A primer on Kenna and truly predictive (and now patented) vulnerability management

As we at Kenna work hard to expand our pioneering technology in risk-based vulnerability management, we recently received good news. We were granted a patent for our exploit prediction capabilities. It’s a great recognition of our leadership in using data science to advance the cybersecurity industry, and it acknowledges the insight and innovation behind our platform.

I want to take this moment to thank my co-inventors, Chief Data Scientist Michael Roytman and Jeff Heuer, Kenna’s co-founder and design director. Without them, this would not have been possible, and their contributions have been invaluable as we all team up on risk.

And another thanks to the engineers on the Kenna team, who worked hard to get this up and running earlier this year, and have continuously turned data science into actionable intelligence for our customers.

The final patent can be found here. If you don’t feel like reading it, here’s the TL;DR version:

We use machine learning to predict, from the moment a vulnerability is released, if an exploit will be released for it later, and whether or not that exploit will be used in attacks.

There’s a lot to unpack there, so I’ll explain why this matters and what differentiates us in the market.

  1. Machine learning has a steep learning curve. It involves teaching a box made of silicon chips and electrical impulses how to do something intelligent. In our case, that something is recognizing when a vulnerability is likely to become weaponized.
  2. Machine learning takes a lot of time and a lot of data to output actionable results. To train a machine, we’ve developed models of how and when vulnerabilities are exploited. We then run thousands upon thousands of observations through those models to help us fine-tune our platform. All of this takes a lot of time, and as the first out of the gate, we’re light-years ahead of competitors and we’re only getting better as we grow.
  3. Our platform is data-source agnostic. This is one of the defining differentiators for us. It means Kenna clients can benefit from the broadest range of data sources available, which ultimately increases the number of observations feeding into our machine learning algorithm, and offers a greater variety of observations to match real-world conditions.
  4. We show our work. There are a lot of companies out there that claim to have machine learning and predictive capabilities. Not all of them do. We offer a high degree of transparency when it comes to our methods. Employees, data scientists, competitors, and customers can learn about the factors that go into our machine learning algorithm here. We even worked with the Cyentia Institute to take a look at the effectiveness of our predictive model against common remediation strategies using the entire database of CVEs. It wouldn’t be possible without this patent. We think this builds trust (and, in the case of our competitors, a little envy). What we do isn’t magic, and it isn’t marketing. It’s data science. Customers can see exactly how our methods work, so they know exactly what they are getting.
  5. Our effectiveness is validated. Third-party researchers have crunched the numbers, and they know our methods work. Kenna’s exploit prediction model offers huge improvements in effectiveness and efficiency over the usual vulnerability remediation strategies used by many enterprises today.


Here’s an example of our work in action: On October 5th, the Kenna Platform predicted with a high degree of confidence that CVE-2018-14847, which affects MikroTik routers, would have an exploit developed. Five days later, our prediction turned to reality and an exploit was made public.

Kenna’s prediction tools are built around a central insight: risk does not come from a vulnerability; it comes from attackers actually using it. Companies are inundated with vulnerabilities on their networks, and many are just treading water, because new vulnerabilities are discovered faster than they can remediate them.

The ability to predict which vulnerabilities will be weaponized is vital, because very few actually are. The ability to predict is, simply put, the only way companies can get ahead of attackers.