TransUnion CISO Jasper Ossentjuk believes that with the increased pace of automated and targeted attacks, InfoSec teams can only work smarter—not harder.
Find out how Jasper and his team use Kenna to automate key components of vulnerability management while moving to a risk-based view that dramatically saved time, improved team effectiveness, and gave Jasper high-level reporting he could share with his executive peers.
2. Executive Bios
Ed Bellis
CTO, Cofounder at Kenna
• Former CISO at Orbitz
Jasper Ossentjuk
CISO at TransUnion
• Former CISO at HSBC
3. TransUnion
Founded in 1968, TransUnion is a global information solutions company that serves people, businesses and organizations around the world.
4. My Priorities When I Arrived
1. Evaluate the security program
(people, process, technology)
2. Create a global program
3. Address deficient areas
(e.g. vulnerability management)
5. The Problem
Overwhelmed with vulnerabilities
Accurate and reliable prioritization impossible given
increased cadence in data
Reporting takes…forever?
“Hill of Death”
6. Excel Pivot Table Process Growing Outdated
Too much time. Too much human error.
Great for vuln counts - not for risk.
Not dynamic in terms of assigning & reassigning assets to the right owner
No threat/exploit intel applied to vuln data at scale
7. Solution — Choosing Kenna
Designed for a world where there’s more data than humans
Automates the manual, tedious task of prioritization
Finite pool of resources available—optimize to attack highest risk items
Increases efficiency of the entire security team – unifies SecOps and IT Ops
“We couldn’t work harder, had to work smarter”
[Diagram: SecOps and IT Ops]
8. Reporting on Risk
Enables ability to communicate risk
Even non-technical stakeholders understand it
Track and measure impact on risk over time
9. Before & After: Time Spent Reporting On Risk
8 hours → 2 hours → seconds
10. Implementing Kenna: What We Learned
Aligning stakeholders to consider risk vs. numbers (and set expectations that not everything is going to be fixed – ever)
Start with early adopters, advocates from the patching teams to collect early feedback – create an exclusivity element to getting on board early to generate excitement
Communicate to leadership why we were moving away from the old, tired method (setting new expectations)
Culture Shift: Brought SecOps and IT Ops together by giving them the ability to patch smarter – not harder
11. The Right Use Case for Moving to Risk
You actually care (meaning you’re trying to reduce the likelihood of a breach,
not just check a compliance checkbox)
Pushing the boulder up the hill: The Struggle is Real
You need to deploy people on more important things than crunching numbers
You need to report on risk
M&A Use Case
“Better Together” – Culture Benefits
12. How Kenna Works
[Diagram: CISO, Sec Ops, IT Ops]
Exploit Intel: 10+ Threat Feeds
Enterprise: 25+ Connectors
13. Your Job is 10x Easier with the Kenna Platform
Measure Risk
Prioritize the Right Actions
Track Progress Over Time
Unified View of Risk – from CISO to Sec Ops to IT Ops
14. The Risk Meter Shows You the Full Picture
• Understand the risk of all your environments
• Communicate your risk from the Dev team to the Board
• Always know what to prioritize and remediate – and be able to prove it
• Always know real-world threat context for your specific vuln data
Configure for every stakeholder
15. Prioritize Remediation By Impact with “Fixes”
• Contextualize remediation suggestions with your environment
• Prioritize available patches by impact
• Preview adjusted risk score before deploying
• Easily share with your remediation team
• Report risk posture (not counts)
16. Track Your Progress – Like a Stock Report
• See your risk exposure at a glance
• Easily communicate to all stakeholders
• Measure risk using custom dates
• Monitor the impact of your efforts
17. Powered by Exploit Intelligence
We correlate vuln scan data with a growing list of threat feeds
National Vulnerability
Database (NVD)
Open Threat Exchange (OTX)
WASC
The Exploit DB
SHODAN
Metasploit Project
Verisign iDefense
SANS ISC
CTU Intelligence
Jasper Ossentjuk self-funded his education working as a pizza delivery driver, an award-winning chef and a seasonal worker in the Alaskan commercial fishing industry. He started his technology career as a consultant in the Financial Services practice at Andersen Consulting. He worked at HSBC for a dozen years where he led international teams spanning the globe. He is currently Senior Vice President and Global Chief Information Security Officer at TransUnion. Jasper graduated from the University of Arizona with a Bachelor’s Degree in Management Information Systems and from The George Washington University with a Master’s Degree in Project Management.
Here’s how Kenna works. Imagine that instead of spreadsheets, you could add headcount to your team using automation. And then imagine that the added manpower could consume and analyze all of your vulnerability scan data, regardless of which scanners you used.
Then imagine they were able to bring real-time context to that data by integrating with multiple threat feeds. And imagine all of this happens within minutes. That’s the power of Kenna. It gives you unbelievable insight into which vulnerabilities you should prioritize first, helping you truly understand your company’s risk posture.
The Risk Meter is the interface that allows you to do all of this.
It allows you to group all of your assets, and see Risk Scores for each of them. Those scores are the product of both your internal vulnerability scan data, as well as what’s happening “in the wild” due to integrated threat intelligence.
It enables you to immediately pinpoint top priorities, as well as active Internet breaches, easily exploitable targets, and popular targets. Having Kenna on your side ensures that you’re not only able to remediate what matters, but also have the data behind you to prove that you’re taking the right actions. You can configure the Risk Meter for each stakeholder on your team—so everyone has access to the information they need.
With Fixes, you can understand both what you should remediate, as well as how.
Access the latest information around available patches and receive contextualized remediation for your asset groups (as well as overall assets). These suggestions can be prioritized and sorted to display key remediation insights such as the highest risk reduction, patches containing the most CVEs and the most assets affected. Fixes also responds to any filtering that happens on the dashboard, so you can filter based on remediations for vulnerabilities containing active internet breaches, or those that are easily exploitable.
You can also preview how much your risk score will be adjusted by applying the patch before actually deploying. This ensures that you are fixing the most critical vulnerabilities first.
Once a fix is applied, remediation can be confirmed upon subsequent scan.
With Fixes, you have the ability to report on overall risk (not just counts) to other team members, as well as to upper management. Non-technical stakeholders can also see at a glance which groups of assets have weaknesses and what steps your organization is taking to address them.
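To make the Risk Meter and Fixes ideas concrete, here is an added example (not Kenna's code and not its scoring algorithm). It takes constructed scan findings, overlays constructed threat context of the kind the feeds above supply (exploit published, active breach, zero-day), rolls findings up into a per-asset-group risk score, and previews how much each candidate fix would lower that score before it is deployed. The weights in `vuln_risk`, the "mean of each asset's worst finding" roll-up in `risk_meter`, and all CVE identifiers are assumptions made for the demo; the contrast with `rank_by_count` shows why a spreadsheet vulnerability count and a risk-based ranking can disagree.

```python
"""Added example (not Kenna's code): risk-based prioritization of scan findings.

Weights, roll-up rule and all sample data are assumptions for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Finding:
    asset: str
    group: str      # asset group the Risk Meter reports on
    cve: str
    cvss: float     # scanner-reported base severity, 0-10


@dataclass(frozen=True)
class ThreatIntel:
    exploit_published: bool = False   # a public exploit or framework module exists
    active_breach: bool = False       # an active-breach feed reports in-the-wild use
    zero_day: bool = False            # reported before the CVE appears in NVD


@dataclass(frozen=True)
class Fix:
    name: str
    cves: frozenset


# Constructed sample data; CVE ids are placeholders, not real identifiers.
FINDINGS = [
    Finding("web-01", "web-tier", "CVE-0000-0001", 9.8),
    Finding("web-02", "web-tier", "CVE-0000-0001", 9.8),
    Finding("web-01", "web-tier", "CVE-0000-0002", 7.5),
    Finding("db-01", "db-tier", "CVE-0000-0003", 5.3),
    Finding("db-01", "db-tier", "CVE-0000-0004", 4.3),
    Finding("db-01", "db-tier", "CVE-0000-0005", 3.1),
]
INTEL = {  # constructed threat context keyed by CVE; absent CVEs get no boost
    "CVE-0000-0001": ThreatIntel(exploit_published=True, active_breach=True),
    "CVE-0000-0002": ThreatIntel(exploit_published=True),
}
FIXES = [
    Fix("web-patch-A", frozenset({"CVE-0000-0001"})),
    Fix("web-patch-B", frozenset({"CVE-0000-0002"})),
    Fix("db-patch-C", frozenset({"CVE-0000-0003", "CVE-0000-0004", "CVE-0000-0005"})),
]


def vuln_risk(f: Finding, intel: ThreatIntel) -> float:
    """0-100 score: severity gives up to 50, threat context the rest (assumed weights)."""
    score = round(f.cvss * 10) / 2      # exact half-points, avoids float drift
    if intel.exploit_published:
        score += 20
    if intel.active_breach:
        score += 25
    if intel.zero_day:
        score += 15
    return min(score, 100.0)


def risk_meter(findings, intel, assets=None):
    """Per-group score: mean over the group's assets of each asset's worst finding.

    `assets` keeps assets with no remaining findings in the mean (scoring 0) so
    that before/after comparisons cover the same population.
    """
    if assets is None:
        assets = {(f.group, f.asset) for f in findings}
    worst = {key: 0.0 for key in assets}
    for f in findings:
        key = (f.group, f.asset)
        if key in worst:
            worst[key] = max(worst[key], vuln_risk(f, intel.get(f.cve, ThreatIntel())))
    by_group = defaultdict(list)
    for (group, _asset), score in worst.items():
        by_group[group].append(score)
    return {group: mean(scores) for group, scores in by_group.items()}


def preview_fix(findings, intel, fix):
    """Preview the adjusted Risk Meter if `fix` were applied, before deploying it."""
    assets = {(f.group, f.asset) for f in findings}
    before = risk_meter(findings, intel, assets)
    after = risk_meter([f for f in findings if f.cve not in fix.cves], intel, assets)
    touched = [f for f in findings if f.cve in fix.cves]
    return {
        "fix": fix.name,
        "risk_reduction": sum(before[g] - after[g] for g in before),
        "cves": len(fix.cves & {f.cve for f in findings}),
        "assets_affected": len({f.asset for f in touched}),
        "after": after,
    }


def rank_fixes(findings, intel, fixes):
    """Order fixes by risk reduction, then CVEs covered, then assets affected."""
    previews = [preview_fix(findings, intel, fx) for fx in fixes]
    return sorted(previews, key=lambda p: (-p["risk_reduction"], -p["cves"], -p["assets_affected"]))


def rank_by_count(findings, fixes):
    """The spreadsheet view: fixes ordered only by how many findings they clear."""
    counts = {fx.name: sum(f.cve in fx.cves for f in findings) for fx in fixes}
    return sorted(counts, key=lambda n: -counts[n])


if __name__ == "__main__":
    print("Risk Meter:", risk_meter(FINDINGS, INTEL))
    print("Count-based order:", rank_by_count(FINDINGS, FIXES))
    for p in rank_fixes(FINDINGS, INTEL, FIXES):
        print(f"{p['fix']}: -{p['risk_reduction']:.2f} risk, {p['cves']} CVEs, {p['assets_affected']} assets")
```

With this data the count-based view puts `db-patch-C` first because it clears three findings, while the risk-based ranking puts `web-patch-A` first: it clears only one CVE, but that CVE carries both a published exploit and an active-breach signal across two assets, so it removes far more risk from the web-tier group.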
One of the things that makes Kenna truly unique is our ability to help you measure and report on your risk.
For a group of assets, you can easily see the trendline of both the risk score and the vulnerability count over time. This gives you amazing insight into the impact on your risk as you close the vulnerabilities that are most critical.
We also give you the ability to view your progress like a “stock report”—seeing the highest and lowest risk score over time, including last week and last month, as well as giving you a general trend-line for the risk associated with a group of assets.
This kind of reporting is suitable for everyone—for the development team, for the CISO, all the way up to the board of directors. There’s really never been another way to see risk at a glance like this.
The way we arrive at the Risk Meter score is through the integration with real-time threat feeds. This is how we’re able to tell you exactly what to prioritize, because we can compare your unique environment with what we know is happening in real-time.
We integrate with 10 intelligence sources including:
Dell SecureWorks CTU (helps to determine whether active internet breaches exist)
Open SIM providers like OTX (helps to determine whether active internet breaches exist)
And the following commercial threat feed providers:
National Vulnerability Database (network vuln database)
WASC Public vulnerability database (web application vulnerability database)
SHODAN Public vulnerability database (web application vulnerability database)
The ExploitDB - Public exploit database (exploit database)
Metasploit Public exploit database (exploit database) - tells if exploit is in the wild/published; framework you can buy that hacks for you; runs the exploit
SANS Internet Storm Center (public vulnerability database) - Includes patch information
Verisign iDefense (zero-day threat feed) - Tells you if you’re vulnerable to things not yet in NVD
[https://www.risk.io/threat-intelligence]