February 13, 2025

Guest: Arick Goomanovsky 

Bio: 

Arick is a tenured business leader with two decades of experience in strategy, technology, research, and leadership in government and the private sector. Prior to founding Ermetic, which was acquired by Tenable, Arick was a co-founder of Sygnia Consulting, a cyber consulting and incident response firm which was acquired by Temasek Holdings for $250M.  

Before Sygnia, Arick worked at McKinsey & Company in London, where he focused on strategy and operations. He served for 15 years in the IDF Intelligence Corps Unit 8200, where he held senior leadership positions from research to leading hundreds of cyber R&D experts. He received several awards for his unique contributions to national security. Arick earned a BSc in exact sciences (Talpiot program, cum laude), an MSc in mathematics from Hebrew University, and an MBA (cum laude) from INSEAD. 

Summary: 

In this episode, John Verry interviews Arick Goomanovsky, Vice President for Product Innovation at Tenable Security, about the concept of Cloud Detection and Response (CDR). They discuss the similarities and differences between CDR and Endpoint Detection and Response (EDR), as well as the integration of CDR into a comprehensive Cloud Native Application Protection (CNAP) solution. They also explore the challenges and benefits of automating response in the cloud and the importance of risk-based decision-making. The conversation highlights the evolving nature of the cloud security space and the need for organizations to stay informed and make informed decisions. 

Keywords: 

cloud detection response, CDR, endpoint detection response, EDR, cloud native application protection, CNAP, automation, risk-based decision-making, cloud security 

 

Takeaways: 

  • Cloud Detection and Response (CDR) is a suite of capabilities designed to help organizations detect and respond to threats in their cloud infrastructure environment. 
  • CDR is similar to Endpoint Detection and Response (EDR), but it is more complex due to the diverse nature of cloud environments. 
  • CDR can be integrated into a comprehensive Cloud Native Application Protection (CNAP) solution, providing a broader view of security and enabling more effective investigation and response. 
  • Automation in the cloud can be beneficial for faster response and remediation, but organizations need to carefully consider the potential risks and disruptions. 
  • The cloud security space is evolving, and organizations should stay informed about new technologies and solutions to make informed decisions. 

John Verry (00:00)
Hey there and welcome to yet another episode of the Virtual CISO podcast, with you as always your host John Verry, and with me today a recent visitor to the podcast and now on a second time, Arick Goomanovsky. Arick.

Arick (Tenable) (00:17)
Hey John, thanks for having me here.

John Verry (00:19)
Thanks for coming back on. I enjoyed the first conversation. If anyone has not listened to it yet, I thought Arick did a phenomenal job of clarifying some things around CNAP. So take a listen to that one. I think you’ll enjoy that. I always start simple. Tell us a little bit about who you are and what it is that you do every day.

Arick (Tenable) (00:39)
Sounds good. So I’m actually starting my new role right now. Today, I’m the Vice President for Product Innovation here at Tenable Security. So my role is to help Tenable structure its future capabilities, broadly speaking, in all the areas that Tenable is involved in. Prior to that, I was leading the Tenable Cloud Security product organization.

And in that role, my responsibility was to direct the product development in our cloud security domain.

John Verry (01:18)
So since the last time we chatted, role? Congratulations. Is it one you wanted or one that they asked you to take on?

Arick (Tenable) (01:21)
Correct?

So I wasn’t planning on it, but when RCO asked me to take this new responsibility, I wholeheartedly agreed. I think it’s a great opportunity. And it’s super exciting to look at the most innovative technologies out there and how we can take Tenable as a company to new heights. It’s super challenging and super exciting, obviously.

John Verry (01:58)
Congratulations. I know the last time we chatted when I asked you what your drink of choice was you said whatever the coolest sounding special is and you’ll fall back to a G&T. Have you had any cool drinks since the last time we chatted?

Arick (Tenable) (02:09)
So I had a couple pretty good espresso martinis. So, yeah.

John Verry (02:13)
It’s funny you should mention that. We have something in US called a Costco, which is these warehouse type clubs. And occasionally they’ll have a liquor store associated with them. And I’ve never seen one that did. And I went to one unusual for me. And I was like, wow, they got a liquor store. I’d love to see what it was. So I went in and I ended up with a, there wasn’t all that impressive to be blunt. But I did end up with this, I bought a grinder, G-R-I-N-D-R. It’s espresso based.

