Armed with these new capabilities, Tenable users will be equipped to see everything, predict what matters most and act to address cyber risk so they can effectively align their cybersecurity initiatives with business objectives.
"How secure are we?"
It sounds like a simple question, but security pros know arriving at an accurate answer is anything but simple. For example, consider the following:
- Only 53% of all organizations have a holistic understanding of their attack surface.[1]
- On average, an enterprise must address more than 870 vulnerabilities impacting 960 assets — each and every day.[2]
- Fewer than half of security leaders can frame the impact of cybersecurity threats within the context of a specific business risk.[1]
Calculating and communicating cyber risks in a language that non-technical business leaders can understand is hard. And it becomes even more difficult when your attack surface dramatically expands. Digital transformation and the current work-from-home economy have converged to cause a surge in new and different types of assets connecting to your organization — a trend that is likely to continue for the foreseeable future. This is the challenge we at Tenable are working to solve to help you align your cybersecurity initiatives with core business objectives.
Our vision? To take you beyond traditional vulnerability management with a Cyber Exposure Management platform that enables you to see and continuously assess your modern attack surface, predict which vulnerabilities pose the greatest business risk and act with confidence to effectively reduce risk. The ability to see, predict and act is foundational to a strong Cyber Exposure Management practice.
Today, we announce a series of new and exciting capabilities to help you better manage, measure and reduce cyber risk across your modern environments. Taken together, these new capabilities represent the three core pillars of our Cyber Exposure Management platform.
Achieving visibility across your entire attack surface is job No. 1 for cybersecurity professionals. There are many good reasons why asset inventory and assessment are at the top of many security frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Center for Internet Security (CIS) Controls. It's critical for you to be able to discover and assess all assets across your attack surface, including cloud instances and operational technologies (OT). New SEE capabilities include:
- Frictionless Assessment for Amazon Web Services (AWS). Over the past 20 years, Tenable has pioneered both active scanning with Nessus and passive monitoring with Nessus Network Monitoring to provide the most comprehensive view inside your organization. Now, we have unveiled Frictionless Assessment, which is a groundbreaking approach to analyzing cloud assets without the need to deploy scanners, agents or any other software. This new sensor technology uses cloud-native services to continuously maintain inventories and reassess instances without interruption. You can gain visibility into your exposures as new vulnerabilities are published and your cloud environment changes, all without having to manage scan schedules, credentials or agents. Frictionless Assessment will be available in Tenable.io later this quarter and will support AWS EC2 instances at launch.
- Tenable.ot Integration for Tenable.io. Tenable.io now fully supports Tenable.ot to deliver unified visibility, security and control of converged and distributed IT/OT environments. As cloud becomes a more attractive, efficient and cost-effective way of securing OT environments, Tenable.io users can obtain a single view of security issues for all IT, cloud, web app and OT vulnerabilities — and deliver relevant information to the right stakeholders at the right time. You can also take advantage of pre-configured dashboards to provide a complete picture of OT cyber risk. This integration is available today.
Predict What Matters
Security teams are overwhelmed by vulnerabilities. It doesn't help that vulnerability prioritization processes based on the Common Vulnerability Scoring System (CVSS) rate more than half of all new vulnerabilities as high or critical severity. Yet, Tenable Research finds that public exploits are available for only 7% of these Common Vulnerabilities and Exposures (CVEs) and only a fraction are used in attacks. Threat intelligence coupled with business context and data science can help you anticipate which vulnerabilities are most likely to be exploited on which assets. New PREDICT capabilities include:
- Exposure.ai. As the foundation to Tenable's predictive technologies, Exposure.ai continuously analyzes more than 20 trillion aspects of threat, vulnerability and asset information using machine learning algorithms to predict critical exposure points before they can be leveraged in an attack. Exposure.ai powers Predictive Prioritization (introduced in 2019) and Predictive Scoring (detailed below) to help you focus on the security issues that matter most. Exposure.ai is available today and powers Tenable.io, Tenable.sc, Tenable.ot and Tenable Lumin.
- Predictive Scoring. One of the key challenges facing security professionals is finding a way to obtain a richer set of data from assets for which they lack admin credentials, either due to operational challenges or organizational silos. While the simple answer to this problem is for an organization to mandate 100% authenticated scan coverage, the reality is that many types of assets cannot be assessed with credentials or even with local agents. In fact, according to Tenable Research, security organizations have credentials for only 40% of the assets they scan. This creates a visibility gap, as unauthenticated scans can examine only publicly visible information and are unable to provide detailed information about assets. Tenable Research reveals that authenticated scans detect 45x more vulnerabilities than external, unauthenticated scans. To solve this visibility gap, Predictive Scoring infers the potential exposure of assets assessed by unauthenticated scans. How does it do this? By leveraging the Exposure.ai data lake to identify similar assets assessed by authenticated scans based on OS, device type and open ports detected, and by using machine learning algorithms to evaluate the criticality of vulnerabilities found on those similar assets. This helps to guide security teams to identify and improve visibility to areas of potentially high risk. Predictive Scoring will be available in Tenable Lumin later this quarter.
Act to Address Risk
Once you know and prioritize your exposures, you have to take action. This means deciding whether to remediate or mitigate if remediation isn't an option. But don't forget about maturing your overall processes to identify any shortcomings or gaps in your security hygiene to drive improvement. Peer benchmarking and the ability to communicate cyber risk in clear and concise language are essential. New ACT capabilities include:
- Remediation Maturity. Timely remediation of high risk and critical security issues is a differentiating attribute of security organizations. Attackers have a seven-day window to exploit a vulnerability before a defender is even aware they are vulnerable, so security teams need to step up their game. Remediation Maturity is a new capability in Tenable Lumin that helps you measure the speed and efficiency of remediating vulnerabilities and compares your process maturity against external peers and Tenable best practices. The combination of Assessment Maturity (measuring the frequency and depth of your assessments) coupled with Remediation Maturity is a real game-changer for security teams looking to optimize their processes. Remediation Maturity is available in Tenable Lumin today.
- Mitigations. For some assets, timely remediation of security issues may not be possible. For others, remediation might be too costly or break service-level agreements. Mitigations is a new capability in Tenable Lumin to help you evaluate alternatives to remediations. It provides an inventory showing which of your assets have endpoint security controls so you have a more complete and accurate picture of your exposure and helps you understand whether mitigating controls are deployed and operating as expected. Mitigations will be available in Tenable Lumin later this quarter.
Take the Next Step
We will be discussing these and many other exciting capabilities at EDGE WEEK 2020, October 5-9. Register now for an entire week of cybersecurity thought leadership, original research and hands-on training. I hope you will join us!
In addition, please reserve your spot now for our upcoming webinar, "See, Predict, Act: Innovative Approaches for Overcoming Cyber Risk," at 2:00pm ET on October 28, where we will be providing a more in-depth overview and demo of each of the new capabilities discussed today. Looking forward to seeing you there! In the meantime, check out this page to learn more about this exciting launch.
[1] "The Rise of the Business-Aligned Security Executive," a commissioned study conducted by Forrester Consulting on behalf of Tenable, August 2020. Base: 416 security leaders with responsibility over cybersecurity/security strategy and budgets.
[2] "Vulnerability Intelligence Report," Tenable Research, November 2018.