Tenable Helps Customers Comply With NIST Cybersecurity Framework

Fresh off a $250M round of funding, Tenable CEO Ron Gula discusses how his company's technology is evolving and adding new options to its platform.


Tenable CEO Ron Gula is in an enviable position. The company raised an unprecedented $250 million in November 2015 to help grow the business, which is precisely what Gula is positioning Tenable to do by providing new options and approaches to help secure organizations.

While it is common for organizations to deploy multiple sets of tools to provide security, Tenable's goal is to help minimize the number of tools needed. The company's core technology is its SecurityCenter Continuous View (CV) platform, which is now being targeted at some additional new use cases beyond just simple visibility of network assets. The new use cases are not part of a specific new platform update, but rather an attempt by Tenable to explain how its platform is evolving.

"We don't do product and press releases with content updates, because these capabilities are just something that is included with the product [CV]," Gula told eWEEK.

One key use-case for Tenable's platform is to help ascertain compliance and adherence with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). NIST CSF is a broad set of guidelines and best practices for organizations to embrace to improve security.

Some compliance regulations, like the Payment Card Industry Data Security Standard (PCI DSS), are very tactical, in that they are specifically intended to ensure electronic payments are secured, Gula said, noting that organizations have used Tenable's platform to help with PCI DSS compliance.

"PCI DSS is not a framework that people use to measure all of their network," Gula said. "The NIST CSF is a framework [that provides] a way for an executive to have a model to measure security."

Even outside the U.S. government, NIST CSF is the number one framework that organizations use to measure their security, he said. "That doesn't mean organizations are deploying everything in CSF, but rather that they are using it to help measure security."

Where Tenable fits into the CSF use case with SecurityCenter CV is that every part of an organization's network can be measured automatically for how the technologies deployed there map to the framework's controls, he said. "What we're seeing is that the technical controls that people think they have, they actually don't have."

Many times, the entire process of looking at compliance is a manually driven process that only occurs at a point in time, and the promise of Tenable's platform is a continuous view in real time of what is actually running in an environment, he said.

Tenable's technology provides an assurance report card (ARC) that is used to help organizations understand their security posture. For example, if an organization is doing proper asset management, then every computer should have an entry in the company's Domain Name System to be properly identified. ARC will give a percentage score for how much of an organization's assets align with a given control or best practice.
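The kind of per-control scoring described above can be illustrated with a short script. This is an added example, not Tenable's ARC code or any Tenable API: it takes a constructed asset inventory and a constructed DNS zone, evaluates each asset against a few hypothetical control checks (the DNS-entry check from the paragraph plus two others for illustration), and emits a percentage score and pass/fail status per control, the way a report card would. The control names, asset data, DNS records and the 90% passing threshold are all assumptions.

```python
"""Report-card style control scoring over an asset inventory (illustrative only)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    has_endpoint_protection: bool
    days_since_last_patch: int


# Constructed DNS zone: what the organization's DNS currently says.
# 'lab-pc7' is missing entirely; 'print02' has a stale address.
DNS_A_RECORDS: Dict[str, str] = {
    "web01": "10.0.0.10",
    "db01": "10.0.0.20",
    "print02": "10.0.0.31",
    "vpn01": "10.0.0.40",
    "oldhost": "10.0.0.99",  # record with no live asset behind it; not scored
}

# Constructed inventory of what a scan actually found on the network.
ASSETS: List[Asset] = [
    Asset("web01", "10.0.0.10", True, 5),
    Asset("db01", "10.0.0.20", True, 40),
    Asset("lab-pc7", "10.0.0.77", False, 3),
    Asset("print02", "10.0.0.30", True, 120),
    Asset("vpn01", "10.0.0.40", True, 10),
]

# Hypothetical controls: each is a predicate that says whether one asset complies.
CONTROLS: Dict[str, Callable[[Asset], bool]] = {
    # The asset-management example from the article: every host needs a
    # DNS entry, and that entry must point at the address the scan saw.
    "asset has a matching DNS A record": lambda a: DNS_A_RECORDS.get(a.hostname) == a.ip,
    "endpoint protection installed": lambda a: a.has_endpoint_protection,
    "patched within 30 days": lambda a: a.days_since_last_patch <= 30,
}


def score_control(assets: List[Asset], check: Callable[[Asset], bool]) -> Tuple[float, List[str]]:
    """Return (percent of assets passing, sorted hostnames of assets failing)."""
    if not assets:
        # No assets means nothing has been measured; report 0 rather than a false 100.
        return 0.0, []
    failing = sorted(a.hostname for a in assets if not check(a))
    passing = len(assets) - len(failing)
    return round(100.0 * passing / len(assets), 1), failing


def report_card(assets: List[Asset],
                controls: Dict[str, Callable[[Asset], bool]],
                threshold: float = 90.0) -> Dict[str, dict]:
    """Score every control; a control passes when its percentage meets the threshold."""
    card = {}
    for name, check in controls.items():
        pct, failing = score_control(assets, check)
        card[name] = {
            "score": pct,
            "status": "PASS" if pct >= threshold else "FAIL",
            "failing": failing,  # the hosts an operator would need to fix
        }
    return card


if __name__ == "__main__":
    for name, result in report_card(ASSETS, CONTROLS).items():
        print(f"{result['status']}  {result['score']:5.1f}%  {name}")
        for host in result["failing"]:
            print(f"        needs attention: {host}")
```

Running the script as-is prints one line per control and lists the hosts dragging the score down; rerunning it against each fresh scan, rather than once before an audit, is the continuous measurement the article describes. Note that the DNS check compares the recorded address with the scanned one, so a stale record counts as a failure, not just a missing one.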

"You end up with a report card of how compliant or non-compliant you are with each of the controls in the NIST Cybersecurity Framework," Gula said.

One of the things Gula has noticed across many organizations is that, when juggling multiple compliance efforts, IT security professionals tend to manage toward a requirement but not beyond it.

For example, Tenable is an authorized PCI DSS scanning vendor, and the most popular time that organizations tend to scan is at the end of the quarter, the day before a compliance report is due, Gula explained. However, "if organizations scan more continuously they can get way ahead of compliance issues," he added.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.