RSA 2020 Recap: It’s Time to Say Goodbye to Traditional Vulnerability Management
Another RSA Conference is in the books!
The show never fails to serve as a fantastic opportunity to get some quality time with real-world security pros, including our customers and partners, and this year was no different—even with a burgeoning public health concern.
In true Kenna Security style, we came prepared for this year’s conference with some exciting content and flair, including an announcement about Kenna’s rapid growth over the past couple of years and a research-packed session hosted by our CTO and co-founder, Ed Bellis. Ed also spent some time with the Security Weekly podcast at the show, discussing what it really means to move into modern vulnerability management.
Of course, there was plenty of action on the show floor itself—nowhere more so than at Kenna’s swanky booth, which aptly invited folks to join the “Right Fight Club.” Over four days, my colleagues and I had hundreds of conversations with attendees about vulnerability management—the good, the bad, and the ugly. And as we chatted with attendees at the booth last week, there were several concerns that seemed to play like a broken record.
What We Heard: “We can’t seem to make sense of our scanner data.”
If you’re in a large organization, this is going to be a painful problem. Scanner data will come at you in massive quantities and you may not always be able to interpret it with speed and efficacy. Yes, some scanner vendors try to offer a degree of context to the data, but that context often relies heavily on static scoring schemas like CVSS. When your ship is full of holes, you have to plug those that can sink the ship. Unfortunately, it’s not always clear which holes are the ones that could let the most water on board. Likewise, organizations are struggling to find confidence in vulnerability scoring that doesn’t take into account how vulnerabilities are being exploited in the real world.
What We Heard: “I don’t want to waste time patching things that aren’t actually posing a threat.”
Overreacting to a benign vulnerability is almost as defeating as underreacting to a threatening one, and unfortunately, it happens all too often when you’re flying blind on the true state of vulnerabilities in your enterprise. There’s enough tension as it is between demand and resources; your vulnerability management strategy shouldn’t be adding fuel to the fire.
What We Heard: “I’m struggling to prove to my boss and my boss’s boss that we’re actually managing risk effectively.”
Even if you are effectively managing your company’s vulnerabilities, it’s a moot point if you can’t prove it. Vulnerability management requires evidence and justification: Why are we patching this? Why aren’t we patching that? What does this score mean? Why has our score changed by this amount? Right now, there’s a massive need for effective reporting and careful education. Patching everything is simply not viable. If you’re going to make the case not to patch something, you better be able to give a reason for it. And if you’re going to present numbers to the higher-ups, you have to be able to explain what those numbers mean in their language.
The fact that these concerns kept popping up in our conversations on the show floor suggests to me that our industry is still very much stuck in a traditional approach to vulnerability management, and security teams are growing tired of singing the same tune over and over. And if you find yourself uttering any of the above statements, it’s probably time to say goodbye to traditional vulnerability management and say hello to risk-based vulnerability management.
Didn’t get a chance to swing by the Kenna booth at RSAC 2020 and want to see Modern Vulnerability Management in action? Then book a demo and one of our experts will be happy to help.