

Figure 1. Top Ten Areas of IT Skills Shortage

Source: Enterprise Strategy Group

The ever-increasing volume and velocity of cyber-attacks can overwhelm the cybersecurity team. Effective vulnerability management—aggregating data, prioritizing action, distributing work—is driving the need for greater efficiency and automation. CISOs who grasp the impact of the skills shortage should consider investing in developing skills and seeking

1 Source: ESG Master Survey Results, 2018 IT Spending Intentions Survey, December 2017.

22%

23%

24%

25%

25%

25%

26%

26%

33%

51%

Storage administration

Network administration

Mobile application development

Business intelligence/data analytics

Compliance management, monitoring and reporting

Application development

Data protection (i.e., backup and recovery)

Server/virtualization administration

IT architecture/planning

Cybersecurity

In which of the following areas do you believe your IT organization currently has a problematic shortage of existing skills? (Percent of respondents, N=620, multiple responses

accepted)

ESG Lab Review

Prioritizing Cyber Risk: Kenna Security Platform Date: April 2018 Author: Jack Poller, Senior Validation Analyst

Enterprise Strategy Group | Getting to the bigger truth.™

Lab Review: Prioritizing Cyber Risk: Kenna Security Platform 2

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

products that improve operational efficiency. This may be why, according to ESG research, 36% of organizations stated that improving security and risk management was one of their top justifications for IT investments.2

The Solution: Kenna Security Platform

The Kenna Security Platform is a SaaS solution that provides organizations with a clear insight into their cyber risk. Kenna Security designed the platform to measure risk with the goals of informing the organization on the most important risks, guiding the right people to remediate the risks, and helping executives understand the risks represented by the assets fundamental to the running of their business.

The platform integrates data from a number of different threat intelligence feeds, vulnerability scanners, including Qualys, Nessus, and Rapid7, and asset databases. The Kenna Security Platform applies machine learning and data science to the correlated data set to determine a comprehensive risk score for every asset and vulnerability exposure.

The risk score provides an objective measure of risk, and enables the organization to answer questions such as:

• Which are the most critical vulnerabilities in the environment that could be exploited? • Which threat is most likely to be successful, and what is the impact of that threat? • How does the organization manage its limited resources to address vulnerabilities? • With the massive amount of data and risk to the organization, how does IT focus time, attention, and resources to

effectively zero-in on what to do next? • What is the impact of current and future activities on risk exposure?

Kenna Security continuously updates the platform and integrates new connectors which provide the raw data for risk assessment and enable risk management. The platform includes a REST API, enabling security analysts to connect to asset inventories, vulnerability scanners, and other data sources. Table 1 shows the variety of Kenna Security Platform connectors.

Table 1. Kenna Security Platform Connectors

Vulnerability Management

Application Security Ticketing

Qualys VM OpenVAS Qualys WAS WhiteHat Sentinel ServiceNow Ticketing Tenable Nessus Beyond Security Checkmarx Netsparker Atlassian JIRA Rapid7 Nexpose Outpost24 Rapid7 AppSpider Trustwave Hailstorm BMC Remedy

Tripwire Tenable Security Center Portswigger Burp Imperva WAF CMDB BeyondTrust Tenable IO HP Fortify BugCrowd ServiceNow CMDB

McAfee Vulnerability Manager Tanium IBM AppScan WhiteHat Source Discovery

Metasploit Veracode BlackDuck Nmap w3af HP WebInspect

Source: Enterprise Strategy Group

2 Ibid.

Lab Review: Prioritizing Cyber Risk: Kenna Security Platform 3

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

The Dashboard and Risk Meters

ESG Lab reviewed the Kenna Security Platform by following a typical use case for a security analyst. First, we navigated to the dashboard, as shown in Figure 2. The dashboard was populated with four risk meters, measuring the risk for all assets, executive laptops, non-windows systems, and point of sale systems. The dashboard layout and risk meters are flexible, and can be organized around any combination of assets or users, enabling security analysts to create meters for each single or group of assets, processes, or people.

Figure 2. Kenna Security Platform Dashboard

Source: Enterprise Strategy Group

Kenna Security’s risk meter correlates external Internet exploit and breach data with varied vulnerability data, providing an objective, quantifiable measure of risk. The vulnerability and asset scoring algorithm relates vulnerability data to near-real-time successful exploitations across 20,000 organizations, trends in vulnerabilities across 2 million assets, and freshly updated ExploitDB, Metasploit, black hat exploit kits, and Shodan data. The risk score calculation takes into account organization-specific data, such as the importance of the asset (Is the asset exposed to the internet or does it contain sensitive data), asset and business process priorities, dates, and SLAs.

Risk meters can be defined for any group of objects including assets and vulnerabilities, and provide a simple and quick method for comparisons between groups. By incorporating both breach and exploit intelligence, Kenna predicts which vulnerability on each asset is the most likely to be exploited. Risk scores are recalculated as new data arrives, enabling the organization to adjust their security and defensive posture in real time based on the current threat environment, including aggregate hacker behavior.

