Enterprise SecurityTop Stories

Cyberthreats: Gavin Millard of Tenable on reducing the attack surface

Cyberthreats: Gavin Millard of Tenable on reducing the attack surface

Gavin Millard, technical director of Tenable, says: "The perception that cloud is any more vulnerable than on-premises solutions is a myth. It doesn’t matter where your infrastructure or applications reside - if they’re connected then they’re vulnerable." 

Tenable is a cyber exposure company with more than 23,000 organisations around the globe relying on it to manage and measure their modern attack surface to accurately understand and reduce cyber risk.

Intelligent CIO spoke to its technical director Gavin Millard, a trained, ethical hacker who works with medium and large enterprises to address their cybersecurity challenges. With a deep understanding of how attackers plot a breach, he helps improve the security of these companies by reducing their attack surface. 

Can you give a brief history of Tenable in the region and products and solutions provided?

Tenable has more than 23,000 customers worldwide and over 1.6 million end users. While we continue to expand our global footprint, we’re also growing our presence in the Middle East. Tenable opened its Dubai office in October 2015, which now serves as a hub for our operations in the region. Tenable currently has sales and technical resources in the United Arab Emirates (UAE) and Saudi Arabia, covering all of the Gulf Cooperation Council (GCC) from those two main hubs. Customers leverage Tenable technology to identify all assets within their environment and assess for vulnerabilities or weaknesses that could be leveraged by a malicious threat actor.

Looking at 2017/2018, what does Tenable see as the main demands of end-user enterprises and government entities in the region in terms of changing business environments and the security of the same?

Accelerated innovation and adoption of new technologies are making businesses more agile and competitive in today’s crowded markets. But these new additions to corporate networks add scale and complexity that make it more challenging for security teams to effectively identify and reduce cyber risk. Private industry and government entities are looking for security solutions that enable them to keep up with the fast-paced business environment, while also maintaining their security and compliance posture.

The Middle East is notorious for a more reluctant adoption of cloud/virtualised architecture than other more developed markets. How is Tenable adequately reassuring current and potential clients that workloads migrating off dedicated servers and visibility into critical data can remain in the hands of management?

The perception that cloud is any more vulnerable than on-premises solutions is a myth. It doesn’t matter where your infrastructure or applications reside – if they’re connected then they’re vulnerable. What is important is accepting this and addressing the issue.

Leveraging cloud technologies can be hugely beneficial from a security standpoint, enabling organisations to address the significant technical debt of outdated systems and the flaws associated with them. As organisations move from traditional IT to the far more agile approaches to providing compute power, security can be baked into the software development cycle earlier to ensure a more secure foundation.

That said, cloud isn’t always the right choice for every organisation, which is why Tenable offers both cloud and on-premises products to service customers with varying security, compliance and business needs.

In comparison to more developed markets, are enterprises in the region adequately aware of and/or preparing sufficiently for more advanced data breaches, especially in the age of private/hybrid cloud adoption?

Building and maintaining a strategic and resilient cybersecurity programme doesn’t happen overnight, but enterprises and government entities in the UAE are taking steps toward improved cybersecurity. We’re starting to see a more concerted focus on improving cybersecurity across the country, which is critical as the threat landscape continues to evolve. The UAE National Electronic Security Authority (NESA) outlines strict security guidelines for organisations, which is just one initiative put forth to improve the country’s cybersecurity posture.

Cloud adoption, DevOps, big data and mobility have been big talking points for 2016/2017. How is Tenable advising enterprises and/or government entities to best prioritise investments for 2017-2018 across these operations in order to better reinforce their asset security?

Networks, assets and threats have all changed dramatically over the last few years, thanks to the adoption of cloud, DevOps and other technology trends. But security solutions haven’t kept up, creating a massive gap in an organisation’s ability to truly understand their Cyber Exposure. This Cyber Exposure gap has left organisations vulnerable and exposed. Organisations need to think strategically about their security programmes, ensuring that they’re investing in the right solutions and tools to tackle today’s modern IT challenges.

This is why Tenable launched the industry’s first cloud-based vulnerability management platform to secure the full range of assets in the modern elastic IT environment, including containers and web applications. With Tenable, customers gain unparalleled visibility into the security status of their modern IT infrastructure. Tenable is enabling our clients to gain critical visibility into the CI/CD (Continuous Integration/Continuous Deployment) pipeline to ensure that containers used by developers and pushed into the live environment don’t contain easily exploited flaws.

How has the BYOD phenomenon affected how Tenable does business and how are clients best protecting their networks with BYOD becoming increasingly dominant? BYOD is dramatically changing how the world does business – by 2017, half of all employers will require BYOD in the workplace. But the growth of enterprise mobility and BYOD is increasing threats to security and privacy. How are organisations managing the risks and rewards?

It is now expected that employees, contractors, partners and others have access to your network when they bring their personal devices to work. Laptops, tablets, smartphones, wearables, and other devices demand connectivity, and even help employees do their jobs more efficiently. But this constant connectivity also introduces security risks that security teams must address.

Good security starts with great visibility. Security teams need visibility into all assets and devices, especially those that can instantly connect and disconnect from the corporate network, like mobile devices. It’s important that whatever tool an organisation uses to manage mobile security, it integrates with other security solutions already in place, and fits seamlessly into the overall vulnerability management programme.

As networks become more open, and the perimeters eroded by the necessity of third party access or untrusted devices, it’s critically important that the vulnerabilities of the systems providing access to corporate data are understood and addressed in a timely manner.

With increasing network speeds and data traffic across networks, are enterprises and governments adequately investing in pre-emptive security precautions and monitoring tools? Is a lag with regulation in the region enabling a lag with compliance?

Monitoring and reviewing the effectiveness of security processes and controls is critical to maintaining security and compliance posture. UAE government entities and others identified as critical by NESA, are required to do so as part of the National Cyber Security Strategy. Organisations that follow these compliance requirements benefit from greater protection of assets, and a security-conscious culture, which is critical for overcoming emerging security challenges.  Whilst compliance and regulatory requirements are hugely beneficial to those that follow them, they often lag behind the current threats faced. This means proactive assessment of the environment against emerging threats and attack vectors is important to ensuring organisation stay both compliant and secure.