ESG's Jon Oltsik talks with Karim Toubba of Kenna Security about SOAPA and Cybersecurity. This is part 1 of a 2-part series.
Read the related ESG Blog: SOAPA Video with Kenna Security (Part 1)
Jon: Welcome back to the SOAPA video series. I'm here with the CEO of Kenna Security, Karim Toubba. Welcome, Karim.
Karim: Thank you.
Jon: Nice to see you. So let me start with a question that plagues me when I look at your space. Vulnerability management, vulnerability scanning is one of the oldest practices in security operations. Now, we're talking about SOAPA which is relatively new, so what's going on there that there're new requirements?
Karim: Yeah, it's quite interesting. Vulnerability management has been around for quite some time, 15, almost bordering on 20 years. The practice of vulnerability scanning full stack from network host all the way up to the application has been around and is quite mature. What's immature is how people deal with that data, how do they process what's now millions of vulnerabilities, how do they look at it through the lens of risk, and then how do they take action on it from a remediation perspective.
Jon: And how have they been doing this? Did they write the wrong code? Did they have multiple scanners? I mean, they have that information so how do they turn that into action?
Karim: Typically, what they've been doing is, especially historically, they've been building their own infrastructure, writing their own applications, putting it in a database. That's the most sophisticated end of the spectrum. The least sophisticated, believe it or not, and there are large companies doing this today, they put the data in a spreadsheet with macros enabled, scripts, maybe some threat intel data imported in there to then drive remediation. So the spectrum of maturity really varies depending on the organization, and also depending on the amount of technology and experience that they have.
Jon: And we wonder why people are getting data breaches.
Karim: It is interesting.
Jon: So what do you bring? What's new that Kenna does that we haven't done in the past?
Karim: So what we really do is really sort of put structure around this problem through three lenses, if you will. The first of which is, we take the data and normalize it across any and all scanners, full stack from network host all the way up to the application level vulnerabilities for static and dynamic scanners, but also from the endpoint to the network all the way through to servers and into ephemeral systems in the cloud. And then we look at it through the lens of risk which is great from a business perspective because both security operations people all the way up to executives and then ultimately up to boards are desperate for a common lexicon to talk about vulnerabilities as opposed to just talking about the Equifax breach and the associated Struts vulnerability, they want to understand something around the common language like risk.
Jon: And it seems to me that this is where we get to SOAPA that integration is a part of this because you're integrating all the vulnerability scanners, and then on the backend you're integrating this with threat intelligence. Is that correct?
Karim: Correct. We're careful to call it exploit intel, not threat intel. Our distinction really is largely the fact that we're really not worried about the who, we're worried about the how. So what's the volume and velocity with which these vulnerabilities full stack are being exploited in the wild, not inside of your network but what are people doing across the world, what tools are they using with which they're exploiting the data, which vulnerabilities are weaponized which is oftentimes a leading indicator of significant volume increase of these vulnerabilities in the wild.
Jon: Okay. So let's talk turkey here. SOAPA is all about operational efficiency because we don't have enough people, so how do we make our people more productive? So how does Kenna make my security operations team more productive?
Karim: Yeah, it's interesting. And we make not only security operations team more productive but IT ops.
Karim: And what's really been fascinating over the progression of us in the market over the last five years is really watching that sort of relationship between security and IT. You and I've been in security for a long time.
Jon: Long time.
Karim: And what's always interesting to me is when we walk into organizations, there's this tension that exists because we in the security world find the overwhelming majority of the problems. But if you think about the remediation path, patch a system, upgrade an open source stack, rewrite code, we don't own the remediation. Security typically owns things like network, filtering devices, maybe endpoint technology. And what we've seen is there's this tension where we find all the problems, run down the hall and then tell the IT or the DevOps or the application developers that their baby's ugly. And so what's really happening here is we're now enabling a much more focused perspective and a lens with which organizations are now driving the highest order prioritized remediation. And that enables us to really transform that relationship and allows security organizations to really now come and work with IT operations, instead of against them, to focus them on the things that matter.
Jon: So if I'm getting this right, I've got thousands of vulnerabilities...
Karim: Typically millions.
Jon: Millions of vulnerabilities?
Jon: I don't know what to do. You're looking through your magic...
Karim: That's right.
Jon: ...backend, machine learning, exploit intelligence and saying, "These are the five things you should focus on. Now you can work better, the security team can work better with IT ops."
Karim: Correct. And if you do, this is how much you'll reduce your risk score by, and then you can track that risk over time to understand the performance of the entire team, not just security but their IT counterparts that are now collaborating on reducing risk for the organization in a meaningful way that's making an impact efficacy.
Jon: Wow. You're hitting on some good points because I believe in 2018 getting this security team and the IT ops team working together should be a priority for all organizations, certainly for CISOs but for all organizations.
Karim: That's right.
Jon: Good stuff. Can you stick around for part two of the video?
Karim: Would be happy to.
Jon: All right, great. Well, look at our website for more on SOAPA.