Unified Security Monitoring: The Business Benefits - Ron Gula, CEO, Tenable Network Security
This is the business case made by Ron Gula, CEO of Tenable Network Security, who in an exclusive interview discusses:
Gula is known in the global security community as a visionary, innovator and engineer of extraordinary talent. He traces his passion for his work in security to starting his career in information security at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research.
Since co-founding Tenable in 2002, Gula has been CEO and CTO at Tenable, maker of the world-renowned Nessus Vulnerability Scanner and Unified Security Monitoring enterprise solution. As CEO/CTO of Tenable, he is responsible for product strategy, research and development, and product design and development. Gula is also a leader in his community and a passionate advocate for education and scientific research.
TOM FIELD: Hi, I'm Tom Field, Editorial Director with Information Security Media Group. We are talking today about unified security monitoring, and we are talking with Ron Gula, the CEO of Tenable Network Security. Ron, thanks so much for joining me.
RON GULA: Thanks for having me on the show.
FIELD: Ron, just to set some context for people, let's define unified security monitoring. What is it really in a business context?
GULA: It's a different way of looking at the various information security processes that are going on in your organization right now. My background: I got started in this doing intrusion detection, and these were the folks who sniffed packets to look for the bad guys coming into or out of your network. There are a lot of other groups in information security; some of these people are in IT management, firewalls, anti-virus, vulnerability scanning and what have you. In the financial communities, what I see is that many of these processes are done in silos; they don't communicate with each other. The process of unified security monitoring is to bring this all together so that your offense knows what your defense is doing, so that you know if you are defending against the correct threats, and you have the synergy of being able to react when you get new information from any part of your group.
FIELD: So, Ron, what are the security challenges in the enterprise today that really demand unified security monitoring?
GULA: There are really two. On one hand, you have technical challenges of just having this data that is available that you need to feed into different systems, and on the other hand you have political stuff.
Just talking about each of those for a second: If you are trying to do vulnerability scanning for example, for a very, very large organization, there is an effort involved with that. But then taking the results of that vulnerability scan and piecing it up and sharing it to the various political groups -- that is the hard part. Unless you have volume from all those different groups out there, you are going to have issues with buy-in. Are they going to believe the data, are they going to make use of it, are they going to ask about it? It is very, very difficult.
On the other hand, politically you might have groups within your organization who don't want to be audited. They might not have a need to have their security inspected by a third party to have their source code reviewed, to have their processes reviewed. It is very, very interesting some of the conversations we have had. However, if you are going to try to defend a large financial organization and you don't have the buy-in from those groups, you are going to have gaps in your coverage.
FIELD: Well, you know that segues into a question I wanted to ask, which is really about trying to build a business case for this. What are the business benefits that are going to be realized by an investment in unified security monitoring?
GULA: There are several. At a very, very minute scale you can simply leverage the scalability of the modern technologies. If you can buy a 10-gigabyte intrusion prevention system, for example, that one intrusion prevention system might be good for the entire organization. If you can buy a service where you can scan large networks for vulnerabilities, again, you might be able to leverage a lower cost than if everybody went out and bought their own technology. Having said that, if everybody does go out and buy their own technology, then it is sort of like having two clocks -- you never know what time it is. That actually can cause a lot of issues when people are trying to be "100 percent compliant" or "100 percent secure." As a vendor, I am often asked by my customers 'How do I know when I am done?' You know, 'How do I know when I am secure?' And it's a very interesting question because you can only go so far with one particular product.
The specific business case, though, the benefits that are realized here are that if you approach security from the point of view of implementing high level business objectives -- and that includes a lot of transparency in how your IT group works, a lot of transparency in how your security group is auditing things -- you can actually lower the cost of IT operations, and a benefit from that is you get good security.
So for example, if your IT group is supposed to be managing all of the servers to a unique baseline, and your security group is auditing against that, well, if that is indeed having an effect, then you are going to need fewer IT resources to maintain a consistent baseline. A side effect of that is that you have fewer anti-virus tickets, you have fewer help desk tickets, and you have fewer security issues. So that should be your biggest goal in deploying something like unified security monitoring, in that you should be able to measure some sort of reduced costs in the IT costs of your business.
FIELD: Now, Ron, my understanding is that unified security monitoring also has some ancillary benefits in other elements of risk management and compliance. Can you offer up some of those please?
GULA: Absolutely. So, if you are a large financial organization, or any large organization for that matter, you have a heavy load in that you have to demonstrate compliance. You can have the best system administrators in the world. You could have bought the most secure firewall, or the best anti-virus product, but at the end of the day if you have an auditor from the U.S. government, from the credit card industry, from the healthcare industry, or perhaps you are such a large organization that you have your own auditors, if you need to prove to them that what you are doing is good, that can be a completely different issue.
I have talked to a lot of CISOs, and they say that the burden of proof, proving that you are secure, is almost as difficult as knowing that you are secure. So if you have the unified security monitoring, if you have the ability to pivot from knowing your vulnerabilities to knowing your intrusions, to knowing your configurations to being able to search logs, to being able to do whatever it is you need to do, then when that auditor asks you about anti-virus or about patching or about standards and things, you can have that data at your fingertips, and then you can also show evidence in the other areas, in other words looking at your vulnerability scanning for results from your anti-virus, or looking in your logs to know that your systems are being patched -- if you can show that you have that type of thorough understanding of what is on your network, then demonstrating compliance with any of the regulations out there is much, much, much easier.
FIELD: That makes sense. Now if I am an organization of that size, then I have got a significant existing security technology investment. How does your approach help me maximize that investment?
GULA: The way it is maximized is by looking at the specific technologies and saying 'What more can I get out of this than what it is doing for me?' So, the example I always throw out there, and I am going to use a couple here, is vulnerability scanning.
I often ask people 'What does a vulnerability scan tell you?' and the obvious answer is: where my vulnerabilities are. But in the context of a compliant organization that is trying to perform unified security management, unified security monitoring, what they are really going to find are computers, servers, users, and systems that are not being managed.
In other words, a modern organization is going to have something like a patch policy or a baseline configuration and when you find a vulnerability scanner and you find vulnerabilities, you are going to see evidence of maybe vulnerabilities ... but if your patching policy says that my patching window is 30 days, really vulnerabilities that are older than 40 days or 30 days or 50 days are indicative of a system that is not being managed. That allows your group to be a lot more responsive and proactive; it's not so much that you say 'Hey, you need to go and fix this, you have these security issues.' You can say 'Hey, you need to go and fix this process because these machines aren't being managed.'
Now I talk to a lot of traditional security experts, and we talk about the different ways you can use intrusion detection systems, firewalls and configuration auditing systems in this manner, and I get a lot of, 'Wow, I never really thought about it that way.' But if you can rise sort of to the next level and apply that data in a way so how it looks for the business unit, you can get a lot of mileage out of your existing security investments.
FIELD: Well, I like those examples Ron. I wanted to ask you, can you give us some examples of how some of your customers have benefited from this approach. I understand you probably can't name names, but you can probably give some good examples of this.
GULA: Sure. We'll just do a real simple one, or two simple ones. If you have the classic vulnerability scanning problem, where most scanners do a really good job of simulating the hacker view of the network, let's just scan and find systems out there. Yet almost every scanner out there, you can give the same credentials that your IT administrators use to manage your DNS servers and your Windows domain controllers and things like that. If you can deploy such a system where you have enough transparency that your controllers and your administrators can give these credentials, then what you get is a lot more visibility. And it is one thing to have your IT group or your information server group be able to look at their own servers and see their configurations; it is another thing completely to have a group that has responsibility for compliance and security auditing to have that third-party group. That is basically a way to get people to have incentives to make sure their systems are patched and also not to exceed any service level agreements and things like that.
Now if you have a more serious incident, if you have something like the Conficker worm you are trying to respond to, being able to have one group that has access to the network traffic, the vulnerabilities, the configurations and various types of other information that you can bring in in the unified security monitoring strategy, it makes this notion of 'How do we respond to the underlying vulnerabilities to the Conficker worm, how do we respond to the actual worm itself,' much, much, much easier. It allows organizations -- and we have had several customers who have done this -- to respond quicker and make better decisions sooner, which can really limit the type of outbreak that has been going on.
There are many others. We could talk about PCI, web apps, things like that, but the idea is transparency, to bring everything under one view where you can make better decisions because you have better information.
FIELD: Ron, one last question for you. If you could offer one piece of advice to somebody that has just heard about unified security monitoring and wants to go down that path, what would your advice be?
GULA: If you are an organization where this unified security monitoring concept seems new because you are not doing it, then my piece of advice is to pick one other type of technology that your security group (assuming that you are coming from a security monitoring point of view) does not have access to.
For example, there are a lot of people in security audit where they don't have access to the daily firewall logs, they don't have access to the daily web logs, they don't have access to the daily user authentication logs, and any of those types of things can have dramatic impact on any type of security posture assessment, any type of incident response, and possibly compliance reporting. Pick one and make a business case, get executive buy-in and then try to figure out a way for you to integrate that into one kind of dashboard, one kind of system.
Now there are vendors like Tenable who have products that do this. There are open source tools out there. There are ways to outsource. But the idea is to really pick one area that you think you can get a lot of synergy out of, and tackle that. Once you demonstrate that there is a lot of value in bringing this information together, you should be able to get buy-in and show value with other types of security and compliance-monitoring technologies.
FIELD: Ron, that is excellent. I really appreciate your time and your insight today.
GULA: Thank you very much for the questions.
FIELD: We have been talking about unified security monitoring, and we have been talking with Ron Gula, CEO of Tenable Network Security. For Information Security Media Group, I'm Tom Field. Thank you very much.