The Kenna Security Platform dashboard enabled us to quickly compare and prioritize groups. With a risk score of 660, the non-Windows systems group had the least risk, while the executive laptops group, with the maximum score of 1,000, represented the group with the greatest risk.

Next, ESG Lab selected the Reporting button on the executive laptops risk meter. This brought up the risk report for the group represented by the risk meter, as shown in Figure 3. The comprehensive, customizable report provided both current and historical data regarding all objects included in the risk meter. Current information included totals for the number of assets, vulnerabilities, and fixes. Historical data was graphed to show changes over time in risk score, number of active assets, and open vulnerabilities.

Lab Review: Prioritizing Cyber Risk: Kenna Security Platform 4

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

The report provided information both to enable prioritization and for managerial and executive oversight, including categorizing current risk information by risk level, assets, asset tags, operating systems, risk scores, number of fixes per asset, number of unique open CVEs, number of ports/services per asset, oldest open vulnerability, and more.

Figure 3. Risk Meter Report

Source: Enterprise Strategy Group

In addition to reactive reporting, the Kenna Security Platform provides proactive information through exploit prediction. Applying advanced machine learning to its extensive and growing database of vulnerabilities and exploits, the platform provides a prediction on the probability that malicious actors will develop exploits to take advantage of newly disclosed vulnerabilities.

Using the latest data, Kenna Security daily predicts which of the latest crop of vulnerabilities will be exploited, with a claimed 94% accuracy. Future prediction technology will include both a prediction about the probability of exploit development and a prediction for the time frame—an exploit will be created in the next week, month, quarter, etc.

Exploit predictions, which are made as soon as vulnerabilities are published, are factored into risk scores. For example, Kenna Security might predict that there is a very high probability of an exploit being created against a SQL Server vulnerability. However, if there are no assets in the organization running SQL Server, the risk score for that vulnerability will be low.

Exploit predictions provide guidance about which new vulnerabilities may affect the organization, enabling the security team to proactively address the exploit and patch vulnerabilities before they become a risk.

Security analysts can include exploit predictions in reports for managerial oversight, and can be especially useful to answer the question “what are we doing about this” when a vulnerability receives major press attention and publicity, such as the recent meltdown and spectre CPU vulnerabilities.

Next, ESG Lab selected View Top Fixes, which brought up the top fixes panel shown in Figure 4. This panel shows the measurable change to risk for each potential risk mitigation action. Risk scores—both before and after mitigation—account

Lab Review: Prioritizing Cyber Risk: Kenna Security Platform 5

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

for more than just threats; the scores consider active exploits of threats, threat exploit consequences, and object priorities, among other variables. Thus, the top fixes show which risk mitigation activities will result in the greatest reduction of measurable risk, enabling the security analyst to appropriately prioritize activities to maximize return on effort.

Figure 4. Risk Meter Top Fixes

Source: Enterprise Strategy Group

The Kenna Security Platform identified the top fix as applying a patch for Java on Apple Mac OS. While this activity would affect only four of the 76 assets in the group, it would reduce the entire group’s risk score from 1,000 to 993, and would provide the largest reduction in risk of any fix for any of the 607 vulnerabilities identified across the 76 assets.

Tabs on the top fix pane provided more details on the diagnosis, consequence, solution, CVEs, and assets affected by the fix, ensuring the analyst has the information required to dispatch the fix action to the appropriate team. Fixes can be sent by email, exported to a CSV file, or directly dispatched through the two-way integration with ServiceNow.

ESG Lab clicked on the ServiceNow Ticket button, which popped up a prepopulated ServiceNow ticket form, as shown in Figure 5.

Figure 5. Dispatching with the ServiceNow Connector

Source: Enterprise Strategy Group

Lab Review: Prioritizing Cyber Risk: Kenna Security Platform 6

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

The platform can also be configured to trigger an alert when there is a disagreement between the ticketing system and the scanner (i.e., when the ticket is closed, but the asset still suffers from the vulnerability).

The Homepage and Asset, Vulnerability, and Fix Details

Next, ESG Lab clicked the home button, which brought up the homepage, and provided tabs for Assets, Vulnerabilities, and Fixes, as shown in Figure 6. Each tab provides a comprehensive list of all objects of the particular type.

The Assets list provided the score, locator, OS, and tags. The Vulnerabilities list provided the vulnerability score, vulnerability name, description, tags, and color-coded labels for source, fix availability, ease of exploitation, whether it’s malware exploitable, remote code execution, and use in active Internet breaches. The Fixes tab provided detailed information on each fix, as described previously for top fixes.

Figure 6. The Homepage: Asset, Vulnerability, and Fix Details

Source: Enterprise Strategy Group

Clicking on the blue arrow to the right of an asset or vulnerability provided additional information in additional windows, enabling the security analyst to investigate the intricate details of vulnerabilities, the assets they affect, and the fixes for those vulnerabilities.

