Recently, Tenable’s Chris Jensen, Federal Business Development and Capture Leader, was interviewed by Government Technology Insider to talk about how public sector agencies can mitigate vulnerabilities and manage risk. Jensen emphasized the importance of partnership in managing the constant cyber threats agencies are facing. Tenable is participating at the upcoming RSA Public Sector Day.
Government Technology Insider (GTI): Thank you for taking the time to speak with us today. Chris, can you tell us a little about your role at Tenable and what Tenable does?
Chris Jensen (CJ): As public sector business development manager, I help build our relationships with public sector agencies so they have a trusted advisor to help them tackle the myriad threats they’re facing. I manage programs with DoD and spend time supporting teams and making sure they have what they need at a system integrator level. Tenable is the cyber exposure company, built on a foundation that goes back over 20 years. We’re laser focused on helping organizations see, predict and act to reduce their cyber risk across the expanding attack surface — from IT to cloud to OT.
GTI: What are some of the most pressing security issues we are seeing right now in the public sector?
CJ: Public sector organizations are constantly targeted by bad actors looking to expose a vulnerability for strategic advantage. And, moreover, the actors and their tactics are constantly changing. Last year alone, there were over 18,000 vulnerabilities that had to be addressed.
GTI: How can agencies manage vulnerabilities?
CJ: The first step is to triage — agencies need to start by separating vulnerabilities from risk. Not all vulnerabilities pose risk, so you need a guide to understand which ones pose a risk and which ones are benign. If your agency isn’t working with a trusted partner in this area, it’s like you are going on a journey through a dense forest: without a guide, you are going to get lost. To help our agency partners manage vulnerabilities and risk, we go beyond the Common Vulnerability Scoring System (CVSS) to incorporate threat intelligence and other dynamic information to produce a Vulnerability Priority Rating (VPR), a benchmark that is updated daily and scores current vulnerabilities according to risk. Just a small percentage of vulnerabilities that are disclosed have a high probability of resulting in an attack or breach, so when you’re dealing with 18,000 vulnerabilities it is critical to know where the greatest risks lie.
GTI: Can you explain how resiliency is an important part of the security lifecycle?
CJ: Risk-based vulnerability management and resiliency are two sides of the same coin. To prevent being an easy target, your upfront defenses have to be stronger in order to prevent attacks. And to be resilient, you first have to understand where the gaps are in your network.
GTI: Do you have any closing thoughts for us?
CJ: In today’s environment, IT is just part of the story. Every new connection creates new vulnerabilities. Active Directory, for example, is an often overlooked but critically important aspect of the environment that needs to be secured, and Tenable has launched Tenable.ad to address that threat. RSA Public Sector Day is a great way to learn about emerging capabilities like this, and we look forward to the opportunity to demonstrate these capabilities.