Tenable is not an endpoint or perimeter security company in the sense that it does not provide firewalls and anti-virus/malware protection. It essentially provides a comprehensive, continuous monitoring system that can tell you in real-time if something is wrong or awry with said security.
Founded in 2002, it provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Its clients include many Fortune 500 companies, the entire U.S. Department of Defense, and many of the world’s governments.
I had the opportunity to interview Dick Bussiere, Principal Architect for Tenable Network Security in the Asia Pacific region. He is based in Singapore and comes from Boston, of French Canadian extraction.
Dick has been with Tenable for 13 years and has been in ICT security and computer networking for over 20 years. He is a regular speaker at conferences including the 2014 RSA Conference – where the world talks security.
“We love antivirus and security companies – we are not competitors as you need something concentrating on protecting the perimeter and endpoints from virus, malware and intrusion,” Dick said. “But I challenge you to be able to define the extent of that perimeter these days with so many Bring Your Own Devices (BYOD), and now the Internet of Things (IoT). I also challenge you to find breaches quickly.”
The remainder of the interview is paraphrased to avoid repetition of he said etc.
In 2014 there were 152 operating vulnerabilities reported each week.
You may as well assume that your network will be breached – not if, but when.
We say continuously monitor the access levels of the LAN/WAN infrastructure. That means watching traffic flowing to and from devices and looking for telltale signs of malicious activity. Two things need to be done:
First is the Vulnerability assessment to find security issues, patches, bugs and configurations.
Second is the Compliance audit where a set of rules are checked for completeness and compliance.
There is a big difference between the two functions – you can be compliant but you can never be secure.
A recent survey shows that over half of the larger companies only do security or vulnerability assessments irregularly – some quarterly and some never. Why? Because it is a lot of work and the huge amounts of data gained need extensive analysis. In labour savings (OPEX) alone, Tenable’s continuous monitoring pays for itself.
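The two functions Dick separates above, vulnerability assessment and compliance audit, are easy to conflate in a report. The following script is an added example written for this article; it is not Tenable or Nessus code. It runs both checks over a constructed host inventory (the package versions, baseline rules and host names are all invented for illustration) and keeps the two verdicts apart, so a host that passes every baseline rule while still running a critically vulnerable package shows up as compliant but not secure.

```python
"""Vulnerability assessment and compliance audit as two separate checks
over one host inventory. Added example, not Tenable/Nessus code; the
hosts, versions, advisory entries and baseline rules are constructed."""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    software: dict  # package -> installed version, e.g. {"openssl": "1.0.1e"}
    config: dict    # setting -> value, e.g. {"ssh_root_login": "no"}


# Constructed stand-in for a vulnerability feed: package -> [(vulnerable version, severity)].
KNOWN_VULNS = {
    "openssl": [("1.0.1e", "critical")],
    "bash": [("4.2", "high")],
}

# Constructed compliance baseline: setting -> required value.
BASELINE = {
    "ssh_root_login": "no",
    "password_min_length": "12",
    "audit_logging": "on",
}


def assess_vulnerabilities(host):
    """Return (package, version, severity) for each installed package whose
    version matches a known-vulnerable entry."""
    findings = []
    for pkg, ver in host.software.items():
        for vuln_ver, severity in KNOWN_VULNS.get(pkg, []):
            if ver == vuln_ver:
                findings.append((pkg, ver, severity))
    return findings


def audit_compliance(host):
    """Return (setting, expected, actual) for each baseline rule the host fails.
    A setting that is absent from the host config counts as a failure."""
    failures = []
    for setting, expected in BASELINE.items():
        actual = host.config.get(setting)
        if actual != expected:
            failures.append((setting, expected, actual))
    return failures


def report_card(hosts):
    """Per-host summary with 'compliant' and 'secure' kept as separate verdicts:
    'secure' here means no critical-severity finding, independent of compliance."""
    card = {}
    for host in hosts:
        vulns = assess_vulnerabilities(host)
        failures = audit_compliance(host)
        card[host.name] = {
            "compliant": not failures,
            "secure": not any(sev == "critical" for _, _, sev in vulns),
            "vulns": vulns,
            "compliance_failures": failures,
        }
    return card


# Constructed sample inventory. web01 meets every baseline rule but runs a
# critically vulnerable OpenSSL; db01 is patched but allows root SSH login.
SAMPLE_HOSTS = [
    Host("web01", {"openssl": "1.0.1e", "bash": "4.3"},
         {"ssh_root_login": "no", "password_min_length": "12", "audit_logging": "on"}),
    Host("db01", {"openssl": "1.0.2", "bash": "4.3"},
         {"ssh_root_login": "yes", "password_min_length": "12", "audit_logging": "on"}),
]

if __name__ == "__main__":
    for name, row in report_card(SAMPLE_HOSTS).items():
        print(f"{name}: compliant={row['compliant']} secure={row['secure']} "
              f"vulns={row['vulns']} failures={row['compliance_failures']}")
```

Running it prints web01 as compliant but not secure and db01 as secure but not compliant, which is the distinction the interview draws; a single pass/fail column would hide one of the two problems.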
Tenable’s solution has been to develop a many-to-one software architecture in which many instances of the company’s Nessus scanners are linked to a central monitoring database. Nessus is an active scanner; it combines with PVS, the passive scanner, and LCE, log correlation, to deliver continuous network monitoring.
You cannot keep up any more using manual processes to maintain and completely understand your vulnerability position. Collecting the data, putting it into a searchable and query-able database, applying big-data principles is almost impossible. Tenable is unique in that it does all that continuously and provides a dashboard interface for system administrators to respond quickly.
It also can produce an ‘assurance report card’ for the C-Level executives who do not need to know the detail.
Dick spoke often about a single point of truth, then asked me some questions.
Can you define your network, what are the IP addresses, what apps and programs are running, what known vulnerabilities do they have, where are your boundaries (BYOD), what about the IoT?
No one knows anymore where the network starts and ends. Sure, you have an internal network (intranet) but it also touches the internet – that is the equivalent of the wild west – and you can have an extranet and so on. This particularly applies to BYOD models, where large numbers of devices are deployed based on trust relationships not only with the corporate network, but also with other devices including virtual servers and Web-based cloud applications. The browser is the biggest vulnerability of all time.
We spoke about iOS, Windows Phone 8.1 (and Windows 10 Mobile) and Android.
Android is a nightmare, a train wreck, a disaster because of its open nature. Device manufacturers, telco carriers, and more all have access to the kernel and all put some form of bloatware on it making it almost impossible to update. Samsung’s Knox is a good start but it is not the solution – it [security] needs to be done from the kernel and that is Google’s responsibility.
iOS is safe simply because Apple will not let anyone into the kernel. Windows 10 and Windows 10 Mobile are following the same path and should be safe. But, hackers are now attacking apps instead of the kernel and that opens up a new threat vector.
Tenable’s solution, he repeats, is continuous monitoring and using big data (business intelligence) techniques to make it meaningful. He sees the time that endpoints will also need ‘agents’ to monitor their state and to connect with corporate networks.
We spoke about the IoT.
Again, it is a disaster: how do you find every asset on the network, especially those that only wake up occasionally and report something? Yes, you can look at IP addresses, but you don’t know what they are reporting, to whom (or what), are their apps/programs secure, are they in fact licensed (or counted as part of licensing processes), and who controls them?
Not knowing is bad enough. Tenable can provide that single point of truth and you would be surprised just how expansive networks can be. I am a great advocate for separating networks – those that are purely internal and trusted (do not need internet access), those that are trusted and need internet access, and then all those that are not trusted (guest networks).
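Two of the points above lend themselves to a worked example: an active scan is a point-in-time snapshot that misses devices that only wake up occasionally, whereas passively observed traffic catches them whenever they talk; and the three-way network split (internal trusted with no internet access, trusted with internet access, untrusted guest) is a policy that observed flows can be checked against. The script below is an added example written for this article, not Tenable, Nessus or PVS code. The address ranges, the active-scan result set and the flow records are all constructed; the external address used is the documentation address for example.com.

```python
"""Reconcile an active scan snapshot with passively observed flows, then check
the flows against a segmentation policy. Added example, not Tenable/PVS code;
zones, scan results and flow records below are constructed sample data."""
import ipaddress

# Constructed segmentation policy modelled on the interview's three zones.
ZONES = {
    "internal_trusted": ipaddress.ip_network("10.10.0.0/16"),    # no internet access
    "trusted_internet": ipaddress.ip_network("10.20.0.0/16"),    # internet access allowed
    "guest_untrusted": ipaddress.ip_network("192.168.50.0/24"),  # guest network
}
INTERNET_ALLOWED = {"trusted_internet", "guest_untrusted"}

# Constructed: addresses found by the last active scan. 10.20.3.2 answered the
# scan but has not been seen talking since.
ACTIVE_SCAN = {"10.10.1.5", "10.10.1.9", "10.20.3.1", "10.20.3.2", "192.168.50.12"}

# Constructed passive observations: (src, dst, dst_port, timestamp).
# 10.10.1.77 is an intermittent device that was asleep during the active scan.
FLOWS = [
    ("10.10.1.5", "10.10.1.9", 445, "2015-03-01T09:00"),
    ("10.10.1.77", "10.10.1.9", 8883, "2015-03-01T03:12"),
    ("10.20.3.1", "93.184.216.34", 443, "2015-03-01T09:05"),
    ("10.10.1.9", "93.184.216.34", 80, "2015-03-01T09:07"),   # internal_trusted -> internet
    ("192.168.50.12", "93.184.216.34", 443, "2015-03-01T09:10"),
]


def zone_of(ip):
    """Map an address to a policy zone; globally routable addresses are 'external',
    private addresses outside every defined zone are 'unknown_private'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external" if addr.is_global else "unknown_private"


def passive_inventory(flows):
    """Every non-external address seen as source or destination, with its
    latest timestamp (ISO-8601 strings compare correctly as text)."""
    seen = {}
    for src, dst, _, ts in flows:
        for ip in (src, dst):
            if zone_of(ip) != "external":
                seen[ip] = max(seen.get(ip, ts), ts)
    return seen


def reconcile(active, flows):
    """Split the combined inventory into assets the active scan missed,
    assets that answered the scan but never appeared in traffic, and the rest."""
    passive = set(passive_inventory(flows))
    return {
        "passive_only": sorted(passive - active),
        "active_only": sorted(active - passive),
        "both": sorted(active & passive),
    }


def segmentation_violations(flows):
    """Flows whose destination is external and whose source zone is not
    entitled to internet access under the policy."""
    return [
        (src, dst, port, ts)
        for src, dst, port, ts in flows
        if zone_of(dst) == "external" and zone_of(src) not in INTERNET_ALLOWED
    ]


if __name__ == "__main__":
    inventory = reconcile(ACTIVE_SCAN, FLOWS)
    print("missed by active scan:", inventory["passive_only"])
    print("scanned but silent:   ", inventory["active_only"])
    for v in segmentation_violations(FLOWS):
        print("segmentation violation:", v)
```

The reconciliation is what makes the scan-plus-passive pairing useful: the intermittent device appears only in the passive set, and the host that answered the scan but never talks is worth a second look as well. The segmentation check flags the one flow from the no-internet zone to an external address.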
Tenable’s solution is complete – all under one pane of glass (the dashboard) – other providers do pieces. The Tenable solution currently is dedicated software sitting on a hardened device (PC) on the network. It will eventually move to the cloud as a service once issues of security can be solved.
Dick had three messages he wanted conveyed to readers.
1. Consider the risk of not doing assessments regularly and look at Tenable’s continuous monitoring if only to reduce OPEX and gain peace of mind.
2. Design networks to be safe but assume they will be compromised – real-time monitoring will discover, analyse, prioritise and allow a quick response.
3. The extent of the network has expanded with BYOD, IoT, cloud and internet. It is not easily definable and all endpoints need to be managed.