Risk, Not List
At the end of March, predictive cyber risk specialist Kenna Security secured $25 million in Series C funding, led by Bessemer Venture Partners. The new investment, which brings the company’s total funding to $50 million, will finance its continued growth and expansion overseas.
In 2017, Kenna’s sales more than doubled, for the third year in a row; the number of organisations using the Kenna Security Platform grew by more than 60% to 300 worldwide; and in October it increased its presence outside the US with the opening of an EMEA sales office in the UK. It has already signed one UK partner, Securelink, and hopes to recruit another 11.
James Goulding finds out more about Kenna and its UK plans from Kenna Security’s VP EMEA, Trevor Crompton.
Technology Reseller (TR): What exactly does Kenna Security do?
Trevor Crompton (TC): We use a data science approach to drag together all of the vulnerability data residing in infrastructure wherever it is. So that’s all the network scanner stuff, all of the application scanner stuff, all of the pen test information, any information held in Bug Bounty programmes. We draw that all together and normalise it in a single repository.
The reason we normalise it is because if you look at network scanners alone, some prioritise 0-3, some prioritise 0-5, some prioritise 0-10. When you are dealing with the millions, sometimes tens of millions, of vulnerabilities in a normal-sized infrastructure, it’s virtually impossible to figure out if one person’s 2 is the same as another person’s 6. It’s very hard to figure out the prioritisation.
So, we bring all that together; we normalise it; and then we correlate it with 15 completely unique exploit feeds, from the likes of SecureWorks, ReversingLabs and a whole bunch of others.
We are firm believers that what’s really important is the volume and velocity of attack – who is exploiting these vulnerabilities; the volume of those attacks; and whether they are increasing or decreasing. It matters whether the attack is a 14-year-old in his bedroom six weeks ago or a nation state – it increases the risks associated with that particular vulnerability.
We correlate that at a terrific rate of knots, billions of vulnerabilities every 30 minutes in order to understand the risks. We then present that back to an organisation in the form of risk.
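The normalisation and exploit-correlation idea described above, as an added illustrative example (not Kenna’s code or scoring algorithm): scanner findings on different native scales are mapped onto one scale, then weighted by constructed exploit-feed volume and velocity data, and rolled up into a per-segment risk figure. The scanner names, vulnerability ids, scales and weighting formula are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed scanner findings. Each scanner reports severity on its own scale
# (0-3, 0-5, 0-10), so a raw "2" from one tool is not comparable to a "6" from another.
SCANNER_SCALE_MAX = {"scanner_a": 3, "scanner_b": 5, "scanner_c": 10}
FINDINGS = [
    # (scanner, asset, business segment, vulnerability id, raw severity)
    ("scanner_a", "web01", "linux", "VULN-0001", 2),
    ("scanner_c", "db01", "linux", "VULN-0002", 6),
    ("scanner_b", "fs01", "windows", "VULN-0003", 5),
    ("scanner_c", "app02", "windows", "VULN-0001", 9),
]

# Constructed exploit-feed data: exploitation events seen in the current and the
# previous 30-day window. Volume (how many) and velocity (rising or not) drive the weight.
EXPLOIT_FEED = {
    "VULN-0001": {"events_now": 1200, "events_prev": 300},  # high volume and rising
    "VULN-0002": {"events_now": 1, "events_prev": 1},       # exploited once, flat
    # VULN-0003 has no recorded exploitation in any feed
}

def normalise(scanner, raw):
    """Map a scanner's native severity onto a common 0-10 scale."""
    return 10.0 * raw / SCANNER_SCALE_MAX[scanner]

def exploit_weight(vuln_id):
    """Assumed weighting: 1.0 if unexploited; otherwise 1-3 by log volume,
    doubled when this window has more than twice the previous window's events."""
    feed = EXPLOIT_FEED.get(vuln_id)
    if feed is None or feed["events_now"] == 0:
        return 1.0
    volume = 1.0 + min(2.0, math.log10(feed["events_now"] + 1))
    velocity = 2.0 if feed["events_now"] > 2 * max(feed["events_prev"], 1) else 1.0
    return volume * velocity

def score_findings(findings):
    """Return findings ranked by risk, each as (risk, segment, asset, vuln_id)."""
    ranked = []
    for scanner, asset, segment, vuln_id, raw in findings:
        risk = round(normalise(scanner, raw) * exploit_weight(vuln_id), 2)
        ranked.append((risk, segment, asset, vuln_id))
    return sorted(ranked, reverse=True)

def segment_risk(ranked):
    """Sum risk per business segment: the single number reported to management."""
    totals = defaultdict(float)
    for risk, segment, _, _ in ranked:
        totals[segment] += risk
    return {seg: round(total, 2) for seg, total in totals.items()}
```

Note that the top-of-scale raw 5 from scanner_b normalises above the raw 9 from scanner_c, yet still ranks below an actively exploited finding with a lower normalised severity, which is the point of correlating with exploit activity rather than working down a severity list.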
TR: How does your approach differ from that of other people operating in this area?
TC: Most organisations are list-based; we try to move them to being risk-based. Instead of trying to work down an endless list of vulnerabilities when they are coming in faster than you can deal with them, take a risk-based approach. Look at where the risks are in various parts of your business; understand where you can accept it and where you need to take action to remediate it.
We help customers measure risk; we help customers prioritise remediation; and, given our wealth of vulnerability expertise, we give customers the ability to predict which vulnerabilities will be weaponised on the day of their release. We have built an algorithm that mathematically looks at a huge wealth of characteristics within vulnerabilities to understand which of those are going to be weaponised, and we can do that with about 94% accuracy.
TR: Is the market you operate in very crowded?
TC: It’s like buses. People have waited 20 years for a fix to this problem and now a few of them have come along at the same time. So, yes, we do have other people moving into this space and it is heating up quickly.
The network scanners all try to do some sort of prioritisation and the prioritisation they do is quite blocky, in as much as it’s 1-10 or 1-5 or sometimes 1-3. And they only have exploit intelligence from their own systems, which is generally ‘Has it been exploited? Yes or no’. That doesn’t really tell you what is going on. It might have been exploited once by our 14-year-old in his bedroom or it might have been exploited 1,000 times an hour by a nation state.
What we think is most important is really solid exploit intelligence and correlating that at scale and at speed with the vulnerabilities that are in your infrastructure.
TR: What differentiates your offering from others in the market?
TC: It’s a few things. Firstly, our ability to do millions of vulnerabilities – our ability to scale. Our largest customer has 10 million vulnerabilities going into the platform, so we have the ability to cope with the largest and most complex infrastructures.
Secondly, we have 16 different exploit feeds. The questions we ask our exploit intel suppliers are entirely unique – they are not asked these questions by anybody else. So the feeds they supply us are entirely unique. You can’t buy them and they are not supplied by anyone else.
And thirdly, we have an ability to connect into multiple different sources of vulnerability data in your infrastructure.
A lot of organisations maybe run with a Qualys scanner in their most critical part of the business and maybe something a bit cheaper like Nessus in another part; they will have an application security solution, WhiteHat or Veracode; they may be using ServiceNow. So, there’s lots of pieces of infrastructure.
We are not looking to replace any of that. What we do is connect to all of it, draw it into one place, normalise the data and make it useful so you can actually do something with it.
TR: Who are your customers? Are they all very large organisations?
TC: We work with a very wide range of organisations. My smallest customer in Europe has probably only 100 assets.
If you have 100 assets, you probably only devote half of one person’s time to security. You scale your resources in line with the number of assets you have, so the problem is the same. If I say to you ‘You’ve only got two hours a week of somebody’s security time’ and you’ve got 460 vulnerabilities to look at, it’s just as daunting as if you’ve got 50 people and 10 million vulnerabilities. It’s a scale issue.
I think the most important thing is making sure our customers have a way of looking at this from a risk-based perspective so they make the right decisions about what to do. We see more people log in from IT than we do from security and the reason for that is because it works. The IT team can log into our system; they can see what they need to patch; but, more importantly, they can see why they need to patch it. They can see why they need to do the few things that will make the greatest difference to their risk score.
TR: What feedback have you had from customers that are using your platform?
TC: We’ve already got quite a few customers in the UK and Europe and they give a lot of different reasons for why they bought it. Primarily, they centre around: ‘We now do less, we are much more efficient and we are much more effective’; and ‘We are nailing the vulnerabilities that fill the business much earlier and much more precisely than we were previously when we were working off a spreadsheet’.
We are talking about switching from multiple spreadsheets with the mother of all pivot tables to an ability instantly to look at the risks in a business and make really solid decisions about what you are doing and why you are doing it and the ability to measure that, report on it and evidence that to management.
So, when management say ‘What has security done for us recently?’, they don’t have conversations about Bad Rabbit, Meltdown and Spectre; they have conversations around ‘Our risk score today is 420 for the Linux part of our business. Is that acceptable to you? If it isn’t, give me more resources and I will drag that number down’. You can measure the efficacy of what we are doing.
TR: Do you operate entirely through the channel?
TC: We are 100% channel. Every business we find we take to partners and all of our marketing budget bar Infosec will go through partners. We are totally committed to that way of business.
It’s not altruism. It’s good business sense. We have the ability to scale, the ability to reach many more customers, more quickly. The product lends itself to the channel really well because it is very straightforward to demonstrate; and it’s very easy for customers to get a fast time to value, so the partners we are working with really love it.
From our perspective, we have much more reach than we could possibly have with our direct sales people, not to mention the ability to operate in different geographies and languages as well.
TR: Why are you launching in Europe now?
TC: The business has taken the eminently sensible approach to build a solid base of customers in the US, where the HQ is, and then move into Europe in a considered fashion.
We are building a UK business first and we have some customers in Scandinavia, some coming on board in Benelux and a distributor in South Africa, Obscure Technologies. We will react to customers that reach out to us wherever they may be in Europe, but our focus is on building the UK, Benelux and Scandinavian business.
I am looking to recruit 12 partners in the UK. I prefer to have really deep relationships with a smaller group of partners, rather than very transient relationships with hundreds and hundreds of partners. I like to operate with people who really understand what we are doing, really believe in what we are doing.
We are already working with Securelink across the region. They are a fantastic reseller; they are committed; they are dedicated; they really understand this space; and they provide a great managed service offering called Secure Prevent, as well as the ability for customers to buy Kenna and operate it themselves.
www.kennasecurity.com