Which vulnerability to fix first? Kenna Security has the answer

Kenna's vulnerability management platform is designed to prioritize the most dangerous vulnerabilities. Here's how it works.

[Image: unlocked circuit board / security threat (Thinkstock)]

It’s an unintentional and inconvenient truth that as networks grow and expand, so does the potential attack surface. With more users, clients and systems, the potential beachhead for attackers to exploit can quickly grow beyond what most companies are able to manage. In the past, CSO has reviewed defensive tools like traffic monitoring applications that can unmask the presence of an ongoing attack, or deception tools meant to trip up attackers who ferret their way past perimeter security. Vulnerability management platforms, by contrast, help to identify and fix potential attack paths before an attacker can exploit them.

Every organization of any size is going to begin collecting vulnerabilities. Everything from an unpatched server to a misconfigured firewall, and literally everything in between, could and probably does contain vulnerabilities. The trick is discovering them, evaluating which could do the most harm, and fixing them as quickly as possible. While it would be easy to just say that you are going to try to fix everything, the reality is that most organizations likely have thousands upon thousands of vulnerabilities, or potentially even more, with new ones appearing and being discovered every day. Fixing them sequentially, with no consideration of their severity or potential impact on an organization, could leave a network critically unprotected for months or years, and squander resources working on minor problems in the meantime.

Kenna Security's vulnerability management platform is designed to prioritize the most dangerous vulnerabilities that could potentially harm a protected network. In a nutshell, it monitors most major threat feeds, and compares that data with assets inside a protected network. That way, certain threats can be eliminated altogether. Perhaps there are no assets inside a network that a popular threat can attack, or perhaps they have all been patched and are no longer vulnerable to it. Threats are also prioritized based on their potential impact. A client system with a vulnerability at a receptionist’s desk may not be as critical as a database or mail server with the same problem, for example.

[Image: Kenna homepage (John Breeden II/IDG)]

The Kenna Security vulnerability management platform collects threat data from many sources and compares it with actual network assets, showing at a glance which vulnerabilities need to be immediately fixed, which can wait, and which may be under imminent threat.

On the flipside, Kenna can also elevate threats based on current events occurring outside of a network which could potentially harm internal clients. For example, systems that are vulnerable to a specific strain of ransomware would be elevated by Kenna if an active campaign featuring that ransomware is launched somewhere in the world.

The Kenna platform is deployed in a software as a service (SaaS) model, where users pay a yearly subscription fee to log into the secure site that collects their specific vulnerability data. The data collected by Kenna is used to improve security across the platform, so the more organizations that purchase it, the more threats it will likely encounter. Currently, Kenna tracks over two billion vulnerabilities worldwide, and the number grows daily.

How the Kenna platform works

The first part of the Kenna platform is a set of ten live threat intelligence feeds, including one created by the company that monitors new vulnerabilities found by Kenna clients. That all happens with no user interaction required. But the second part, which ties those vulnerabilities to real assets within a protected network, is what makes the platform so useful.

Kenna makes no scanners of its own, instead relying on whatever existing network scanners are already deployed. There are 26 connector programs that allow Kenna to control those scanners and collect the data. They include all the major players in that market like Tripwire, Qualys, ServiceNow, CheckMarx, IBM and others. Adding a connector is extremely easy. Each of the programs features a company logo that is clickable on the main connectors page. We added a McAfee scanner by simply specifying the user name and password for the scanner.

[Image: Kenna connectors page (John Breeden II/IDG)]

Unlike most vulnerability programs tied to a specific product or service, the Kenna platform works with just about any internal network scanning tool.

Once the connectors are up and running, Kenna can parse the data from the threat feeds and the internal network scanners in a variety of ways. At the top level, you get an overview of network health in terms of vulnerabilities. That may look a bit like a nightmare scenario, until you realize that these are vulnerabilities, not active threats, though some can be quite dangerous. Kenna does a great job of explaining why certain vulnerabilities are given the highest priorities (normally because there is an active threat campaign out there in the world and critical assets that are vulnerable to it sitting in the internal network).

Clicking on any of the vulnerabilities in the test network showed the exact problem, well explained. Sometimes the fix was relatively easy, such as servers needing the latest security patch. Others were a bit more complicated, but explained well in the interface. If multiple fixes were available, Kenna recommended one, but also provided information about alternative fixes if administrators wanted to try something different.

[Image: Kenna "how to fix" view (John Breeden II/IDG)]

In addition to identifying the top vulnerabilities, Kenna explains in detail how they can be fixed. The platform also integrates with any trouble ticketing system, so critical fixes can be assigned to IT teams, and then verified once complete to ensure that all holes have been plugged.

Following the step-by-step fixing process would be helpful for security teams that want to do everything themselves, but Kenna also seamlessly integrates into most trouble ticketing systems. This brings up the possibility that someone in an organization could be assigned the role of vulnerability manager, assigning IT teams to remediate vulnerabilities through such a system. And then when the ticketing system reported that the problem was fixed, Kenna could trigger a new scan to verify that the patch worked and was successfully applied to all instances within the network.

The data can also be sorted into groups for easier monitoring, or for a division of labor for very large organizations with multiple IT teams. We divided our fictional company into several groups including marketing and sales teams, database servers, critical infrastructure and others. Once separated in that way, each group got its own vulnerability score for easy management. And if you drill down far enough, each individual asset also has its own score.

[Image: Kenna individual asset score (John Breeden II/IDG)]

Every asset gets its own vulnerability score within Kenna, and groups can be configured to help better manage overall risk.

There are a few other nice features that make Kenna a powerful, preventative tool against threats. For one, administrators can assign hard triggers to certain assets, such as if any vulnerability is ever found on computers assigned to the CEO or other executives, or on critical assets like database servers with proprietary information. Vulnerability scores can also be set to ignore any assets that have disappeared from the network, such as virtual machines that were decommissioned without ever being reported. In that case, vulnerability scores for their group won’t rise based on machines that may no longer exist, but can resume if a missing asset suddenly reappears.
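To make the prioritization logic described above concrete, here is an added illustrative model; it is not Kenna's code or its actual scoring formula, and the 0-10 severity scale, the 1-5 asset criticality scale, the 1.5x elevation for active campaigns, the group roll-up rule and the sample assets and vulnerability ids are all assumptions. It scores each vulnerability by asset criticality, elevates those under an active campaign, rolls scores up per group, skips assets that have disappeared from the network, and fires hard triggers for protected groups regardless of score.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed threat-feed snapshot: vuln id -> (base severity 0-10, active campaign seen?)
THREAT_FEED: Dict[str, Tuple[float, bool]] = {
    "VULN-A": (9.8, True),   # critical and being exploited in the wild
    "VULN-B": (7.5, False),  # high severity, no known campaign
    "VULN-C": (4.0, False),  # medium severity, no known campaign
}

@dataclass
class Asset:
    name: str
    group: str
    criticality: int                  # assumed scale: 1 (low) .. 5 (crown jewel / executive)
    vulns: List[str] = field(default_factory=list)
    present: bool = True              # False once the asset has dropped off the scanner

def vuln_risk(vuln: str, asset: Asset) -> float:
    """Severity scaled by asset criticality, elevated when a campaign is active."""
    severity, active = THREAT_FEED.get(vuln, (0.0, False))
    risk = severity * asset.criticality / 5
    if active:
        risk *= 1.5                   # assumed elevation factor for active campaigns
    return round(min(risk, 10.0), 2)

def asset_risk(asset: Asset) -> float:
    """Per-asset score: its worst vulnerability; a missing asset contributes nothing."""
    if not asset.present:
        return 0.0
    return max((vuln_risk(v, asset) for v in asset.vulns), default=0.0)

def group_risk(assets: List[Asset]) -> Dict[str, float]:
    """Per-group score: highest present-asset score in the group."""
    scores: Dict[str, float] = {}
    for a in assets:
        scores[a.group] = max(scores.get(a.group, 0.0), asset_risk(a))
    return scores

def hard_trigger_alerts(assets: List[Asset], protected: set) -> List[Tuple[str, str]]:
    """Any vulnerability on an asset in a protected group is an alert, whatever its score."""
    return [(a.name, v) for a in assets if a.present and a.group in protected for v in a.vulns]

def prioritized(assets: List[Asset]) -> List[Tuple[float, str]]:
    """Remediation queue, highest risk first, skipping assets no longer on the network."""
    return sorted(((asset_risk(a), a.name) for a in assets if a.present and a.vulns), reverse=True)

SAMPLE = [  # constructed test network
    Asset("mail-01", "infrastructure", 5, ["VULN-A"]),
    Asset("recept-pc", "marketing", 1, ["VULN-A"]),      # same bug, low-value host
    Asset("db-01", "database", 5, ["VULN-B", "VULN-C"]),
    Asset("ceo-laptop", "executive", 5, ["VULN-C"]),
    Asset("old-vm", "database", 4, ["VULN-A"], present=False),  # decommissioned, unreported
]
```

Running `prioritized(SAMPLE)` puts the mail server first and the receptionist's PC last even though both carry the same actively exploited vulnerability, and flipping `old-vm` back to `present=True` raises the database group's score again.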

[Image: Kenna predicted fix value (John Breeden II/IDG)]

The Kenna vulnerability platform shows graphically how much effect each potential fix will have on network risk, letting IT teams decide how to prioritize their limited time and resources.

Because trying to defend everything is almost like defending nothing, organizations can instead deploy the Kenna platform to find, rank and prioritize vulnerabilities, letting limited IT resources go where they are most needed. Fixing potential problems before they can become true threats is the best possible solution, and Kenna makes that seemingly impossible task relatively easy to accomplish. It would make a powerful addition to any defensive cybersecurity arsenal.

Copyright © 2017 IDG Communications, Inc.