Security Science

The first in a multi-part dive into the Prioritization to Prediction (P2P) research series by Kenna Security and The Cyentia Institute - guests Ed Bellis and Wade Baker discuss P2P Volume 1 which quantifies the performance of vulnerability prioritization and remediation strategies for the very first time.

Want more detail than Shodan queries? Need to figure out which devices have that new critical vuln and are exposed to the internet? Creator of Intrigue.io, Jcran discusses his creation and touches on the topics of digital fingerprinting and discovery tools.

The first episode in a Security Science mini-series called Risk, Measured - Kenna's Chief Data Scientist, Michael Roytman discusses the theory and components used to measure risk.

Recorded during the early days of the pandemic in 2020, Covid-19 thrust the concept of Zero Trust architectures into the security mainstream. Researcher, Builder, Hacker, Traveler, and Kenna's head of Security and Compliance, Jerry Gamblin discusses Zero Trust and the realities of the work required to truly adopt the architecture, probably bursting a few bubbles along the way.

In the very first episode of Security Science the Father of Risk-Based Vulnerability Management, Ed Bellis walks us through the history of Vulnerability Management. From the dark times before the CVE list and open-source scanners to the capabilities of today's best performing vulnerability management programs.

We discuss why the promise of automating cybersecurity has yet to be fully realized.

CVE data is often misinterpreted. Jerry Gamblin discusses why that is and what to look for to get the most out of CVE data.

We hop on the line with the Cyentia Institute to discuss our latest joint research, Prioritization to Prediction, Volume 8: Measuring and Minimizing Exploitability. The new report reveals that exploitability for an organization can, in fact, be measured and reveals the best strategies to minimize it.

We tackle a hotly contested debate as old as cybersecurity itself: does releasing exploit code do more harm than good?

We interview Collin Boyce, Chief Information Officer for the City of Tucson, Arizona and discuss his process of turning impossible ideas into real projects that achieve meaningful results.

Dive into a quick history of the CVE List as we kick off a quarterly update that tracks the progress of new CVEs issued.

We discuss and add some quantifiable data to a hot-button issue in the cybersecurity industry: responsible disclosure of vulnerabilities and exploits.

Continuing our miniseries into Risk, Measured: we go back to statistics class and discuss some of the characteristics of good metrics to help people understand what you should be looking for when you want to meaningfully quantify cybersecurity phenomena, program performance, or anything really.

Sometimes a number is just a number. Context - the information and environment around the number - is what really matters. We discuss how this concept holds especially true in vulnerability management and risk scoring.

We discuss the general lack of defensive perspectives in cybersecurity media and culture, how that impacts perceptions and decision making, and what we can do about it.

We discuss the application of power law distributions to cybersecurity.

We look at the phenomena of exploit code moving from traditional and cybersecurity-centric databases like Exploit-DB and Metasploit and instead being published on Github. Is Github becoming a de facto database for exploit code?

We look at the phenomena of exploit code moving from traditional and cybersecurity-centric databases like Exploit-DB and Metasploit and instead being published on Github. Is Github becoming a de facto database for exploit code?

Kenna Security recently celebrated its 10-year anniversary on Dec. 10th, 2020; so we decided to do what we do best and take a data-based (and rare) review of the top vulnerabilities from the past decade, year-by-year.

Kenna Security recently celebrated its 10-year anniversary on Dec. 10th, 2020; so we decided to do what we do best and take a data-based (and rare) review of the top vulnerabilities from the past decade, year-by-year.

We discuss the security and privacy of connected gifts this holiday shopping season.

We discuss the security and privacy of connected gifts this holiday shopping season.

We welcome a special guest from VMware Carbon Black to discuss the state of cloud infrastructure and security, primarily through the lens of vulnerability management today, tomorrow, and far into the future.

We welcome a special guest from VMware Carbon Black to discuss the state of cloud infrastructure and security, primarily through the lens of vulnerability management today, tomorrow, and far into the future.

Jerry Gamblin gives us a pre-thanksgiving primer for Amazon AWS re:Invent 2020, which will be held from Nov. 30 - Dec 18th on a computer monitor near you.

