kras99 - stock.adobe.com
In response to a rapidly growing attack surface, Tenable Inc. launched an exposure management platform intended to help organizations prioritize threats.
Tenable One, released Tuesday, is an assimilation of previous products and partnerships including Tenable.io's vulnerability management and web application scanning, as well as the vendor's cloud security, attack surface management and Active Directory (AD) security offerings. The company's goal with combining these offerings into one platform is to improve data analytics and enable a more proactive security posture for customers.
The Tenable One platform also includes new capabilities, such as Lumin Exposure View, which stems from the company's 2018 introduction of Lumin, a risk analytics platform; Attack Path Analysis, which is designed to help security teams better mitigate threats; and Asset Inventory, which provides a comprehensive view of customers' IT assets.
While Tenable is known for its vulnerability management focus, fixing flaws alone might no longer suffice. The company said its shift to an exposure management platform is driven by the evolution and growth of the attack surface. In addition to keeping traditional software up to date, organizations have to worry about threats to the cloud, its data center and servers, along with protecting its AD, open source library exposures and security concerns around APIs.
Tenable's shift also highlights an ongoing problem where organizations fail to patch vulnerabilities in a timely manner, leaving them vulnerable to fixed flaws for months and sometimes years. For example, the Microsoft Exchange Server attacks from 2021 and the risks associated with unpatched VPNs that warranted continuous government alerts.
In a Tenable One white paper, the company called for a change to how vulnerabilities are handled.
"Traditional approaches to vulnerability management need to evolve into a comprehensive exposure management program, enabling users to translate data about assets, vulnerabilities and threats into actionable insights," Tenable wrote in the white paper.
The paper also issued a call for better communication "across the various infosec functions in the organization" to help different departments and constituencies respond to and address threats more effectively.
Common exposures and weaknesses
Misconfigurations, which have been a growing problem and concern for enterprises, were a focal point of Tenable's white paper. The vendor noted that threat actors need "the right combination of vulnerabilities, misconfigurations and identity privileges that will give them the greatest level of access the fastest."
Because organizations have so many assets in public cloud services, the most obvious exposure is misconfigurations, according to Nico Popp, chief product officer at Tenable. He added that when customers talk about cloud security, they typically start with misconfigurations, followed by vulnerabilities and excessive access.
"It's so easy for the DevOps guy to leave an [AWS] S3 bucket open to the internet," Popp told TechTarget Editorial. "Misconfigurations are definitely kind of the No. 1 issue in the cloud, but then you realize, I'm still running software. I'm still going to have containers with software and libraries."
To include a range of products to monitor a variety of security weaknesses, recent Tenable acquisitions contributed to the new platform, including cloud security vendor Accurics, operational technology company Indegy and Alsid, which specialized in securing AD.
Popp emphasized that the main idea of the platform is to bring all types of data together so that organizations can run analytics and prioritize their top 10 issues. Exposure management is all about examining weaknesses, he said. For example, one weakness could be that a company has granted too much access for certain types of roles, making it easier for threat actors to abuse the access and move laterally.
"I think this notion of exposure management platform is going to become a category of its own, which will be welcomed, because I think it's time," Popp said. "We've become more proactive than preventive."