Nathan Dyer, Tenable | AWS Marketplace 2018

>>From the Aria Resort in Las Vegas, it’s theCUBE. Covering AWS Marketplace. Brought to you by Amazon Web Services.
>>Hey, welcome back everybody, Jeff Frick here with theCUBE. We are kicking off three crazy days at AWS re:Invent. It is the place to be the week after Thanksgiving. There’s got to be 50,000 people, we haven’t got the official word, but it’s packed and it kicks off tonight with a reception. We’re here at the AWS Marketplace and Service Catalog Experience over at the Aria, in the quad, come check us out. A lot of good stuff going on. A lot of fun stuff going on. And we’re excited to have first time to theCUBE, he’s Nathan Dyer, Senior Product Manager for Tenable. Great to see you.
>>Jeff, great to be here. Thanks for having me.
>>Yeah, have the energy, they opened the doors, the people are streaming in.
>>I don’t know if it’s the food or the drinks or the vendors.
>>All of the above. Probably more the food and the drinks. All right. So give us an overview of Tenable for people who aren’t familiar with the company.
>>Yeah, so Tenable, we are the cyber exposure company. We help organizations assess, manage, and measure their cyber risk across their entire organization, across their monitored attack surface. And so what we try to do is help answer four fundamental questions around security. How exposed are we? How do we prioritize based on risk, how are we doing over time from a measurement standpoint, and then how do we compare with our peers? And so, if you haven’t heard of Tenable, chances are you’ve heard of Nessus, which is one of our flagship brands. Nessus just turned 20 years young earlier this year. If you’re a pen tester, if you’re a consultant, if you’re a practitioner, you know Nessus. But over the years we’ve added some other brands as well. Security Center which is now renamed which is our On-Prem vulnerability management solution. And then which was released in 2017 which is our cloud-based vulnerability management solution and built on AWS.
>>Right. So I was doing some research, I love your guys’ little mantra here, it’s security for code, for clouds and containers. You got all the C’s there. The containers, you know, what’s going on with Docker over the last couple of years and now obviously the huge groundswell with Kubernetes, you know this container thing, depending on who you talk to has been around for a long time but it certainly didn’t have the momentum. How’s the kind of the growth of the container world impacted the security space?
>>Oh, it’s massive. Containers are everywhere. In fact there’s a strong affinity to cloud and containers. So a lot of our large AWS customers love containers. They’ve been dabbling with containers for quite some time. They’re moving more and more workloads to be containerized and on Kubernetes, Dockers, et cetera. From a security standpoint that introduces a lot of challenges, right. The short-lived life cycles of Docker containers make it very hard for us in security to assess or discover them. They’re part of the whole immutable infrastructure phenomenon, so you can’t patch it in production, right. Infrastructure is code. You have to tear down the container, fix the image and then redeploy. So from our perspective, we think you have to secure containers by focusing on the container image. Specifically as developers are spinning up new code, compiling new builds, creating new container images, is it running quality assurance checks? Security has to be a critical part of that quality assurance process. As you’re doing integration tests, unit testing, API testing, security has to be a critical test looking for vulnerabilities and malware as part of that process.
>>But the rate of change in those images is pretty high. I mean, the rate of deployments is super high, but like you said a lot of them have short life spans, they’re up or they’re down. So, have people baked that in to their process? I mean, obviously, I hope they are. Or how are you helping them to make sure that security is a really key piece to that image. Because once that image goes out it has access to all kinds of things.
>>So, the new news with containers, and then by focusing on the image it forces security teams to talk to their development peers. In order to secure DevOps and secure containers, security has to be embedded into continuous integration, into continuous delivery cycles or systems. And if you’re focusing on development, you have a much greater chance of making sure that vulnerable container images are not escaping into the wild. And you guys should get a hold of those vulnerable images and make sure they adhere to policies before they’re released into production. So that’s the new news.
>>Well, it’s funny because you reference the DevOps. ‘Cause DevOps has now been around for a while and clearly is the way the code gets deployed in a very rapid iteration. So there are some significant lessons from the DevOps security angle that you’re now using then on the container side.
>>Yeah, well first thing with secure DevOps and DevOps in general, is that you have to get the developers and security teams to talk. You have to have a shared understanding of what makes each other tick. What are the goals, what are the responsibilities, priorities, understand each other and it turns out there’s actually a lot of shared understanding and mutual benefit between infosec and application developments. When security is focused on solving for vulnerabilities and looking for security issues, that’s improving code quality. That’s removing some of the software defects from the development code and developers love that. They love producing high quality code. On the flip side, security teams can learn a lot about agile development. DevOps principles. Bringing DevOps into the security discipline, and help security teams start to leverage automation and continuous testing, continuous delivery, and make them much more scalable and productive in their organizations. So there’s a lot of mutual understanding there.
