Tenable CEO on What's New in Cyber Exposure ManagementAmit Yoran Shares Why Tenable Has Doubled Down on Analytics and OT Security
Tenable wants to help the cybersecurity industry move away from traditional vulnerability management that's focused on giving customers a list of vulnerabilities. The company has instead embraced cyber exposure management to help customers understand where they're exposed, what that means from a risk perspective and how they can effectively manage and reduce their risk, CEO Amit Yoran says.
The Washington D.C.-area company has therefore expanded its purview to help customers assess their exposure not only in traditional IT environments but also in cloud environments, Active Directory deployments, operational technologies and elsewhere, Yoran says. It's imperative that organizations realize their attack surface is much larger and more complex than it used to be, he says (see: Tenable to Buy Bit Discovery to Find More Vulnerable Assets).
"The vulnerability management market has never been hotter and has never had a more strategic seat at the table," Yoran says. "You're seeing a lot of new entrants into the market, but I'm extremely confident that we produce the highest-quality data in the market by a long stretch."
During an Information Security Media Group interview at Black Hat USA 2022, Yoran shared his company's biggest bets around cyber exposure management and how that sets Tenable apart from the competition.
Tenable has stepped up analytics in areas such as attack path management to help security practitioners answer complex questions from management and the board, Yoran says. These analytics help customers determine which vulnerabilities are the most exploitable as well as identify the most efficient path for an adversary to access an organization's key assets, he says.
Embracing analytics has allowed Tenable to move away from providing customers with a long list of vulnerabilities, instead helping them determine the most effective way to prioritize security spending, Yoran says. Tenable leveraged its February acquisition of Cymptom to help businesses understand what the broad attack surface looks like and where they're most susceptible to compromise.
"We think we're well positioned, thanks to the accuracy of the data we provide, the coverage of the customers' attack surface we provide and the sophistication of the analytics that we have powered up," Yoran says.
From an OT perspective, Tenable communicates with devices in native protocols to identify them, see how they're configured and what they're connected to, and to passively monitor the environment from an attack detection and network monitoring perspective. The size and growth rate of the OT market presents a big strategic opportunity for Tenable going forward, Yoran says.
Tenable's understanding of IT risk and environments sets the company apart from pure play OT vendors that attempt to secure critical assets but lack visibility across the entire attack surface, Yoran says. The company's capabilities in everything from external attack surface mapping and attack path analytics to unified reporting and role-based access controls allow Tenable to deliver more robust OT protection.
"Security is more like a kaleidoscope, where you can't answer a question about the security of your OT environment if you don't also understand the security of your IT environment," Yoran says. "Having an OT solution that doesn't also understand the risk of IT is strategically incomplete. You have to understand identities and directory services in order to understand the security of your IT and OT."
Context and Competitive Landscape
Tenable wants to provide customers with more context around what threat actors are exploiting in the wild to both refine and leverage the analytics capabilities the company has honed, Yoran says. Tenable must have context around what's mission-critical in a customer's organization to help clients truly understand their risk and exposure rather than just add to their cyber noise, he adds.
Tenable has spent more on vulnerability management-focused R&D over the past half-decade than its two closest competitors combined, which has allowed the firm to deliver differentiated capabilities, Yoran says. Unlike competitors who have expanded their offerings to include everything from logging and SIEM to EDR and managed security services, Yoran says Tenable has remained laser-focused on risk.
"The three primary vulnerability management vendors have three very different strategies and they've been on divergent paths for a long time," Yoran says. "For us, the key to success has been and will continue to be that focus on helping people assess and understand risk."
Staying Away From Patch Management
Tenable rival Qualys has bet big on patch management, debuting an offering that's tightly integrated with the company's existing vulnerability management capabilities to cut the time between detection and patching. But Yoran doesn't see patch management as a smart investment since vulnerability management is handled by an independent audit team that can't actually change the IT environment.
The auditors that handle vulnerability management aren't typically responsible for server and desktop configuration, Yoran says. In addition, most enterprises have already made strategic investments in patch management tools such as Microsoft's SCCM or IBM's BigFix and would prefer that vulnerability management companies focus on tight integrations with patch management tools and ServiceNow workflows.
"In the enterprise market, we haven't seen that as a demand from our customers," Yoran says. "They would rather have us integrate with the strategic bets they've already made."
Using Business Rather Than Tech Metrics
CISOs find themselves in very different places when it comes to the maturity of their own application security and cloud security programs, and Yoran says Tenable has focused on helping them tie together different components of their security programs. Bringing data points together will help CISOs create a narrative around enterprise and cyber risk management that corporate leadership can understand.
Yoran urges CISOs to move away from metrics such as time to address flaws on Windows severs versus Linux servers when talking to corporate executives. Those findings won't mean much to them, he says. Rather, he believes CISOs must focus on creating narratives that are easily understood by the rest of the organization.
"CISOs need to think about cyber exposure management as something that they can build a program around," Yoran says. "They can leverage our platform to really help their companies quantify, characterize and define risk."