
Vulnerability Management Maturity Part Two: Training Day

Aug 20, 2020
Jason Rolleston
Chief Product Officer


It’s safe to say that most modern enterprises live and breathe data. But not all data is created equal. Take, for example, the data used in early-stage vulnerability management programs.

Go beyond CVSS

Sure, they use data. When their scanners detect a vulnerability, it gets added to a spreadsheet. To estimate the risk that the vulnerability poses, they use the Common Vulnerability Scoring System (CVSS). Never mind that the system doesn’t actually measure risk of exploitation: For years CVSS was as good as it got. (CVSS, by the way, approximates ease of exploit and the impact of exploit. It does not measure the risk that a vulnerability will be exploited.) In fact, many vulnerabilities with high CVSS scores pose little to no risk of exploitation or weaponization.

The quality of a vulnerability management program is directly related to its ability to accurately quantify whether a vulnerability has been weaponized in the past, or is exploitable in the future. And while CVSS might not be the appropriate tool, there is data that can be harnessed to protect corporate networks. 

Pull in the right data 

When a hacker deploys an attack, or when security researchers exploit a vulnerability to create a proof of concept, the activity leaves a record. These records are usually in server logs, but they can be found in other places as well.

Rather than relying on the theoretical risk of a vulnerability, data scientists can examine how hackers have operated in the past to detect well-worn behavioral patterns. Kenna Security ingests data from a sprawling list of sources, including scanners, penetration testing results, bug bounty programs, databases of vulnerabilities and exploit intelligence, and multiple threat intelligence feeds processed in real time.

Evaluate and score vulnerabilities

We’ve learned that certain vulnerabilities are more likely to be exploited than others. Certain variables, like which vendor made the affected application, or whether a proof-of-concept exploit has been published, tend to be more indicative of future weaponization than other variables. Conversely, a vulnerability that can lead to memory corruption in an asset is less likely to be weaponized.

All of these factors can be harnessed to quantify the risk any individual vulnerability poses to an organization. In aggregate, these risks can be used to create an overall risk score for an entire enterprise or for segments of it. 

And you have RBVM

This process is known as risk-based vulnerability management, or RBVM. It has some interesting effects. Our research shows that with the right data, it can drive down risk more thoroughly than other rubrics. For example, some enterprises have protocols under which vulnerabilities with CVSS scores above 7 are patched. Data science suggests, however, that many vulnerabilities above that threshold pose little risk of exploitation, while some vulnerabilities that fall below that threshold pose even greater risk to the organization.

RBVM is the insight that enables truly modern vulnerability management. But to get the benefits of RBVM, organizations need a tool that can operationalize these insights.

To learn more about Modern Vulnerability Management and see where you are in the maturity curve, talk to one of our experts.