>>Right. So I’d imagine there’s a lot of, kind of similarities between classic waterfall and the moat, versus now kind of the DevOps and the continuous and ongoing constant process.
>>That’s exactly right.
>>Yeah. So we’re here at the AWS Marketplace. So you guys are selling through the marketplace, how has that been for the company? How has the experience been working with the AWS Marketplace team?
>>Oh, it’s been great. I mean, Amazon is a great partner to work with. which is our cloud-based vulnerability management solution is built on Amazon. We have a great relationship with Amazon engineers. Now for the marketplace, we’ve been selling Nessus for quite some time through the marketplace. So if you’re a Nessus subscriber, if you’re a or Security Center or subscriber, you get access to unlimited Nessus scanners and you can provision them very easily through the marketplace. It’s super easy. Just recently, we now unveiled through the marketplace and so far it’s been a great success. Now customers who prefer to buy through Amazon marketplace, AWS Marketplace, can do so with a couple of clicks and be provisioned and get up and running with It’s super easy, you can learn about the product. Kick the tires with a free evaluation, and really provision the product very simply.
>>Yeah, I would imagine the touch from your guys’ side goes down significantly when they’re just coming right through the marketplace.
>>Exactly. That’s the idea. Make it super easy for customers to invest in and get a great experience in doing it.
>>What about your own sales guys though. Is there a little channel conflict? They’re like hey, come on, I want to sell that thing, we don’t want to go through Amazon.
>>Not at all. Our mantra is we want our customer to purchase through the channel they’re comfortable with. And if they want to purchase through the AWS Marketplace we have a channel for them, if they want to go through our three chair model we have obviously a great experience there as well.
>>And clearly Amazon brings a lot of customer eyeballs to the table.
>>They’re a great partner.
>>So, just before we wrap, you guys came out with the vulnerability intelligence report. I wonder if you can share some of the highlights of the things. You guys are obviously keeping track of this, you talked about benchmarking against your peers. And I know there’s also a lot of sharing of information within security companies, to kind of know what the bad guys are and some of the patterns and best practices. So, I’m wondering if you can share some of the current trends. What are you seeing? How’s the landscape changing?
>>Well first of all, we have a phenomenal Tenable research team. They’re phenomenal in terms of the data science, in terms of the vulnerability intelligence. We have a wealth of data in our hands from various deployments and so there’s a lot of great number crunching and analysis we can generate from that. What we discovered in the vulnerability and intelligence report, is that security teams are just bombarded with vulnerabilities, literally, bombarded. Last year in 2017 we saw over 15,000 CVEs and unique vulnerabilities hitting the marketplace or hitting the industry. And by the end of this year we’re expected to be between 18,000 and 19,000 vulnerabilities. So the trend is just going up, up, up. I think what makes matters worse though, is that when you start looking at those 19,000 vulnerabilities, over 60% of those vulnerabilities are classified as either high risk or critical.
>>65%?
>>Around 60%.
>>Of the, what was the numerator? 18,000?
>>Of those 18,000 to 19,000 vulnerabilities, are classified as high risk or critical risk. So, that’s a lot of fire drills that security teams need to chase. And so, what we’re trying to achieve is helping our customers, helping the market at large understand what are the true risks out there, not the theoretical risks. What are the actual cyber risks. Meaning what are the vulnerabilities that could be easily exploitable, that have exploit kits already developed. We have our data science team looking at the characteristics of vulnerabilities and which ones would be leveraged by the bad guys and which ones would not be. And we significantly boil that number down so that organizations can focus on only 5% of the number of vulnerabilities that they otherwise would be chasing without changing their overall security risk to the organization. So, prioritization is super, super critical for those organizations.
>>Nathan I think we all that separating the signal from the noise. (laughs)
>>Jeff, well thanks for having me.
>>Nathan, thank you very much, it’s great to see you and have a great show.
>>Thanks. You too.
>>All right, I’m Jeff, he’s Nathan, you’re watching theCUBE. We are at the AWS Marketplace and Service Catalog Experience at the Aria, at the quad. Come on by. We’re serving free food and drink. See you next time. (lively music)
