Tenable today launched Lumin, a tool that allows companies to measure and quantify cyber risk.
Lumin is a new application within Tenable.io, the company’s cyber exposure platform. It works with Tenable’s other products, like its container and web application security offerings. The application analyzes vulnerability data, business-critical assets, and threat context. It then quantifies an organization’s cyber risk and benchmarks it against their peers.
“Cyber exposure enables businesses to undergo digital transformation in a secure way by helping them answer three questions: How am I exposed? What can I do to reduce my exposure as quickly as possible? And how do I compare to my peers?” explained Tenable CTO Renaud Deraison. “This is also a very difficult thing to do because security has a lot of dark magic, and the ability to compare other companies in my vertical is something we needed to add.”
How Lumin Works
Tenable does this by first deploying sensors throughout the enterprise — this includes software that monitors the network and agents deployed on laptops and other mobile devices. The sensors look for things like missing critical updates and patches or suspicious network traffic.
“We take all the data from the sensors and prioritize the results based on how critical the assets are to you as a company and what’s happening in the real world,” Deraison said.
It provides benchmarking data based on Tenable product telemetry and human intelligence from the company’s research team.
Lumin also uses third-party data APIs to assess this vulnerability data. It consolidates the data and presents it in a single view. Out of the box APIs include Qualys for vulnerability data, Amazon Web Services (AWS) for cloud workload data, and ServiceNow for IT asset data.
Tenable will begin a beta for Lumin in the second quarter. The company plans to announce new capabilities throughout 2018. Some of these new capabilities will include pulling threat and vulnerability data from other vendors, Deraison said.
The product will be generally available in the second half of the year.
Quantifying Cyber Risk
This idea of quantifying cyber risk is still relatively new from a software vendor standpoint. But it’s becoming more important to CISOs and CIOs as the sheer number of threats and their financial cost grows.
A February report from McAfee found cybercrime costs businesses close to $600 billion per year, or 0.8 percent of global GDP. This is up from a 2014 study that put global losses at about $445 billion.
According to Tenable’s own research, the average customer detects between 8,000 to 9,000 high- or critical-severity vulnerabilities every month.
Some of the other software companies in this space include RiskLens, Corax, and Cyence, which was recently acquired by Guidewire Software.
Last year, Gartner published its first integrated risk market forecast, covering strategic, operational, and IT risk. It found that by 2020, more than 50 percent of large enterprises will use an integrated risk management product or system, up from about 30 percent today.
Additionally, by 2020, at least half of the integrated risk management products on the market will be software-as-a-service (SaaS), up from about 25 percent today.