Jerry Gamblin gives us a pre-thanksgiving primer for Amazon AWS re:Invent 2020, which will be held from Nov. 30 - Dec 18th on a computer monitor near you.

We discuss the sixth and latest report in our ongoing dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 6: The Attacker-Defender Divide looks at exploitation events from 2019 to analyze the momentum shifts between cybersecurity hackers and the teams defending organizations from attack.

We discuss the sixth and latest report in our ongoing dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 6: The Attacker-Defender Divide looks at exploitation events from 2019 to analyze the momentum shifts between cybersecurity hackers and the teams defending organizations from attack.

Will Docker’s download rate limits kill containers as we know them today?

Will Docker’s download rate limits kill containers as we know them today?

We discuss the fifth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 5: In Search of Assets at Risk.

We discuss the fifth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 5: In Search of Assets at Risk.

We discuss the challenges managing risk in 3rd party code from things like Open Source Software libraries.

We discuss the challenges managing risk in 3rd party code from things like Open Source Software libraries.

We discuss the fourth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 4: Measuring What Matters In Remediation.

We discuss the fourth report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 4: Measuring What Matters In Remediation.

We discuss the evolution of cybersecurity metrics and reporting to Boards of Directors.

We discuss the evolution of cybersecurity metrics and reporting to Boards of Directors.

We discuss the third report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 3: Winning the Remediation Race looks at (1) how quickly and (2) how many vulnerabilities a given organization can handle. Answering two key questions: Can organizations remediate all of the new vulnerabilities in their environments? If not, can organizations remediate all of the new High-Risk vulnerabilities in their environments?

We discuss the third report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction volume 3: Winning the Remediation Race looks at (1) how quickly and (2) how many vulnerabilities a given organization can handle. Answering two key questions: Can organizations remediate all of the new vulnerabilities in their environments? If not, can organizations remediate all of the new High-Risk vulnerabilities in their environments?

Today on Security Science, we have a special around the virtual table with some of the biggest names in cybersecurity discussing a wide range of topics like securing remote workers, whether companies are really moving to the cloud, and the impact of the 2020 presidential election.

Today on Security Science, we have a special around the virtual table with some of the biggest names in cybersecurity discussing a wide range of topics like securing remote workers, whether companies are really moving to the cloud, and the impact of the 2020 presidential election.

We discuss the Exploit Prediction Scoring System (EPSS), the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure.

We discuss the Exploit Prediction Scoring System (EPSS), the first open, data-driven framework for assessing vulnerability threat: that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure.

We discuss the second report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction, Volume 2: Getting Real About Remediation picks up on the overall vulnerability landscape analysis from Volume 1 and dives deep into the vulnerability landscape from within actual enterprise networks (a little over 500 of them to be exact).

We discuss the second report in our multi-part dive into the Prioritization to Prediction research series by Kenna Security and The Cyentia Institute. Prioritization to Prediction, Volume 2: Getting Real About Remediation picks up on the overall vulnerability landscape analysis from Volume 1 and dives deep into the vulnerability landscape from within actual enterprise networks (a little over 500 of them to be exact).

How does the spread, detection, and response to viruses like COVID-19 compare with cybersecurity practices today? In the second episode of our Risk, Measured series we talk to special guest, Northeastern University Assistant Professor, Sam Scarpino about how Epidemiology relates to cybersecurity.

How does the spread, detection, and response to viruses like COVID-19 compare with cybersecurity practices today? In the second episode of our Risk, Measured series we talk to special guest, Northeastern University Assistant Professor, Sam Scarpino about how Epidemiology relates to cybersecurity.

We chat about the state of everyone’s favorite buzz technology: Threat Intelligence with our favorite internet fingerprinter, Kenna’s head of research, Jcran. Joining us is a special guest, longtime pentester, infamous internet listener, and founder of GreyNoise Intelligence, Andrew Morris.

We chat about the state of everyone’s favorite buzz technology: Threat Intelligence with our favorite internet fingerprinter, Kenna’s head of research, Jcran. Joining us is a special guest, longtime pentester, infamous internet listener, and founder of GreyNoise Intelligence, Andrew Morris.