Nathan Dyer, Tenable | AWS Marketplace 2018
>> From the Aria Resort in Las Vegas, it's theCUBE. Covering AWS marketplace. Brought to you by Amazon Web Services.

>> Hey, welcome back everybody, Jeff Frick here with theCUBE. We are kicking off three crazy days at AWS re:Invent. It is the place to be the week after Thanksgiving. There's got to be 50,000 people, we haven't got the official word, but it's packed and it kicks off tonight with a reception. We're here at the AWS Marketplace and Service Catalog Experience over at the Aria, in the quad, come check us out. A lot of good stuff going on. A lot of fun stuff going on. And we're excited to have first time to theCUBE, he's Nathan Dyer, Senior Product Manager for Tenable. Great to see you.

>> Jeff, great to be here. Thanks for having me.

>> Yeah, have the energy, they opened the doors, the people are streaming in.

>> I don't know if it's the food or the drinks or the vendors.

>> All of the above. Probably more the food and the drinks. All right. So give us an overview of Tenable for people who aren't familiar with the company.

>> Yeah, so Tenable, we are the cyber exposure company. We help organizations assess, manage, and measure their cyber risk across their entire organization, across their monitored attack surface. And so what we try to do is help answer four fundamental questions around security. How exposed are we? How do we prioritize based on risk, how are we doing over time from a measurement standpoint, and then how do we compare with our peers? And so, if you haven't heard of Tenable, chances are you've heard of Nessus, which is one of our flagship brands. Nessus just turned 20 years young earlier this year. If you're a pen tester, if you're a consultant, if you're a practitioner, you know Nessus. But over the years we've added some other brands as well. Security Center, which is now renamed Tenable.sc, which is our on-prem vulnerability management solution. And then tenable.io, which was released in 2017, which is our cloud-based vulnerability management solution and built on AWS.

>> Right. So I was doing some research, I love your guys' little mantra here, it's security for code, for clouds and containers. You got all the C's there. The containers, you know, what's going on with Docker over the last couple of years and now obviously the huge groundswell with Kubernetes, you know this container thing, depending on who you talk to has been around for a long time but it certainly didn't have the momentum. How's the kind of the growth of the container world impacted the security space?

>> Oh, it's massive. Containers are everywhere. In fact there's a strong affinity to cloud and containers. So a lot of our large AWS customers love containers. They've been dabbling with containers for quite some time. They're moving more and more workloads to be containerized and on Kubernetes, Dockers, et cetera. From a security standpoint, that introduces a lot of challenges, right. The short-lived life cycles of Docker containers make it very hard for us in security to assess or discover them. They're part of the whole immutable infrastructure phenomenon, so you can't patch it in production, right. Infrastructure is code. You have to tear down the container, fix the image and then redeploy. So from our perspective, we think you have to secure containers by focusing on the container image. Specifically as developers are spinning up new code, compiling new builds, creating new container images, is it running quality assurance checks? Security has to be a critical part of that quality assurance process. As you're doing integration tests, unit testing, API testing, security has to be a critical test looking for vulnerabilities and malware as part of that process.

>> But the rate of change in those images is pretty high. I mean, the rate of deployments is super high, but like you said a lot of them have short life spans, they're up or they're down. So, have people baked that in to their process? I mean, obviously, I hope they are. Or how are you helping them to make sure that security is a really key piece to that image? Because once that image goes out it has access to all kinds of things.

>> So, the new news with containers, and then by focusing on the image it forces security teams to talk to their development peers. In order to secure DevOps and secure containers, security has to be embedded into continuous integration, into continuous delivery cycles or systems. And if you're focusing on development, you have a much greater chance of making sure that vulnerable container images are not escaping into the wild. And you guys should get a hold of those vulnerable images and make sure they adhere to policies before they're released into production. So that's the new news.

>> Well, it's funny because you reference the DevOps. 'Cause DevOps has now been around for a while and clearly is the way the code gets deployed in a very rapid iteration. So there are some significant lessons from the DevOps security angle that you're now using then on the container side.

>> Yeah, well first thing with secure DevOps and DevOps in general, is that you have to get the developers and security teams to talk. You have to have a shared understanding of what makes each other tick. What are the goals, what are the responsibilities, priorities, understand each other and it turns out there's actually a lot of shared understanding and mutual benefit between infosec and application developments. When security is focused on solving for vulnerabilities and looking for security issues, that's improving code quality. That's removing some of the software defects from the development code and developers love that. They love producing high quality code. On the flip side, security teams can learn a lot about agile development. DevOps principles. Bringing DevOps into the security discipline, and help security teams start to leverage automation and continuous testing, continuous delivery, and make them much more scalable and productive in their organizations. So there's a lot of mutual understanding there.

