Say Goodbye to Kenna — Say Hello to Local Models at Scale

Last week, Cisco announced the End of Life of Cisco VM (Kenna Vulnerability Management), a company and product I spent the better part of 13 years building. Needless to say, this brought me through the whole range of emotions, but it also served as a great way to reflect on that time.

The early days were both exciting and very hard. I cofounded Kenna Security (yes, Kenna was the last of 3 company names) with Jeff Heuer back in 2010 out of a pain point I was experiencing directly as the CISO of Orbitz. We knew prioritization was becoming the problem in vulnerability management and data was a way to solve this. But there was no such thing as “Risk Based Vulnerability Management” back then. Most people were scanning and praying, trying to use CVSS as best as possible but falling behind. We had some dumb luck along the way, running into a treasure trove of data around exploitations while working with Roger Thornton and Jaime Blasco in the early days. This really helped begin to establish RBVM as a market, and before you knew it we had identified a number of data sources to help prioritize these issues for our customers.

Building a business is full of challenges but also incredibly exciting. As we grew and took on more customers, it was rewarding to see your product used by some of the largest enterprises in the world in positive ways that helped them solve real challenges. I will never forget getting a text from a large retail and healthcare CISO telling me they had finally achieved their risk based goals as an org and were celebrating internally. Even if they would continue to improve those in the years to come, it was a great milestone and I felt personally part of it.

Along the way we began to see the challenges broaden and evolve for our customers. Vulnerability management programs were now starting to broaden to exposure management, looking at all different types of security weaknesses. We also started to hear, “it’s great that you can quantify the likelihood of this vulnerability being exploited somewhere, but what about me?” These same customers had begun to collect a lot of valuable data in SIEMs and security data lakes. Data that could prove to be very valuable when constructing predictive models of vulnerabilities and weaknesses. But we weren’t in the professional services field, so building custom solutions wasn’t in the cards for us. As a product company, we would have had to train and maintain thousands of models side by side, and at that time the MLOps infrastructure and tooling wasn’t there yet.

Then along came Cisco. As a founder this was truly exciting. The opportunity to expose the product that you built to an entirely new world of customers. Customers who, in some cases, had never even heard of you before. We met with some of the folks there like Al Huger, and knew this would be a great home for our customers, our product, and our people. Unfortunately, it didn’t work out that way. Many of those folks left Cisco, and when tough decisions had to be made, Kenna and its customers were on the chopping block. Seeing the writing on the wall internally, it pained me but I knew it was time for me to go.

I took some time off to reflect and spend time with my family (and maybe a few baseball games too). Along the way I started talking to Michael and Jay (and jcran) about what was next. It became apparent that we could take our learnings and the evolution of this space and do what customers had asked but we couldn’t deliver on before. But creating a market isn’t easy. I swore I would never do it again but…

Here we are. At Empirical Security we aren’t building Kenna 2.0. We are building to where this market and problem are heading. How do I completely manage all of my security exposures, and how do I do that with data, evidence, and science, not dogma? We’re no longer answering the question of what risks are out there in the wild – we all know that, we understand it, we’ve done it. We’re answering a question that’s never been answered before: what risks pose a threat to YOU, your organization, based on your unique characteristics?

We have several Fortune 500 companies in the design partner stage, and things are moving much faster than they ever did at Kenna. We’re excited to continue.
