From the Aria Resort in Las Vegas, it's theCUBE. Covering AWS Marketplace, brought to you by Amazon Web Services.

Hey, welcome back everybody. Jeff Frick here with theCUBE. We are kicking off three crazy days at AWS re:Invent. It is the place to be the week after Thanksgiving. There's got to be 50,000 people. We haven't got the official word, but it's packed and it kicks off tonight with the reception. We're here at the AWS Marketplace and Service Catalog Experience, over at the Aria in the Quad. Come check us out. A lot of good stuff going on. A lot of fun stuff going on. And we're excited to have first time to theCUBE. He's Nathan Dyer, Senior Product Manager for Tenable. Great to see you.

Jeff, great to be here. Thanks for having me.

Yeah, they have the energy. They open the doors, the people are streaming. I don't know if it's the food or the drinks or the vendors.

All the above.

Yeah, I think so. Probably more of the food in the thing.

Yeah, I think so.

All right, so give us an overview of Tenable for people who aren't familiar with the company.

Yeah, so Tenable, we are the cyber exposure company. We help organizations assess, manage and measure their cyber risk across their entire organization, across their modern attack surface. And so what we try to do is help answer four fundamental questions around security. You know, how exposed are we? How do we prioritize based on risk? How are we doing over time from a measurement standpoint? And then how do we compare with our peers? And so if you haven't heard of Tenable, chances are you've heard of Nessus, which is one of our flagship brands. Nessus just turned 20 years young earlier this year. You know, if you're a pen tester, if you're a consultant, if you're a practitioner, you know Nessus. But over the years, we've added some other brands as well. Security Center, which is now renamed Tenable.sc, which is our on-prem vulnerability management solution.
And then Tenable.io, which was released in 2017, which is our cloud-based vulnerability management solution and built on AWS.

Right, so I was doing some research. I love your guys' little mantra here. You know, it's security for code, for clouds, and containers. You know, you got all the C's there. The containers, you know, what's going on with Docker over the last couple of years, and now obviously the huge groundswell with Kubernetes. You know, this container thing, depending on who you talk to, it's been around for a long time, but it certainly didn't have a momentum. How has the growth of the container world impacted the security space?

Oh, it's massive. I mean, containers are everywhere. In fact, there's a strong affinity to cloud and containers. So a lot of our large AWS customers love containers. They've been dabbling with containers for quite some time. They're moving more and more workloads to be containerized and on Kubernetes and Docker, et cetera. From a security standpoint, that introduces a lot of challenges, right? You know, the short-lived life cycles of Docker containers make it very hard for us in security to assess or discover them. You know, they're part of the whole immutable infrastructure phenomenon, so you can't patch it in production, right? It's infrastructure as code. You have to tear down the container, fix the image, and then redeploy. So, you know, from our perspective, we think you have to secure containers by focusing on the container image, right? And so specifically as developers are, you know, they're spinning up new code, compiling new builds, creating new container images, as they're running quality assurance checks, security has to be a critical part of that quality assurance process, right? As you're doing integration tests, unit testing, API testing, security has to be a critical test, looking for vulnerabilities and malware as part of that process, too.

But the rate of change in those images is pretty high.
I mean, the rate of deployments is super high, but like you said, a lot of them have short lifespans, they're up and they're down. So, you know, have people baked that into their process? I mean, obviously, they are, how are you helping them to make sure that security is a really key piece to that image? Because once that image goes out, it has access to all kinds of things.

So then the new news with containers, and then by focusing on the image, it forces security teams to talk to their development peers, right? In order to secure DevOps and secure containers, security has to be embedded in the continuous integration, continuous delivery cycles or systems. And if you're focusing on development, you have a much greater chance of, you know, making sure that vulnerable container images are not escaping into the wild and you actually get a hold of those vulnerable images and make sure they adhere to corporate policies before they're released into production. So that's the new news.

It was funny because you referenced the DevOps, because DevOps now has been around for a while and clearly is the way the code gets deployed at a very rapid iteration. So are there, you know, some significant lessons from the DevOps security angle that you're now using then on the container side?

Yeah, well, first thing with secure DevOps and DevSecOps in general, is you have to get the developers and security teams to talk, right? You have to have a shared understanding of what makes each other tick, what are the goals, what are the responsibilities, priorities, understand each other. And it turns out there's actually a lot of shared understanding and mutual benefit between InfoSec and application development, right? When security is focused on, you know, solving for vulnerabilities and looking for security issues, you know, that's improving code quality. That's removing some of the software defects from the development code. And, you know, developers love that.
They love producing high quality code. On the flip side, you know, security teams could learn a lot about agile development, DevOps principles, right? Bringing DevOps into the security discipline and help develop or help security teams, you know, start to leverage automation and continuous testing, continuous delivery and make them much more scalable and productive in their organization. So there's a lot of mutual understanding there.

