Q&A: Tenable provides security for code, clouds and containers through AWS
As cloud innovations drive the proliferation of new technologies at an ever-increasing scale, the rapid pace of development and deployment can often come at the cost of effective security protocol. In a market so reliant on vulnerable data, developers and security professionals are sharing learnings and working together to prevent against risk and bridge process gaps for good.
Nathan Dyer (pictured), senior product marketing manager at Tenable Inc., spoke with Jeff Frick (@JeffFrick), host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the AWS Marketplace and Service Catalog Experience Hub event in Las Vegas. They discussed the current state of security and how Tenable is helping the market identify and prioritize risk. (* Disclosure below.)
[Editor’s note: The following answers have been condensed for clarity.]
Give us an overview of Tenable.
Dyer: We assess, manage and measure cyber risk across [an] entire organization [by answering] four fundamental questions around security. How exposed are we? How do we prioritize based on risk? How are we doing over time from a measurement standpoint? And how do we compare with our peers?
Nessus, one of our flagship brands, turned 20 earlier this year, but we’ve added SecurityCenter, now renamed Tenable.sc, our [on-premises] vulnerability management solution. Tenable.io is our cloud-based vulnerability management solution, built on AWS.
How has the growth of the container world impacted the securities base?
Dyer: It’s massive; containers are everywhere. A lot of our large AWS customers love containers; they’re moving more and more workloads to be containerized. From a securities standpoint, that introduces a lot of challenges. The short life cycles of containers makes it hard for us to assess or discover them. They’re part of the whole immutable infrastructure phenomenon; you can’t patch it in production. Infrastructure is code. You have to tear down the container, fix the image, and then redeploy.
We secure containers by focusing on the container image. As developers are spinning up new code, compiling new builds, creating new container images, security has to be a critical part of that quality-assurance process. If you’re focusing on development, you have a much greater chance of making sure vulnerable container images are not escaping into the wild.
You have to get the developers and security teams to talk, [and] have a shared understanding of goals, responsibilities, [and] priorities. When security is focused on solving for vulnerabilities and looking for security issues, that’s improving code quality. On the flip side, security teams can learn a lot about agile development. Bringing DevOps into the security discipline and helping security teams leverage automation, continuous testing, and continuous delivery makes them much more scalable and productive in their organizations.
So you guys are selling through the [AWS] Marketplace. How has that been for the company?
Dyer: Amazon is a great partner. Tenable.io, our cloud-based vulnerability management solution, is built on Amazon. We’ve been selling Nessus for quite some time through the Marketplace. If you’re a Nessus, Tenable.io or Tenable.sc subscriber, you get access to unlimited Nessus scanners and can provision them very easily through the Marketplace.
Customers who prefer to buy through [the] AWS Marketplace can do so with a couple of clicks and be provisioned and get up and running with Tenable.io. We want our customers to purchase through the channel they’re comfortable with.
You guys came out with the “Vulnerability Intelligence Report.” Share some of the current trends. How’s the landscape changing?
Dyer: What we discovered is that security teams are just bombarded with vulnerabilities. Last year in 2017 we saw over 15,000 [Common Vulnerabilities and Exposures] and unique vulnerabilities hitting the marketplace. By the end of this year, we’re expected to be between 18,000 and 19,000 vulnerabilities. The trend is going up. What makes matters worse is that when you start looking at those 19,000 vulnerabilities, over 60 percent are classified as either high risk or critical.
We’re helping our customers [and] the market at large understand the true vulnerabilities that could be easily exploitable. We have our data science team looking at the characteristics of vulnerabilities, which ones would be leveraged by the bad guys and which ones would not be. We significantly boil that number down so organizations can focus on only five percent of the vulnerabilities that they otherwise would be chasing. Prioritization is critical.
Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the AWS Marketplace and Service Catalog Experience Hub event. (*Disclosure: TheCUBE is a paid media partner for the AWS Marketplace and Service Catalog Experience Hub event. Neither Amazon Web Services Inc., the event sponsor, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We are holding our third cloud startup showcase on Sept. 22. Click here to join the free and open Startup Showcase event.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.