Recently, Tom Corn, VMware SVP of Security Product, was joined by Jason Rolleston, Chief Product Officer at Kenna Security, to discuss best practices for bridging the gap between information security and IT teams within the context of the new VMware Carbon Black Cloud Workload Protection product. Integral to this mission is finding a way to enable both teams to operate in the context that they are familiar with while agreeing upon a single source of truth. This is exactly what the integration of Kenna Security’s vulnerability intelligence into Carbon Black Cloud and vCenter seeks to do.
Attendees of the webinar asked a number of really important questions—questions that we have seen pop up in the field, too. So, to continue the conversation (and potentially answer a question or two that you may have yourself), we thought it would be helpful to do a quick Q&A below to cover some key points of the integration.
If you missed the webinar, it’s not too late. You can catch it on-demand here.
Q: What other information is available in the Kenna Risk Score that is available in the Carbon Black and vCenter consoles?
The answer to this question is two-fold, really. First, there’s a lot of tremendously valuable context in the Kenna information that is fully integrated into Carbon Black. This information aims to show you not just which vulnerabilities you should be concerned about but why you should be concerned about them.
Second, the Kenna Risk Score itself factors in a lot of information. Kenna taps into more than 15 threat and exploit intelligence feeds that they have selectively curated with firms. This data includes things like which malware families or signatures have leveraged a specific CVE as part of a successful exploitation, which exploits we see as part of common exploit kits, whether a CPU was used for an exploitation of a specific CVE, and more. Anything that is scored very high in Kenna will have some combination of these. Within Workload, you can understand in plain English the rationale behind the score. This type of context helps your team have confidence in the score.
Q: How are OS-level and app-level vulnerabilities presented to the infrastructure teams within the solution?
Both of these things are being surfaced. What your infrastructure team sees inside vCenter is a new tab for all of the Carbon Black capabilities, which shows a full inventory correlated against what they have enabled with Carbon Black—where you have rogue systems, etc. You’ll see alerts surfacing around vulnerabilities and a dashboard around vulnerabilities that will show you your machines and where you may have an OS-level or app-level vulnerability that has a very high score due to a critical vulnerability that also has an exploit.
The benefit here is that the infrastructure team isn’t flipping to another console—they are staying inside the management console that they’re already in. We’ve designed the UI in a way that is consistent with the experience and process of vCenter.
And it’s important to note, too, that with this approach, the infrastructure team isn’t dealing with ten thousand vulnerabilities at the end of the quarter, but rather the two or three vulnerabilities that have popped up that day that happen to be critical to address.
Q: Does Kenna’s analytics also score zero day vulnerabilities? If so, is this based on predictive modeling?
Kenna has built a predictive model based on a wealth of data on successful exploitations over the past few years. This data science approach allows Kenna to predict whether a new vulnerability (i.e. a zero day) is likely to become exploitable. In the Kenna Risk Score, this prediction shows up as a higher score. A vulnerability that is predicted to be exploitable will have an increased score, and that score will increase further as soon as Kenna sees any evidence of exploitation. Ultimately, this prediction element allows us to elevate new vulnerabilities that are likely to become a real risk to your organization.
Q: Is everything you’ve presented here available today?
Yes, everything is available today!
Q: Should users log into Kenna or VMware Carbon Black to obtain this information? Which platform should the infrastructure teams be provided access to for remediation?
The Kenna Risk Score shows up within the VMware Carbon Black Cloud console, so your information security team can see this information within the context of everything else they are monitoring. The information simultaneously shows up in the vCenter console, so your infrastructure teams can see the information they need within the context of the workflow they are accustomed to. Each team can operate in the console they need to, but both teams work off the same source of truth.