Cyber-security vendor Tenable Inc. announced its new cyber-exposure benchmarking service called Lumin on March 8.
Lumin is part of the tenable.io Software-as-a-Service (SaaS) platform that Tenable launched in January 2017, which provides security scanning and vulnerability management capabilities. With Lumin, Tenable is adding a new layer of functionality that aims to enable organizations to better understand their overall risk profile.
"The world of vulnerability management has always been about gathering data," Renaud Deraison, CTO and co-founder of Tenable, told eWEEK. "Lumin is all about making sense of the vulnerability data and providing insights."
Deraison said that Lumin imports data from multiple third party sources outside of Tenable, including Qualys and ServiceNow. He explained that Lumin takes all the scan results and merges them with threat data to see what vulnerabilities are actually being exploited.
Lumin provides a ranking for detected vulnerabilities within an organization to help prioritize and remediate the most impactful issues. Additionally, Deraison said that Lumin provides benchmarking capabilities to help organizations understand how long it takes to respond to an issue.
Determining the impact of a given vulnerability isn't always an easy task. One widely-used approach for scoring a vulnerability is the industry standard Common Vulnerability Scoring System (CVSS), though Deraison said that in Lumin, Tenable is making use of a broader set of metrics to determine impact.
Deraison explained that Tenable has its own scoring system that considers CVSS as well as asset configuration details taken from a Configuration Management Database (CMBD) system.
"We also take threat information into account for scoring," Deraison said. "We have a partnership with Recorded Future, which helps us to understand how exploited a given vulnerability is."
Among the common causes of modern data breaches are chained exploits, where multiple vulnerabilities are linked together in order to exfiltrate data. Deraison noted that CVSS in particular, fails when it comes to understanding the impact of chained exploits.
With chained exploits, often there are multiple low or medium risk vulnerability rankings that each on their own, might not merit the attention of a cyber-security team. Deraison explained that tenable.io Lumin users will get a flag when a medium or low risk vulnerability is being used as part of an exploit that provides an alert that it is a more immediate risk that needs to be remediated.
While Lumin provides information to organizations about their cyber exposure and vulnerabilities that should be patched, the tenable.io platform does not directly provide patching capabilities. Rather, Deraison said that his company has an integration with ServiceNow, to help organizations with patching. He explained that based on information that Tenable sees as being important the system can open a ticket in an IT operations system to fix it. In Deraison's view, there is still a clear line of demarcation between security and operations teams within many organizations.
"We don't think we should patch systems directly, so we integrate with ServiceNow or Jira for that process," Deraison said.
Deraison noted that he has been surprised at how long it can take different organizations to actually identify and then patch known risks.
"That's one of the big reasons why we wanted to build Lumin. We want to provide organizations with guidance on what to fix first," Deraison said. "There are a lot of worm-able vulnerabilities, out there that are not being fixed because there hasn't been immediate pressure. Part of the goal of Lumin is to help drive healthy behavior toward patching before a breach happens."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.