Tenable CEO: ‘Lack Of Transparency Is The Single Largest Problem In The Security Industry’
‘For cloud vendors in particular and cloud infrastructure providers in particular, there’s a phenomenal degree of trust that’s placed in them and I believe a phenomenal responsibility which they need to both take seriously and provide transparency into how they’re performing so that their customers are informed of the risks that they’re undertaking,’ Tenable CEO Amit Yoran tells CRN.
Tenable Tuesday unveiled its new Tenable One platform that company CEO Amit Yoran strongly believes will help transform preventive security by more quickly and accurately identifying organizations’ vulnerabilities.
Touting Tenable One as an “industry-first exposure management platform,” Yoran also thinks Tenable One is a golden opportunity for channel players, particularly MSSPs, to tap into as a new revenue stream.
But Tenable One isn’t the only thing Yoran strongly believes in when it comes to cybersecurity. In the past, he’s been a vocal critic of companies such as Microsoft for not being transparent enough when it comes to breaches.
In an interview with CRN, Yoran, a graduate of the U.S. Military Academy at West Point and one of the founding members of the U.S. Department of Defense’s Computer Emergency Response Team, indicated transparency within the industry as a whole hasn’t improved much since his public tangles with other companies.
“I think the lack of transparency is, far and away, the single largest problem in the security industry and the problem from which all solutions and all paths out stem from,” said Yoran, who has led Columbia, Md-based Tenable since 2017.
Yoran believes more laws may be needed to improve transparency and accountability, as some companies are not acknowledging breaches when they happen.
“Hiding breaches and sweeping them under the rug, and misleading people as to the nature and severity of the breaches, really puts the entire industry at risk,” he said.
Following are excerpts from CRN’s recent interview with Yoran, who talked about a wide range of issues, including Tenable One, Tenable’s recent acquisitions, security transparency and accountability, and the economic headwinds ahead for the industry.
Where do you see the new Tenable One platform having the biggest impact in terms of stopping cybersecurity breaches?
In my experience, a lot of the cyber industry operates in silos, so people say, ‘We’re going to protect this or we’re going to build a solution for that’, or ‘We’re going to monitor this particular activity or technology.’ That’s very different than how adversaries operate, where they’re really looking at the target and they don’t care how they get in. They use combinations of techniques to get in and so Tennable One is a pretty aggressive step forward in that we’re really helping people look across their entire landscape and say, ‘OK, where do I have weakness?’ Or ‘Where do I have combinations of weaknesses which could be used by an adversary to get in?’ [Tenable One] allows you to figure out where the most efficient way to break those paths is and where you can most efficiently reduce risk.
How much did the technology from Bit Discovery, which you acquired earlier this year, get incorporated into this new platform?
The platform really provides a holistic perspective to exposure and risk. It’s really sort of the only platform of its kind. So the Bit Discovery piece, which is really about external attack surface discovery and extra external attack surface management, is a key piece of that puzzle. We, of course, look at your internal exposures and your internal vulnerabilities. We look at what you’re doing in cloud. We look at what you’re doing in your identity and identity management systems. And so the analytics that I think are most compelling are the things that show you what is the path from the outside, from that externally discovered asset, to your most critical internal asset that you’re most concerned about. It’s about making sure that you don’t have combinations of weakness along those paths.
How much of the Cymptom technology that you acquired earlier this year was integrated into this new platform?
Cymptom was a key piece. It’s really that attack path mapping—that attack path discovery—that we think is a missing ingredient in the security space. Instead of looking at things as silos, start looking at them as attack graphs. How do the combinations of weaknesses and exposures result in a breach of consequence? And that’s the type of thing that, when you’re looking at things from a platform perspective and you’re applying these types of analytics, you can really discover.
What are some of the new platform’s capabilities that partners will be able to bring to the table to midmarket and large enterprise customers facing a barrage of breach attempts?
The opportunity for Tenable and the opportunity for our partners is because Tenable is really one of the very few companies in the security space that are 100 percent channel-based in our distribution. We think the channel is incredibly important and incredibly strategic. And so the opportunity is really about engaging with their customers and to help them understand cyber risk.
There’s a lot of security products out there. There’s a lot of things to detect malware and authenticate users and do all sorts of things. [But ] if customers really want to understand their cyber risk, understand their exposure and how to manage that risk, we think this Tenable One platform is the premier way to do that. And, again, I think because we’re 100 percent dedicated to channel, we think there’s a great opportunity for them to discover where all of these exposures exist and help their customers reduce risk.
How big of a opportunity does this platform open up for MSPs struggling to get their arms around the complete zero trust architecture model?