Arick (Tenable) (02:22)
Yeah, sure.

John Verry (02:42)
And for the first time I’ve ever had in the last few weeks since we chatted made espresso martinis at home. So we’re running in this kind of like parallel path here, which is a little bit odd, but yeah, a good espresso martini. And I went out and bought all the stuff that you needed for the Kahlua and a nice vanilla vodka. It’s been, I’ve had a few myself.

Arick (Tenable) (03:03)
Well, you know, I’m based out of Tel Aviv and whenever I travel to the US, I’m always fighting the jet lag and it really helps me, right? Because you’re out there, you’re drinking socially, but you’re in parallel to that also having some espressos, which keeps you awake.

John Verry (03:19)
Yeah, and probably, you know, I would argue that the espresso is healthier than Red Bull. I mean, you could go Red Bull and vodka, but I don’t think the Red Bull is all that good for you. So yeah, and we might have just lost Red Bull as a sponsor for both of our organizations. I apologize for that. All right. So the last time you were on, I thought you did a really great job of untangling, you know, that CNAP.

Arick (Tenable) (03:27)
I think I passed that when I was 18, right?

John Verry (03:42)
CSPM, CIEM, CWPP, infrastructure, you know, that whole mess, you will, that acronym confusion. I’m hoping you can do the same for, you know, what I would call is another new cyber buzzword that I think is a little bit confusing to me and some others is, you know, CDR, or sometimes you see it called CNDR or CTDR. I think they’re all the same thing. So let’s start simply. What is a CDR?

Arick (Tenable) (04:08)
So basically CDR stands for cloud detection response. And it’s a suite of capabilities that are designed to help organizations detect and respond to threats, live threats in their cloud infrastructure environment. So if you would take the analogy of EDR, for example, which is endpoint detection response, the idea there is to help you detect potential

John Verry (04:11)
you

Arick (Tenable) (04:36)
threats on your endpoints. So if someone is trying to execute a malware on your laptop or server, you would use an EDR endpoint detection response tool that would have very deep visibility into everything that’s happening on your machine. So the analogy of that in the cloud or within the cloud infrastructure is CDR. Now, the difference between CDR and EDR, it’s not only that this is endpoint and this is cloud,

it’s also because cloud is more complex. It’s combined of endpoints that are running on servers. Some of them are serverless, right? So you have the machine detection response, but you also have the network detection response. You have the identity and API call detection response, right? So it all comes together. It is way more complex than an EDR solution is. If you want to take the analogy of CDR to something, it’s maybe…

what was called the on-prem environment XDR, right? So something that looks broadly across your entire environment, looks at your endpoints, looks at your network, looks at your identities, and trying to combine all these insights together to detect live threats. So the extension of XDR to the cloud is CDR, basically. That’s the idea.

John Verry (05:55)
Yeah, question for you. Some XDR vendors kind of claim that they are doing cloud. Is there a is there is that accurate? Is there a difference between XDR that does cloud versus CDR?

Arick (Tenable) (06:09)
I wouldn’t say that there is necessarily a difference per definition. It’s all a question of how you go about doing that. What we’ve seen with on-prem technology is that often when they extend their capabilities to the cloud, they’re not doing that in a cloud-native way. They’re basically taking the same capabilities they had on-premise and extending those to the cloud. The most common example is how you do

EPP or how do you do workload security in the cloud? So in the beginning, what people have been doing, they took the tools that they had on premise. So there are security tools that they used on on-prem servers and they ran those on cloud environments. That’s great. That does provide obviously significant value, but ultimately cloud workloads are different from

just the same server running in the cloud. You have also serverless environments, you have containerized environments. So ultimately there was a new space developed that is called Cloud Workload Protection, CWP, and I think we talked about that in our previous conversation, right? So yes, you can do CWP with your traditional on-prem endpoint tools, but if you wanted to do CWP properly, you should do that with cloud-specific or specialized tools. Same goes for CDR.

