There's a lot of present-day talk about threat intelligence sharing and a lot of companies are introducing dozens of threat intelligence services, but there's too much emphasis on this side of the coin, according to Ron Gula, CEO of Tenable Security.
"Right now there's an 'overfocus' on threat intelligence sharing. And it's kind of hard to criticize that because we've always said the bad guys are sharing more than the good guys," Gula said in this interview recorded at the 2015 RSA Conference. SearchSecurity Editorial Director Robert Richardson sat down with Gula to discuss both his views on the relative importance of threat sharing and to catch up on recent developments in Tenable's product strategy, which includes both enhancements to its flagship Nessus product, but also increased inclusion of other kinds of sensors into its SecurityCenter continuous monitoring platform.
"My concern right now," Gula said, "is that people are leading with trying to detect indicators of compromise on their network, but they're forgetting to secure their networks in the first place." While threat intelligence providers have a role to play, "I keep thinking that these threat providers are doing really, really good research, but the thing I hear from my customers it that they take one or two or three feeds and they're very happy with the data." But the data in the feeds doesn't overlap, noting that he would expect some overlap among feeds. "So I think they're getting a false sense of security for what the threat really is."
Gula says Tenable's products do use a number of threat intelligence feeds from various sources, but the emphasis is on discovering all the assets on the network. "That's the whole principle with Tenable. We're trying to help organizations measure 100% of their assets and figure out what's the No. 1 risk they would like to mitigate."