I think it opens up for MSSPs in particular. I think it opens up a new revenue opportunity because these aren’t the traditional MSSP services, right? The traditional MSSP work, as you know, has historically been firewalls, intrusion detection systems. They started doing some endpoint work. This is an all-new revenue opportunity that is additive to MSSPs and their customers. [It’s] a new value-added capability and new revenue opportunity, helping them understand risk, in addition to the traditional MSSP work. So we think it’s a significant new market opportunity for MSSPs. And we’ve built the technology with the the MSSP partners in mind.
Switching gears, you have been vocal about the need for transparency in dealing with security issues, including Microsoft’s failure to acknowledge a critical vulnerabilityin Azure until you guys said it would go public. How big a problem is this in the industry, particularly with cloud service providers?
I think lack of transparency is, far and away, the single largest problem in the security industry and the problem from which all solutions and all paths out stem from. For cloud vendors in particular and cloud infrastructure providers in particular, there’s a phenomenal degree of trust that’s placed in them and I believe a phenomenal responsibility which they need to both take seriously and provide transparency into how they’re performing so that their customers are informed of the risks that they’re undertaking.
If you have a vulnerability in a cloud platform, even if you patch it, you still have a duty to inform your customers that there was a hole. Because that hole may have been exploited and your customers taken advantage of before you patched it. Hiding exposure from [customers] exposes them to risk that they‘re unaware of. I believe that’s not a sort of moral business practice.
Have you had similar incidents with other cloud providers or just Microsoft?
I think the most egregious case that we’ve seen has been from Microsoft. But I think that this responsibility for transparency is applicable to all and should be applicable to all.
Have you communicated directly with Microsoft on the need to respond swiftly to these issues and what has been their reply?
We have. We have a strong relationship with Microsoft. I think Microsoft is a very large ship on a course and heading and doesn’t move with great agility. So we haven’t seen a significant change in behaviors. But these issues don’t come up every day. So hopefully next time we engage, their response will be different.
You have called out other companies besides Microsoft. What other companies have you singled out for lack of transparency and who are the bigger offenders?
Over time, I’ve called out a number of folks. The higher-profile ones have been Microsoft and Okta in the past, specifically around their breach. I don’t believe that that was well-handled.
I think you can look at breaches and say this one was handled well and this one wasn’t. It’s usually, I won’t call it black and white, but it’s usually pretty black and white. You look at Mandiant and I think it was a perfect example of [transparency]. It was very quick to tell their customers and the market that they were breached. It’s important because other customers may have been at risk or vulnerable as a result. So even though they’re not a cloud infrastructure provider, they were very quick to disclose what they knew at the time. And then as their investigation continued, they discovered that the source of the breach was SolarWinds. I think that’s a perfect example of how transparency can help raise the game and the level of play for our entire industry.
Hiding breaches and sweeping them under the rug, and misleading people as to the nature and severity of the breaches really puts the entire industry at risk.
Given your background as a former founding member of the U.S. Computer Emergency Readiness Team, do you think we need better federal laws to mandate cybersecurity transparency?
I do think that increased regulatory pressure will be helpful to the industry, not hurtful, certainly around transparency and responsibility and accountability. So I think that would be helpful. Some might require new laws. Some might require interpretation of existing statutes. Some might require using the regulatory authorities that various departments and agencies might have. I think the SEC had a proposed ruling on requiring organizations to disclose their risk management practices, in addition to the breach notification. I think having CEOs of public companies attest that they’ve looked at their cybersecurity and that their cybersecurity practices are in accordance with the risks they face as an organization, I think that type of attestation would be phenomenal in terms of increasing time, attention and focus from corporate leadership and improving cybersecurity more broadly.
Given your participation now with the full attack surface in a platform approach to security, what do you see as the biggest cybersecurity threat at this point in time?
It’s a great question. I think the greatest challenge is organizations not doing the basic work. You know, being walled into a false sense of helplessness and saying, ‘Oh, these threat actors are so sophisticated and we’re going to get breached anyway.’ I think that’s simply not true. I think if you look at organizations, some are consistently being breached and others I think have fared far better. As a vendor and as a partner, we see the ones that are putting in the time and the effort—updating and managing their systems, applying their patches, designing their architectures in better ways—and we see them as much more resilient and less frequently impacted.
The markets are going through some tough times right now. And there’s yet more talk of an economic recession. Do you expect an economic downturn and, if there is one, what do you think its impact might be on partners and customers?
There are clearly many people who are better qualified to comment on what’s happening in the global macro environment and to forecast what might happen. But it’s clear we’re in a period of extreme economic turmoil. And I believe these economic challenges will be with us for some time to come. There’s some people that would say cybersecurity is not impacted. I’m not one of them. I believe any time customers’ economic circumstances are changed, they look at their operating spending and change their purchasing behaviors. It doesn’t mean they won‘t continue to prioritize cybersecurity. I believe they will. But if it impacts the market and impacts your customers, then it impacts you as well.