If you want to do detection in the cloud, you can do that in the same ways you tried to do that on premise, but you can do that in the cloud in ways that are different, more cloud native, leveraging more cloud APIs, deeper cloud capabilities, and also something that covers the entire cloud stack, which is somewhat different from the on-prem stack.

John Verry (07:53)
Gotcha. So if I’m going to oversimplify it, XDR in the cloud would be sort of like taking a CrowdStrike agent and putting it on a VM. And it’s going to provide a lot of value. But if you are cloud native and you’re actually, like you said, hooked into the APIs associated with the cloud services, we’re going to have a greater level of visibility. OK.

Arick (Tenable) (08:17)
Correct.

By the way, a great example, if you look at CDR vendors today, first of all, it’s an emerging space. We at Tenable obviously have CDR capabilities. I’ll mention that in a second, but there are other vendors, leading vendors that have similar capabilities. And you can see the different vendors started from different areas. Obviously the vendors like CrowdStrike capitalizing what they’re doing best, which is endpoint detection response, right? So their CDR is heavily built on their endpoint engine

they’re using on-premise exactly to your example. We at Tenable historically, even when we were a young startup called Ermetic back in 2019, our first generation of a cloud CIEM capability had a CDR capability because we were monitoring API calls in the cloud and detecting anomalous API calls or anomalous user behavior, which is another way to do CDR without any agent technology,

even without looking into machines. Obviously today we have a CDR capability that is way more advanced that couples that also with an endpoint visibility, but that’s an evolution, right? And you see this evolution among all the different vendors where every other vendor started from a different place, but gradually everyone is kind of converging towards the same kind of platform like visibility, exactly similar to what we haven’t seen now, right?

In CNAP, for example, we at Ermetic started from the identity space, Palo started from the workload protection space, et cetera, et cetera. But ultimately, everyone kind of converges to the same platform approach, obviously with different flavors. Same happens in the CDR. By the way, if you want to look at CNAP and CDR, it’s like the pre-breach space, that’s the CNAP, and post-breach, that’s CDR. But it’s looking at the same problem from two different angles.

John Verry (10:12)
Gotcha, so it’s sort of XDR left or CSPM right, right? You know, we’re just, we’re just, we’re gonna, we’re gonna converge somewhere in the middle. And then depending upon what the lineage is, that’ll differentiate where one might be, do things a bit different, perhaps do things a little bit better. Okay. That, that, that makes sense. That makes sense. So, so let’s actually talk about that. The, the, you know, cause when we talked about this briefly in our last call,

Arick (Tenable) (10:17)
Correct. Exactly.

John Verry (10:43)
I got the impression that we could have added CDR into that acronym set because most of what you were already talking about, the CSPM, the CIEM, CWPP, effectively is an element of CDR. So is CDR just sort of endemic to a really comprehensive CNAP tool? Or is CDR another add-on, if you will, to a CNAP tool?

Arick (Tenable) (11:13)
This is a great question and I think the jury is still out. I think if you look at that only from a pure technical perspective, you could say, okay, I’m looking at the same APIs, I’m doing very similar analysis, why don’t I build a CDR as part of a CNAP solution? It’s a natural extension, it’s the same technologies. But in our business,

It’s not only about the technology, it’s also about the organization and people, like everything that has to do with organizations. And historically, CDR solutions or detection solutions have a different user. If you look at the key user for a CNAP solution, it’s ultimately your cloud engineering or cloud security organizations. People that are using detection technologies usually belong to the SOC,

right? operation center, they’re using same product. They’re using the EDR XDR product. It’s a different user within the organization from the aura perspective. It’s a different buyer. It’s a different budget. And these are different use cases. And sometimes you can find a situation where a similar technology breaks into two different two distinct products because the user and the buyer is ultimately different. So

I don’t yet know whether CDR in itself will be a standalone category that the SOC users would use and it will ultimately basically integrate into the SOC or the SIEM product or whether it’s going to be a part of the SIEM solution and will be a module that will be sold on top of the SIEM solution but for a different user. I think there is one difference between

you know, a SIEM product and the CDR product and why the affinity between CDR and CNAP so strong. If you’re a, you know, you’re a hunter or you’re a detection specialist or a SOC operator and you have an anomalous behavior alert, whether it’s coming from a machine or an API call, whatever, right? And now you want to investigate that alert. You do not want to look only at the activities of the alerts and so on and so forth.

