18+ Threat Intel Feeds Power Modern Vulnerability Management
Share with Your Network
One question we often get from customers or prospective clients is why we use 18+ threat feeds and exploit intelligence feeds? Seems excessive, right? Why not just 4 or 5 feeds? Or 10? Why do we use more than 18 threat feeds and exploit intelligence feeds to power the Kenna.VM modern vulnerability management platform?
The answer is simple: coverage breadth and depth. You need lots of feeds to cover all of the threat and vulnerability data categories. A small number of feeds leaves you with less than stellar coverage. You just can’t get good coverage (breadth) with a small number of feeds. For a visual breakdown of this idea, check out the chart below that our Security Research Team created (and which is heavily used within Kenna) that shows the different threat and vulnerability data categories.
Threat Intelligence and Vulnerability Categories
Feeds and categories defined
Let’s dive into Kenna’s definition of a threat intelligence feed: it’s the sum of all the information we collect from a single source. For example, Reversing Labs and Exodus Intelligence are both feeds. And our definition of a threat or vulnerability category is exactly what it sounds like: a “category” of threat and/or vulnerability data. Chatter and Exploit Databases are examples of categories.
A feed can provide data on one to six threat or vulnerability categories, but more commonly a feed will only supply data for one category. So to achieve comprehensive coverage, you need multiple feeds. Without an adequate amount, you won’t have enough coverage to provide high fidelity risk prioritization throughout the CVE lifecycle.
These threat and vulnerability categories vary in their relative importance to each other in their ability to predict vulnerability risk and in their utility in predicting risk at different points in the CVE lifecycle (i.e. CVE Named, CVE Score Assigned, Exploit Released, and Exploitation in the Wild). For example, the category “chatter” is extremely important in helping to score a vuln in the early stages of the CVE lifecycle and becomes less important as other categories of threat and vulnerability data become available.
Optimizing your risk prioritization
One of the basic tenets of Kenna is that risk scores are dynamic and they can change over time. To get the best possible risk prioritization at every stage of the CVE lifecycle you need to cover all the threat or vuln categories we have listed. Failing to do so diminishes your ability to significantly prioritize risk during part of the CVE lifecycle.
Quick exercise: let’s assume we have six feeds and we cover all of the threat vuln categories. We’re good, right? We have full coverage of all categories and are firing on all cylinders? Actually, no. In this scenario, we have breadth but are lacking in depth. To make up for this, we need to make sure each threat or vuln category is deeply covered by our feeds as well.
The potency of modern vulnerability management
To do this, we use Kenna Security’s data science. The beauty of Kenna.VM’s machine learning models is that we know which vulns were successfully exploited, so we can measure the predictive accuracy of our scoring algorithms and contextual data. For those that are familiar with the power of Kenna Security’s modern vulnerability management platform, that accuracy is 94%.
Every single feed invited into Kenna.VM has been rigorously tested using machine learning models to see if it improves our predictive accuracy – and if it doesn’t pass muster, it won’t be added to the mix.
18+ intelligence feeds—and many more?
Hopefully now, it’s clear why we at Kenna rely on more than 15 intelligence feeds; to achieve the breadth and depth of contextual threat and vulnerability intelligence so that our predictive risk scoring algorithms are as precise and accurate as possible.
You may still be wondering why not even more feeds? Our security research team is always looking at and evaluating new feeds. In fact, just last year we added a feed that bolstered our risk prediction capabilities in the early stages of the CVE lifecycle with a wealth of Pre-NVD chatter information (certain types of chatter occur before a CVE is published to the NIST NVD database). And our research team consistently partners with our feed providers to improve their data (breadth and depth of category coverage) to enhance vulnerability risk scoring.
Rest assured, we at Kenna are always on the hunt for the next feed and improved contextual information that can bring even more valuable insight to your modern vulnerability management solution.
To see how our threat and exploit intelligence feeds works request a demo today