2017 Trends in Vulnerability Management, Featuring Forrester Research
Earlier this week, guest speaker Josh Zelonis, Senior Analyst at Forrester, and Michael Applebaum, VP Product Marketing at Tenable, spoke at a webinar about some of the big trends in vulnerability management in 2017.
You can access an on-demand recording anytime on our Webinars web page. If you’re wondering what it was all about, here are a few highlights.
Forrester survey results
Josh kicked off the talk by sharing a few results from a recent Forrester Global Security Survey. I was surprised by the first result he shared -- that 49% of organizations had suffered one or more breaches in the past year. I know that breaches are common; any Google search for “data breach” will come up with pages of results. A search today, for example, shows that job seekers are one group who had a bad week, with breaches reported at the Illinois Department of Employment Security, IdahoWorks, and America's JobLink Alliance (AJLA) affecting millions of job applicants in multiple states. Still, I was surprised that the survey result showed breaches affected almost half of all organizations.
Given all the focus and research we do on vulnerability management here at Tenable, less surprising was the detail of how those breaches occurred. Of those 49% of organizations that had reported being breached, 56% had experienced one of those breaches as an external attack, and the #1 issue that was pervasive across the attacks was software vulnerabilities or software exploits. We know that vulnerability management is a significant challenge for organizations in 2017.
One reason Josh gave for vulnerability management being such a challenge is that organizations have a difficult time knowing what assets are in their environment, especially fluid, or dynamic, assets that come and go from the network frequently, like cloud services or containers. Tenable research shows that dynamic assets are difficult to track using traditional vulnerability management methods like active scanning alone. If a cloud service or container isn’t on the network when an active scan is taking place, it won’t be included in the results. That’s one reason why Tenable has invested so much in Tenable.io and specifically the Tenable.io Container Security application. The mix of active scanners, agents and passive listening sensors in Tenable.io is designed to maximize scan coverage, while the specific capabilities of Tenable.io Container Security bring security into the container build process.
DevOps and early detection
These dynamic assets, though, as Josh put it, can actually be a gift to security. Dynamic assets like containers are often discussed in the context of DevOps. DevOps, as you likely know, is the cooperation between developers and operations professionals (and often QA and security) with a goal to accelerate IT and development processes. DevOps gives organizations the ability to set goals, determine processes, and test for security misconfigurations and vulnerabilities earlier in the development lifecycle. Software flaws can be identified and addressed in the QA environment, which is not only more secure, but also more efficient than fixing flaws in production applications.
Learn more
There are more good insights from Josh and others in the webinar. I encourage you to take a few minutes to enjoy the webinar and also learn more about Tenable.io via any of these resources:
- Vulnerability Management in 2017: Leap Ahead or Fall Behind webinar recording
- Additional sessions of this webinar will be scheduled for EMEA and APAC regions. Watch for your invitation!
- Tenable.io information
- Tenable.io evaluation