You also want to look at the configuration of your system. And that’s why a strong CDR solution needs a CNAP attached to it, right? Because you see that user, you see that the user has access, you know, a bucket with sensitive information in suspicious hours, right? Or from a suspicious IP address. You want to look at the configuration of the user. You want to look at the configuration of that bucket, right? You want to have that information at your hands, ready to do your investigation.

And this is something that traditional SIEM products do not have because they’re mostly based on logs, et cetera, et cetera. Right. If you look at the Splunks of the world, the Sumo Logics of the world, they’re giving you the suspicious behavior. But if you want to investigate the configuration of that user or machine or what have you, you have to go to another product. And that’s why tying CDR to CNAP is so important because if I run an alert on my CDR,

and because my CDR is part of my CNAP platform, I enabled the user immediately to see the configuration and the potential problems that might be with that user, which helps to run the investigation and do the triage, which is so important.

John Verry (14:48)
Yeah, it’s a very interesting.

That integration is going to be very interesting because like conceptually, we aspire to a single pane of glass. And having internal systems as an example, feeding into a SIEM and having this CDR standing by itself doesn’t make sense. So the CDR is going to have to talk to the SIEM. The SOC is going to be, especially in a 24 by 7 shop, the SOC is going to have to have it.

So it seems to me like the CDR is just going to be the back end data source presented optimally for someone who is trying to understand whether a security event is a security incident.

Arick (Tenable) (15:38)
Correct. What I think and I believe what eventually would happen is that you’re absolutely correct. The CDR will generate alerts. These alerts would flow into a SIEM product and a SOC analyst will see those alerts in the SIEM product, which will be the single pane of glass for everything post-breach. But then if they want to do an investigation of that alert and triage that alert properly, if they have a suspicion that this is indeed something serious,

they would double click into the CDR product, which will have all the data pulling from the CNAP, pulling from the behavior analytics, et cetera, et cetera, that would present all that context to the analyst. So they can make a quick decision, whether this is a false positive or a real live threat that they have now to go and investigate it into further. By the way, it’s not very different from the EDR space, you think, right? EDRs are also, they’re also shooting alerts into SIEM, but eventually the investigation is done within the

John Verry (16:31)
No, I agree.

Arick (Tenable) (16:37)
domain-specific products.

John Verry (16:39)
Yeah, yeah. And now you’re getting into another interesting argument for platform vendors. The more I look at this, the more I think that the platform vendors and the security space are going to be the winners, if you will, over the next dozen years, just for this reason, right? I mean, if you’re sitting in your SIEM tool and you need to consistently go to other

tools to investigate, just that process of going in and out of the different tools and them using, you’ve got non-normalized communication of information. And even just subtle things where someone’s referring to something as web, someone refers to it HTTP, someone refers to it as 443. That non-normalization, it can be challenging, especially in a stressful response. So it’s a shame that you don’t know anyone who heads up like

product development anywhere that would be looking to figure out a way to kind of make all this stuff come together in a single unified platform, right?

Arick (Tenable) (17:46)
So that’s exactly part of the, I think you hit the nail on the head.

This is exactly the number one task I’m currently looking at trying to, you know, Tenable, we’re leaders in the, besides cloud security, exposure management space, which is, you like, trying to, it speaks about exactly that, trying to consolidate all the security insights into a single platform

John Verry (17:57)
Ha.

Arick (Tenable) (18:12)
pre-breach, right? We’re not yet players in the post-breach space significantly besides the cloud CDR area. But yeah, I think you’re absolutely right. That’s exactly where the market is going to in a few years. You want to be able to look at the same platform, see the pre-breach, post-breach, and be able to connect the dots in a meaningful way. I think that’s just the next phase of this cloud security, or generally security evolution.

John Verry (18:39)
Yeah, it’s interesting because it’s all of the things we talk about, you know, attack surface management, configuration, vulnerability management, CSP, they’re all the same fundamental idea at different points in a life cycle, whether it’s the life cycle of products being deployed and operated, whether it’s the life cycle of an incident, right? So logically, the more visibility we have, and in a weird way, it also plugs into that shift left concept, right?

