Kenna Security

We catch up on the latest developments of the Exploit Prediction Scoring System aka EPSS with co-creators Sasha Romanosky and Jay Jacobs.


Exploit Prediction Scoring System - Now With Live Data

Exploit Prediction Scoring System

We tackle a hotly contested debate as old as cybersecurity itself: does releasing exploit code do more harm than good?

Establishing Defender Advantage w/ Cyentia Institute

We interview Collin Boyce, Chief Information Officer for the City of Tucson, Arizona and discuss his process of turning impossible ideas into real projects that achieve meaningful results.

 Collin Boyce, CIO of Tucson, AZ teaches us how he turns impossible ideas into reality. 


How CIOs Get Things Done

Dive into a quick history of the CVE List as we kick off a quarterly update that tracks the progress of new CVEs issued.

Counting CVEs

We discuss and add some quantifiable data to a hot-button issue in the cybersecurity industry: responsible disclosure of vulnerabilities and exploits.

We discuss and add some quantifiable data to a hot-button issue in the cybersecurity industry: responsible disclosure of vulnerabilities and exploits.


Vulnerability Disclosure and Responsible Exposure

Continuing our miniseries into Risk, Measured: we go back to statistics class and discuss some of the characteristics of good metrics to help people understand what you should be looking for when you want to meaningfully quantify cybersecurity phenomena, program performance, or anything really.

Continuing our miniseries into Risk, Measured: we go back to statistics class and discuss some of the characteristics of good metrics to help people understand what you should be looking for when you want to meaningfully quantify cybersecurity phenomena, program performance, or anything really.


Risk, Measured: 7 Characteristics of Good Metrics

Sometimes a number is just a number. Context - the information and environment around the number - is what really matters. We discuss how this concept holds especially true in vulnerability management and risk scoring.

Sometimes a number is just a number. Context - the information and environment around the number - is what really matters. We discuss how this concept holds especially true in vulnerability management and risk scoring.


Why Vulnerability Scores Can’t Be Looked At In A Vacuum

We discuss the general lack of defensive perspectives in cybersecurity media and culture, how that impacts perceptions and decision making, and what we can do about it.

We discuss the general lack of defensive perspectives in cybersecurity media and culture, how that impacts perceptions and decision making, and what we can do about it.


More Blue Team Voices

We discuss the application of power law distributions in cybersecurity.

We discuss the application of power law distributions to cybersecurity.

Risk, Measured: Power Laws and Security

We look at the phenomena of exploit code moving from traditional and cybersecurity-centric databases like Exploit-DB and Metasploit and instead being published on Github. Is Github becoming a de facto database for exploit code?

Github as a Source for Exploits?

Kenna Security recently celebrated its 10-year anniversary on Dec. 10th, 2020; so we decided to do what we do best and take a data-based (and rare) review of the top vulnerabilities from the past decade, year-by-year.

A Walk Down Vulnerability Lane

We discuss the security and privacy of connected gifts this holiday shopping season.

Are Your Presents Spying On You?

We welcome a special guest from VMware Carbon Black to discuss the state of cloud infrastructure and security, primarily through the lens of vulnerability management today, tomorrow, and far into the future.

The Future of Cloud Security w/ VMware Carbon Black

Jerry Gamblin gives us a pre-thanksgiving primer for Amazon AWS re:Invent 2020, which will be held from Nov. 30 - Dec 18th on a computer monitor near you.

re:Invent'ing 2020

We discuss the sixth and latest report in our ongoing dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 6: The Attacker-Defender Divide looks at exploitation events from 2019 to analyze the momentum shifts between cybersecurity hackers and the teams defending organizations from attack.

The Attacker-Defender Divide w/ Cyentia Institute 

Will Docker’s download rate limits kill containers as we know them today?

The Death Of Containers As We Know Them?

We discuss the fifth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 5: In Search of Assets at Risk.

In Search Of Assets At Risk w/ Cyentia Institute

We discuss the challenges managing risk in 3rd party code from things like Open Source Software libraries.

Managing 3rd Party Code Risk

We discuss the fourth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 4: Measuring What Matters In Remediation.

Measuring What Matters w/ Cyentia Institute

We discuss the evolution of cybersecurity metrics and reporting to Boards of Directors.

Reporting Risk To The Board

We discuss the third report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 3: Winning the Remediation Race looks at (1) how quickly and (2) how many vulnerabilities a given organization can handle. Answering two key questions: Can organizations remediate all of the new vulnerabilities in their environments? If not, can organizations remediate all of the new High-Risk vulnerabilities in their environments?

