
Gula talks Nessus agents and Nessus cloud

For situations where gathering up the domain passwords for sensitive divisions of an organization is a hard sell to upper management, using the agent-based version of the Nessus vulnerability scanning tool is a way to step around the issue, according to Ron Gula, CEO of Tenable Network Security.

"We've had a lot of organizations come to us and say, 'Gee, we want to go and find malware, we want to do patch audits, we want to figure out our configurations on Windows for our laptops,'" Gula said in this interview, recorded at the 2015 RSA Conference. SearchSecurity editorial director Robert Richardson sat down with Gula to discuss recent releases of Tenable's flagship Nessus scanner. "We recently added agents -- these agents are low impact. When they're not auditing your system they don't take any CPU, but when they do audit it, they do it with the exact same logic and research that Tenable performs.

"If you're used to doing a patch audit or Department of Defense STIG (Security Technical Information Guide) audit," Gula said, "the agents are identical, which means you can uniformly do credentialed scans to deployed agents and feed that back into the Nessus manager or the Nessus Cloud version of that."

Gula said Nessus Cloud, which was released in February of this year, brought the company's vulnerability management to a software as a service platform, building on a previous cloud iteration called Nessus Enterprise Cloud and providing remote management of distributed scanners and collaboration features that allow various departments beyond just the security team to work together on monitoring and managing vulnerabilities.

Nessus is one of the grand old master tools of the Internet, dating back to 1998 when it began as an open source tool. By some measures, it has on occasion been the most widely used security tool in the world, even after the tool became a proprietary product in 2005 (a free "Home" version of the tool is still available for download).


Transcript - Gula talks Nessus agents and Nessus cloud

Robert: Hi, I'm Robert Richardson. I'm the Editorial Director of And joining me is Ron Gula. He's the co-founder and CEO of Tenable. A lot of people know Tenable because of their Nessus product. Ron, I understand there have been some new additions to Nessus' capabilities, and in particular, agents, which I think Nessus users have been looking for because of the password issue. Talk to me about that.

Ron: Yeah, absolutely. So we recently released two products, Nessus Cloud and Nessus Manager. These are enterprise versions of Nessus, which allow organizations to deploy agents -- among other things -- and do things like audit Salesforce and Amazon Web servers, and look for malware in mobile devices. It's a whole, large set of enterprise things.

Now the agents in particular are an interesting use case because we had a lot of organizations come to us and say, "Gee, we want to go find malware. We want to do deep patch audits. We want to figure out our configurations for our Windows and our laptops and things like that." And even just getting the password from the domain was a political and bureaucratic thing that our security customers had to work with. So we recently released agents. The agents are low impact. When they're not auditing your system, they don't take any CPU. But when they do audit, they audit it with the same exact logic and research that Tenable performs. So if you're used to doing a patch audit or Department of Defense STIG audit or things like that, the agents are identical in the code that they run, which means that you can uniformly do credentialed scans, deploy agents, and actually feed that back into the Nessus Manager or the Nessus Cloud versions of that.

Robert: Right. And there's the Cloud version now, which is relatively new, I think.

Ron: We released the Nessus Cloud earlier this year. It's pretty popular with our customers who want to perform PCI, because even though you can do PCI audits with Nessus, if you want to get an authorized scanning vendor type of audit, you have to do it from a third party. And we do a lot more than just PCI, but we're really good at doing these audits. We're also one of the only vendors who mixes indicators of compromise -- such as botnet and malicious hashes and IP addresses -- as part of that audit.

Robert: A lot of what you're talking about sounds like SIM, and I know you don't think of Nessus as SIM. How do you differentiate those?

Ron: So our security center product line is probably the closest thing to a SIM. We actually think it's something between vuln management, SIM, and GRC. It's this layer of actually being able to measure things. So what I like to talk to people about is that if you think about devices on your network, you've got targets and you've got defenses. So if your defenses are firewalls, antivirus systems, anomaly detection systems, things like that. And then you have your targets, your Windows computers, your SCADA devices, your Internet of Things and whatnot. What we want to do at Tenable is look at everything working together. So if you have a 30-day patch window, but you believe you're protected because you have white listing software or antivirus software or a firewall, we actually want to audit that from end to end with evidence gathered from logs and configuration audits. Now some of that looks like SIM. It looks like GRC. But what it actually is is true automated measurement of your security infrastructure.

