It’s a big day for risk-based vulnerability management! Tenable just delivered Lumin for their Tenable.io customers, the RBVM offering it announced 18 months ago.
We want to welcome Tenable to the RBVM space. We see Tenable’s entry into this market as validation of the need to prioritize vulnerabilities, communicate risk, and enable collaboration between security and IT. (There’s been plenty of other validation, of course, including awards and recognition from industry influencers like Gartner and Deloitte.)
But we get it: This stuff is hard
We know Tenable has been working on this for years, so we weren’t surprised when they aggressively pre-announced Lumin 18 months ago. But the problem with aggressive pre-announcements is that they aggressively set expectations. So now that Lumin has finally arrived, it struck us that the marketplace may have been wondering why, for the past year and a half, it was hearing about Lumin but not seeing it.
We have a pretty good idea why it took this long for Lumin to materialize. Here are a few reasons:
- RBVM isn’t something you can just throw together. We pioneered this space eight years ago, and even after earning multiple patents – most recently for our exploit prediction capabilities – we’re still improving our game because threats never stop. So we feel for anyone trying to enter the market at this point. It must be a little like trying to parachute onto a speedboat. It’s a great trick if you can pull it off, but you’ll probably wish you’d jumped on when everyone else was boarding.
- It helps when your technology is born in the cloud. Premise-based, legacy security solution vendors have struggled mightily to move their products to the cloud. Results have been mixed, and there’s always the problem of establishing parity between earthbound and cloud versions of the same solution. Some features are offered here but not there, etc. When you’re a pure cloud solution, you don’t have that legacy baggage to lug around.
- Scaling RBVM is a challenge. Scalability means many things. Of course it means the ability to protect millions of enterprise assets. That’s table stakes. But it also means analyzing 5.5 billion vulnerabilities every hour. Not to mention establishing an enterprise-class RBVM operational model that allows for efficient, reliable prediction and prioritization, along with mobilizing that model to solve second-order problems like rapidly scoring and remediating new vulnerabilities with new algorithms. (Check out the extensive industry research we’ve conducted with the Cyentia Institute to study best practices that inform our own operational model and that of our enterprise customers.)
- You need to bolster world-class threat visibility and enterprise-class analytics. The good news is that external threat intelligence sources are plentiful. The bad news is that you need them in your solution. We know firsthand that it takes some serious integration work to amass nearly 20 independent sources of external threat intel. But that’s just the beginning. You also have to make strategic use of that intel to predict how and when a vulnerability is likely to be weaponized—and then determine the threat it poses to a particular enterprise. So for years we’ve run billions of observations through those models to teach our patented machine learning platform to make reliable predictions. (And we give the entire industry a clear view of our methods, allowing virtually anyone to learn about the factors that shape our machine learning algorithm. And yes, that includes our competitors.)
- You need to support your customers’ tools and processes – no matter how many. Asset and vulnerability information can come from a lot of places, not just a single scanner. Organizations have vulnerability scanners, CMDBs and asset management systems, endpoint protection and EDR tools, as well as ticketing and defect tracking. RBVM isn’t just a dashboard; it makes data actionable no matter what the user’s role is in the vulnerability management process.
- Enterprise RBVM isn’t just about infrastructure. If you’re not enabling your customers to manage the risk to their applications, then you’re ignoring one of their biggest potential exposures. At a minimum, an enterprise vulnerability management program needs to intake vulnerabilities from Dynamic and Static Analysis tools, Software Composition Analysis and bug bounties. Even the Verizon DBIR calls this out as one of the primary sources of breaches.
We know what’s ahead for Tenable Lumin, because we’ve spent the last eight years scaling that wall. It’s steep and it’s challenging. But you go, Lumin. We believe in you!
Just one word of advice for the Tenable team, though: Don’t wait another 18 months to deliver your next product update. In the RBVM market, that’s not just a long time. It’s a lifetime.
To see what industry-leading RBVM is all about, request a demo of the Kenna Security Platform.