Winning The Remediation Race w/ Cyentia Institute

Today on Security Science, we have a special around the virtual table with some of the biggest names in cybersecurity discussing a wide range of topics like securing remote workers, whether companies are really moving to the cloud, and the impact of the 2020 presidential election. 

Around the Virtual Table with Chris, Jeremiah & Ed

We discuss the Exploit Prediction Scoring System (EPSS), the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure.

The Exploit Prediction Scoring System (EPSS)

We discuss the second report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction, Volume 2: Getting Real About Remediation picks up on the overall vulnerability landscape analysis from Volume 1 and dives deep into the vulnerability landscape from within actual enterprise networks (a little over 500 of them to be exact).

Getting Real About Remediation w/ Cyentia Institute

How does the spread, detection, and response to viruses like COVID-19 compare with cybersecurity practices today? In the second episode of our Risk, Measured series we talk to special guest, Northeastern University Assistant Professor, Sam Scarpino about how Epidemiology relates to cybersecurity.

Risk, Measured: Epidemiology for Cybersecurity

We chat about the state of everyone’s favorite buzz technology: Threat Intelligence with our favorite internet fingerprinter, Kenna’s head of research, Jcran. Joining us is a special guest, longtime pentester, infamous internet listener, and founder of GreyNoise Intelligence, Andrew Morris.

Longtime pen-tester, security advisor, internet-listener, and the Founder of GreyNoise Intelligence, Andrew Morris.

Andrew 

Morris

The State of Threat Intelligence w/ GreyNoise

We discuss the infamous cybersecurity gathering that gets canceled year-after-year, DEF CON. Guiding us along this journey to nowhere is everyone’s favorite security guru and serial DEF CON non-presenter, Jerry Gamblin.

DEF CON Was Actually Canceled (sort of)

Both the bane and salvation of security teams, and the start of a month-long fix cycle for IT teams, Microsoft's Patch Tuesday is a consistent reminder that nothing keeps us more secure than good old fashioned cyber-hygiene. Kenna Security's Head of Research, Jcran walks us through his Patch Tuesday ritual and gives us some tools, tips, and tricks along the way.

Patch Tuesday Rituals with JCran

Picking up where we left off on the history of vulnerability management, Ed Bellis walks us through the history of risk-based vulnerability management (RBVM) to current times and the near future.

A Chronological Journey Through Risk-Based Vuln Management

Year after year we read about millions of unfilled cybersecurity jobs as incidents increase and Twitter experiences one of the most public cyber meltdowns in history. We talk with data scientist extraordinaire, Michael Roytman about whether Machine Learning can fill the cybersecurity skills gap.

We talk with data scientist extraordinaire, Michael Roytman about whether Machine Learning can fill the cybersecurity skills gap.

Can ML Solve the Cybersecurity Skills Gap?

The first in a multi-part dive into the Prioritization to Prediction (P2P) research series by Kenna Security and The Cyentia Institute - guests Ed Bellis and Wade Baker discuss P2P Volume 1 which quantifies the performance of vulnerability prioritization and remediation strategies for the very first time.

Analyzing Vulnerability Remediation Strategies w/ Cyentia Institute

Want more detail than Shodan queries? Need to figure out which devices have that new critical vuln and are exposed to the internet? Creator of Intrigue.io, Jcran discusses his creation and touches on the topics of digital fingerprinting and discovery tools.

Intrigue In Discovery and Digital Fingerprinting

The first episode in a Security Science mini-series called Risk, Measured - Kenna's Chief Data Scientist, Michael Roytman discusses the theory and components used to measure risk.  

Touching on the definitions, current and future data sources, responsibilities of security teams, characteristics of bad models, and much more, this is a definite must listen for anyone interested in measuring cyber risk.

Risk, Measured: Components of Cyber Risk

2020's global Covid-19 pandemic has yet again thrust the concept of Zero Trust architectures into the security mainstream. Researcher, Builder, Hacker, Traveler, and Kenna's head of Security and Compliance, Jerry Gamblin discusses Zero Trust and the realities of the work required to truly adopt the architecture, probably bursting a few bubbles along the way.

Building Zero Trust is Hard

In the very first episode of Security Science the Father of Risk-Based Vulnerability Management, Ed Bellis walks us through the history of Vulnerability Management. From the dark times before the CVE list and open-source scanners to the capabilities of today's best performing vulnerability management programs. 

A Brief History of Vulnerability Management

The Team

Research

Cybersecurity shouldn’t be a black box. Security Science aims to demystify cybersecurity with education combined with a dose of entertainment. We will tap a mix of experts to tackle the gamut of security topics - from the (mis)use of AI to deep analysis of specific vulnerabilities - grounding out each episode with measurable outcomes or joking around when there is a lack thereof. New episodes every other Wednesday.

Episodes