For situations where gathering up the domain passwords for sensitive divisions of an organization is a hard sell to upper management, using the agent-based version of the Nessus vulnerability scanning tool is a way to step around the issue, according to Ron Gula, CEO of Tenable Network Security.
"We've had a lot of organizations come to us and say, 'Gee, we want to go and find malware, we want to do patch audits, we want to figure out our configurations on Windows for our laptops,'" Gula said in this interview, recorded at the 2015 RSA Conference. SearchSecurity editorial director Robert Richardson sat down with Gula to discuss recent releases of Tenable's flagship Nessus scanner. "We recently added agents -- these agents are low impact. When they're not auditing your system they don't take any CPU, but when they do audit it, they do it with the exact same logic and research that Tenable performs.
"If you're used to doing a patch audit or Department of Defense STIG (Security Technical Information Guide) audit," Gula said, "the agents are identical, which means you can uniformly do credentialed scans to deployed agents and feed that back into the Nessus manager or the Nessus Cloud version of that."
Gula said Nessus Cloud, which was released in February of this year, brought the company's vulnerability management to a software-as-a-service platform. It builds on a previous cloud iteration called Nessus Enterprise Cloud, he said, and provides remote management of distributed scanners along with collaboration features that allow departments beyond the security team to work together on monitoring and managing vulnerabilities.
Nessus is one of the grand old master tools of the Internet, dating back to 1998 when it began as an open source tool. By some measures, it has on occasion been the most widely used security tool in the world, even after the tool became a proprietary product in 2005 (a free "Home" version of the tool is still available for download).
Transcript - Gula talks Nessus agents and Nessus Cloud
Robert: Hi, I'm Robert Richardson. I'm the Editorial Director of SearchSecurity.com. And joining me is Ron Gula. He's the co-founder and CEO of Tenable. A lot of people know Tenable because of their Nessus product. Ron, I understand there have been some new additions to Nessus' capabilities, and in particular, agents, which I think Nessus users have been looking for because of the password issue. Talk to me about that.
Ron: Yeah, absolutely. So we recently released two products, Nessus Cloud and Nessus Manager. These are enterprise versions of Nessus, which allow organizations to deploy agents -- among other things -- and do things like audit Salesforce and Amazon Web servers, and look for malware in mobile devices. It's a whole, large set of enterprise things.
Now the agents in particular is an interesting use case because we had a lot of organizations come to us and say, "Gee, we want to go find malware. We want to do deep patch audits. We want to figure out our configurations for our Windows and our laptops and things like that." And even just getting the password from the domain was a political and bureaucratic thing that our security customers had to work with. So we recently released agents. The agents are low impact. When they're not auditing your system, they don't take any CPU. But when they do audit, they audit it with the same exact logic and research that Tenable performs. So if you're used to doing a patch audit or Department of Defense STIG audit or things like that, the agents are identical in the code that they run, which means that you can uniformly do credentialed scans, deploy agents, and actually feed that back into the Nessus Manager or the Nessus Cloud versions of that.
Robert: Right. And there's the Cloud version now, which is relatively new, I think.
Ron: We released the Nessus Cloud earlier this year. It's pretty popular with our customers who want to perform PCI, because even though you can do PCI audits with Nessus, if you want to get an authorized scanning vendor type of audit, you have to do it from a third party. And we do a lot more than just PCI, but we're really good at doing these audits. We're also one of the only vendors who mixes indicators of compromise -- such as botnet and malicious hashes and IP addresses -- as part of that audit.
Robert: A lot of what you're talking about sounds like SIM, and I know you don't think of Nessus as SIM. How do you differentiate those?
Ron: So our security center product line is probably the closest thing to a SIM. We actually think it's something between vuln management, SIM, and GRC. It's this layer of actually being able to measure things. So what I like to talk to people about is that if you think about devices on your network, you've got targets and you've got defenses. So if your defenses are firewalls, antivirus systems, anomaly detection systems, things like that. And then you have your targets, your Windows computers, your SCADA devices, your Internet of Things and whatnot. What we want to do at Tenable is look at everything working together. So if you have a 30-day patch window, but you believe you're protected because you have white listing software or antivirus software or a firewall, we actually want to audit that from end to end with evidence gathered from logs and configuration audits. Now some of that looks like SIM. It looks like GRC. But what it actually is is true automated measurement of your security infrastructure.
Robert: Looking ahead a little in terms of road map, is there any point at which this kind of capability intersects with some of the endpoint analytic stuff that we're seeing some startups around? In other words, if you've got vulnerabilities and you've got a baseline that you're looking for, can you then measure current traffic against it and see where you are? Is that in the cards?
Ron: So we actually do a little bit of that right now, and a lot of people here at RSA do that type of anomaly detection. What we really want to focus on, though, is not just trying to throw algorithms or threat feeds at your security and trying to feel secure about it, but really trying to audit what is out there and what should be out there so you can take action. One of the biggest problems in the security industry right now is that your auditing takes place way too slow. So it's great to go look for malware, APTs or insider threats with an algorithm or a product. What's more useful is being able to take the action that would've prevented the abuse in the first place. It's the cheapest way to do it. And the best way to do it is be proactive in real time.
Robert: Makes sense. Ron, thank you so much for joining me. I'm Robert Richardson. I'm the editorial director at SearchSecurity and Ron Gula is the CEO of Tenable.
Ron: Thank you very much.