1 of 18
How TransUnion Moved to a Risk-Based View of VM
Executive Bios
Ed Bellis
CTO, Cofounder at Kenna
• Former CISO at Orbitz
Jasper Ossentjuk
CISO at TransUnion
• Former CISO at HSBC
TransUnion
Founded in 1968, TransUnion is a global information solutions company that serves people, businesses and organizations around the world.
My Priorities When I Arrived
1. Evaluate the security program (people, process, technology)
2. Create a global program
3. Address deficient areas (e.g. vulnerability management)
The Problem
Overwhelmed with vulnerabilities
Accurate and reliable prioritization impossible given increased cadence in data
Reporting takes…forever?
“Hill of Death”
Excel Pivot Table Process Growing Outdated
Too much time. Too much human error.
Great for vuln counts - not for risk.
Not dynamic in terms of assigning & reassigning assets to the right owner
No threat/exploit intel applied to vuln data at scale
Solution — Choosing Kenna
Designed for a world where there’s more data than humans
Automates the manual, tedious task of prioritization
Finite pool of resources available—optimize to attack highest risk items
Increases efficiency of entire security team – unifies SecOps & IT Ops
“We couldn’t work harder, had to work smarter”
Reporting on Risk
Enables ability to communicate risk
Even non-technical stakeholders understand it
Track and measure impact on risk over time
Before & After: Time Spent Reporting On Risk
8 hours 2 hours Seconds
Implementing Kenna: What We Learned
Aligning stakeholders to consider risk vs. numbers (and set expectations that not everything is going to be fixed – ever)
Start with early adopters, advocates from the patching teams, to collect early feedback – create an exclusivity element to getting on board early to generate excitement
Communicate to leadership why we were moving away from the old, tired method (setting new expectations)
Culture Shift: Brought SecOps and IT Ops together by giving them the ability to patch smarter – not harder
The Right Use Case for Moving to Risk
You actually care (meaning you’re trying to reduce the likelihood of a breach, not just check a compliance checkbox)
Pushing the boulder up the hill: The Struggle is Real
You need to deploy people on more important things than crunching numbers
You need to report on risk
M&A Use Case
“Better Together” – Culture Benefits
How Kenna Works
[Diagram labels: CISO, Sec Ops, IT Ops; Exploit Intel – 10+ Threat Feeds; Enterprise – 25+ Connectors]
Your Job is 10x Easier with the Kenna Platform
• Measure Risk
• Prioritize the Right Actions
• Track Progress Over Time
• Unified View of Risk – from CISO to Sec Ops to IT Ops
The Risk Meter Shows You the Full Picture
• Understand the risk of all your environments
• Communicate your risk from the Dev team to the Board
• Always know what to prioritize and remediate – and be able to prove it
• Always know real-world threat context for your specific vuln data
Configure for every stakeholder
Prioritize Remediation By Impact with “Fixes”
• Contextualize remediation suggestions with
your environment
• Prioritize available patches by impact
• Preview adjusted risk score before deploying
• Easily share with your remediation team
• Report risk posture (not counts)
Track Your Progress – Like a Stock Report
• See your risk exposure at a glance
• Easily communicate to all stakeholders
• Measure risk using custom dates
• Monitor the impact of your efforts
Powered by Exploit Intelligence
We correlate vuln scan data with a growing list of threat feeds
National Vulnerability Database (NVD)
Open Threat Exchange (OTX)
WASC
The Exploit DB
SHODAN
Metasploit Project
Verisign iDefense
SANS ISC
CTU Intelligence
Q & A

How TransUnion Moved to a Risk-Based Approach for Vulnerability Management


Editor's Notes

  1. Jasper Ossentjuk self-funded his education working as a pizza delivery driver, an award-winning chef and a seasonal worker in the Alaskan commercial fishing industry. He started his technology career as a consultant in the Financial Services practice at Andersen Consulting. He worked at HSBC for a dozen years, where he led international teams spanning the globe. He is currently Senior Vice President and Global Chief Information Security Officer at TransUnion. Jasper graduated from the University of Arizona with a Bachelor’s Degree in Management Information Systems and from The George Washington University with a Master’s Degree in Project Management.
  2. Here’s how Kenna works. Imagine that instead of spreadsheets, you could add headcount to your team using automation. And then imagine that the added manpower could consume and analyze all of your vulnerability scan data, regardless of which scanners you used. Then imagine they were able to bring real-time context to that data by integrating with multiple threat feeds. And imagine all of this happens within minutes. That’s the power of Kenna. It gives you unbelievable insight into what vulnerabilities you should prioritize first, helping you truly understand your company’s risk posture.
  3. The Risk Meter is the interface that allows you to do all of this. It allows you to group all of your assets and see Risk Scores for each of them. Those scores are the product of both your internal vulnerability scan data and what’s happening “in the wild” according to the integrated threat intelligence. It enables you to immediately pinpoint top priorities, as well as active Internet breaches, easily exploitable targets and popular targets. Having Kenna on your side ensures that you’re not only able to remediate what matters, but also have the data behind you to prove that you’re taking the right actions. You can configure the Risk Meter for each stakeholder on your team—so everyone has access to the information they need.
  4. With Fixes, you can understand both what you should remediate and how. Access the latest information on available patches and receive contextualized remediation for your asset groups (as well as overall assets). These suggestions can be prioritized and sorted to display key remediation insights such as the highest risk reduction, the patches containing the most CVEs and the most assets affected. Fixes also responds to any filtering that happens on the dashboard, so you can filter down to remediations for vulnerabilities involved in active internet breaches, or those that are easily exploitable. You can also preview how much your risk score will change by applying a patch before actually deploying it. This ensures that you are fixing the most critical vulnerabilities first. Once a fix is applied, remediation can be confirmed by a subsequent scan. With Fixes, you have the ability to report on overall risk (not just counts) to other team members, as well as to upper management. Non-technical stakeholders can also see at a glance which groups of assets have weaknesses and what steps your organization is taking to address them.
  5. One of the things that makes Kenna truly unique is our ability to help you measure and report on your risk. For a group of assets, you can easily see the trend line of both the risk score and the vulnerability count over time. This gives you amazing insight into the impact on your risk as you close the vulnerabilities that are most critical. We also give you the ability to view your progress like a “stock report”—seeing the highest and lowest risk score over time, including last week and last month, as well as a general trend line for the risk associated with a group of assets. This kind of reporting is suitable for everyone—for the development team, for the CISO, all the way up to the board of directors. There’s really never been another way to see risk at a glance like this.
  6. The way we arrive at the Risk Meter score is through the integration with real-time threat feeds. This is how we’re able to tell you exactly what to prioritize, because we can compare your unique environment with what we know is happening in real time. We integrate with 10 intelligence sources, including:
     • Dell SecureWorks CTU (helps to determine whether active internet breaches exist)
     • Open SIM providers like OTX (helps to determine whether active internet breaches exist)
     And the following commercial threat feed providers:
     • National Vulnerability Database: network vulnerability database
     • WASC: public vulnerability database (web application vulnerability database)
     • SHODAN: public vulnerability database (web application vulnerability database)
     • The ExploitDB: public exploit database
     • Metasploit: public exploit database – tells you whether an exploit is in the wild/published; a framework you can buy that hacks for you and runs the exploit
     • SANS Internet Storm Center: public vulnerability database – includes patch information
     • Verisign iDefense: zero-day threat feed – tells you whether you’re vulnerable to things not yet in NVD
     [https://www.risk.io/threat-intelligence]
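To make the Risk Meter and Fixes notes above concrete, here is an added example (not Kenna's code or scoring model, and not from the deck): a toy scorer that combines scanner severity with threat-feed flags, scores an asset by its worst open vulnerability rather than by count, and ranks candidate fixes by the group risk they would remove, previewing the score before anything is deployed. The weights, the group aggregation (mean of asset scores), the asset names, the placeholder CVE ids and the fixes are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float  # scanner-reported base severity, 0-10

@dataclass(frozen=True)
class ThreatContext:  # what the threat feeds say about a CVE (constructed flags)
    easily_exploitable: bool = False
    exploit_published: bool = False  # e.g. a public exploit or Metasploit module exists
    active_breach: bool = False      # e.g. seen in active internet breaches

@dataclass(frozen=True)
class Fix:
    name: str
    cves: FrozenSet[str]

def vuln_score(cvss: float, ctx: ThreatContext) -> float:
    """Assumed weighting: severity alone lands in a 0-30 band and threat context
    multiplies it, so an exploited CVSS 7.5 outranks an unexploited CVSS 9.8."""
    score = cvss * 3.0
    for flag, weight in ((ctx.easily_exploitable, 1.5), (ctx.exploit_published, 2.0),
                         (ctx.active_breach, 2.5)):
        if flag:
            score *= weight
    return min(score, 100.0)

def asset_scores(findings: Iterable[Finding], intel: Dict[str, ThreatContext]) -> Dict[str, float]:
    """Asset score = its single worst open vulnerability (risk, not a count)."""
    scores: Dict[str, float] = {}
    for f in findings:
        s = vuln_score(f.cvss, intel.get(f.cve, ThreatContext()))
        scores[f.asset] = max(scores.get(f.asset, 0.0), s)
    return scores

def vuln_counts(findings: Iterable[Finding]) -> Dict[str, int]:
    """The old pivot-table view: number of findings per asset."""
    return dict(Counter(f.asset for f in findings))

def group_score(assets: List[str], findings: List[Finding], intel: Dict[str, ThreatContext]) -> float:
    """Risk-meter-style group score: mean of member asset scores (assumption); nothing open = 0."""
    scores = asset_scores(findings, intel)
    return sum(scores.get(a, 0.0) for a in assets) / len(assets)

def preview_fix(fix: Fix, assets: List[str], findings: List[Finding],
                intel: Dict[str, ThreatContext]) -> Tuple[float, float]:
    """Group score before and after every finding the fix covers is closed."""
    remaining = [f for f in findings if f.cve not in fix.cves]
    return group_score(assets, findings, intel), group_score(assets, remaining, intel)

def rank_fixes(fixes: List[Fix], assets: List[str], findings: List[Finding],
               intel: Dict[str, ThreatContext],
               require: Optional[Callable[[ThreatContext], bool]] = None) -> List[Tuple[str, float, int, int]]:
    """Rows of (fix, group risk removed, CVEs covered, assets touched), best first.
    `require` mirrors dashboard filtering, e.g. lambda c: c.active_breach."""
    rows = []
    for fix in fixes:
        covered = [f for f in findings if f.cve in fix.cves]
        if not covered or (require and not any(
                require(intel.get(f.cve, ThreatContext())) for f in covered)):
            continue
        before, after = preview_fix(fix, assets, findings, intel)
        rows.append((fix.name, before - after,
                     len({f.cve for f in covered}), len({f.asset for f in covered})))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows

# Constructed sample data with placeholder CVE ids (not real CVEs).
ASSETS = ["web-01", "web-02", "db-01", "build-01"]
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8), Finding("web-01", "CVE-0000-0002", 5.0),
    Finding("web-02", "CVE-0000-0001", 9.8),
    Finding("db-01", "CVE-0000-0003", 7.5), Finding("db-01", "CVE-0000-0004", 4.0),
    Finding("build-01", "CVE-0000-0005", 3.1), Finding("build-01", "CVE-0000-0006", 3.1),
    Finding("build-01", "CVE-0000-0007", 2.0), Finding("build-01", "CVE-0000-0008", 2.0),
]
INTEL = {  # anything not listed defaults to "no threat context known"
    "CVE-0000-0002": ThreatContext(exploit_published=True),
    "CVE-0000-0003": ThreatContext(exploit_published=True, active_breach=True),
}
FIXES = [
    Fix("vendor-patch-A", frozenset({"CVE-0000-0001"})),
    Fix("vendor-patch-B", frozenset({"CVE-0000-0005", "CVE-0000-0006", "CVE-0000-0007", "CVE-0000-0008"})),
    Fix("vendor-patch-C", frozenset({"CVE-0000-0003", "CVE-0000-0004"})),
]

if __name__ == "__main__":
    print({a: (vuln_counts(FINDINGS)[a], round(s, 1)) for a, s in asset_scores(FINDINGS, INTEL).items()})
    for row in rank_fixes(FIXES, ASSETS, FINDINGS, INTEL):
        print(row)  # vendor-patch-C removes the most risk though B covers more CVEs and A more assets
```

In the sample data build-01 has the most findings but the lowest risk, and vendor-patch-C (two CVEs on one asset, one of them seen in an active breach) removes far more group risk than the patch that closes four CVEs or the one that touches two assets.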