Grove Information Systems

Kenna Security - Vulnerability Risk Mitigation

Powered by Cyber Risk Context Technology, the platform leverages data science to accurately track, measure and predict real-world exploit activity across the enterprises’ global attack surface. With Kenna, security and IT Operations teams can finally align to proactively manage the vulnerabilities that matter most.

Features

• Ingest data from any vulnerability or application scanner
• Prioritise high-risk vulnerabilities based on live exploit intel
• Align IT and security efforts with business objectives
• No more spreadsheets!

Benefits

• Automated vulnerability analysis and prioritisation improves productivity
• Actionable remediation data increases efficiency
• Objective risk scoring improves collaboration between departments
• Real-time visibility into the organisation’s risk
• Metrics enable teams to monitor and measure risk reduction efforts
• Quantifiable data enables executives to make informed investment decisions

£6 a device

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

150942642954290

Contact

Philip Witheridge
+44 207 493 6741
pwitheridge@groveis.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Kenna works by processing existing vulnerability scanner data and applying it's own risk modelling to make the process of remediation a simpler one. ; ; It therefore works most major vulnerability scanners eg. Nessus, Qualys, as well as integration into ticketing systems such as Servicenow and Jira
• Cloud deployment model:
  • Private cloud
  • Hybrid cloud
• Service constraints: None that we know of
• System requirements: Browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Priority 1: Responded to within 1 min.; Priority 2: Responded to within 1 hour.; Priority 3: Responded to within 3 hours; Priority 4: responded to within 8 hours; ; Calls outside of business hours will be responded to within 30mins
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Base Support: Helpdesk / remote problem diagnosis and support.; Best-effort 'Ask the expert' assistance.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Online training exists as does onboarding documentation. ; Onsite or remote training can be provided if required.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Reports can be created and subsequent report data can be exported via CSV
• End-of-contract process: The contract includes full access to the system. Additional features can be enabled at a further cost such as app security

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: It renders on mobile, but does not have a specific mobile optimised version.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: They can create, query, update, search vulnerabilities, assets.; They can create, query, update, delete users, roles; They can search, query fixes and fixes groups; They can query asset groups
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: No
• Customisation available: Yes
• Description of customisation: The dashboard can be customised as well as the risk meters and what are included in them; Anyone with the relevant security permission/role can customise

Scaling

• Independence of resources: Kenna Utilises cloud scaling and automatically scales as and when needed

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Kenna

Staff security

• Staff security clearance: Staff screening not performed
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: In-house
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: No
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: This can be achieved either by exporting from a custom report to a csv, or directly from the API.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 24/7
• Approach to resilience: Information available on request
• Outage reporting: Email Alerts, there may be more but not know at this time

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
• Other user authentication: Kenna also supports singles sign on using SAML authentication.
• Access restrictions in management interfaces and support channels: Kenna implements levels of access privileges or roles called Role-Based Access Control, so that users can be assigned only the permissions they need to perform their respective functions. By default, no access to front and back-end services is granted to any employee and access is granted based only on operational need and at the Least Privilege necessary to perform the duty.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Need answer
• ISO/IEC 27001 accreditation date: Need answer
• What the ISO/IEC 27001 doesn’t cover: Need answer
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: Not known at this time
• PCI DSS accreditation date: Not known at this time
• What the PCI DSS doesn’t cover: Not know at this time
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • SSAE 16 Type II
  • Certified for HIPAA compliance
  • AES-256 (data at rest) and SSL/TLS (data in transit)
  • PCI-DSS
  • ISO/IEC 27001:2005
  • HIPAA

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: SSAE16
• Information security policies and processes: ISO/IEC 27001:2005

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Our code is tested via static analysis and dynamic scanning prior to; being deployed to our production environment. All code is deployed; using Reduced Attack Surface deployment, and we use generic; exception handling to help prevent information disclosure attacks.; Source code is also kept in a code repository with versioning controls.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: Security patches deployed within 24 hours, and minor patches within; 48 hours of public release and verification testing.; • Built-in platform protection and implementation controls to reduce risk; from common web-based threats, such as cross-site scripting attacks; (XSS) and cross-site request forgery (CSRF).; • Centralized logging and alerting.; Regularly scheduled vulnerability scanning using proprietary,; commercial and open-sourced tools. Full vulnerability management; and remediation using Kenna.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Regularly scheduled vulnerability scanning using proprietary,; commercial and open-sourced tools. Full vulnerability management; and remediation using Kenna.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: We have a documented incident response process, with personnel; available on a 24x7 basis to respond to information protection; incidents. We will notify company of an information protection incident; affecting their data within twenty-four hours of becoming aware of the; incident. If a security incident were to occur, we’d be willing to share; audit logs with the affected company for review.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  The solutions and services we offer to G Cloud procurement organisations typically require new skill sets for which we provide employment and follow on mentorship training and growth opportunities.

Pricing

• Price: £6 a device
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: 30 day POC

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.