Why ‘Better Data Matters’ For Vulnerability Intelligence And Risk Ratings

Expert Insights interviews Jake Kouns, CEO and CISO for Risk Based Security

Risk Based Security (RBS) provides organizations with vulnerability intelligence, breach data intelligence and risk ratings. RBS offers extensive vulnerability and threat intelligence data, which allows organizations to more effectively manage their cyber-risks.

Established in 2011, RBS has customers around the globe, including large enterprises, nuclear power plants and medical device manufacturers. At RSA 2020, Expert Insights met with Jake Kouns, RBS’ CEO and co-founder, to talk through the RBS platform, the trends they’re seeing in vulnerabilities at the moment, and why having the best possible data for risk management is so important.

‘Built with data at the core’

Kouns describes RBS as first and foremost a data aggregation company. “We’ve always believed that better data matters,” he tells me. “With better data, you can make better risk decisions.”

RBS collects masses of data on vulnerabilities in hardware and software products. They track any time a company has a data breach, and then try to contextualize that data as much as they can. “We explore the who, what, why, when, where, how, anything we can find!” Kouns tells me. “By far we have the most comprehensive data out there. It sounds cocky to say it, but it’s true!”

The data they gather comes from a huge variety of places, Kouns explains. This includes news articles, data gathered from social media and online forums, or the deep web. Researchers then dive deeper into the data they gather, adding metadata and important information. They will also look at their customers’ platforms and search for vulnerabilities, identifying areas where they should look to update versions or plug security gaps.

This aggregated data is then pulled into threat intelligence feeds, where it’s used to power the three services that RBS offers customers: vulnerability intelligence, breach intelligence and risk ratings. These are delivered as subscription services.

“The data we collect is powerful,” Kouns tells me. “On the vulnerability side, we’re helping people move beyond just vulnerability scanning, we’re helping people to actually figure out what products are causing the most security problems, and what vendors don’t seem to care about security, and are putting you at risk for a data breach.”

“On the breach side, we’re helping companies to figure out what they should invest their money in. For a hospital in England, and a retail company in the US, there’s different things that are causing data breaches, and so there are different things that you should focus on.”

“What we do can be a lot! But really, it’s all about data, and helping companies to make better decisions.”

Why Better Data is Better Security

For Kouns, the importance of having the most powerful data to inform decision making cannot be overstated. He sees the overreliance on weak or incomplete data sets as being one of the major problems in the industry currently.

“Pretty much every vendor, especially in vulnerability management, is using data that’s freely provided by the US government,” Kouns explains. “The vendors will put some metadata on it, but the source is free, and pretty much all security vendors will use that. But it’s missing 73,000 vulnerabilities. Last year, they missed 8000 vulnerabilities.”

“I use the analogy of a doctor. Why would you go to a doctor that said to you ‘I can’t diagnose 33% of all these known issues?’ The approach we’re taking is giving people all the data, and then giving them the tools to prioritize the issues that they need to fix.”

Data Insights

The RBS platform collects massive amounts of data on breaches and vulnerabilities, giving them a unique insight into the types of vulnerabilities organizations are struggling with. Kouns tells me one of the major problems they see is that there are just too many vulnerabilities for organizations to manage in the most effective way.

“Last year was the worst year for data breaches,” Kouns says. “We tracked over 7000 vulnerabilities and 15 billion records that were lost. That means all the money that we’re spending, all the stuff that we’re doing, isn’t working.”

“Even for the best intentioned, smartest people, there’s just too much coming up. It’s also money and time to fix. So, it’s hard to point fingers at companies, and tell them they’re doing specific things wrong.”

Kouns says the rapid changes in technologies are another hurdle for organizations to overcome. Technologies change very quickly, and organizations are constantly looking at new vendors to work in complex, different environments. “As a security person,” he says, “you end up just playing this whack-a-mole game. You’re trying to do your best, but it’s a bad game to play.”

Kouns also points out that while scanning organizations for vulnerabilities is helpful, what’s more important is vulnerability intelligence, mapped to your organization’s assets.

“What we’re trying to tell people is, if you spend time on understanding your assets and a vulnerability comes out, you can take action and do analysis on day one.”

“When you take a risk-based approach to fixing vulnerabilities, it’s the best foundation, and the most important foundational investment you can make.”

Thinking of implementing a vulnerability intelligence and risk management platform?

Kouns’ advice to customers thinking of implementing a solution like Risk Based Security is to make sure that they look internally at their own networks and vendors.

“One of the things I continue to hear,” Kouns says, “is that sometimes people don’t take the time to figure out their own assets. I think you have to. I think as a security professional, you have got to take the time to figure out what you have in your company and only then can you start to figure out what you need to do.”

“No matter what, every company needs to understand themselves, understand their assets, and that will really help them to figure out the right course of action.”

To find out more about Risk Based Security, visit: https://www.riskbasedsecurity.com/