Tenable doesn’t want to be Tenable anymore

“Neither Rapid7”. It’s from the interview of HD Moore, founder of the Metasploit and ex-CRO of Rapid7, that he recently gave to Paul Asadoorian, ex-Product Strategist Tenable, in the latest episode of “Startup Security Weekly”. It’s a great show, strongly recommend it, as well as “Enterprise Security Weekly” and others. See all subscription options available here.

VM Vendors Market

The most interesting part for me is 00:05:00 till 00:10:00. Talking about the best areas for security startups, HD Moore recommended to take a close look on cloud-based WAFs, like Signal Sciences, Cloudflare. It’s relatively easy to find customers for such projects. However it’s very expansive to build it up and investments are required.

HD Moore doesn’t see lot’s of folks building new content-based security products, such as Tenable, Rapid7, Metasploit. It makes him sad and me either. Instead of regular updates of security content and signatures, new companies rely more on things like machine learning. It’s a good start, but it won’t solve all the problems.

Well, not only in Russia Vulnerability Management is not a trend, but even in the US.

Furthermore, “Tenable doesn’t want to be Tenable anymore, neither Rapid7”. VM Vendors are trying to find the ways to get out of their market now. The fact that VM product is 10% better than can’t impress customers. They may be impressed only by something related to Web App security, advanced risk assessment, etc.

I agree that the situation looks exactly as HD Moore describes. Most of the classical VM vendors are trying to move to new types of products: SIEM, AST, WebApp scanners, even Anti-APT solutions. Perhaps they are motivated by the fact that Vulnerability Management is becoming a commodity and difference in 10 percent doesn’t solve nothing.

In fact it’s not. The difference between VM solutions is significant. But you can see it only if you compare them properly. Vulnerability Scanner is mostly a knowledge base. And some scripts that make a vulnerability detection, using this knowledge base. But have you ever seen VM vendor writing about their KB and vulnerabilities they can and, even more interesting, they can’t detect? Take Gartner MarketScope for Vulnerability Assessment. There’s almost nothing about the knowledge base and detection quality – the main feature of the products.

When VM vendor stores vulnerability detection plugins in parsable form – it’s great. That’s mean, that there is a possibility to predict what the product can and can’t detect. Hovewer, if you even compare knowledge bases of two scanners, OpenVAS and Nessus, both KBs are available in Vulners, by CVE IDs plugin references, you will find out a great differences: thousands of CVEs that Nessus can detects, and OpenVAS can’t and vise versa. Vulnerability Scanner knowledge bases are far from completeness. Even if we ignore at the differences of the platforms: different detection plugins required for the same CVE for Linux, Windows, different network devices. Even if we ignore plugin types: local security check and remote security check are completely different but refer to the same CVE id.

Who destroys the VM market? The customer who does not care about scan quality? In my opinion, it’s the VM vendor, who sell, in fact, knowledge base, with no emphasis on it’s quality and therefore devalue it.

4 thoughts on “Tenable doesn’t want to be Tenable anymore

  1. HD Moore

    Hello,

    To clarify the comment; we are seeing traditional vulnerability management (VM) vendors expand into adjacent space because customers are not rewarding innovation around test coverage, and the green field for VM is growing slower than the investors of these companies demand of the business.

    VM companies cater to three[1] major sectors; consultants, small-and-medium businesses, and enterprises. Of these, the consultants care the most about the quality, depth, and width of coverage, but have the least influence with the product teams because they spend far less than enterprise customers.

    Enterprise customers, by contrast, care more about scalability, complimentary features, and integration, with better coverage as a nice-to-have. The result is that these companies expand into areas that increase their offerings for enterprise customers, at the cost of better coverage.

    I have seen large customers get upset when the scan coverage improves, because it hurts the predictability of their security program. IT managers tend to get annoyed when a new scan update causes a “secure” system to show a high-level vulnerability, even if this was a false negative in the past. At the end of the day, vulnerability scanning tools create work for the customer, and while management platforms help, better coverage is at odds with customer incentives in these environments.

    There is always opportunity to build better coverage for the consulting sector and the early adopters in the enterprise space, but focusing on these markets will limit potential growth. As a developer of security tools, this has been frustrating to realize, as I feel like the companies who benefit most from improved coverage are the least likely to demand it from their vendors.

    It is not all gloom and doom at least; this stuff tends to be cyclical, and the next major area of concern for businesses will spawn a new cadre of smaller tools, which will eventually be pulled into the larger ones. Small shops are unlikely to displace larger VM players, as the minimum coverage bar is ridiculously high at this point, but they can build add-on coverage that makes them attractive as buy-out (or clone) targets by the larger players.

    -HD

    1. Technically four if you count government, but you can lump this in with enterprise (federal) or small-and-medium (local) for the purposes of this discussion.

    Reply
    1. Alexander Leonov Post author

      Hello, HD!

      Thank you for the great comment!

      Very interesting information about the difference in VM market segments.

      I want to believe, that some public discussion may somehow help to fix the blind spots in vulnerability detection. If VM solution doesn’t support detection of some vulnerability why won’t Tenable, or other vendor, just order development of such detection plugin? Not a big deal. Lots of companies and individuals can make NASL or OVAL.

      With vulnerability bases, like http://vulners.com , containing both vulnerabilities, exploits, bulletins, detection plugins, etc. the lacks of vulnerability scanners become more visible. Like this one: https://vulners.com/exploitdb/EDB-ID:31425 … Here is an exploit, with linked OpenVAS detection script. But there is no Nessus detection script. Why? Idk, good question for Tenable. Of course, it’s only can be possible if the security vendor will realize, that this problem really exists.

      I am fully agree with you on the perspectives of small very focused tools. I think integration with existing VM solutions may be also very useful. Something like OpenVAS OSPd connectors for 3d party tools and scanners (http://docs.greenbone.net/GSM-Manual/gos-3.1/en/osp.html)

      Reply
  2. Pingback: QSC16: from Vulnerability Management to IT Visibility | Alexander V. Leonov

  3. Pingback: Fast comparison of Nessus and OpenVAS knowledge bases | Alexander V. Leonov

Leave a Reply

Your email address will not be published. Required fields are marked *