The 2016 DBIR

Karim Toubba    May 11, 2016

This month Kenna Security participated in the Verizon Data Breach Investigations Report, and for the second year running we used our data to drive the perspective of the vulnerability section. Since then there have been some questions and criticisms of a specific subset of the data referenced in a footnote in the vulnerability section, namely the top 10 vulnerability list. I want to be clear that the criticism of the top 10 vulnerability list is fair and warranted, and we acknowledge that we made a mistake. To put it simply, in an attempt to maintain vendor neutrality, the data and analysis used to generate the Top 10 list in the Verizon DBIR was very different from the analysis that is used to prioritize remediation within the Kenna platform.

The Kenna platform processes billions of pieces of vulnerability and exploit data daily for our customers, helping contextualize vulnerabilities so that security teams know what to prioritize and fix in their own environment. The data we submitted for the Verizon top 10 used only a raw subset of third-party exploitation data, without taking any of the contextual data or our prioritization algorithms into consideration. As one of our customers constantly reminds me, “We can’t work any harder than we do today – we have to work smarter – and that is what your platform allows us to do.”

Looking at the much-discussed FREAK vulnerability as an example, if we had actually run the data through our platform and algorithms, it would not have risen to the level of a significant vulnerability. The Kenna platform is designed to ensure that our customers don’t prioritize a patch that could be a false positive or outlier, by taking into account many variables including: volume and velocity of the exploit, exploit availability, weaponization of the exploit, whether or not that exploit has been observed as part of a greater campaign, relative priority of the asset on which the vulnerabilities sit, and over a dozen external sources. We looked at FREAK within the Kenna platform and saw that CVE-2015-0204 had a Kenna score of 25.0372 (out of 100). That is nowhere close to a top 10,000 vulnerability; it is not even in the top 70% of all vulnerabilities.

I have always believed that you need to be clear about and uphold your values and this experience only underscores this belief. We at Kenna deeply value integrity in all of its forms, but especially of our data as it helps our customers “work smarter.” As we clearly did not exhibit that integrity with the top 10 results, we felt it was important to set the record straight.

Karim Toubba
CEO – Kenna Security
