"Most audits that I went through, including PCI, required the organization to define their risk tolerance in a security policy and then the org needed to adhere to it. At my prior job, we had a Vulnerability Management policy and we embedded the Kenna risk scores in it and defined an SLA for certain scores. If we did not do that then we would have to follow whatever the CVSS requirement was by the regulator. Audits actually became much easier with Kenna because using the risk based methodology is better in the long run."
- Katie Conners, Kenna CSE and former Fortune 500 Vulnerability Program Manager
Many customers approach PCI compliance believing that the PCI guide provides a set of hard-and-fast rules; in reality, it provides recommendations that offer a starting point. Using the Kenna scoring methodology for PCI compliance will help you meet your compliance obligations more quickly and efficiently.
From the PCI guide:
“All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.”
The first thing to keep in mind is that PCI compliance is asset-based, not vulnerability-based, meaning it focuses on remediating the vulnerabilities found on assets that fall within PCI scope. Therefore, the first step in meeting PCI compliance is determining which assets are in scope. Next, as a company, you must adopt a remediation policy that will satisfy auditors. The PCI guide uses the CVSS scoring system as one basis for building remediation policies. It suggests that a CVSS score of 4 or above is a PCI "fail" that requires remediation, but customers may instead adopt a policy that uses a different scoring methodology, and this is where the Kenna scoring methodology will greatly help.
Kenna uses real-time intelligence to predict the likelihood of exploitation and, with this data, helps you prioritize the vulnerabilities that are actually risky. CVSS measures only severity, so there are many more vulnerabilities with a CVSSv2 score of 4 or above than there are in the equivalent range of the Kenna score. Kenna uses a 100-point scale, so you can compare the difference in your own platform by checking the vulnerability count for CVSS 4-10 and then checking the count for Kenna scores of 40-100. There will be even more vulnerabilities to remediate if you use CVSSv3 (see "CVSS3: When Every Vulnerability Appears To Be High Priority").
Customers can and do implement remediation policies using Kenna scoring. However, the phrase "PCI Compliance" should be reserved for PCI Qualified Security Assessors (QSAs). Kenna can provide guidance on how to use Kenna for PCI compliance, but Kenna cannot guarantee compliance, as that depends on your organization's policy and actions. Kenna's role falls under PCI DSS Requirement 6, and many other requirements must be met in order to receive a clean Report On Compliance (ROC). Customers choosing to use the Kenna scoring methodology for PCI compliance will need to follow the steps below and document their decision. That documentation becomes supporting evidence when a QSA asks about your chosen risk methodology, vulnerability scoring and risk tolerance.
- Determine which assets are in scope.
  - Are they sufficiently segregated, or do you have a flat network?
- Decide on the risk methodology you will use and create a documented and approved policy.
  - Will you use the Kenna score? What is the lowest Kenna score you will require fixing to be compliant?
  - Will you stick with the CVSS score? Reporting and Top Fixes in Kenna will not function with this methodology because they are based on the Kenna score, but you can still group the assets in scope for PCI.
- Identify PCI assets in Kenna with tags from your scanning or asset management tool.
- Create a risk meter in Kenna for those assets based on how you identify them.
- Require patching based on your risk score methodology (what is the lowest score you require fixing?).
- Create SLA rules to assist with enforcing the patching policy in line with PCI remediation guidelines.
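As an added illustration of the steps above (example code written for this article, not Kenna's own code or API), the following Python evaluates a documented policy over constructed sample findings: it scopes assets by a PCI tag, compares how many in-scope vulnerabilities fail under the guide's CVSS 4+ rule against a Kenna-score threshold of 40, and flags findings that have exceeded their SLA. The tag name, the 40/70/90 score bands and the SLA day counts are assumptions standing in for an organization's own approved policy.

```python
from dataclasses import dataclass
from datetime import date
# Assumed policy values standing in for an organization's own documented policy.
PCI_TAG = "pci"                  # asset tag marking the cardholder data environment
CVSS_FAIL_THRESHOLD = 4.0        # PCI guide's CVSS-based "fail" threshold
KENNA_FAIL_THRESHOLD = 40        # lowest Kenna score the policy requires fixing
SLA_DAYS_BY_KENNA_BAND = [(90, 14), (70, 30), (40, 90)]  # (minimum score, days to fix)
AS_OF = date(2024, 3, 20)        # constructed reference date for SLA checks

@dataclass
class Vuln:
    asset: str
    tags: tuple
    cvss: float
    kenna: int
    found: date

def in_pci_scope(v):
    return PCI_TAG in v.tags

def sla_days(kenna_score):
    """Days allowed to remediate under the Kenna-score policy, or None if no fix is required."""
    for min_score, days in SLA_DAYS_BY_KENNA_BAND:
        if kenna_score >= min_score:
            return days
    return None

def compare_methodologies(vulns):
    """Count in-scope vulnerabilities failing under CVSS 4+ versus the Kenna threshold."""
    scoped = [v for v in vulns if in_pci_scope(v)]
    return {
        "in_scope": len(scoped),
        "cvss_fail": sum(1 for v in scoped if v.cvss >= CVSS_FAIL_THRESHOLD),
        "kenna_fail": sum(1 for v in scoped if v.kenna >= KENNA_FAIL_THRESHOLD),
    }

def sla_breaches(vulns, today):
    """Assets with an in-scope, must-fix vulnerability that is older than its SLA."""
    breaches = []
    for v in vulns:
        days = sla_days(v.kenna) if in_pci_scope(v) else None
        if days is not None and (today - v.found).days > days:
            breaches.append(v.asset)
    return breaches

SAMPLE = [  # constructed sample findings
    Vuln("pos-01", ("pci",), 9.8, 95, date(2024, 1, 1)),   # high on both scales, past SLA
    Vuln("pos-02", ("pci",), 5.0, 12, date(2024, 1, 1)),   # CVSS fail, Kenna says low risk
    Vuln("db-01", ("pci", "db"), 7.5, 55, date(2024, 3, 1)),
    Vuln("hr-01", ("corp",), 9.0, 90, date(2024, 1, 1)),   # out of PCI scope, ignored
    Vuln("pos-03", ("pci",), 4.3, 41, date(2024, 3, 10)),
]
```

On this sample, four in-scope findings fail under CVSS 4+ but only three under the Kenna threshold, and only `pos-01` has breached its SLA; the same counts from your own platform are what a QSA will want to see alongside the written policy.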
Note: While Kenna has a vulnerability filter called "PCI Related", this flag is derived from PCI vulnerabilities in a cardholder data environment as identified in the Qualys Knowledge Base. It is based on a CVSS score of 4 and above and will not apply to non-Qualys scanners. This flag does not tell you whether an asset is in scope: analysis specific to your organization is needed to confirm which assets are in scope, and your policy dictates which vulnerabilities must be remediated.