>> Right. So I'd imagine there's a lot of, kind of similarities between classic waterfall and the moat, versus now kind of the DevOps and the continuous and ongoing constant process.

>> That's exactly right.

>> Yeah. So we're here at the AWS Marketplace. So you guys are selling through the marketplace, how has that been for the company? How has the experience been working with the AWS marketplace team?

>> Oh, it's been great. I mean, Amazon is a great partner to work with. Tenable.io, which is our cloud-based vulnerability management solution, is built on Amazon. We have a great relationship with Amazon engineers. Now for the marketplace, we've been selling Nessus for quite some time through the marketplace. So if you're a Nessus subscriber, if you're a tenable.io or Security Center or tenable.sc subscriber, you get access to unlimited Nessus scanners and you can provision them very easily through the marketplace. It's super easy. Just recently, we now unveiled tenable.io through the marketplace and so far it's been a great success. Now customers who prefer to buy through Amazon marketplace, AWS marketplace, can do so with a couple of clicks and be provisioned and get up and running with tenable.io. It's super easy, you can learn about the product. Kick the tires with a free evaluation, and really provision the product very simply.

>> Yeah, I would imagine the touch from your guys' side goes down significantly when they're just coming right through the marketplace.

>> Exactly. That's the idea. Make it super easy for customers to invest in tenable.io and get a great experience in doing it.

>> What about your own sales guys though? Is there a little channel conflict? They're like, hey, come on, I want to sell that thing, we don't want to go through Amazon.

>> Not at all. Our mantra is we want our customer to purchase through the channel they're comfortable with. And if they want to purchase through the AWS marketplace we have a channel for them, if they want to go through our three chair model we have obviously a great experience there as well.

>> And clearly Amazon brings a lot of customer eyeballs to the table.

>> They're a great partner.

>> So, just before we wrap, you guys came out with the vulnerability intelligence report. I wonder if you can share some of the highlights of the things. You guys are obviously keeping track of this, you talked about benchmarking against your peers. And I know there's also a lot of sharing of information within security companies, to kind of know what the bad guys are and some of the patterns and best practices. So, I'm wondering if you can share some of the current trends. What are you seeing? How's the landscape changing?

>> Well first of all, we have a phenomenal Tenable research team. They're phenomenal in terms of the data science, in terms of the vulnerability intelligence. We have a wealth of data in our hands from various deployments and so there's a lot of great number crunching and analysis we can generate from that. What we discovered in the vulnerability and intelligence report, is that security teams are just bombarded with vulnerabilities, literally, bombarded. Last year in 2017 we saw over 15,000 CVEs and unique vulnerabilities hitting the marketplace or hitting the industry. And by the end of this year we're expected to be between 18,000 and 19,000 vulnerabilities. So the trend is just going up, up, up. I think what makes matters worse though, is that when you start looking at those 19,000 vulnerabilities, over 60% of those vulnerabilities are classified as either high risk or critical.

>> 65%?

>> Around 60%.

>> Of the, what was the numerator? 18,000?

>> Of those 18,000 to 19,000 vulnerabilities, are classified as high risk or critical risk. So, that's a lot of fire drills that security teams need to chase. And so, what we're trying to achieve is helping our customers, helping the market at large understand what are the true risks out there, not the theoretical risks. What are the actual cyber risks. Meaning what are the vulnerabilities that could be easily exploitable, that have exploit kits already developed. We have our data science team looking at the characteristics of vulnerabilities and which ones would be leveraged by the bad guys and which ones would not be. And we significantly boil that number down so that organizations can focus on only 5% of the number of vulnerabilities that they otherwise would be chasing without changing their overall security risk to the organization. So, prioritization is super, super critical for those organizations.

>> Nathan I think we all that separating the signal from the noise. (laughs)

>> Jeff, well thanks for having me.

>> Nathan, thank you very much, it's great to see you and have a great show.

>> Thanks. You too.

>> All right, I'm Jeff, he's Nathan, you're watching theCUBE. We are at the AWS marketplace and service catalog experience at the Aria, at the quad. Come on by. We're serving free food and drink. See you next time. (lively music)