This article can also be found in the Premium Editorial Download "Information Security magazine: Balancing act: Security resource planning helps manage IT risk."
Ron Gula is no rock star.
Says who? Gula, for starters.
"From where I sit, I only have to figure out if other people are rock stars. I assume that I'm lacking, that this is kind of where I landed," he says from his Maryland home. He's just dropped his two sons at day care and is heading to an Atlanta network security forum.
Gula has no "handlers." No PR people to prop up his image. No groupies to goose his ego. But he has developed a following since the debut of Dragon, his IDS that maintains a loyal fan base despite Gula's departure from Enterasys Networks, which sells Dragon. And he's hoping for a similar success story with his new company, Tenable Network Security, a security startup he runs with Jack Huffard and Nessus creator Renaud Deraison. Tenable's flagship product is a vulnerability assessment tool called Lightning.
"He may not be a rock star, but he'll be considered one of the more solid reformers we've had, especially in the commercial arena," says Becky Bace, CEO of Infidel and an IDS expert who has known Gula since they worked together at the National Security Agency (NSA). "I think he'd gladly leave the rock star stuff to someone else."
Ronald Joseph Gula
CTO, Tenable Network Security
M.S., electrical engineering, Illinois University; B.S., computer and electrical engineering, Clarkson University
Married to Cyndi; two sons, R.J. and Andrew
First Paid Job:
Working with his father doing carpentry
Best Part of Current Job:
"Working with great people that I choose to work with."
Philosophy of Life:
"Everything happens for a reason."
Maybe so, but Gula is hoping to trade on his name and his reputation as one of the industry's most innovative coders to fuse two disparate technologies in a new way to produce a better picture of an organization's security status and provide clearer road maps for remediation.
Gula went to college in upstate New York, not too far from his hometown, Syracuse. He joined the Air Force, worked at the NSA, then at an ASP in Maryland, where he ran a small team devoted to intrusion detection and vulnerability assessment. Commercial IDS vendors weren't providing the high-end solution he desired, so Gula built his own in 1999 and christened it Dragon.
It was an instant hit. To meet the needs and expanding ranks of Dragon devotees, Gula formed a tiny company eventually named Network Security Wizards. His wife, Cyndi, a ceramics engineer by training, handled the operational side of the business.
Dragon appealed to the technologist fluent in Unix at a time when Windows ruled. Those same people liked Snort, the highly touted open-source IDS that requires strong technical acumen. Dragon has a lightweight interface that lets users manipulate management platforms from any point in the network without soaking up bandwidth. Moreover, the IDS focuses on forensics, allowing admins to see not only alerts but the network's responses.
That's not to say Dragon was, or remains, universally loved. Some network engineers and administrators complain the GUI could be improved; others claim its rules are poorly written and reports are overwhelming. However, users like Scot Anderson, IDS manager at Paladin Technologies, are more typical. "It's clear and well written in terms of management and handling different signatures and updates," says Anderson. "The data itself is accessible for higher level analysis. I find it a very workable design."
Gula's company was in prime position for acquisition when Enterasys Networks, a network equipment provider, bought it in early 2001. Huffard was Enterasys' senior manager and director of business development, assigned to research and recommend companies for acquisition. He called all of Network Security Wizards' clients and reviewed its technology. "I was immediately sold on his customers. They were top tier across the board, a very impressive group," Huffard says.
Some thought Gula deserved a higher profile at Enterasys, given his role in Dragon and the business it was bound to bring in. But the Dragon line represented only a fraction of Enterasys' overall revenue stream and, though it did help sell equipment, security wasn't the company's core business. Hired to head the IDS division, Gula eventually found himself moving into strategic business planning and away from product development. "And that just didn't interest me that much," he says.
So he left.
Gossip within the tightly knit security community shifted into high gear about Gula's departure, with many speculating that he was disenchanted by Enterasys' mishandling of Dragon.
"Anytime somebody sells a company to a larger corporation and the product is successful, or not successful, there are all kinds of opportunities to point fingers and make accusations and claims and talk about what might have been," Gula explains. "But the reality is, if I knew what I was getting into, I'd do it again. I benefited, customers benefited, my employees benefited, and the acquiring company benefited. So I call it a win.
"Could things have been different? Absolutely. Things probably could have been a lot worse, too."
Some questioned a connection between Gula exiting his two-year contract early and an SEC investigation of improper accounting practices at Enterasys (which the company settled without admitting or denying allegations). Gula had sold some of his company stock just prior to the probe--and a stock devaluation--but only enough to pay off a tax debt. He says there was no insider trading, as rumored.
Meanwhile, Dragon users everywhere began posting prolific threads on mailing lists and message boards questioning whether the IDS would wither.
"You've got to remember we were all entrenched in the technology. Like a lot of people, it hit me hard," says David Markle, a security engineer for a large financial institution. "The whole industry was concerned because Ron was one of the fathers of commercial intrusion detection systems, if you will. But I think Enterasys did a pretty decent job helping people deal with those concerns."
Gula had, in fact, gladly played frontman for a band of technically savvy but shy developers dedicated to continually improving the IDS.
A month after Gula left, Gary Golomb, a senior vulnerability researcher on the Dragon team, penned a lengthy post to a Dragon newsgroup, explaining that, yes, the product had lost its leader but not the team behind it.
"When Ron was here, he was the figurehead. A couple of us had talked at conferences, but we weren't the PR types. None of us made an effort to be in the spotlight," Golomb explains. "When he left, it was a big reality check. We realized this was now on our shoulders, and that we haven't done a good job letting people know that we are Dragon, too."
Golomb invited users to visit Enterasys and meet the team. Among the takers was Tom Vincent, a senior security engineer with a major wireless carrier, whose posting had sparked a heated and lengthy online discussion about Dragon's potential demise.
Vincent left Columbia, Md., impressed. "I realized that although Ron had the vision and was the original person behind Dragon, he'd also had employees who knew just as much about the product and shared the same vision.
"Since that time, I've been very satisfied with what they've been doing. The support is just amazing. The people are very knowledgeable and eager to help out."
Gula, too, has maintained a strong affiliation with Dragon and its customer base.
"Dragon is still doing phenomenally well," he says. "There's a huge user base. A lot of people are using the product on their network every day, and I know who these people are, because they're calling me to work with them again at Tenable."
An Entrepreneur at Heart
Tenable's Lightning is no Dragon.
Dragon was a technology for the security gurus. Lightning, by contrast, seeks a broader audience--the entire enterprise--with software that finds perforations in supposedly impenetrable perimeters. In essence, it provides a report card on how well those gurus are doing.
Lightning deploys the popular open-source Nessus vulnerability scanner throughout an enterprise to continually audit for network security soft spots. It takes the intrusion alerts raised by the IDS and correlates them with the vulnerabilities the scanner has found on the targeted hosts, then reports the resulting threat potential via a Web-based portal. Lightning also scans remote networks to get a better read on insider threats and the effectiveness of internal firewall and IDS deployment.
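The correlation step described above is the substance of the IDS/vulnerability-assessment fusion the article refers to: an attack signature fired against a host is worth far more attention when the scanner has already shown that host to be vulnerable to that attack, and far less when nothing is even listening on the targeted port. The following is an added illustration of that logic, not Tenable's or Lightning's code; the record layouts, the 10.0.0.x and 192.0.2.x addresses, the signature names and the VULN-* identifiers are all constructed for the example.

```python
"""Correlate IDS alerts against vulnerability-scan results.

Hypothetical illustration of IDS/VA correlation; not Tenable code. The record
layouts, hosts, signature names and VULN-* identifiers are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One scanner result: `host` is vulnerable to `vuln_id` on `port`."""
    host: str
    port: int
    vuln_id: str


@dataclass(frozen=True)
class Alert:
    """One IDS event. `vuln_id` is the weakness the signature targets, if known."""
    src: str
    dst: str
    dport: int
    signature: str
    vuln_id: Optional[str] = None


# Constructed sample scan output (placeholder identifiers, not real CVEs).
SCAN = [
    Finding("10.0.0.5", 80, "VULN-001"),
    Finding("10.0.0.5", 22, "VULN-002"),
    Finding("10.0.0.9", 445, "VULN-003"),
]
# Ports the scanner saw listening. A listening service can still be attacked
# even when the scanner reported no known weakness on it.
OPEN_PORTS = {("10.0.0.5", 80), ("10.0.0.5", 22), ("10.0.0.9", 445), ("10.0.0.9", 80)}

# Constructed IDS alerts.
ALERTS = [
    Alert("192.0.2.10", "10.0.0.5", 80, "WEB chunked-encoding overflow", "VULN-001"),
    Alert("192.0.2.10", "10.0.0.9", 80, "WEB chunked-encoding overflow", "VULN-001"),
    Alert("192.0.2.11", "10.0.0.9", 139, "SMB null session", "VULN-004"),
    Alert("192.0.2.12", "10.0.0.5", 80, "WEB suspicious user-agent"),
]


def index_findings(findings):
    """Map (host, port) -> set of vulnerability ids the scanner reported there."""
    index = {}
    for f in findings:
        index.setdefault((f.host, f.port), set()).add(f.vuln_id)
    return index


def rate_alert(alert, vuln_index, open_ports):
    """Return a priority for one alert given what the scanner knows about its target."""
    key = (alert.dst, alert.dport)
    if alert.vuln_id is None:
        # The signature carries no vulnerability reference; nothing to correlate against.
        return "uncorrelated"
    if alert.vuln_id in vuln_index.get(key, set()):
        # The target is vulnerable to exactly what the attacker tried.
        return "critical"
    if key in open_ports:
        # A service is listening, but the scanner found no matching weakness
        # (patched, not yet scanned, or an IDS false positive).
        return "medium"
    # Nothing listening on that port: the attempt could not have succeeded.
    return "low"


def correlate(alerts, findings, open_ports):
    """Rate every alert; returns a list of (alert, priority) pairs."""
    vuln_index = index_findings(findings)
    return [(a, rate_alert(a, vuln_index, open_ports)) for a in alerts]


if __name__ == "__main__":
    for alert, priority in correlate(ALERTS, SCAN, OPEN_PORTS):
        print(f"{priority:12s} {alert.src} -> {alert.dst}:{alert.dport}  {alert.signature}")
```

The same signature fires twice here, yet only the first instance is rated critical: the second targets a host that serves port 80 but was not found vulnerable, and the SMB alert against a port that is not listening at all drops to the bottom. Alerts whose signatures carry no vulnerability reference are left unrated rather than guessed at, which is the honest answer when the two data sources cannot be joined.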
Fusing Nessus and emerging security information management (SIM) technology should be a good sell. But it's a more competitive landscape than when Gula debuted Dragon. And it's a departure for the technologist.
"With Dragon, there were a lot of other intrusion detection systems out there, and we had a solution that offered features people wanted. This time around, the customer is really the entire enterprise," Gula says.
Lightning works with a variety of IDSes, including Dragon, of course.
Because Tenable is still in its infancy, it's difficult to assess commercial traction. Competition is fierce, with companies like Qualys and Foundstone already established in the space. Huffard says initial evaluations on the Lightning proxy and console have been good, and he expects a "decent year" with about a dozen large customers by year's end.
By the way, Huffard maintains that Gula is a rock star.
"He likes the lower profile," he admits. Then he adds, "I don't think he's gotten the notoriety he deserves, but I also think he's on the rise."
Anne Saita is Information Security's senior editor and West Coast bureau chief.
This was first published in July 2003