TechMatrix

Benefits of Tenable Adoption

• Comprehensive visibility of IT asset exposure
• Accurate prioritization of actions and reduction of effort enabled by risk-based vulnerability management
• Visibility of blind spots in Active Directory (AD) and improved efficiency in resolving associated AD security issues

Interviewees

Mr. Takeya Yoshikawa, Deputy General Manager, IT Infrastructure Construction and Operations Division
Mr. Naoto Sugiyama, Chief, IT Infrastructure Construction and Operations Division
Mr. Shigeyuki Kiriyama, Chief, IT Infrastructure Construction and Operations Division

Evolution of organizational readiness, to challenge emerging security threats

Q. Can you tell us how TechMatrix sees information systems and security, and about your operational policy and organization?

Mr. Yoshikawa: As we are engaged in a variety of business operations at TechMatrix, we embarked on setting up a Computer Security Incident Response Team (CSIRT) system in 2022 to strengthen security across the entire organization. The aim of CSIRT is to build an expert and fast response structure, to be ready for cyber attacks which are becoming more sophisticated by the day. We established an internal guideline for security, which is promoted and enforced by several key staff members. In addition to the traditional approach of defending our environment, we employ a multi-faceted approach in order to improve our level of security. 

Shift to exposure management that visualizes hidden risk

Q. Can you tell us about your previous security program, and the challenges you have faced in recent years? 

Mr. Sugiyama: Previously, our security program primarily focused on perimeter-based security and performing penetration tests a few times per year. However, in recent years, when a peer system integrator suffered a malware attack and their system was compromised, this gave rise to an uneasy sense of impending crisis within the organization, such that we were left with no option but to review our security program. The incident showed that the threat was real; that it was not just an attack coming from outside, but it also included risks that affected the entire supply chain and threats caused by shortcomings in internal configurations. 

In particular, the major security challenges were in the areas of vulnerability management and Active Directory (henceforward AD Security). 

• Vulnerability Management: We felt like we were at the end of the road with our ability to perform CVSS assessment and check results against lists. As vulnerabilities increased, our workload also increased, and we became aware of the challenge that using our in-house scoring system based on CVSS scores was not helping us to determine priorities accurately. Decision making was taking longer to decide which vulnerability should be prioritized for remediation.
• AD Security: There were a lot of system accounts—as you can imagine after many years of operation—which resulted in a great number of inventory tasks we were struggling with. We felt like there was great risk in security blind spots, weak passwords and excessively high permission settings, which lead directly to privileges being stolen by attackers in order to take control of AD. 

Tenable One enabled a streamlined, risk-based operation

Q. With those challenges you have just described, can you tell me the reason for selecting Tenable One? 

Mr. Yoshikawa:: As we compared and assessed many products, we came to the conclusion that Tenable One was the best solution to drive our exposure management initiative. The greatest advantage of Tenable One is in its flexible licensing model. It allows us to use as many features as we need, from vulnerability management to AD security. That was the critical factor in our decision making. Also, the user interface is localized into Japanese, so we thought that this would enable our non-specialist staff to navigate the system intuitively and help achieve a smooth operation. 

Q. Can you tell us the advantages of Tenable and any issues you had during the Proof of Value (PoV) stage? 

Mr. Sugiyama: We deployed the system ourselves in about three months, including the PoV period. During PoV, we experienced issues such as having to switch server redundancy that was monitoring PINGs during a vulnerability scan, and exceeding the license limit due to the innumerable dormant accounts we had, but all of these were cleared, thanks to Tenable’s apt advice and tuning. 

Q. What do you feel are the specific effects of introducing Tenable One? 

Mr. Kiriyama: They are:

• Vulnerability Management: Thanks to Tenable’s VPR (Vulnerability Priority Rating and guidelines for triage, we are now able to assess the importance of an IT asset accurately, based on risk. We now know which vulnerabilities we should address, resulting in a substantial reduction in time and effort. Moreover, we are now able to visualize vulnerabilities in our old systems, which we had not been able to see before, to provide appropriate advice to the business department in charge.
• AD Security: We were able to complete our inventory check of accounts quite smoothly, which our manual method was struggling with previously. We could highlight blind spots instantly, such as weak passwords and permission settings, so that we are now able to go ahead quickly with a holistic AD security program. As guidance is displayed in Japanese, our time to investigate the actions are greatly reduced, and efficiency is improved. 

Together with Tenable Techmatrix moves toward a more robust security environment

Q. Can you tell us about your vision for the future of your security program?

Mr. Yoshikawa: With the increase in the use of cloud resources in the future, we plan to enhance external data management capabilities, from a DLP (data loss prevention) perspective. We are also considering making further use of Tenable One to automate patch management, and to scale it to visualize the entire attack surface. 

Q. What would you like Tenable to do? Any requests? 

Mr. Yoshikawa:I hope that Tenable may create a community where users can share their use cases with one another and how they use the products. By exchanging knowledge, I am hoping that we may collaborate and build a more robust security environment. 

* Details as of March 2025