The Kenna Security Platform provides for the ability to perform bulk actions on groups of objects. Individual and bulk actions include setting priorities, adding or removing tags, marking the object as active or inactive, and assigning an owner.

Next, ESG Lab used the comprehensive search and filter facility to refine the list of objects of interest. The breadth of search and filter options is shown in Figure 7. At the top of the homepage is a set of six pre-configured search filters, covering Top Priority, Active Internet Breaches, Easily Exploitable, Malware Exploitable, Popular Targets, and Zero-Day Vulns. The search filters are live—as soon as the search filter is applied, the displayed list of objects and the filter counts are updated. The search filters are also additive—each new search filter is applied to the already filtered list.

Any search filter can be saved as a group, turning the group of objects into a risk meter. Search filters and the resultant risk meters are live objects, and are updated as soon as new information becomes available.

Lab Review: Prioritizing Cyber Risk: Kenna Security Platform 7

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

The comprehensive search filters enable the security analyst to define risk meters for various groups of objects of interest. These risk meters can then be used for comparison, reporting, and prioritizing activities.

Figure 7. Searching, Filtering, and Building Risk Meter Groups

Source: Enterprise Strategy Group

Since risk meters can be defined for vulnerabilities as well as assets, risk meters can be used to keep security analysts up to date on the latest threats and vulnerabilities that may affect their organization or their assets.

The platform engenders additional threat awareness through the global threat graph, provided as a pullup from the bottom of the dashboard. The graph, shown in Figure 8, plots threat type against changes in threat volume. The horizontal axis shows low volume targeted threats on the left, increasing to high volume automated attacks on the right. The vertical axis shows decreasing threat activity on the bottom, and increasing threat activity on the top. The size of the bubble indicates the magnitude of change, and hovering over a bubble provides details on the threat.

Figure 8. Global Threat Graph

Source: Enterprise Strategy Group

Lab Review: Prioritizing Cyber Risk: Kenna Security Platform 8

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved. www.esg-global.com contact@esg-global.com P.508.482.0188

© 2018 by The Enterprise Strategy Group, Inc. All Rights Reserved.

Why This Matters

As organizations continue to grapple with a gap in cybersecurity skills, next-generation cybersecurity tools will help analysts to keep up with continuously expanding assets and vulnerabilities. The volume and velocity of new vulnerabilities and threats limit a security analyst’s ability to quickly identify, prioritize, and mitigate vulnerabilities. This is exacerbated by the skills gap, and places the organization’s information assets at significant risk.

ESG Lab reviewed the capabilities of the Kenna Security Platform. We verified that analysts could quickly zero-in on the assets representing the greatest risk to the organization. More importantly, the platform enabled us to understand exactly which fixes to apply to provide the greatest reduction in risk exposure with the least amount of effort.

ESG Lab verified that using the platform’s comprehensive search and filtering tools enabled us to quickly group assets. The risk meters, which provided objective, quantifiable measures of risk, increased operational efficiency by making it easy to compare and prioritize risk mitigation among different groups.

The Bigger Truth

CISOs are realizing that combating the ever-increasing volume and velocity of threats and vulnerabilities requires investment in tools and methodologies that enable their security professionals to become more efficient. Automation, orchestration, machine learning, and artificial intelligence can focus highly trained personnel on addressing the most critical issues to reduce risk, along with providing more time for critical decision making and strategic planning.

Kenna Security built its SaaS platform to enable the security analyst to measure and prioritize risk for any group of assets or vulnerabilities within the organization. A set of rich search filters enables the analyst to quickly group assets, with the aggregate group risk represented by a risk meter. Risk scoring accounts for internal priorities and SLAs, asset vulnerabilities, threat intelligence from multiple sources, near-real-time breach data, trends in vulnerabilities, and active exploits culled from ExploitDB, Metasploit, blackhat exploit kits, and Shodan, among others.

ESG Lab verified that the Kenna Security Platform dashboard provides an at-a-glance overview of the organization’s current risk profile, displaying the risk of each group as a risk meter. This enables the security analyst to quickly zero-in on the group of objects that represents the greatest risk to the organization. The risk meter links directly to the top fix groups, which automatically identify which actions will provide the greatest amount of risk reduction with the least effort, enabling security analysts to automate the prioritization of risk and federate the mitigation efforts across the organization.

ESG Lab validated that the Kenna Security Platform helps organizations overcome the cybersecurity skills gap by turning the chaos of thousands of data points from threat and exploit intelligence feeds and vulnerability scanners into an organized, searchable environment that automatically measures risk and helps prioritize risk mitigation efforts. Organizations that want to move beyond simple risk reporting and gain operational efficiency while prioritizing and maximizing return on risk mitigation efforts should investigate the Kenna Security Platform.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

The goal of ESG Validation reports is to educate IT professionals about information technology solutions for companies of all types and sizes. ESG Validation reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objectives are to explore some of the more valuable features and functions of IT solutions, show how they can be used to solve real customer problems, and identify any areas needing improvement. The ESG Validation Team’s expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments.