Black Hat USA 2018: The Year of “Risk-Based”
Black Hat USA 2018 is now in the books. As usual, spending a week in Las Vegas was fun, exciting, educational, and eventful. Black Hat never disappoints on any of those fronts! In addition to the sessions, vendors, and parties, there were, of course, a few unofficial “hacker games”: major wireless provider networks went down for some time, and there was the occasional attendee walking around with a WiFi Pineapple in a backpack, luring the smartphones of unsuspecting users into connecting to a rogue access point. But overall, we got through the week relatively unscathed.
The Risk-Based Trend
Perhaps the biggest thing that stood out in my mind from this year’s Black Hat USA conference was the prevalence of the term risk-based. Similar to IoT in years past, every vendor seemed to work the term into their headline, even where it didn’t really fit. The reason is simple: the market is beginning to understand that prioritizing security activities on raw counts (the number of vulnerabilities, threat events, or malware samples) is far less effective than prioritizing on an actual measurement of the risk each specific component presents to the organization. Arguably, there’s no greater fit for the term risk-based than in the world of vulnerability management.
Kenna Security was just as trendy as everyone else. We touted our risk-based prioritization for vulnerability management to help security teams efficiently and effectively manage their organization’s risk posture. But unlike most other vendors, this is not new language or a new idea for us – it’s what we were built on, and haven’t wavered from, since day one. The other thing that sets us apart as an organization, and at Black Hat in particular, is the amount of evidence we can offer to back up our claims. Whether visiting our booth in the Business Hall or attending the Kenna session, Those Don’t Matter! Effective Prioritization through Exploit Prediction, attendees were treated to a detailed explanation, with quantitative evidence, of how Kenna’s use of machine learning and data science helps organizations prioritize vulnerabilities based on risk.
How to Verify the Claims
When faced with these market conditions, where every vendor wants to assert that they help you score your vulnerabilities based on risk, it’s important to know how to distinguish between them. Even if the vendor has a good reputation and a known brand name, dig into the details of their claims. Some things to verify:
- When they talk about risk scoring, what is it based on? Which inputs feed the score (exploit availability, observed exploitation, asset context), and is it more than a CVSS score under a new label?
- What training data do they use as the basis for their machine learning, and how is it labeled?
- When they claim that they use data science, how? Is it a bunch of human beings trying to keep up with the volume and velocity of attacks, or do the human beings simply supplement a well-honed algorithmic data model that can deliver a specific metric for every one of your vulnerabilities in a matter of seconds?
- Can they deliver efficiency and coverage metrics (efficiency: of the vulnerabilities the model tells you to fix, what share actually matter; coverage: of the vulnerabilities that actually matter, what share the model tells you to fix) to explain how you can use the model to tune your prioritization activities to your specific environment?
- When they claim predictive capabilities, can they prove the accuracy of their model, and on what metric? In case you’re wondering, Kenna’s predictive model is 94 percent accurate! Whatever figure a vendor quotes, ask what it measures: because most published vulnerabilities are never exploited in the wild, a model that predicted “not exploited” for everything would also score well on plain accuracy while giving you zero coverage, so ask for efficiency and coverage at the threshold you would actually operate at.
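To make the efficiency, coverage and accuracy questions in the checklist above concrete, here is an added example (not code from this post or from Kenna Security) that scores a few prioritization rules against the same set of findings. “Efficiency” and “coverage” are used in the sense of the Prioritization to Prediction report: efficiency is the share of what a rule tells you to fix that was actually exploited, coverage is the share of what was actually exploited that the rule told you to fix. The twelve findings, their CVSS scores, the `predicted` probabilities and the `exploited` labels are all constructed for illustration and are not output of any real model.

```python
"""Efficiency vs. coverage vs. plain accuracy for vulnerability prioritization rules.

Added example, not code from the original post or from Kenna Security.
All vulnerability records below are constructed; the 'predicted' column is a
hypothetical exploit-probability score, not a real model's output.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    vid: str          # constructed placeholder id, not a real CVE
    cvss: float       # CVSS base score
    predicted: float  # hypothetical probability that an exploit will be seen
    exploited: bool   # ground truth: exploitation observed in the wild


# Constructed sample. As in real data, most findings are never exploited:
# only 3 of 12 carry exploited=True.
SAMPLE: List[Vuln] = [
    Vuln("V01", 9.8, 0.91, True),
    Vuln("V02", 9.1, 0.62, False),   # high score, model also flags it: a false positive
    Vuln("V03", 8.8, 0.08, False),
    Vuln("V04", 7.5, 0.77, True),
    Vuln("V05", 7.5, 0.05, False),
    Vuln("V06", 7.2, 0.10, False),
    Vuln("V07", 6.5, 0.84, True),    # exploited despite a medium CVSS score
    Vuln("V08", 6.1, 0.04, False),
    Vuln("V09", 5.3, 0.03, False),
    Vuln("V10", 4.3, 0.02, False),
    Vuln("V11", 4.0, 0.06, False),
    Vuln("V12", 3.1, 0.01, False),
]

Rule = Callable[[Vuln], bool]


def evaluate(vulns: List[Vuln], select: Rule) -> Dict[str, float]:
    """Confusion-matrix metrics for a rule that decides what to remediate."""
    tp = sum(1 for v in vulns if select(v) and v.exploited)
    fp = sum(1 for v in vulns if select(v) and not v.exploited)
    fn = sum(1 for v in vulns if not select(v) and v.exploited)
    tn = len(vulns) - tp - fp - fn
    fixed = tp + fp          # work the rule asks the team to do
    exploited = tp + fn      # findings that actually mattered
    return {
        "fixed": fixed,
        # efficiency == precision: of what you fixed, how much mattered
        "efficiency": tp / fixed if fixed else 0.0,
        # coverage == recall: of what mattered, how much you fixed
        "coverage": tp / exploited if exploited else 0.0,
        # plain accuracy rewards predicting "not exploited" when most are not
        "accuracy": (tp + tn) / len(vulns),
    }


STRATEGIES: Dict[str, Rule] = {
    "fix everything": lambda v: True,
    "fix nothing": lambda v: False,
    "CVSS >= 7.0": lambda v: v.cvss >= 7.0,
    "predicted >= 0.5": lambda v: v.predicted >= 0.5,
}


def compare(vulns: List[Vuln] = SAMPLE) -> Dict[str, Dict[str, float]]:
    """Score every strategy against the same findings."""
    return {name: evaluate(vulns, rule) for name, rule in STRATEGIES.items()}


def tradeoff_curve(vulns: List[Vuln], thresholds: List[float]) -> List[Tuple[float, Dict[str, float]]]:
    """Efficiency/coverage at each decision threshold on the model score.

    Lowering the threshold can only raise coverage (and the amount of work);
    this is the knob a team turns to tune prioritization to its own environment.
    """
    return [(t, evaluate(vulns, lambda v, t=t: v.predicted >= t)) for t in thresholds]


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:18s} fixed={m['fixed']:2d} efficiency={m['efficiency']:.2f} "
              f"coverage={m['coverage']:.2f} accuracy={m['accuracy']:.2f}")
    for t, m in tradeoff_curve(SAMPLE, [0.9, 0.7, 0.5, 0.1, 0.0]):
        print(f"threshold {t:.1f}: efficiency={m['efficiency']:.2f} coverage={m['coverage']:.2f}")
```

On this sample, “fix nothing” reaches 75 percent plain accuracy with zero coverage, which is why an accuracy figure on its own says little about a prioritization model; the efficiency and coverage columns, and how they move as the threshold changes, are what tell you whether the model would actually reduce work without missing the findings that matter.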
So with this year’s Black Hat over and gone, we need to look beyond the parties and glitz, and instead remember the lessons we learned and the technology we saw that will help improve the risk posture of our organizations. But as with any event, also remember to take everything you heard with a grain of salt. Don’t take any vendor’s word at face value; test them and make them prove their claims. That will help you make the right decision for your organization, maximize the efficiency and effectiveness of your security teams, and minimize your organization’s exposure to risk.
Learn more about the Kenna Security Exploit Prediction Model, or read our recent research report, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies.