Kenna Security is a vulnerability management tool you may have heard of but never used. I find it exceptionally useful, though that’s not always a universal opinion. So how does Kenna Security work, and how can you make it work better?
Kenna Security is not a vulnerability scanner. It works with your existing scanner to enrich the data and make recommendations. Using that enriched data to make decisions is key to success with Kenna.
How the product works
When you get Kenna, you continue to run scans with your existing scanner the same way you always have. You create an account on your scanner for Kenna to use and give it API access. Then Kenna syncs with your scanner once a day, or less frequently if needed, pulling in your data, comparing it with the previous data, and adding scoring. There’s some additional work that takes place overnight, so it can take 24 hours after your scan completes for your data to completely stabilize in Kenna.
Kenna’s scoring is the key to the product. Rather than rely on a static CVSS score or similar method, Kenna rates vulnerabilities based on what current threat intelligence says about how much attackers are using them. CVSS is like potential. Some vulnerabilities never achieve their potential. Others seem to overachieve. A vulnerability may not do much, but if it does one thing well and reliably, attackers will use it. Logic says these overachievers deserve some attention. Kenna helps you find and address them.
Kenna’s sales pitch
Kenna tells you that if you fix its high-severity vulnerabilities instead of what your scanner deems high-severity, you get double the benefit for half the work. But I don’t think they do a very good job of explaining why that is.
Realistically, only around 30% of the vulnerabilities in your network are actually useful to an attacker. Kenna argues you don’t have to fix the remaining 70%. By downscoring the underachievers, you cut down how many vulnerabilities you need to address. Plus, by upscoring the overachievers, you take those popular low-severity vulns out of your attackers’ toolkits. This forces them into using less reliable exploits that may not get them as much. In practice, they’re more likely to move on to someone else instead.
So with Kenna, you get a smaller list of vulnerabilities you need to fix, and it makes a bigger difference.
This is controversial. In my day, we fixed everything. But I only had to take care of 500 systems. A few years ago I worked with a poor soul who was responsible for patching 50,000 systems. He had to take care of 100x as many systems as me, and they gave him lower quality tools than I had. I was good at patching. He had a reputation for being really bad at it. Well, when my employer took my tools away in 2009 and gave me worse tools, I got worse at patching too. But I had a small enough number of systems that I could make up for it by working harder. That doesn’t scale to 50,000.
If we accept that we’re not going to get a 100% success rate on every patch we deploy, Kenna can find the patches that are going to make a difference, and then help us spot the systems where those patches still need remedial action.
How Kenna Security scoring works
Kenna rates each vulnerability based on its threat intelligence and gives it a score between 0 and 100. Kenna then rates each asset based on its worst vulnerability. So if a system’s highest vulnerability has a score of 100, the system gets a score of 1000. If its highest vulnerability has a score of 10, the system gets a score of 100. What matters is the severity of the worst vulnerability, not how many vulnerabilities there are. Whether the system has one vulnerability with a score of 10 or a million of them, the system gets a score of 100.
Your overall Kenna score appears to be an average of your systems’ risk scores.
If you want to drive your Kenna score down quickly, fix all of your vulnerabilities that have a Kenna score of 100. Then work through the vulnerabilities with scores in the 90s, then 80s.
Some Kenna employees will tell you to look at your highest-scored systems and fix the vulnerabilities on those. That will improve your Kenna score, but if you have a centralized system for deploying patches, it’s easier to look at patches rather than systems.
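As an added illustration (this is not code from the post or from Kenna), here is the scoring model described above run over a constructed inventory: an asset scores ten times its worst vulnerability, the overall score is taken to be the mean of asset scores (the post only says it appears to be), and the last function compares fixing the top-scored vulnerability everywhere with fully remediating the top-scored system. Asset names, vulnerability ids and scores are all made up.

```python
# Constructed inventory (hypothetical names and scores): each asset maps a
# vulnerability id to its Kenna vulnerability score (0-100).
INVENTORY = {
    "web-01":  {"VULN-A": 100, "VULN-B": 65},
    "web-02":  {"VULN-A": 100, "VULN-C": 40},
    "db-01":   {"VULN-A": 100, "VULN-D": 30},
    "app-01":  {"VULN-B": 65, "VULN-C": 40},
    "file-01": {"VULN-C": 40, "VULN-F": 40, "VULN-G": 40},  # three vulns, one score
}

def asset_risk(vulns):
    """Asset score is ten times its worst vulnerability; the count is irrelevant."""
    return 10 * max(vulns.values(), default=0)

def overall_risk(inventory):
    """Overall score, assumed here to be the mean of the asset scores."""
    scores = [asset_risk(v) for v in inventory.values()]
    return sum(scores) / len(scores)

def patch_order(inventory):
    """Vulnerabilities to fix, highest score first (the 100s, then 90s, ...),
    breaking ties by how many assets one patch would clean up."""
    score, hosts = {}, {}
    for vulns in inventory.values():
        for vid, s in vulns.items():
            score[vid] = s
            hosts[vid] = hosts.get(vid, 0) + 1
    return sorted(score, key=lambda v: (-score[v], -hosts[v], v))

def fix_vulnerability(inventory, vid):
    """Centralized patching: remove one vulnerability from every asset."""
    return {a: {k: s for k, s in v.items() if k != vid} for a, v in inventory.items()}

def fix_asset(inventory, asset):
    """Host-centric remediation: clear every vulnerability on one asset."""
    return {a: ({} if a == asset else dict(v)) for a, v in inventory.items()}

def compare_strategies(inventory):
    """Overall score after one patch rolled out everywhere vs. after fully
    remediating the single worst asset."""
    by_patch = fix_vulnerability(inventory, patch_order(inventory)[0])
    worst = max(inventory, key=lambda a: asset_risk(inventory[a]))
    return {"start": overall_risk(inventory),
            "fix_top_vuln": overall_risk(by_patch),
            "fix_top_asset": overall_risk(fix_asset(inventory, worst))}
```

With this sample, one patch (VULN-A) deployed to three systems takes the overall score from 810 to 480, while wiping every vulnerability off the worst system only gets it to 610.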
Generally speaking, you can find a problem with any single vulnerability management statistic. If we’re deploying updates with a reasonable degree of success and our MTTR is trending down, I don’t fret if the risk score jumps around a bit. Keep doing the right things, and the stats will all catch up with you.