Because isn’t fundamental attack surface management and vulnerability and configuration management just like the ultimate of shifting left? And like we talked about, infrastructure as code scanning. That precedes CSPM, right? So yeah, it’s a continuum. And what you’re looking to do is ensure that you’re going to be able to protect them through the full continuum.

Arick (Tenable) (19:29)
That’s right. I remember four years ago, five years ago now, when we were looking at, when we were just starting Ermetic, we look at that in 3D space. We said, OK, there are different cloud service providers. So you can have to support the three cloud service providers. There are different user types. So you have developers. You have, you know,

you have, you know, dev, prod environments, but you also have the pre-breach and the post-breach, right? And you have to help organizations protect themselves, pre-breach, post-breach. So, and it also, it’s not even a continuum, it’s a cycle because if you go from a pre-breach, you go to a breach, you have a post-breach, then you have remediation, you go to a pre-breach again, right? So it’s kind of a never-ending cycle where…

Each organization is at some point, sometimes in a number of different ways, depends on the environment. One environment might be breached, one environment might not be breached, one environment was breached, and now you’re in a remediation stage, right? So it’s really challenging for organizations.

John Verry (20:43)
And it gets even more challenging for them and for you because so often we conflate, in fact, we often get funding for security through compliance. And I’ve always said that, like, you know, in the SIEM world, you know, security is about the signal and compliance is about the noise, right? So we’re trying to serve two masters with one system, and you’re going to have the same challenge with, you know, CNAP, right?

Flowing into CDR is, you know, these same tools are ultimately our, the largest value problem in many organizations or the way that they get funded is through compliance.

Arick (Tenable) (21:25)
That’s true. That’s true. And a lot of people confuse security with compliance, right? They think they are the same and no, they’re fundamentally different. Compliance is important for a variety of reasons, but it’s not security. And you have to understand to what extent you want to be compliant and to what extent you want to be secure. And although I would say 80% of the time or 90% of the time, these objectives are not

contradictory. There are 10% of the time where you really have to choose where you’re putting your extra buck, right? So whether you’re working more towards compliance or you’re enhancing security. And by the way, post breach and CDR, it’s more about security than compliance, right? Because to your point, it’s trying to find the needle in the haystack or the signal out of the noise, right?

John Verry (22:20)
Yeah, but I just think as a, you, especially in your new product, architecture, product engineering, you know, role, you know, it’s inherently a challenge that you’re trying to develop a product which has disparate end goals for different parts of the organization. But yet there’s an expectation that if we’re going to spend, you know, a lot of money that we’re going to end up with both. Right. So, I’m glad it’s your problem to solve, not mine.

Arick (Tenable) (22:46)
Thank you. But I think it’s what makes the life and work of a product leader so interesting, right? You always have to understand your users, right? And to your point, if platforms are going to be the winners, platforms ultimately solve more than one user.

John Verry (22:46)
Should we have had this conversation before you said yes?

Arick (Tenable) (23:15)
If the age of single use case siloed security solutions is over and we’re going to be offering solutions like CNAP that talk network and talk identity and talk workloads, and talk data, ultimately you have different users that you have to cater to. You have the data owners and you have the identity people and workload people. And developers.

So it’s a lot of users and you have to build smart products that are able to speak multiple languages and support multiple use cases. But on the other hand, I think this new generation of products will also empower those users and help the users speak multiple languages as well. Because in order to be a successful security practitioner today, you have to understand various domains and you have to speak a number of different languages.

It’s not only enough for you to speak network today, right? If you’re in the cloud, you have to understand a little bit of identity and vice versa, right? So I think this is the not only evolution of the security products, but also evolution of security experts and organizations and talent over time as well.

John Verry (24:31)
I would imagine that a CDR product that comes to it from the CSPM CNAP side, one of the advantages that it would have is that because it’s more cloud native, if I use that phrase, and it’s more wired into the underlying services, it would have a higher likelihood of being able to, I’m going to say automate some of the remediation and response.

