How TransUnion Moved to a Risk-Based View of VM
Executive Bios
Ed Bellis, CTO and Cofounder at Kenna
• Former CISO at Orbitz
Jasper Ossentjuk, CISO at TransUnion
• Former CISO at HSBC
TransUnion
Founded in 1968, TransUnion is a global information solutions company that serves people, businesses and organizations around the world.
My Priorities When I Arrived
1. Evaluate the security program (people, process, technology)
2. Create a global program
3. Address deficient areas (e.g. vulnerability management)
The Problem
Overwhelmed with vulnerabilities
Accurate and reliable prioritization was impossible given the increasing cadence of scan data
Reporting takes…forever?
“Hill of Death”
Excel Pivot Table Process Growing Outdated
Too much time. Too much human error.
Great for vuln counts - not for risk.
Not dynamic in terms of assigning & reassigning assets to the right owner
No threat/exploit intel applied to vuln data at scale
Solution: Choosing Kenna
Designed for a world where there’s more data than humans
Automates the manual, tedious task of prioritization
Finite pool of resources available—optimize to attack highest risk items
Increases efficiency of the entire security team; unifies SecOps and IT Ops
“We couldn’t work harder, had to work smarter”
Reporting on Risk
Enables the ability to communicate risk
Even non-technical stakeholders understand it
Track and measure impact on risk over time
Before & After: Time Spent Reporting On Risk
8 hours 2 hours Seconds
Implementing Kenna: What We Learned
Aligning stakeholders to consider risk vs. numbers (and set expectations that not everything is going to be fixed – ever)
Start with early adopters, advocates from the patching teams to collect early feedback – create an exclusivity element to getting on board early to generate excitement
Communicate to leadership why we were moving away from old, tired method (setting new expectations)
Culture Shift: Brought SecOps and IT Ops together by giving them ability to patch smarter – not harder
The Right Use Case for Moving to Risk
You actually care (meaning you’re trying to reduce the likelihood of a breach, not just check a compliance checkbox)
Pushing the boulder up the hill: The Struggle is Real
You need to deploy people on more important things than crunching numbers
You need to report on risk
M&A Use Case
“Better Together” – Culture Benefits
How Kenna Works
Exploit Intel: 10+ threat feeds
Enterprise: 25+ connectors
Your Job is 10x Easier with the Kenna Platform
• Measure Risk
• Prioritize the Right Actions
• Track Progress Over Time
• Unified View of Risk, from CISO to Sec Ops to IT Ops
The Risk Meter Shows You the Full Picture
• Understand the risk of all your environments
• Communicate your risk from the Dev team to the Board
• Always know what to prioritize and remediate, and be able to prove it
• Always know real-world threat context for your specific vuln data
Configure for every stakeholder
Prioritize Remediation By Impact with “Fixes”
• Contextualize remediation suggestions with your environment
• Prioritize available patches by impact
• Preview adjusted risk score before deploying
• Easily share with your remediation team
• Report risk posture (not counts)
Track Your Progress – Like a Stock Report
• See your risk exposure at a glance
• Easily communicate to all stakeholders
• Measure risk using custom dates
• Monitor the impact of your efforts
Powered by Exploit Intelligence
We correlate vuln scan data with a growing list of threat feeds
National Vulnerability Database (NVD)
Open Threat Exchange (OTX)
WASC
The Exploit DB
SHODAN
Metasploit Project
Verisign iDefense
SANS ISC
CTU Intelligence
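The deck describes the approach only at slide level: correlate scan findings with exploit intel and asset context, rank fixes by the risk they remove rather than by how many findings they close, and preview the adjusted score before a patch ships. The following is an added example written for this page, not Kenna's code, and the scoring formula is a deliberately simple stand-in for a risk model the deck does not describe. All scan findings, exploit-intel flags, asset owners, criticality weights and the V-n vulnerability ids are constructed placeholders, not real data or real CVEs.

```python
"""Risk-based vs count-based vulnerability prioritization (added example).

The score below (CVSS, boosted per feed reporting a public exploit, weighted
by asset criticality) is a hypothetical stand-in, not Kenna's risk model.
Every input is constructed for this demo; V-n ids are not real CVEs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln: str      # placeholder vulnerability id (not a real CVE)
    cvss: float    # base score as a scanner would report it
    fix: str       # patch or fix that closes this finding


# Constructed scan output. Note that the kiosks generate the most findings.
FINDINGS = [
    Finding("web-01", "V-1", 9.8, "fix-web-A"),
    Finding("web-02", "V-1", 9.8, "fix-web-A"),
    Finding("db-01", "V-2", 7.5, "fix-db-B"),
    Finding("kiosk-01", "V-3", 4.3, "fix-kiosk-C"),
    Finding("kiosk-02", "V-3", 4.3, "fix-kiosk-C"),
    Finding("kiosk-03", "V-3", 4.3, "fix-kiosk-C"),
    Finding("kiosk-04", "V-3", 4.3, "fix-kiosk-C"),
    Finding("web-01", "V-4", 5.3, "fix-web-D"),
]

# Constructed exploit intel: which feeds report a working public exploit
# (the role feeds such as Exploit DB or Metasploit play on the slide).
EXPLOIT_INTEL = {
    "V-1": {"exploitdb"},
    "V-2": {"exploitdb", "metasploit"},
}

# Constructed asset context: (owning team, business criticality weight).
ASSETS = {
    "web-01": ("webops", 2.0),
    "web-02": ("webops", 2.0),
    "db-01": ("dba", 3.0),
    "kiosk-01": ("retail-it", 1.0),
    "kiosk-02": ("retail-it", 1.0),
    "kiosk-03": ("retail-it", 1.0),
    "kiosk-04": ("retail-it", 1.0),
}


def finding_risk(f: Finding) -> float:
    """Hypothetical per-finding risk: CVSS x exploit boost x criticality."""
    sources = EXPLOIT_INTEL.get(f.vuln, set())
    _, criticality = ASSETS[f.asset]
    return f.cvss * (1 + 0.5 * len(sources)) * criticality


def total_risk(findings=FINDINGS) -> float:
    """The 'risk meter' for a set of findings (sum of finding risk)."""
    return round(sum(finding_risk(f) for f in findings), 2)


def count_by_owner(findings=FINDINGS) -> dict:
    """What the old pivot-table view reports: findings per team."""
    out = defaultdict(int)
    for f in findings:
        out[ASSETS[f.asset][0]] += 1
    return dict(out)


def risk_by_owner(findings=FINDINGS) -> dict:
    """What the risk view reports: risk per team."""
    out = defaultdict(float)
    for f in findings:
        out[ASSETS[f.asset][0]] += finding_risk(f)
    return {team: round(v, 2) for team, v in out.items()}


def prioritize_fixes(findings=FINDINGS, by="risk") -> list:
    """Rank fixes as (fix, risk_removed, findings_closed), ordered by
    risk removed ("risk") or by findings closed ("count")."""
    removed, closed = defaultdict(float), defaultdict(int)
    for f in findings:
        removed[f.fix] += finding_risk(f)
        closed[f.fix] += 1
    rows = [(fix, round(removed[fix], 2), closed[fix]) for fix in removed]
    rows.sort(key=(lambda r: (-r[1], r[0])) if by == "risk"
              else (lambda r: (-r[2], r[0])))
    return rows


def preview_fix(fix: str, findings=FINDINGS) -> tuple:
    """Risk meter before and after one fix, computed before anyone patches."""
    before = total_risk(findings)
    after = total_risk([f for f in findings if f.fix != fix])
    return before, after


if __name__ == "__main__":
    print("findings per owner:", count_by_owner())
    print("risk per owner:    ", risk_by_owner())
    print("count order:", [r[0] for r in prioritize_fixes(by="count")])
    print("risk order: ", [r[0] for r in prioritize_fixes(by="risk")])
    print("preview fix-db-B (before, after):", preview_fix("fix-db-B"))
```

The count view puts the retail kiosk team first (four findings) and the single database finding near the bottom; the risk view inverts that, because the database finding has two feeds reporting a public exploit and sits on the most critical asset. Whatever real model replaces the placeholder formula, the two properties the slides ask for are the same: rank fixes by risk removed, not findings closed, and compute the post-fix score before the patch goes out so the number shown to leadership can be promised in advance.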
Q & A