How Transunion Moved to a Risk-Based View of VM

How TransUnion Moved to a Risk-Based Approach for Vulnerability Management


Page 1: How TransUnion Moved to a Risk-Based Approach for Vulnerability Management

How Transunion Moved to a Risk-Based View of VM

Page 2

Executive Bios

Ed Bellis
CTO, Cofounder at Kenna
• Former CISO at Orbitz

Jasper Ossentjuk
CISO at TransUnion
• Former CISO at HSBC

Page 3

TransUnion

Founded in 1968, TransUnion is a global information solutions company that serves people, businesses and organizations around the world.

Page 4

My Priorities When I Arrived

1. Evaluate the security program (people, process, technology)
2. Create a global program
3. Address deficient areas (e.g. vulnerability management)

Page 5

The Problem

Overwhelmed with vulnerabilities

Accurate and reliable prioritization impossible given the increased cadence of scan data

Reporting takes…forever?

“Hill of Death”

Page 6

Excel Pivot Table Process Growing Outdated

Too much time. Too much human error.

Great for vuln counts - not for risk.

Not dynamic in terms of assigning & reassigning assets to the right owner

No threat/exploit intel applied to vuln data at scale

Page 7

Solution — Choosing Kenna

Designed for a world where there’s more data than humans

Automates the manual, tedious task of prioritization

Finite pool of resources available—optimize to attack highest risk items

Increases efficiency of entire security team – unifies SecOps and IT Ops

“We couldn’t work harder, had to work smarter”

Page 8

Reporting on Risk

Enables ability to communicate risk
Even non-technical stakeholders understand it
Track and measure impact on risk over time

Page 9

Before & After: Time Spent Reporting On Risk

8 hours 2 hours Seconds

Page 10

Implementing Kenna: What We Learned

Aligning stakeholders to consider risk vs. numbers (and set expectations that not everything is going to be fixed – ever)

Start with early adopters, advocates from the patching teams to collect early feedback – create an exclusivity element to getting on board early to generate excitement

Communicate to leadership why we were moving away from old, tired method (setting new expectations)

Culture Shift: Brought SecOps and IT Ops together by giving them ability to patch smarter – not harder

Page 11

The Right Use Case for Moving to Risk

You actually care (meaning you’re trying to reduce the likelihood of a breach, not just check a compliance checkbox)

Pushing the boulder up the hill: The Struggle is Real

You need to deploy people on more important things than crunching numbers

You need to report on risk

M&A Use Case

“Better Together” – Culture Benefits

Page 12

How Kenna Works (diagram)

• Exploit Intel: 10+ Threat Feeds
• Enterprise: 25+ Connectors
• Unified view across CISO, Sec Ops and IT Ops

Page 13

Your Job is 10x Easier with the Kenna Platform

• Measure Risk
• Prioritize the Right Actions
• Track Progress Over Time
• Unified View of Risk – from CISO to Sec Ops to IT Ops

Page 14

The Risk Meter Shows You the Full Picture

• Understand the risk of all your environments
• Communicate your risk from the Dev team to the Board
• Always know what to prioritize and remediate – and be able to prove it
• Always know real-world threat context for your specific vuln data

Configure for every stakeholder

Page 15

Prioritize Remediation By Impact with “Fixes”

• Contextualize remediation suggestions with your environment
• Prioritize available patches by impact
• Preview adjusted risk score before deploying
• Easily share with your remediation team
• Report risk posture (not counts)

Page 16

Track Your Progress – Like a Stock Report

• See your risk exposure at a glance
• Easily communicate to all stakeholders
• Measure risk using custom dates
• Monitor the impact of your efforts

Page 17

Powered by Exploit Intelligence

We correlate vuln scan data with a growing list of threat feeds

National Vulnerability Database (NVD)

Open Threat Exchange (OTX)

WASC

The Exploit DB

SHODAN

Metasploit Project

Verisign iDefense

SANS ISC

CTU Intelligence
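The correlation described on this slide, together with the “preview adjusted risk score before deploying” step from the Fixes slide, as an added illustration written for this page and not Kenna’s own scoring model: the intel weights, asset criticality values and CVE identifiers are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float           # scanner severity (CVSS base score)
    exploit_public: bool  # public exploit exists (stand-in for Exploit DB / Metasploit intel)
    active_in_wild: bool  # exploitation observed (stand-in for a threat-feed report)

# Constructed sample scan data; the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, True, True),
    Finding("web-01", "CVE-0000-0003", 5.3, False, False),
    Finding("db-01", "CVE-0000-0002", 7.5, True, False),
    Finding("kiosk-07", "CVE-0000-0003", 5.3, False, False),
    Finding("kiosk-07", "CVE-0000-0004", 6.1, False, False),
    Finding("kiosk-07", "CVE-0000-0005", 4.3, False, False),
]
# Constructed business criticality per asset (1.0 = crown jewel, 0.3 = low value).
ASSET_CRITICALITY = {"web-01": 1.0, "db-01": 1.0, "kiosk-07": 0.3}
# Candidate "fixes": each closes a set of CVEs wherever they occur.
FIXES = {
    "patch-A": {"CVE-0000-0001"},
    "patch-B": {"CVE-0000-0002"},
    "kiosk-bundle": {"CVE-0000-0003", "CVE-0000-0004", "CVE-0000-0005"},
}

def finding_risk(f: Finding) -> float:
    """Severity scaled by exploit intel and asset criticality (constructed weights)."""
    intel = 1.0 + (1.0 if f.exploit_public else 0.0) + (2.0 if f.active_in_wild else 0.0)
    return f.cvss * intel * ASSET_CRITICALITY.get(f.asset, 0.5)

def risk_meter(findings) -> float:
    """The 'meter': total risk of a set of findings, trackable over time."""
    return sum(finding_risk(f) for f in findings)

def preview_fix(findings, cves) -> tuple[float, float]:
    """Risk before and after a fix, so the adjusted score is visible before deploying."""
    remaining = [f for f in findings if f.cve not in cves]
    return risk_meter(findings), risk_meter(remaining)

def rank_fixes(findings, fixes) -> list[tuple[str, float, int]]:
    """Order fixes by risk reduction rather than by how many findings they close."""
    ranked = []
    for name, cves in fixes.items():
        before, after = preview_fix(findings, cves)
        closed = sum(1 for f in findings if f.cve in cves)
        ranked.append((name, round(before - after, 1), closed))
    return sorted(ranked, key=lambda r: r[1], reverse=True)
```

With this data the kiosk bundle closes the most findings but ranks last, which is the count-versus-risk distinction the deck draws.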

Page 18

Q & A