Is that true and can you give me an example?

Arick (Tenable) (25:04)
Yes, I would say it is. First of all, response in the cloud is challenging. If you think about response on premise, the on-prem environments, it’s split between the user environment and the production, or the backend, the data center environment. In the cloud, it’s only the data center. So if I detect a suspicious process, or

on the user endpoint. Unless it’s the CEO’s endpoint, I can immediately take it off the network. I can immediately shut it down. The impact on the organization is very limited to that specific machine. You want to be way more cautious if you’re doing something like that on the server side, because now you can have a tremendous disruption of your business. And in the cloud, it’s always the server side. It’s always production. It’s always applications.

That’s why people are very cautious with automatic response in the cloud. Even on the preemptive side, right? Like, let’s say I see a publicly exposed database or bucket, right? Some people are very hesitant with automatic, you know, automatically taking that off the network or off the public exposure. Same goes obviously for with threats. But when you’re a cloud native, you have the broader context, right? You see the activities. So you can say, okay, I see that this machine

there might be something malicious on the machine. I won’t take the machine off the network, but I will block some of the permissions that it has. So for example, it’s using a service account that that service account has, you know, the ability to elevate privileges or some admin permissions it’s not using, right? I can block these and I know it’s not using these permissions because I have this cloud native context and I can block these and there is no risk for the business,

but I somewhat mitigated the threat of that malware until I do further investigation. And that’s not something that you can do if you’re taking only the kind of workload approach. You’re seeing that machine, you’re seeing that malware, but you don’t have the broader context. You don’t have any mitigating controls. You can either kill the process or not kill it. When you have the broader view from the CNAP solution, the cloud native view, you have a lot of additional mitigating controls you can leverage.

and that’s to your advantage obviously.

John Verry (27:34)
Yeah, and you have more native visibility, right? So even if you’re not using the automation component, you should be able to respond faster. Quick question for you. We have had the ability to automate response for a long, I mean, if I remember, Okena StormWatch was like, I remember when that product came out and then Cisco bought it. I, as a security guy, was like, okay, this is the best thing I’ve ever seen. Like it was Tripwire on steroids and we have Tripwire, right? Another great tool that’s still out there.

But yet we, for, I mean, and that’s gotta be 20 years ago. So for the last 20 years, we’ve had these capabilities to do automated response and cut these things off. Everyone is scared to death, especially with revenue generating systems, to actually do so. That being said, with the insane number of breaches that we’re having and the cost and impact of many of them, right, Change Healthcare, $15 billion worth of healthcare claims, processing, impossible,

people having problems in hospitals, servicing sick patients. Should we be looking a little bit more and, you know, like is the poison, excuse me, is the medicine actually, you know, better than the poison at this point? Should we be leaning more into some automation?

Arick (Tenable) (28:55)
That’s a good question. And again, I think the jury’s still out. Obviously, I think we should be leaning into as much automation as possible, obviously in the cloud where everything is automated. That said, look at the recent CrowdStrike incident. Obviously, the business disruption there with the problem with the security technology was way bigger than potential risks from cyber threats, right? So you have to be very careful about how you’re using security tools and what you’re allowing the security tools to automatically do on your environment because if you misuse them or there is a problem with the tool, the business disruption damages can be pretty, pretty hard.

John Verry (29:46)
Does the fact that we’re in the cloud mitigate some of that, though? So as an example, if you had a tool like an Okena StormWatch and it took action on a conventional server sitting in a conventional data center, and it takes the server down, the process of spinning up a new server is fairly significant. It could take hours. It could take days, depending upon the complexity of the application. In the cloud, if this is something which is Kubernetes, is it

really not that difficult to spin up something to replace something that went down. Does the fact that the cloud gives us those kind of capabilities, should that encourage us to lean more into automation of this nature?

