Tenable to Buy Bit Discovery to Find More Vulnerable Assets
$44.5 Million Deal Aims to Expand Visibility for Tenable's Vulnerability Management
Tenable has agreed to purchase startup Bit Discovery for $44.5 million to help organizations discover, attribute and monitor assets on the internet.
The Columbia, Maryland-based vulnerability management vendor said its proposed acquisition of Santa Clara, California-based Bit Discovery will allow Tenable to identify vulnerable internet-facing assets that could be attacked.
The company plans to integrate Bit Discovery's automated attack surface discovery capability into Tenable products at no additional cost.
"Tenable customers are going to get visibility that they've never had before just with the Bit Discovery product that we're going to acquire," Tenable Chief Technology Officer Glen Pendley tells Information Security Media Group. "So if you're using Tenable.io to do vulnerability management today, you're immediately going to get discovery of these different assets that are sitting on the internet."
The Bit Discovery acquisition is expected to close in June and increase Tenable's calculated current billings by $2 million to $3 million in the second half of 2022. Tenable is also expected to take a $2 million to $3 million hit to its non-GAAP net loss as a result of the transaction. The company's stock is up $1.93, or 3.48%, to $57.45 per share in after-hours trading Tuesday.
Bit Discovery was founded in 2018 and led by ex-WhiteHat Security founder and Chief Technology Officer Jeremiah Grossman. Former Falling Rock Networks CEO Robert Hansen co-founded Bit Discovery with Grossman and has served as the company's CTO. The company currently employs eight people, according to LinkedIn.
"We think this is the right asset for us," Tenable Chairman and CEO Amit Yoran tells investors Tuesday. "We think we're extremely well positioned to radically disrupt the dynamic that exists today in the ASM [attack surface management] space."
The Need for Scale
Beyond the basic discovery capability that will be offered to existing Tenable customers, Yoran says the company will add a new SKU for the Bit Discovery technology with advanced attribution functionality that will help customers understand the broader context and exposure of their assets. Tenable and Bit Discovery have the same buyer, go-to-market motion and messaging, which should boost time to value.
In addition, Yoran says Bit Discovery fits very well with the attack path analysis capabilities Tenable is acquiring from Cymptom. Combining the Cymptom and Bit Discovery tools will allow Tenable to identify the possible entryways and points of exposure that could lead to high-value assets within a business, Yoran says.
"Looking at all internet assets and being able to accurately ascribe particular assets to particular organizations is quite a complex task," Yoran says. "We really believe strongly in what the Bit Discovery team has done and their ability to achieve scale as we bring this capability to our 40,000 customers."
Most organizations have no idea what their internet-facing corporate footprint looks like, especially at large enterprises such as Disney, where the marketing team associated with subsidiaries and sub-brands might spin up its own websites without the security department's knowledge, Pendley says. Bit Discovery can spot not only corporate websites but also other assets, such as OT devices, Pendley says.
"It's crazy how much gets spun up and thrown on the internet for business reasons without the security team or risk and compliance people knowing it's there," Pendley says. "If you don't know it exists, you can't secure it."
Taking Attribution to the Next Level
Delivering attribution around external attack surface management is no easy feat since a basic scan of the internet doesn't indicate which IP addresses or systems belong to a particular user or organization, Pendley says. What Bit Discovery does, he adds, requires correlating disparate data feeds and applying logic to infer which certificate authorities are associated with particular companies or systems.
"To be honest, attribution is an impossible thing to do perfectly," Pendley says. "But from the research we did and what we looked at, Bit Discovery does an amazing job with that attribution."
Pendley expects to have Bit Discovery's technology embedded in the Nessus vulnerability assessment and Tenable.io vulnerability management offerings by early in the third quarter, with a stand-alone offering featuring Bit Discovery's attribution capability available around the same time. Bit Discovery should help CISOs prioritize which vulnerabilities and misconfigurations need to be patched first.
The new discovery capabilities provided by Bit Discovery are expected to boost demand for Tenable's web and application scanning products, Pendley says. Ultimately, he says, increased visibility across the attack surface should keep organizations safer.
"If you really want to measure the security posture of your organization, it's vital to be able to see your entire attack surface holistically in a 360-degree view and be able to apply whatever you do from the organization to that view versus looking at everything in a siloed manner," Pendley says.
This is Tenable's fifth acquisition since becoming publicly traded on the Nasdaq stock exchange in July 2018. The company bought Cymptom in February to continuously test and evaluate threats according to the MITRE ATT&CK framework. In September 2021, Tenable bought cloud security startup Accurics for $160 million to remediate policy violations and breach paths before infrastructure is ever provisioned.
Seven months earlier, Tenable purchased cybersecurity startup Alsid for $98 million to help customers find and fix security weaknesses in Microsoft's Active Directory in real time. And in December 2019, Tenable bought industrial security startup Indegy for $78 million to provide visibility, protection and control across operational technology environments.