Robert: Looking ahead a little in terms of road map, is there any point at which this kind of capability intersects with some of the endpoint analytic stuff that we're seeing some startups around? In other words, if you've got vulnerabilities and you've got a baseline that you're looking for, can you then measure current traffic against it and see where you are? Is that in the cards?

Ron: So we actually do a little bit of that right now, and a lot of people here at RSA do that type of anomaly detection. What we really want to focus on, though, is not just trying to throw algorithms or threat feeds at your security and trying to feel secure about it, but really trying to audit what is out there and what should be out there so you can take action. One of the biggest problems in the security industry right now is that your auditing takes place way too slow. So it's great to go look for malware, APTs or insider threats with an algorithm or a product. What's more useful is being able to take the action that would've prevented the abuse in the first place. It's the cheapest way to do it. And the best way to do it is be proactive in real time.

Robert: Makes sense. Ron, thank you so much for joining me. I'm Robert Richardson. I'm the editorial director at SearchSecurity and Ron Gula is the CEO of Tenable.

Ron: Thank you very much.


Do you use automated testing to help ensure that your software is secure?
We don't, at least not on my team. Admittedly none of us are really knowledgeable regarding security testing, and I haven't had any exposure to automation tools. 
@abuell -- I suspect that your team is like a lot of others... :-) 

Is your team more security oriented or more development oriented?
2 things.

There are two types of things you might scan for. One is for weaknesses (see Common Weakness Enumerations), the other is for vulnerabilities that are known in libraries and dependencies.

I don't believe that automation alone for now can ensure security; what it can do is give a better picture of the security aspects of the software to the extent you can scan for things. There will always need to be human eyes on the process and project as it grows.
I certainly agree that automation alone won't get it done. Human eyes, though, aren't going to work in any scalable way unless we can create enough reliance on well-known components and frameworks. Otherwise there's just too much software in need of a pair of eyes. It's a tricky problem, for sure.
At this point, we use HP’s WebInspect, which does a lot of the work for us, but I’m not sure whether that’s considered automated or not since we kick it off ourselves and monitor as it checks various weaknesses and vulnerabilities.
Interesting thing. Even companies that use security scanners do not necessarily take an effort to fix the vulnerabilities if no one bothers to put the technical description of a weakness into the business context. Can't say much due to NDA, but I've seen really bizarre bugs tolerated because "there was no business impact".
@agareev -- Interesting. I guess if a vulnerability *truly* had no business impact, it might be ok to ignore it. It's just that a) I'm not sure it's really a security vuln if it has no impact (though there's the question of whether it has external impacts) and b) it's so hard to really be sure something has no impact.
@Mcorum the scanning is automated, the reporting is automated... the fixing probably is not automated, and the prioritizing what to fix first is likely not automated either, although the tool might infer priorities based on severity or class of issue.
Robert Richardson:
"I guess if a vulnerability *truly* had no business impact, it might be ok to ignore it."
But how do you know without investigation? You can only believe. And if you don't really know how to fix it or have to meet the schedule, your beliefs are biased.

The trick is, technical descriptions aren't scary at all. Try it.
Say "HTML injection in form fields".
Say "Someone can put such data that it will make the legal record unsearchable".

Tools do not investigate the vulnerabilities and do not interpret them in the business context. Someone accountable and skilled should look after that. 

I am not an outright security tester, but being an automation engineer I have contributed to automating a few of the security testing scenarios like SQL injection, XML validation, and security level access for REST APIs.

These, as usual, were to quickly get back the security checking results, but either way what I found was the security expert never trusted the automation code much and would run through the manual tests, time permitting.
@KrishnanG -
Good, robust automation can be trusted for checking of known requirements and known problems. But new security threats arise every day. I guess that expert was well aware of the limitations of tooling and did his best to discover new bugs.