CSOinformer - Security wisdom ahead of the curve

Headline - Ron Gula, Tenable Security

July 8, 2003 - Jim Reavis

Ron Gula is the CTO and founder of Tenable Security. Mr. Gula was the original author of the Dragon intrusion detection system, and founded Network Security Wizards, which was later acquired by Enterasys Networks. Dragon has won several leading industry awards, and is extremely popular with financial, academic, government and managed security services industries.

Prior to founding Network Security Wizards, Mr. Gula held a wide variety of positions and jobs related to network security research, consulting and product development with US Internetworking, GTE Internetworking, BBN, and the Department of Defense. One of his earlier commercial security products included a network honeypot.

Mr. Gula has presented at a variety of computer security conferences and seminars including SANS, Black Hat, ISSA, CSI, HOPE, CANSEC, Techno Security, InfraGard and the HTCIA. He is also an adjunct faculty member of the Institute for Applied Network Security.

Q. You developed one of the original Intrusion Detection Systems, Dragon. IDS has a dual distinction of being one of the hottest security technologies recently, as well as one of the most maligned. What in your view are the deserved criticisms of the technology, and what are the incorrect applications of the technology by the end user?

A. A few comments here ... I answer this by saying that IDS devices have ZERO false positives. If you are familiar with IDS technology, you will know that they have a reputation for generating huge amounts of false alerts. These errors are not computational errors, they are inaccuracies and limitations of the IDS technology itself. For example, if you tell a computer to find every email with the word 'hacker' in it, it will also find emails to 'Henry Acker's' account. Finding computer security incidents is done the same way. Security folks write rules to find security incidents in antiseptic or particular environments, and when applied to the entire Internet, there are false positives, i.e. valid matches which were not the result of an attack.

This problem of false positives is also encumbered by the complexity of IDS products which require many man-hours to operate databases, conduct analysis of the data, respond to incidents and so on.

Having said that, there are many organizations which have deployed a variety of IDS technologies and have mitigated many attacks and compromises which would have gone unnoticed without IDS.

Where IDS has had its greatest disservice done is the marketing of the technology by product vendors. This has resulted in organizations simply purchasing an IDS as a 'check box' item that they feel they need to have without actually funding the correct level of deployment, training and staffing needed to reach the IDS's full potential.

Q. Gartner just came out with a report that IDS has failed and will be obsolete by 2005. Are they living in the real world?

A. There is some nuance to Gartner's claims that IDS can be difficult, hard to deploy, hard to use, etc. But they assume that the technology will be easier and more effective on the firewall. I don't buy this. I doubt we will see much come out of the firewall vendors that is significantly better than the traditional IDS. Gartner also fails to realize that the industry has had all sorts of IPS solutions, such as NIDS re-configuring firewalls, and these are not widely used today.

Q. What trends in IDS give you the most hope for its future?

A.
- Correlation with vulnerability detection systems
- Embedded appliance solutions for both gigabit and cheap low-end platforms

Q. Tell us about your new company, Tenable Security, and your unique value proposition.

A. Tenable offers a unique set of security management tools. These tools blend the sciences of vulnerability analysis and intrusion detection with a real organizational view of security.

Our value proposition depends on who you are. Starting with the top, our technology allows a CSO/CIO to see all of the vulnerability and IDS trends in the organizational structure as well as the 'work' being accomplished by both the security group and IT.

As a security director, our products offer the ability to complete vulnerability scans of multiple Class B networks in one maintenance window, continuously monitor a network for new vulnerabilities with no impact (to the network) and to significantly reduce the amount of false positives from intrusion detection systems. Security directors also see a lot of value in the ability to communicate 'official' recommendations to mitigate security vulnerabilities to just the IT administrators who have them. This saves time when trying to find out who owns which server with whichever recent vulnerability of the day. And finally, if you are a security engineer, our products leverage a close relationship and support of open source security solutions such as Snort and Nessus. Our products also do not use SQL databases, which reduces the time to install and train users.
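The answer above names IDS/vulnerability correlation as the way to cut IDS false positives but does not show the mechanics. The following is an added illustration, not Tenable's code: an alert is kept at high priority only when the active-scan inventory says the destination host actually carries the vulnerability the signature targets; hosts with no scan data are flagged as unknown rather than suppressed. All hosts, signature names and inventory contents are constructed sample values.

```python
# Constructed vulnerability inventory, as an active scanner would produce it:
# host -> set of vulnerability identifiers found on that host. Values are made up.
VULN_INVENTORY = {
    "10.0.0.5": {"EXAMPLE-WEBDAV-OVERFLOW", "EXAMPLE-SSL-KEYEXCH"},
    "10.0.0.7": {"EXAMPLE-SSL-KEYEXCH"},
}

# Constructed IDS alerts. The signature name is assumed to be mapped to the same
# identifier the scanner uses (hypothetical: real products need a mapping table).
IDS_ALERTS = [
    {"sig": "EXAMPLE-WEBDAV-OVERFLOW", "src": "192.0.2.9", "dst": "10.0.0.5"},
    {"sig": "EXAMPLE-WEBDAV-OVERFLOW", "src": "192.0.2.9", "dst": "10.0.0.7"},  # target not vulnerable
    {"sig": "EXAMPLE-WEBDAV-OVERFLOW", "src": "192.0.2.9", "dst": "10.0.0.9"},  # target never scanned
    {"sig": "EXAMPLE-SSL-KEYEXCH", "src": "198.51.100.4", "dst": "10.0.0.7"},
]


def triage(alert, inventory):
    """Return 'high', 'low' or 'unknown' for one alert.

    'low' means the attack signature fired against a host the scanner has seen
    and found not to carry that vulnerability; 'unknown' means there is no scan
    data for the host, so the alert cannot be safely suppressed.
    """
    host_vulns = inventory.get(alert["dst"])
    if host_vulns is None:
        return "unknown"
    return "high" if alert["sig"] in host_vulns else "low"


def correlate(alerts, inventory):
    """Bucket every alert by triage outcome; every bucket is always present."""
    buckets = {"high": [], "low": [], "unknown": []}
    for alert in alerts:
        buckets[triage(alert, inventory)].append(alert)
    return buckets


def unscanned_hosts(alerts, inventory):
    """Destinations that appear in alerts but have no scan data: candidates
    for the next active scan so the 'unknown' bucket shrinks over time."""
    return sorted({a["dst"] for a in alerts if a["dst"] not in inventory})


if __name__ == "__main__":
    for level, hits in correlate(IDS_ALERTS, VULN_INVENTORY).items():
        print(level, [(a["sig"], a["dst"]) for a in hits])
    print("needs scan:", unscanned_hosts(IDS_ALERTS, VULN_INVENTORY))
```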

Q. Does Tenable's heavy emphasis on vulnerability scanning mean that you are a "reformed IDS guru"?

A. Ha! I asked Marcus Ranum this same question a while back, but I asked if he was atoning for the firewall by doing the NFR intrusion detection product. I don't think I'm reformed about any particular technology, but I do think I am in tune with the problems that many CSOs and security groups are facing today. Even though Tenable is a product company, our focus is much more on having faith in people. With Dragon, my last product, we would try very hard to make the technology better. With Tenable, we are finding more and more ways to increase the level of effectiveness of the security group and the people they work with from IT admins to senior management.

Another neat thing about doing Tenable is that we get to partner with all of the guys I used to compete with directly in the IDS space as well.

Q. Do you think vulnerability assessment technology can be "built in" to network infrastructure or the authentication process?

A. Absolutely. They should be deployed alongside or on the same platforms as the VPNs, AAA, NIDS and firewall devices. This process is very important because once they are deployed and the scans are scheduled, they become part of operations. I still see the need for 3rd party security audits, but these may not always be budgeted for and can be cancelled for a variety of political and business reasons.

Tying vulnerability into the authentication process is something we are seeing in the VPN market. Here, remote users can only go to certain places in the network based on the security, or patch level. I see this sort of technology being extended throughout the entire enterprise. Many times this technology is host based.

Q. One of the hot topics in vulnerability assessment is application layer assessment, what is your opinion of this trend?

A. I think we need to teach programmers to write more secure code, or at least appreciate how their applications will and could be used. I think the application layer assessment market is very valuable, but people need to understand that they are finding vulnerabilities, which may only be present in the applications they are developing and nowhere else, so it is difficult to place a threat or impact on it. What compounds this problem is that it is difficult to run an app scan on your production ecommerce box that is making you millions of dollars a day.

Q. How does the Lightning Console help solve the security data management issues?

A. We distribute the information and also limit what we look at. I used to think that I wanted to see everything -- all of the logs, all of the packets, all of the transactions, etc. This was because I was looking for that one attack that slipped past my NIDS, got through my firewall, etc. Don't get me wrong, there is a place for this sort of analysis, but it should be left up to someone who has enough experience, time and purpose to do it. This is not what our focus is at Tenable.

Instead, the Lightning Console helps a security group take the IDS events and vulnerability data, make sense of it for each organization, and then communicate a clear message to IT and senior management about what has been done and what still needs to be done. For example, a director of security using the Console would be able to tell their CSO that a recent worm outbreak caused a 200% rise in IDS events, but the worm's impact was limited because 4 out of 5 of the organizational groups had made 1100 security patches based on 2 recommendations from security three months ago; and that the fifth group did not make any patches because they only have 1 admin for a network that really needs 20.

Q. What can you share with us about Tenable's future roadmap?

A. Tenable is a major supporter of the Nessus vulnerability scanner project. Expect this support to continue, as well as some commercial products based on Nessus to emerge which are easy to use and very inexpensive. Tenable has also released a passive vulnerability scanner, which listens to network conversations and silently determines vulnerabilities without having to launch a scan. This will be integrated with our Lightning Console to automatically fill any gaps between periodic active scans.

Q. Passive vulnerability scanning. What are the main benefits compared to traditional probing scanners such as Nessus and do they use the same vulnerability database?

A. The main benefit is that it fills the gap between active scans. Anyone telling you that their active vulnerability scanner 'continuously' scans your web server for vulnerabilities is not telling you the truth. Most web admins won't tolerate a scan more than once a day if you are lucky. This is where the passive scanner comes in. You can run it 24x7 and it just looks for vulnerabilities in the network traffic. If there is a new vulnerability, you can see it in the traffic. The passive scanner relies on traffic, so you still need to do active scanning to find the vulnerable services that no one is talking to. We've based our NeVO product on the checks of those in the Nessus vulnerability scanner, but it is a separate signature base. It also includes checks for many host-based vulnerabilities such as AIM messaging clients.
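To make the passive-versus-active point concrete, here is an added example (not NeVO or Nessus code) of the simplest form of passive vulnerability detection: version banners observed on the wire are matched against a signature base of "fixed in" versions, and the hosts an active scan knows about but that never spoke during the capture are reported as the coverage gap the answer describes. The signature base, vulnerability identifiers, hosts and banners are all constructed sample values.

```python
import re

# Constructed signature base: product -> (first fixed version, vulnerability id).
# Anything older than the fixed version is reported. All values are made up.
SIGNATURES = {
    "Apache": ((1, 3, 27), "EXAMPLE-APACHE-PRE-1.3.27"),
    "OpenSSH": ((3, 5, 0), "EXAMPLE-OPENSSH-PRE-3.5"),
}

# Matches e.g. "Apache/1.3.26" or "OpenSSH_3.4p1"; the portable-release
# suffix (p1) is ignored for comparison purposes.
BANNER_RE = re.compile(r"(Apache|OpenSSH)[/_](\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")

# Constructed observations from a capture: (server ip, port, banner seen on the wire).
OBSERVED = [
    ("10.0.0.5", 80, "Server: Apache/1.3.26 (Unix)"),
    ("10.0.0.7", 22, "SSH-1.99-OpenSSH_3.4p1"),
    ("10.0.0.8", 80, "Server: Apache/2.0.47"),
]


def parse_banner(text):
    """Return (product, (major, minor, patch)) or None if no known banner is present."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4) or 0))


def passive_findings(observed):
    """host -> set of vulnerability ids inferred purely from observed banners."""
    found = {}
    for ip, _port, banner in observed:
        parsed = parse_banner(banner)
        if parsed is None:
            continue
        product, version = parsed
        fixed, vuln_id = SIGNATURES[product]
        if version < fixed:          # tuple comparison gives a sane version ordering
            found.setdefault(ip, set()).add(vuln_id)
    return found


def coverage_gap(passive, active):
    """Findings the active scan produced that passive listening never saw:
    these are the vulnerable services nobody talked to during the capture."""
    gap = {}
    for ip, vulns in active.items():
        missing = vulns - passive.get(ip, set())
        if missing:
            gap[ip] = missing
    return gap
```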

Q. What do you think the US Federal gov't can do to best help organizations deal with information security issues? Perhaps you can tell us what they are doing right and what they are doing wrong.

A. The government has a very difficult problem but offers many places to turn to for help like the CERT and the FBI's InfraGard. The issue is that everyone has different security threats and risks and no matter what they say, there is enough 'wiggle room' in any policy to open the door for criticizing. I like the 'E-Gov' initiatives and think it will have a better effect on the security of government agencies than other programs in the past.

Q. Soapbox time. What would you most like to say to a gathering of Chief Information Security Officers about what they need to be doing?

A. Make sure you understand your place in your organization. Who are your allies? What assets are you protecting? What are your largest threats and how are you defending against them? Is your security staff engaged in security technology for the sake of the technology, or are they actually securing and protecting? If you took a leave of absence today, what would happen to your security staff in six months or a year? How do you justify your job, staff and technology?


CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.

CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.


© COPYRIGHT 2002/03 REAVIS CONSULTING GROUP. ALL RIGHTS RESERVED.