Arick (Tenable) (30:33)
I think ultimately, yes, but you have to be very careful about how you do that. You really have to trust those workflows that you build out for those specific use cases. I think the more advanced organizations that I’ve seen in the past few years as I engage more and more organizations that operate in the cloud, the more advanced organizations have this, they call that a risk ledger or what have you, right? They map out those specific scenarios, which are

from a security standpoint are unbearable to those organizations where they are willingly ready to enforce automation and remediate automatically those scenarios, either pre-breach or post-breach obviously. And there are other scenarios where they’re saying, okay, we’ve got to have a human being, a person in the loop who kind of makes the decision and does the judgment. But I think the less advanced organizations still

kind of trying to err on the side of caution. But I think you’re absolutely right. There is no way that with the scale of organization, especially in the cloud and all the automation that happens in the cloud, that people would have to be able to, you know, stick to manual processes and manual, you know, decision-making processes, mostly when it comes to remediation. A lot of that will have to be automated.

John Verry (32:01)
Yeah, I like what you said that it’s a risk-based decision. And I think that people are not making those risk-based decisions. They just fear automation and disruption of, let’s say, e-commerce, right? So if we looked at this and said, at any point in time, we might have six shopping carts carrying X thousand dollars worth of product in them that we might lose as sales. But in the event that someone dumps our client database, that is a three million dollar or $30 million breach, maybe it’s not such a bad idea to drop a couple of shopping carts because half of them are going to come back and refill them anyway.

Arick (Tenable) (32:41)
Correct, correct. And you see that happening more and more. And by the way, a lot of those shopping carts, put it in your words, are being dropped anyway because of other operational issues. So the downside of that is minimal in many cases.

John Verry (32:57)
Gotcha. Is CDR a, so if we were using your product, is CDR something that we license as something on top of the normal CNAP product, or is CDR just currently inherent in the CNAP product?

Arick (Tenable) (33:15)
So currently it’s inherent in the CNAP product. There is a slightly additional charge if you’re using agent-based technology on your workloads, right? So we charge a little bit for that. But again, I think this pricing and licensing discussion, it’s a moving target, right? We’re still exploring this phase. We’re still learning what the customers are looking for.

The market is shaping still. So maybe in a year down the road, once the market is more established, maybe it’s going to be a different SKU that will be included in the whole CNAP product. But maybe some customers want to purchase only the CDR component because they might have a different CNAP solution. So for example, already today, because we’re leaders in the CIEM space, we have customers that are using a different CNAP solution but are using our CIEM to augment that.

So similar things might happen. Yeah, yeah, it’s pretty common.

John Verry (34:15)
Really? That’s,

yeah, wow. That’s actually, so they’re using somebody else’s CNAP CSPM, whatever component of it it is, and your CIEM product on top of that. That’s interesting. I mean, I would imagine it’s better than not using it, but if you can combine the two, I would imagine that there are,

Arick (Tenable) (34:31)
Correct? Correct.

So I think similar things.

John Verry (34:43)
sort of dangerous combinations of things which are more likely, you which are you don’t have the capability of seeing if you’re using disparate tools,

Arick (Tenable) (34:52)
Yeah, that’s true. Although in most situations like that, they have all that information from us as well. Or we integrate into the other CSPM as well. So I think that that risk is minimal. But to your point, it’s still better to have a single pane of glass. However, again, it goes back to the point of the different users. So for example, the key user of a CIEM solution is an identity person.

They have different use cases that many CNAP solutions do not support or most CNAP solutions do not support. That’s why they need a different tool. And for a large organization, Fortune 10 enterprise, the additional cost of investing in an additional solution is much smaller to your point than the risk of a breach or a miscompliance. So it does make sense.

Obviously, we’re still going towards consolidation. But again, there might be a situation a year or two from now where an organization is using a CNAP solution from Palo Alto and a CDR from Tenable or vice versa. I would not write that off as easy. We see situations like that in similar domains still.

John Verry (36:16)
Interesting. The more things change, the more they stay the same. Anything we missed? We beat this up pretty good. Anything else you want to add?

Arick (Tenable) (36:27)
I think it’s just important to remember that, again, this is an evolving space. Whatever we say today might still be relevant six months or 12 months down the road or might be less relevant. So I would encourage everyone to try to keep up with the pace to see what are the new things that are coming out, what the vendors are offering and make informed decisions.

John Verry (36:53)
Well, as always, you brought it. Thank you. Appreciate it. Good luck with the new role.

Arick (Tenable) (36:59)
Thank you so much.