On-Demand Webinar
Beyond Cyber Chaos: How Public Sector Orgs Secure Smarter with Exposure Management
- Exposure Management
- Tenable One
It’s time for state and local government entities to move beyond vulnerability management and learn how exposure management provides greater clarity, control, and security in the face of modern threats.
Public sector agencies are high-value targets in a threat landscape that never stops shifting. Traditional vulnerability management isn’t enough.
In this webinar, you’ll learn how exposure management gives you better visibility into your entire attack surface – and a smarter, more proactive way to reduce risk. You’ll also gain insight into practical strategies for regaining control, communicating risk effectively, and safeguarding mission-critical systems.
Topics covered will include:
- How attack surfaces are evolving and expanding – and what that means for government agencies
- Tactics for identifying, prioritizing, and addressing real threats – not just vulnerabilities
- How state and local government entities use Tenable One to realize the benefits of exposure management
- Live Q&A to address your specific questions
Who should attend?
Infosec leaders, practitioners, and IT professionals responsible for securing state, local, and tribal government entities are encouraged to attend this session.
Register and watch on demand now.
Presenter: Joseph Decker
1. Cyber Endurance in a Chaotic World
Thank you, everybody, for being here. I'm going to go ahead and jump in. We've got a lot of content to go through, but I really appreciate you all being here with us today for Cyber Endurance in a Chaotic World.
So we'll go ahead and really just start with an introduction, right? And you'll notice a lot of polar exploration themes inside here. It's something I'm passionate about, so I like to use it. And it turns out that it really does have a lot of parallels to what we're seeing in cybersecurity. You know this one here: "The greatest dangers and the severest tests lie in the unseen."
And when you look at that from a cybersecurity perspective, it goes back to the old cliché: you can't protect what you can't see. What we don't know about, what we don't see in the environment, or which threats we don't have great knowledge of, that's the real risk. It's great that we know all this information about a 0-day, because it's brand new and it's something exciting that people want to look at. But what about those older vulnerabilities that didn't have any real issues when they first came out, but are now being used as part of a ransomware attack? That's all the unseen data that can be really dangerous.
2. Who am I?
But first, before we jump into the real content, a bit about me. So I'm a security engineering leader here at Tenable. I lead our SLED security and sales engineering team, and I've been here for 11 years.
Before that, I was a nuclear engineer on submarines, and I will definitely talk to you for hours about a variety of topics, including F1, cricket, Liverpool, opera, Beethoven, and, of course, polar exploration. So if any of those seem super interesting to you, please feel free to hit me up on LinkedIn, and we can definitely have a chat about them.
3. Understanding The Cyber Landscape (Initial Overview)
So we've got to really look at the overall cyber landscape right now, and this is not to cause any FUD and fear out there. But there are headlines every single day about state, local government, higher education, tribes being hit with cyber attacks. We're absolutely a target right now, from the largest state organizations down to local organizations.
We've seen things like schools being taken down with Log4Shell because kids didn't want to go to school on a Friday, all the way up to large school systems in K through 12 who have had their information stolen, and now kids are graduating with credit card debt they didn't know about. There's just a ton of different things happening in the environment, and it only takes a real quick look at those headlines to understand that.
4. The Expansive and Interconnected Attack Surface
Right? We're really dealing now with a much more expanded surface than we've ever had, and that expansion also comes with a lot of interconnectivity. So, you know, the attack surface, real quick definition: it's everything in your environment.
And that's going to not just include your laptops, desktops, and servers, and networking gear like it used to, but also the identities that exist, the IoT that's out there, those systems that we put in for remote work during the pandemic that security may not have had the ability to really put their stamp on, but are now being used against us. So the attack surface is huge.
We've got to again move beyond the servers. There are other things out there that can cause havoc. It's not just those keys to the castle anymore, those crown jewels. It's about everything that can connect to those crown jewels, that entire attack path.
5. AI & Cyber Hygiene
Because maybe there is ransomware that could impact our domain controller, but we can't take that down right now. But if we look at that attack path, and we learn that the entire way that this attack path ever works is because there's an RDP port open on a laptop in a Commissioner's office, we can still protect all of that by just removing that RDP access. So we have to really have that full understanding of everything and how it interconnects.
AI is coming into place, and that's going to be for good and for bad. It's going to have a lot more capability to attack multiple system types, set off multi-pronged attacks. It's going to be more efficient than a human attacker. But on the flip side, we also have AI to help protect us, to help identify those threats, to help look at prioritization.
I, you know, candidly, pooh-poohed AI for a really long time, because I just saw the threat from it. And, you know, as Tenable has gone into that space with our recent acquisition of Apex, I need to learn more about it and start using the tools. And really, once you start to use them, as long as you, as an organization, have put the security in place, put your rules in place, and those rules are being followed, it can really help with prioritization.
That's something that we're utilizing in our tools today, not to drive the security, not to be the end-all be-all, but to help improve that context, to dig into the information and pull data from outside that can help to fill in some gaps. You know, with all of these new pieces, there is some good news, right, and we get Professor Farnsworth here: good news, everyone! The foundations of cybersecurity still protect us. They don't change. Those attack paths still exist. Those attack paths are the same, whether it's an AI or it's a human attacker. Those attack paths are now expanded because of the context. We're learning more, and cyber hygiene is improving the more data we have. So while there is a lot of stuff out there and we are absolutely a target, those foundations still help to protect us.
6. Exposure Management: A New Look at Risk
So when we look at really, what exposure management is, that's that new look, right? Exposure management is taking defense in depth and putting it on steroids. Yeah, we've got a lot of tools that are out there. We've got a lot of things that are doing different pieces. But let's put all those pieces into the same puzzle. Let's let them talk to each other. Let's let them learn from each other, so that in the limited amount of time, the limited amount of resources we have, we're taking full advantage of the tools that we use.
7. Identifying Risks: Attacker's Perspective
Right? We've got to really establish that to solve this problem. We need to understand the entire attack surface from an attacker's perspective, both external and internal. That's how they're going to gain access. We need to know how they're going to gain access and start to move laterally, to compromise assets and identities that are really and truly out there.
8. Detecting 3 Forms of Risk
Next, we have to identify, really, our 3 preventable types of risk. There are 3 truly preventable types that exposure management helps us to alleviate. That's going to be your traditional vulnerabilities, those misconfigurations, and excess permissions is the last one, and that's one that we don't think about too often on the IT side. But when you look at identity, it really is the new perimeter.
And if we're not looking at those identities from a zero trust type of perspective, understanding what access they have, and eliminating excessive access, that's a path in. If somebody once needed admin for a simple project and they still have admin today, 2 years later, that's a problem. That's something that can be used against us.
So we need to get all of those pieces right. The vulnerabilities, misconfigurations, the excess permissions. Because that's what attackers are going to use to compromise our assets and move laterally.
9. Cyber Risk Management Challenges
The challenges: it's a lot of noise, right? That's a lot of stuff that comes through, so exposure management again helps to break down that noise. We've got to align our assets, our identities, and risk to our critical business services, right, those functions that exist. Whether you're a state organization, local organization, wastewater, power, transportation, we need to identify what those critical services are that we have to continue, and prioritize what resources we have to identify the things that matter most, the ones that, if this goes down, our constituents, our population, are going to have the biggest issue, our customers are going to have the biggest issue. Once we can identify what matters most, we can then assess and prioritize those attack paths and that risk based on that. So we understand that there might be 10 laptops that have the exact same vulnerability.
But if 8 of those laptops are just standard users, and 2 of those laptops are administrators, we know that those 2 laptops that are administrators are going to be the higher risk, and we need to prioritize them first, above everything, the goal being to continually get ahead of attackers. Look at what the attacker is going to use and fix that first. So we're applying that added context to prioritize that look and going into that risk so that we can have the biggest impact on risk reduction. Anytime we can reduce risk, we should make the biggest bang for the buck, and so exposure management through tools like Tenable One helps to bring all that together and show you: go fix this first, or, hey, I have 5 min, what's the biggest impact I can have on risk reduction in 5 min, and go and get that done.
10. 2025 Cyber Risk Trends: Escalating Threats
So when we're looking at the overall risk management for government, there's a couple of things that we see as really key for 2025, right? One is that ransomware is really going up, a 92% increase for K through 12. We've seen a lot more nation-state actors coming in and impacting state and local governments and exploiting things like outdated systems. Now, I know none of you have any outdated systems. There's not some Windows 98 box in a parking lot somewhere, but if you do have those, those are important to look at.
11. 2025 Cyber Risk Trends: Protecting Sensitive Data
The other part with education and government is, we have a lot of sensitive data. Working in my home state, I really love working with my state customers, because that's my data. That's my son's data, my wife's data, my family's data. And that's the same for all of you, right? It's not just the data that you're responsible to protect, but it's going to be stuff that actually means something to you. And so we've got to protect that. We don't want to see, not just our constituents, our customers, be impacted by this, but our own families and ourselves.
12. 2025 Cyber Risk Trends: Adoption of Advanced Technologies
Advanced technologies are coming up. I am in a lot of different talks now with people who are looking at AI, and what do we do with it? What can we do with it? Granted, a lot of those conversations end up devolving into how the heck are we gonna secure our power systems so that we're able to continue using these things.
But we make sure that workforce training and governments are involved. These tools are incredibly powerful for good and ill, but if we're not putting in the safeguards and those guard rails, something that seems like it's benign can then go on to hurt us. And so we need to make sure that, as we do adopt these advanced technologies, anyone who could possibly touch them gets that training.
13. 2025 Cyber Risk Trends: Operational Continuity and Resilience
The other part on the government side is, we always have to have this continuity and resilience. When something happens, people look to their governments. They look to people like us to help them out. And if we're freaking out, if we're melting down, people are gonna melt down inside the organization and out. They're gonna take from that lead. And so we need to make sure that that cyber resilience exists there, and proactive security, exposure management, absolutely helps with that cyber resilience.
14. Top Challenges for State and Local Governments (Including Education and Unique Challenges)
So here's just a list of some of the top threats for state and local governments. Again, ransomware is a big thing, but also things like lack of resources. I'm sure everybody here has every single person they need and every tool they need. But if not, you're in good company. A lot of others are facing those resource challenges.
We've also got phishing and social engineering that is becoming more advanced with things like AI, because they're now able to spoof much more greatly. I've got a friend who works for a startup as a development manager, and 8 out of the 10 interviews he's done recently ended up being either deep fakes or North Korean threat actors, and luckily they were able to identify that because they've put certain safeguards in place. But it's becoming very, very advanced.
It's not just these notes that come through from, hey, totally-not-a-virus.virus anymore. It's looking like real things. So again, we need to get that view in front of people, so they understand what this looks like.
Regulatory compliance is also coming up, right, especially on the OT side. The new version of NERC CIP that's hitting next year requires operational technology and ICS organizations to prove that they're doing security versus just science. So a lot of different things for state and local governments. Same thing for education, right: protecting that student and faculty PII, the lack of resources and funding, those very open, decentralized environments, and ransomware being a huge piece.
But PII for students is incredibly valuable to the bad guys, because in general our kids' credit scores aren't monitored like ours are. So these guys are able to do a lot of damage without setting off a lot of alerts, and we need to protect that.
15. Looking Ahead: Key 2025 Cyber Risk Trends (Phishing & Ransomware)
So those are some of the top challenges overall. Looking ahead again for 2025, ransomware is a big piece, phishing and social engineering. If I could leave you with two pieces that we really need to focus on from this year, this is gonna be it: the ransomware and the phishing and social engineering. This is what the bad guys are really looking to do, and this is how they're hurting us.
The other piece is, these are no longer the single-pronged attacks that we've gotten really good at fighting against. These are now multi-pronged attacks. Hey, I'm not going to use just one piece of ransomware, I'm going to use 3. I'm not just going to send an email, I'm also going to go on LinkedIn and do instant messaging to get that information out.
It's in the news almost daily. We actually had one recently here in Baltimore, where somebody had gone in, pretended to be a contractor, and changed the bank account to their own, and I think they got about 1.5 million dollars before it was discovered that this person had done that. And that was really not a technological attack at all. That was all phishing and social engineering, and it cost our city 1.5 million.
16. Strategies for Mitigating Risk: The Exposure Management Journey
So we'll go into a few things about strategies for mitigating risk. And there's a hint there for you. Exposure management is going to make this easier. The nice thing, too, about exposure management is, it's a journey. This is not something that you have to do right away, right? It can build with your maturity. It can also help to guide your maturity.
So maybe you're not ready to start digging into identity or operational technology, or you don't have a cloud project right now. But vulnerability management is still there, web application security is still there, things like ASM are still there, and all of that helps to work together and apply context. So you don't have to do every single piece of exposure management to get benefits from it.
17. Defining Exposure Management
What is exposure management? This guy's not doing a great job. Terrible. Just a light jacket, icicles everywhere. Horrible, horrible at exposure management. But what really is it, right? It's taking a look at all these different attacks that have happened through the years and starting to break it down into additional context, so that we can really understand the real exposure, the preventable risk that exists.
18. Understanding Exposure Context
And that's all that is: proactive, preventable risks. But now we're understanding the likelihood of an exploit by an attacker and the impact that it's going to have on you. And so those additional pieces are what take us from vulnerability management, vulnerability scanning, to exposure management. It's that bringing all of that data together so that we understand more of what's happening right now.
So, hey, we've got an attacker who's gonna come in and use this password form misconfiguration so that they can utilize this CVE to get into a system with excessive privileges. And now we understand what that impact is going to be overall. So, hey, the technical context: asset plus identity and risk relationships, all really bad stuff, all things that are preventable that we could fix to stop this attack. But if we don't, business context: our digital commerce is going to go offline, or, you know, the ability for people to come in and pay their water bill, pay their taxes, goes offline, or even something where they are coming into your website, your web applications, and using injections to change things. Now, suddenly, a reputation is on the line. People are seeing things they shouldn't be, or forms that used to go to you are now being sent off to data brokers who are going to sell that data off. So all of those pieces of context are really what makes exposure management work.
19. Exposure Management Platform Requirements: Collection & Consolidation
And there are a few requirements, really, for exposure management. Right? You start off with things like collecting, consolidating. Those are going to be your traditional scanning, your traditional risk-based vulnerability management. Hey, we're gonna pull that data in. We're gonna look at 3rd-party data. We're gonna correlate it all, deduplicate it, normalize it, so it's nice and pretty.
20. Exposure Management Platform Requirements: Enrichment & Prioritization
But where exposure management really starts to come in is this piece, the enrichment and the prioritization. And these are the 2 things that Tenable does extremely well. And this is what's really setting us apart from others in the industry who say they're doing exposure management, and they can't compete with it. Right? Our data science: we have one of the greatest research teams in the world, especially for risk and vulnerabilities. We're pulling in threat intelligence, not only from ourselves, but from the outside, using things like LLMs to even pull in more intelligence, so that we can look at all that and start to map the relationships, understand what this user, who has way too many permissions, is going to be able to do down the line, understand how 2 systems interact in an operational technology, right, in a water treatment plant. Hey, we need to know how these things interact normally so that we can see when they're not working normally. The next piece is the prioritization.
So, taking all that enriched data and using it to prioritize: what do I fix first? That's gonna come from scoring, gonna come from attack path analysis, gonna come from insights, from things like AI. But if I'm looking at, again, 10,000 different systems with 100,000 different vulnerabilities, I need to be able to look at the data and have it tell me: this is what I have to fix first, because this one thing is going to reduce risk more than anything. And so that's really where that vulnerability management, that unified vulnerability management, all comes into actual exposure management. And then, once we understand that, the next piece coming in is mobilization: get that data out to the people who need it.
There's an idea that you'll see here later in Tenable One of exposure signal queries that you can set up and that are being tracked. So if you want, hey, anytime a laptop where the system owner has cheapened their title gets scanned and has a vulnerability that is a 9.0 or higher, I want you to go ahead and send a message to the team responsible, I want you to open up a ticket in Jira for us, and I want you to send an email to the user that their device has issues, right? And that's the mobilization piece that we're really going to be bringing later this year. And that's again key for exposure management: getting that data into the hands of people who need it without them always having to monitor our tools. Hey, we'd love it if you were in Tenable One 24-7. That's not reality. You have a lot of hats that you're wearing, a lot of things that you're doing. So if you can cut out the middleman, if you can cut out the need to do any type of manual processing of this data to get it into the owner's hands, that saves you a ton of time. And then we need to be able to measure it. We need to look at that exposure. We need to see how it has changed over time. We need to be able to share it in ways that make sense to different groups. The way you share that data with an analyst is going to be very different than the way you share it with a governor's office or a commissioner. They're not going to understand that, hey, we had 10,000 vulnerabilities, and we fixed 500 of them. They're gonna look at you like, you still have 9,500 things to do. But if we can explain it to them from a risk perspective: hey, we had these risks, we were at a score of 800 out of a thousand, we did a lot of work over the last 2 weeks, our scores are now down at 500, we've set ourselves a goal of 120, and here's our plan to get there. That can make a lot more sense than dealing with people who don't understand what a vulnerability is,
don't understand what the work goes to. And that's really the key to exposure management overall, right here on the screen: these 6 different pieces, especially that one in the middle, that take that vulnerability management story, that proactive security story, into true exposure management, and then get that into the hands of the people who need it.
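Added example, not the presenter's slides or Tenable's code, of two ideas from the talk: ranking 10 laptops that share one vulnerability by the identity, business and threat context attached to each, and an exposure-signal rule that turns a 9.0-or-higher finding on an admin-owned device into mobilization actions (notify the team, open a ticket, email the owner). The 9.0 threshold and the three actions come from the talk; the `Asset` fields, the weights and the sample laptops are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One scanned device plus the context exposure management adds to the raw finding."""
    name: str
    cvss: float                 # highest-severity finding on the asset (0.0 to 10.0)
    owner_is_admin: bool        # identity context: the owner holds admin rights
    business_critical: bool     # business context: backs a critical service (e.g. bill payment)
    exploited_in_wild: bool     # threat intelligence: the finding is being used by attackers


# Assumed weights for the illustration; a real platform's scoring model is not on the page.
WEIGHT_EXPLOITED = 1.5
WEIGHT_ADMIN = 1.4
WEIGHT_CRITICAL = 1.3


def exposure_score(asset: Asset) -> float:
    """Turn 'this is bad' into 'this is bad for you' by applying context to the CVSS."""
    score = asset.cvss
    if asset.exploited_in_wild:
        score *= WEIGHT_EXPLOITED
    if asset.owner_is_admin:
        score *= WEIGHT_ADMIN
    if asset.business_critical:
        score *= WEIGHT_CRITICAL
    return round(min(score, 100.0), 2)


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Fix-first order: highest exposure score first, then by name for a stable order."""
    return sorted(assets, key=lambda a: (-exposure_score(a), a.name))


def exposure_signal(assets: list[Asset], min_cvss: float = 9.0) -> list[tuple[str, str]]:
    """Mobilization rule: an admin-owned asset with a 9.0-or-higher finding triggers actions.

    Actions are returned as (action, asset) pairs instead of being performed, so the same
    rule can feed a chat message, a ticketing system and an e-mail to the device owner.
    """
    actions = []
    for asset in assets:
        if asset.owner_is_admin and asset.cvss >= min_cvss:
            actions.append(("notify_team", asset.name))
            actions.append(("open_ticket", asset.name))
            actions.append(("email_owner", asset.name))
    return actions


# Constructed sample: ten laptops with the same 9.1 finding, two of them owned by admins,
# plus one kiosk with a lower CVSS whose finding is actively exploited and business critical.
LAPTOPS = [
    Asset(f"laptop-{i:02d}", 9.1, owner_is_admin=(i < 2),
          business_critical=False, exploited_in_wild=False)
    for i in range(10)
] + [
    Asset("laptop-kiosk", 7.5, owner_is_admin=False,
          business_critical=True, exploited_in_wild=True)
]


if __name__ == "__main__":
    # The exploited, business-critical kiosk outranks the 9.1 findings; the two admin
    # laptops come next; the eight standard-user laptops sort last despite the same CVSS.
    for asset in prioritize(LAPTOPS):
        print(f"{exposure_score(asset):6.2f}  {asset.name}")
    for action, name in exposure_signal(LAPTOPS):
        print(action, name)
```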
21. Risk-Based Exposure Management: Continuous VM & Context
So let's look at some things for risk-based exposure management, right? The reason why it's necessary and why we need to be doing continuous vulnerability management, right: yearly assessments aren't enough. There are tens of thousands of new vulnerabilities every year; even quarterly or monthly can just be too much data to keep up with. So this continuous look at vulnerability management is key.
Context is king. We need to understand why something is a risk for you. It's great that we were, for the longest time, able to say, hey, this is bad. And then, you know, risk-based came in, we started bringing in threat intelligence: this is bad, but now it's, this is bad for you, and here is why. Because we understand your environment through all of this context, we can tell you what the biggest risk is specifically for you.
22. Risk-Based Exposure Management: Focus on Real-World Risk
We gotta focus on real-world risk. There's a ton of stuff in the media constantly. There are things that try to get us scared with all the FUD, and those who don't understand security may start pushing that stuff, when we start to look at it and realize there's nothing real there. Well, kind of a one. Exposure management takes that guesswork out. We're bringing in the threat intelligence, we're showing you this is being used, we're showing you how it's being used and where it's being used. And so if we focus that, that gets rid of a lot of the noise.
And that's important, because we don't have a ton of time. Right? That's one of the resources we don't have: time, people, tooling. Those are all things that we always can use more of. And so, if we can eliminate some noise, that gives us back that time to make sure that the people we do have are able to go in and focus on that risk.
23. Risk-Based Exposure Management: Proactive Security vs. Reactive Tools
Defense in depth is important, but proactive security eliminates the need for hope. If we are totally reliant on reactive tools, generally that means something has already happened, right? If an IDS is going off, well, it's detecting an intrusion, so that means something's happening. If EDR is kicking on, it means that something's happening already. Proactive security removes the hope. I'm not telling anyone that they don't need things like EDRs and backups. That stuff is all incredibly important and still needs to exist. But nobody ever takes a backup hoping that they get to use it one day. Your reactive tools, in a perfect world, should do absolutely nothing, because you've proactively eliminated the threat.
Obviously that's not the case in the real world. Things are gonna slip by. People are gonna get tricky. Those reactive tools need to be there in case something does happen. But I would love it if every single one of your reactive tools never showed up, you never saw a single threat, because we were able to eliminate everything proactively.
24. Risk-Based Exposure Management: Cultivating Vigilance
We also need to have a culture of vigilance and openness. People need to say something when they see something. If people make a mistake, they can't be afraid to go to security and tell them about it. Hey, this phishing message came through. We just learned that holiday parties were off, and it said, hey, sign up for the Christmas party. I got really excited and hit it, and realized it was a phishing message. Telling them, yeah, it's a pain, you're gonna have to train them up, or, you know, potentially something worse if this is something that's ongoing. But if they're so afraid to tell you that they did it, it means that there's now a threat in your environment that you may not know about until it's too late.
And so we want to make sure that that culture of openness is there, and that everybody who has access to our assets, the entire attack surface, whether it's, you know, a custodial engineer all the way up to a governor's office, they all have that understanding and that training.
25. Reducing Identity Exposures: Zero Trust Journey
We also need to reduce our identity exposures. Like I said before, identity is the new perimeter, and unfortunately, it's a perimeter that has tentacles into every single thing that we do. Zero trust is a big part of that. But it's a journey. It's not something that can be bought.
It's, you know, there are no zero trust tools. Hey, get this, and you're gonna do zero trust. Everything goes into that policy engine that is ongoing and continuous. That's where we sit as Tenable. Right? We're able to provide a ton of data to that policy engine, so that we understand what permissions people have, or, where somebody leaves an organization, showing exactly what's going on from a blast radius, and we can shut down all of the different permissions they have. But even a small piece of zero trust is better than no zero trust. So don't think of this as something where we've got to rip the Band-Aid off and just go straight to zero trust. It's that continuous journey.
26. Reducing Identity Exposures: Reassessing Convenience & Training
We need to reassess the things that have made our work convenient. As the pandemic came up, we were in a rush to get remote access, VPNs, IoT set up, and security didn't always have the say that we should have had when that went through. And now that people are returning to the office, we're still maintaining that remote access. We need to go and reassess those tools, make sure they're up to date, make sure that the permissions are correct, make sure that people can't get into them from the outside, because they are wide-open entrances into our environment.
Even something as simple as an RDP port opened up so that somebody can go into TeamViewer from outside, that's an opening that we can get rid of. We need to train our non-technical teams to be able to identify things. It's great that security knows what all that social engineering looks like, knows how to identify phishing, knows how to make sure that the guy behind them is actually supposed to be there, not just carrying a clipboard to look official. We need to get the non-technical teams to understand that as well, because they're going to be the ones who are probably the biggest risk. The biggest strength that we have for security is people. The biggest weakness that we have is people. And so the more that we can train them up, the better.
27. Reducing Identity Exposures: Continuous Monitoring of AD
We also need to continuously monitor identity system configurations. Active Directory is old, and before that we had Exchange, and things that got brought over from Exchange into Active Directory and carried over for 20 years. Those configurations are still out there. Every single demo, every single proof of value that I've been on for identity exposure or an identity exposure tool, people laugh when we ask them, oh yeah, so is your Active Directory clean? Because people don't know, and that stuff is out there, those misconfigurations, whether it's a dangerous Kerberos delegation that lets somebody intercept a ticket and impersonate an admin, down to people not adhering to password policies, or accounts that have not been logged in for years. That one needs to be reassessed continuously. We need to monitor it and understand it.
Again, identity is what the bad guys want. Threat actors want it because it allows them to get in, shut off logging, shut off EDRs, shut up our reactive tools, and hide. In general, when you look at something like a ransomware attack, it comes in from the identity side. And when you really do the forensics, this isn't they got in, put ransomware in, and left. They were there for months, if not years, pulling out data, and the ransomware is the last thing they do. And so we wanna make sure that they're not there, they're not hiding. We can identify where there's a shadow domain controller up there, or somebody's thinking things they shouldn't be, you know, an admin doing an admin thing. Yeah, it's not gonna set off a lot of alarms unless you're looking for it. And that's really where that part comes from.
28. Cloud Security: Not a Given
Finally, cloud security. And you know, in the public sector. It was about 5 years ago when I felt that we were about 5 years from State and local governments really jumping into the cloud. And we're there now, and that's what we're seeing. A lot more cloud projects. But security isn't a given in the cloud. And you know, as security professionals, we understand that. But a lot of people don't. You know, I've heard from numerous people. They're like, Yeah, we just put in AWS, they take care of the security.
It's really the opposite of that, you know. They rely on you to put that security in, so security is not a given in the cloud. We need to be in that conversation early. It is much easier to deploy, secure, and maintain it than it is to go back into the Wild West and try to fix all of these issues and misconfigurations and vulnerabilities. We saw something very similar when containerization came in. People would think, "Oh, yeah, you know, we've got 4 images that we use." But then, when you actually run and look at their images, things weren't tagged properly. There are thousands of them out there. Most of them are insecure, and while they're only using four of them, because they didn't understand what needed to be put in for security, it's just a terrible mess.
We need to understand what's deployed in the cloud. Again, this kind of goes back to those known unknowns that exist out there. We need to see what's out there. When people are deploying in the cloud and security is not aware, that's a problem, because we don't know who exactly is doing what. And so this goes back to the old cliché: you can't protect what you can't see. And with the ease of deploying in the cloud, it can get out of hand very, very quickly.
29. Cloud Security: Team Coordination & Non-Human Identities
We also want to coordinate across multiple teams to ensure that we've got that safety, availability, and security. IT should not just be a single team working on this. Everyone involved should have a place at the table: security as well as development as well as the administrators, so that everyone understands what people are doing. And, you know, security, we're often seen as the bad guys. And that's because we kind of come in over the top, and we're like, "Oh, nope, you can't do that." If everybody's involved at the beginning, it takes away some of that friction and hopefully makes us more secure overall, with a lot of that vigilance and openness built in.
We also can't forget about non-human identities. It's not just about the actual users and people, but also the different tools that are being used in the cloud.
30. Cloud Security: Compliance Model & Continuous Testing
And finally, pick a compliance model and standardize on it. Once we're standardized on a compliance model, we can continuously test against it. We can tweak it as needed. Hey, some things are gonna work in your environment, some things aren't. But if we're not continuously testing against compliance, it just becomes a checkbox, and checkbox security is not good enough anymore. It really isn't. We can check the box right now, but a month from now we're gonna get hit, and it's gonna be because we didn't do that continuous look, or we went with "good enough." Good enough is not gonna be good enough anymore with the way attacks are happening and the tools in their tool belt these days. So we really need to use things like compliance models, make sure that we're doing it, but also continuously test against it and tweak as needed. Add in new features, or remove stuff that's making business just way too difficult and not providing a ton of risk reduction. But compliance is very important in cloud security.
31. Tenable One Unified Platform: Capabilities & Data Integration
So we're gonna look a little bit at the Tenable One unified platform, which is our exposure management platform: all the pieces of Tenable combined into one, bringing in that great context so that you can make the correct decisions and prioritizations on, hey, how are we gonna reduce risk? It gives you that single navigation piece, so we can come in and see all of our exposure management pieces, whether that's a high-level report card or very refined attack paths. So the central place is very important for a unified platform. You know, you can say "single pane of glass" if you would like. We actually have a rule where you have to put 20 bucks in a jar, so I'll put 20 bucks in the jar for saying it that time. But that's, you know, really what this can be from a marketing side: that single pane of glass. But really think about it as a unified environment for all that security information.
We're also adding things like software inventory to make it easier for you to look at vulnerabilities and weaknesses from a different perspective. This is all data that we've had for a really long time, but it's been locked in plugin outputs. And so now it's gonna be very easy to go in and see when things are end of life, which can help to eliminate some low-hanging fruit. We know that we've got a whole bunch of tools that are end-of-life or end-of-support, not getting any security updates. Well, that means we need to move. We need to update those things and see where they're going. We also need to understand where things are deployed in the environment, where they're located, and how many different versions of software we have. So it's about taking data that we had for a really long time and making it easier. Again, you'll notice over and over again, this exposure management story, this Tenable One story, is all about saving you time and getting down to the real risk without a ton of work to be done. Exposure signals: this is another way to keep track. You can craft different queries that you want to look for. In this example here: devices that are exposed to the Internet with Log4j or Apache server installed, have a version greater than one, and are used by an admin account. So a ton of different info, coming from all different pieces of the platform together, all of it looked at together. I also have customers who are using this for things like burndowns for Patch Tuesday, but the exposure signals are a really great way to track what's going on and get that data into the hands of the people who need it.
Oh, also, with our acquisition of Vulcan earlier this year, we've added much more advanced reporting into the platform to really help drive action. You know, the reporting in previously Tenable.io and Tenable One has always been, it's not necessarily lacking, but it's not as robust as we'd wanted it to be. Now we're able to get that robust reporting to help get those actions out: more drilled-down capability, a lot more different filters that can be used, and a lot more different widget types. So you can really craft these reports to look how you need them to look for you and your team.
Also, you know, you've got other tools, right? That Vulcan acquisition also now allows us to ingest data from your other security tools. And so we can look at it and merge those assets together. We can understand the capabilities from those other tools. And the idea being that the end result is, if you have a specific vulnerability, let's say we've got BlueKeep, and to us that's bad, but you've got an EDR tool that's protecting against it, so we can reduce that risk. The other side, though, is if we know that you've got tools out there that are protecting you, and we understand through threat intelligence that they're having an incident, or those tools aren't working right now, well, we can increase risk, because now your risk has gone up.
So a lot of ways to bring in that third-party data, but also tracking: hey, we've got these systems that have been scanned with Tenable, these systems that have been scanned by your EDR solution, and here's the gap where neither of them is looked at, or only one or the other is being looked at, so that we can make sure that we're getting the best data possible and assessing everything the way that it should be assessed. Third-party data is really coming in to complete the picture of that context and allow us to truly understand your environment, not just what Tenable sees but also what you're seeing from your other tools. And now it's all applied together, all prioritized, all given context.
And then we want to put that data to work with these different connectors. So we've got 50 connectors, really, right now to start. The configuration is fairly simple to run through to get these going and start pulling that data in. So we want to put that to work. You've got these other tools. You're using these other tools. Let's bring it all together so that we can really understand and get that full exposure management experience. So this is really, you know, again, a very market-y slide here. But this is what we're doing, right? It's unifying that vision, all those assets, all those risks seen in one place. Getting that critical context and insights, whether it's from threat intelligence or AI, helping to complete the picture, bringing it all from your other tools together to unify that insight, and then getting that mobilization piece. So get that data out there so that we're unifying the action. And that's really the full idea behind exposure management, specifically to us, the Tenable One platform.
32. Building Resilient Cyber Teams & Conclusion
So there's one last piece that really goes outside of the technology and really focuses in on our teams. You know, the quote here, this is a quote from Ernest Shackleton, who is one of my personal heroes, a polar explorer. But you know, difficulties are just things to overcome, and we're gonna run into difficulties. But as a security team, it's up to us to help overcome those for the rest of our organization that it is our mission to protect.
So we need to cultivate a culture of cyber awareness, and training is for everyone with access to assets. There's no need to really hold back and say, "Oh, well, they're not going to use it too often, and it'll be fine." It's not going to be fine. They're going to be the ones that get you attacked.
We also need to engage our stakeholders early and often and ensure that we're brought into projects. We don't want people hiding things from security because they think we're the bad guy who's going to cause problems overall. So if we build those relationships very early on in a project, we understand what their goals are, we can align security to those goals, they know what will work and what will not, and it's a partnership.
One size doesn't fit all; you have to match the training to your audience. The training that is gonna be great for you may be absolutely terrible for a student or for an administrative assistant, right? You're gonna understand those big technical aspects, and you can save a lot of time with that, because you don't have to explain certain items. But if you're just going in there and throwing acronyms at people who don't understand them, who've never heard them, the acronyms might mean something entirely different to them. It's just gonna make everything much more confusing. So while it does take a little bit more time than just creating a one-size-fits-all, make sure that the training matches the audience.
When one approach fails, try another. Don't sit there and beat your head against the wall trying to get something to work that just isn't working. Security has to move fast, right? We would love for it to be established, and we can just set it, forget it, and leave. But that's not the case with the modern attack surface and the modern tools that our attackers have. We need to pivot very quickly once we realize, "Yep, this just isn't gonna work," or, "Hey, we put this in and we got hit the next day." Let's leave it alone. Let's go to something else that is going to work.
We should simulate and assess, right? It's great that we have processes and tools, but if no one's ever used them when something does happen, we're gonna waste a ton of time reading through documentation, working with the vendor, watching YouTube videos to see how the heck we get this backup restored. We need to make sure that we're using real-world threats and scenarios with the team, so that when something does happen, it's simply: we go off and do it. This is what we've trained for. It's almost kind of that military mindset, where, yeah, we gotta train for the real-world threat, because if we do have to restore from this backup to get up and running as fast as possible, I don't want to waste hours trying to figure out how to do it.
We should also be updating our policies regularly. So new technology is gonna bring new threats to the table. The security policies that we had from 5 years ago probably don't include AI. The ones we had from 10 years ago didn't include cloud or remote work. And so we have to continuously update those policies and make sure that those who are beholden to them understand those changes and understand what's going on.
Last, but not least, we're Tenable. We're gonna talk about proactive security. But proactive security really is the foundation. And another hint for you: it's exposure management. Exposure management helps to make this easy on you.
You can't protect what you can't see, right? I've been with Tenable 11 years. The first T-shirt I ever got literally says "you can't protect what you can't see." It's been washed so many times that you really can't see the "you can't protect what you can't see," but it's there. I know it's there. But that asset inventory is essential. We need to know what's out there, and that's not just what is sitting in front of us. That's not just our laptops, or what's in Active Directory. It's gonna be those IoT devices, those identities, what's in the cloud, OT devices, building management systems, IoT, the entire attack surface. That's what we need to assess and what we need to know about.
Continuous assessment will show weaknesses and exposures early. It only takes one weakness or one exposure. I believe it was last year, or the year before, when a health organization was hit because of a misconfiguration in Jenkins, a build tool, in AWS, and all of their customer data was stolen. Or, being that most of us are engineers, I get to make geeky references. Think of the Death Star for this, right? They spent a ton of time; there's literally an entire movie and series now about the Death Star being built, and it had turrets. It had shields. It had Darth Vader flying around, all these TIE fighters, and one little tiny exhaust port, and that's all it took to make the whole thing come down. That's the same thing with your environment. It takes that one RDP port that's open to take down a county. It takes that one system that's susceptible to ransomware to bring down a school organization. And so this continuous assessment is going to show those weaknesses, show those exposures, and help to prioritize them: as this is being used in the real world, go get this fixed, because this is the one that's gonna hit you next.
Zero-days are bad, but mature exploits are worse. Zero-days, yeah, they come through. But in general, most attacks don't happen from zero-days. It used to be that no attacks happened from zero-days, but Log4Shell changed that. But for the most part, most attackers use mature exploits, ones that they like to use. They're gonna have a couple of CVEs that they're going to want to get in with. And as they're kind of doing their look-through to see, "Yeah, can I hit this guy?", if you don't have those CVEs, they're probably gonna move on unless they really want to. Now, this will change a little bit with AI, because they're gonna probably be able to utilize much more of those CVEs. But they're still mature exploits. They're still things that we can track and show you. And so, yeah, zero-days, everybody gets really, really upset by that. But they forget about that vulnerability that was a 5.0 from 3 years ago that's now wreaking havoc as part of a ransomware campaign.
Zero trust limits the attack surface. And again, zero trust is that continuous journey. But even just doing a cursory pass, even if you just take zero trust to mean for your organization that, hey, when somebody leaves, we're going to go through with a fine-tooth comb and make sure that we've removed all their access, that's a zero-trust exercise, and that's something that's going to reduce your overall attack surface. And so it's not something where you have to rip a band-aid off. It's not something that's one and done. It's that continuous journey. But it is going to consistently limit your attack surface and the ways that attackers can get in.
And don't just focus on the servers. Every single asset is a risk. And it comes up all the time: people say, "Yeah, we're just gonna protect the servers." Okay? But that means if somebody's in your environment, they might not be able to get to the server, but now they've got access to your workstation. They've got access to your IoT. They've got access to databases. It's not just the servers. So please focus on everything. But again, don't think that this is something that you have to do all or nothing, right? It may be that, yeah, right now, with the resources we have, we can only focus on servers and workstations. That's still better than just servers, and as time goes on, as maturity comes through, as resources become available, you can start adding in those additional pieces that provide additional context.
The goal should always be to reduce risk. Despite what people outside of our industry like to think, there's no such thing as zero risk; we'll never get there. But if we can consistently show that we are more secure today than we were yesterday, that's a huge win.
So just a quick conclusion. Hopefully I didn't lose anyone, and hopefully none of you thought that going through this was hell. But just a quick recap, right? Big thing: be resilient in the face of chaos. Security teams set the tone for your organization when these things happen. If there's an incident and security is running around like their heads are cut off, you don't know how to restore, you're not sure how this tool works, you're not sure where to go, the entire org is going to look at that, and it can make things much more chaotic for you, because you're going to be getting asked questions and constant anxieties from people while you're trying to get stuff fixed up. So be resilient.
We also always want to work towards a set of ultimate goals and objectives, but be adaptable when things don't go as planned. The ultimate goal is to reduce risk. How we do that is gonna change. There's gonna be different projects. There's going to be different priorities. But we should always be working towards risk reduction.
Cultivate cyber awareness across the entire organization. No one is above or below the need for that type of training and for that type of cultivation.
And finally, be proactive and maintain a strong foundation with exposure management as the cornerstone. Exposure management is really one of the most exciting things that I've seen happen in the industry, not because it really takes defense in depth to a new level, but because now it's multiple tools working together. Yeah, you know, we're all different vendors. We all have competition and things. But at the end of the day, if your EDR tool, your SIEM tool, and your IDS/IPS can talk to your proactive security and exposure management tool, that's better for everyone, right? It's all about taking time and manual effort off the table, letting the tool do its job, and getting you the prioritization that you need to fully reduce risk.
So we'll go ahead, and we can open it up to any questions that you might have. I think we had one in Q&A. So, Dr. David Johnson: the exposure management reports are going to be in the exposure management section under Analytics. It may not be in your environment yet. It's something that's being pushed through with some of the third-party data ingestion and connectors. So if you're not seeing it, please reach out to your customer success manager, and they can work with you to get that into your environment. Any other questions? Well, great! I thank you all for your attention today. Again, if you enjoyed this, please feel free to reach out to me on LinkedIn. If you loved it, my name was Joe Decker; if you hated it, my name was Dwayne "The Rock" Johnson. But thank you all very much for your attention today, and I hope to see you on your exposure management journey. Thanks, everyone.
Speakers

Joseph Decker
Manager, Security Engineering, Tenable