So I'd imagine there's a lot of kind of similarities between kind of classic waterfall in the moat versus now kind of the DevOps and the continuous and ongoing constant process.

That's exactly right, yeah.

So we're here at the AWS Marketplace. So you guys are selling through the Marketplace. How has that been for the company? How's the experience been working with the AWS Marketplace?

That's been great. I mean, Amazon's a great partner to work with. You know, Tenable.io, which is our cloud-based vulnerability management solution, is built on Amazon. We have a great relationship with Amazon engineers. Now for the Marketplace, we've been selling Nessus for quite some time through the Marketplace. So if you're a Nessus subscriber, if you're a Tenable.io or a Security Center or a Tenable.sc subscriber, you get access to unlimited Nessus scanners and you can provision them very easily through the Marketplace. It's super easy. Just recently, we now unveiled Tenable.io through the Marketplace and so far it's been a great success. Now customers who prefer to buy through Amazon Marketplace, AWS Marketplace, can do so with a number, with a couple clicks and be provisioned and get up and running with Tenable.io. It's super easy. You can learn about the product, kick the tires with a free evaluation and really provision the product very simply.

Yeah, I would imagine the touch from your guys' side goes down significantly when they're just coming right through the Marketplace.

Exactly, that's the idea.
Make it super easy for customers to invest in Tenable.io and get a great experience in doing it.

Right. What about your own sales guys though? There's a little channel conflict, like, hey, come on, I want to sell that thing. We don't want to go through Amazon.

Not at all. Our mantra is we want the customer to purchase through the channel they're comfortable with and if they want to purchase through the AWS Marketplace, we have a channel for them. They want to go through our three-tier model. We have obviously a great experience here as well.

Yeah, and clearly Amazon brings a lot of customer eyeballs to the table.

They're a great partner.

So just before we wrap, you guys came out with the Vulnerability Intelligence Report. I wonder if you could share some of the highlights, some of the things you guys are obviously keeping track of this. You talked about benchmarking against your peers and I know there's also a lot of sharing of information within security companies to kind of know what the bad guys are and some of the patterns and best practices. So I wonder if you could share some of the current trends, what are you seeing? How's the landscape changing?

Well, first of all, we have a phenomenal Tenable Research team. They're phenomenal in terms of the data science, in terms of the vulnerability intelligence. We have a wealth of data at our hands from various deployments and so there's a lot of great number crunching and analysis we can generate from that. What we discovered in the Vulnerability Intelligence Report is that security teams are just bombarded with vulnerabilities, literally bombarded. You know, last year in 2017, we saw I think over 15,000 CVEs and unique vulnerabilities hitting the marketplace or hitting industry and by the end of this year we're expected to be between 18,000 and 19,000 vulnerabilities. So the trend is just going up, up, up.
I think what makes matters worse though is that when you start looking at those 19,000 vulnerabilities, over 60% of those vulnerabilities are classified as either high risk or critical.

65%?

We're on 60%.

Of the, what was the numerator?

Of those CVE, of those 18,000 to 19,000 vulnerabilities are classified as high risk or critical risk. So that's a lot of fire drills that security teams need to chase. And so what we're trying to achieve is helping our customers and helping the market at large understand what are the true risks out there? Not the theoretical risks, what are the actual cyber risks? Meaning one of the vulnerabilities that could be easily exploitable that have exploited, you know, exploit kits already developed. We have our data science team looking at the different, you know, the characteristics of vulnerabilities and which ones would be leveraged by the bad guys and which ones would not be. And so we can significantly boil that number down so that organizations can focus on only 5% of the number of vulnerabilities that they otherwise would be chasing without changing the overall security risk to the organization. So prioritization is super, super critical for those organizations.

And Nathan, I think we'd call that separating the signal from the noise.

It's cute. All right, Jeff, thanks for having me.

Nathan, thank you very much. It's great to see you and have a great show.

Thanks, you too.

All right, I'm Jeff, he's Nathan, you're watching theCUBE. We are at the AWS Marketplace and Service Catalog Experience at the Aria, at the Quad, come on by. You're serving free food and drink. See you next time.