Tenable: Vulnerability management is out, attack surface management is in

Over the past two years, it has become increasingly clear that traditional vulnerability management does not work. With 18,378 vulnerabilities reported in 2021, security teams simply don’t have time to reduce all potential entry points before an attack can exploit them.

At the same time, modern business environments are so dynamic and expansive that organizations need complete visibility across the entire attack surface. This goes well beyond monitoring on-site IT assets to cloud services, containers, web apps and identity services.

This is a trend that the supplier of vulnerabilities shelf life has recognized by today launching Tenable One, a new cloud-based exposure management platform designed to discover assets and assess risk across the entire attack surface.

Exposure management gives security teams a broader view of the attack surface, provides the ability to perform attack path analytics to analyze attack paths from externally identified points to internal assets, and create a centralized inventory of all IT, cloud, Active Directory and web assets .

Vulnerability management is out, exposure management is in

Tenable’s shift from vulnerability management comes as more organizations struggle to manage the attack surface.

According to the State of Attack surface management 2022 report, 7 in 10 organizations were compromised in the past year through an unknown, unmanaged or mismanaged internet-facing asset.

One of the main reasons for this high level of exploitation is that many organizations are unable to identify exposed assets as part of a unified inventory.

“Traditional vulnerability management focuses on enumerating vulnerabilities in exploitable software (CVEs). Exposure management goes beyond this by providing additional context such as who is using the system, what they have access to, how it is configured, etc,” said Glen Pendley, CTO at Tenable.

“Proactively securing an environment is more than just patching software. Exposure management enables cybersecurity teams to operationalize their preventive security programs, which in turn also helps organizations clearly explain the effectiveness of their security program,” said Pendley.

Tenable One approaches exposure management by providing users with data about asset configuration issues, vulnerabilities, and attack paths to give security teams a clear picture of their environment and potential vulnerabilities that attackers could exploit.

A Look at the Vulnerability Management and Attack Surface Management Market

Tenable has been firmly in the vulnerability management market for years, which: researchers anticipate will reach a value of $2.51 billion by 2025, growing at a compound annual growth rate (CAGR) of 16.3%.

However, Tenable One can most accurately be described as competing with attack surface management providers, who strive to provide a comprehensive view of the exposures of internet-facing assets, rather than providing a system to identify vulnerabilities within an on-site network and to give priority.

One of the leading suppliers in this space is: Randoriwith a valuation between $50 and $100 million that IBM acquired mid-year and offers a cloud-based solution to map the attack surface in real time. This includes services, IPs, domains, networks, hostnames, and other components.

Another competitor is Cycognitowho raised $100 million in financing in December 2021 and achieved a valuation of $800 million, providing enterprises with a remote attack surface management platform that can automatically discover internet-facing assets and provide contextualized risk mapping, detection and prioritization that an attacker can exploit.

According to Pendley, the main distinguishing factor of Tenable is context. “As of today, no other company is able to provide the breadth of coverage, context and actionable reporting that Tenable can. We expect the major cybersecurity vendors to move in this direction, but no one has developed what Tenable has,” Pendley said.