A Wannacry Post That Doesn’t Make Me Want To Cry

Ed Bellis    May 17, 2017

OK, admittedly, I am the last one who wanted to write Yet Another Post About WannaCry. There’s a ton of noise out there about the topic, both good and bad. As a CISO, I loathed all the “me too” coverage and “if you just bought our product you’d be safe” pitches following big security incidents. But this isn’t that post…

Let me back up a little. On Friday we were seeing all the news reports about the outbreak of the Wannacry ransomware around the globe. It became clear this was tied back to the vulnerabilities exposed via Shadow Brokers that were patched by Microsoft in the MS17-010 advisory. The exploits themselves were already out and available and we, like many others, had ranked the risk of these vulnerabilities very highly. As the news spread along with the ransomware, we began to see an overwhelming number of customers quickly conducting searches across their Kenna instances to identify everywhere they may be exposed. This got me thinking: how will customers prioritize this and where does it fit in with the rest of the work they have ahead of them? My first instinct was to go to the data and see if there was anything we could glean.

I wanted to understand where did these set of vulnerabilities fall in risk ranking versus the rest of our customers’ open vulnerabilities. I also wanted to know if it was truly something they should be addressing right away, and how these same enterprises would fare without our data. Were we adding anything here, or were we just a fast and convenient search mechanism to find what they were looking for? I had Michael Roytman and our data team see if they could help answer these questions.

The data, was in fact, interesting enough to change my mind on writing this post. First, I see a lot of articles written out there saying “just patch your $expletive, these have been available for 2 months!”. To be clear, 60 days to patch in the enterprise is far from unusual. It doesn’t surprise me to see un-patched systems still for these vulnerabilities. The proliferation of infection via SMB is certainly more unusual, but far from shocking. Even more unusual was Microsoft issuing an update for an out-of-support operating system. At Kenna, we recently surpassed the 1 billion open vulnerabilities under management mark. So of those 1 billion plus vulnerabilities, where does this one fall in our risk scoring?

As I mentioned earlier, we ranked these vulnerabilities very high, 100 out of 100 to be exact. But, as I also mentioned, so did everyone else, including CVSS–so big deal. What I really wanted to know is, does this help to prioritize the right remediation?

Out of those 1 billion vulnerabilities, 259,451,953 are either a CVSS score of 9/10. Not only is that over a quarter of all the vulnerabilities we see in scans, it’s also entirely unmanageable – even for the over 300+ enterprises this represents collectively. As the saying goes, if everything is a priority then nothing is.

CVSS Distribution

Next we compared that to using the Kenna risk meter score, where 9,675,000 / 1,000,000,000+ vulnerabilities in our platform have a score of 100. That’s less than 1% prioritized.

Interestingly enough, not only is there less noise at this of level of precision, but this chart also does a good job of showing the power law that is represented in cyber security risk.

Now, to be clear, this isn’t magic. It’s just using a data-driven risk-based approach to remediation–something I obviously have a biased view of, but hey, our numbers are growing and I’m no longer a special snowflake.

Leave a Reply

Your email address will not be published. Required fields are marked *