Thought Leaders

An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information

Stephen Northcutt - August 13th, 2009

What's changed in the last few years?

Since we last chatted, I think the biggest thing that has hit the security industry is scaling -- doing more with less. Regardless of whether you are the "one man security shop" or you have a team responsible for securing a network with 100,000 nodes, you are likely being asked to do more with the products already in your tool kit.

We've seen a move across our customer base to do more with what they've already been using. For example, we've seen Nessus users who traditionally did remote vulnerability scans mature their processes so they can scan with credentials and perform patch and configuration audits alongside IT. We've also seen our enterprise network customers move from siloed vulnerability detection, log analysis and network monitoring technologies into a more unified offering. Having all that data from one vendor like Tenable is much easier than trying to aggregate it from multiple vendors.

On a tactical note, Tenable also made a big investment to strengthen Nessus' ability to perform web application assessments. Nessus now performs many of the industry standard web application tests such as SQL injection and Cross-Site Scripting analysis. When you combine this with our database, application and operating system configuration audits, it is a much deeper form of analysis than pure black-box testing.

What operational benefits do you get with all of the data centralized?

There are a variety of efficiencies.

In smaller organizations, a lot of our customers are benefiting from the commoditization of certain technologies like log aggregation. In the past, an organization like a small university would have had to spend a small fortune to get scanning, log analysis, correlation, patch auditing and so on. Today you can buy solutions like that from Tenable at a cost much less than that of a security analyst's salary. That is a big game changer.

In larger organizations, having a deep repository of assets, vulnerabilities, configurations, logs and network activity is a gold mine that can satisfy a wide variety of compliance reporting and incident response processes. Many times, larger organizations don't have the understanding that you can re-purpose security tools to perform a variety of IT monitoring functions. For example, we have many enterprise customers that use Nessus credential checks to independently test for an active anti-virus agent which is a requirement of PCI.

How have the SANS CAG policies been adopted by your customers?

When I first read the SANS CAG, I had a very positive reaction. Much of how I structured Tenable to be able to offer passive monitoring, scanning, patch auditing, log analysis and so on was right in the recommendations. I was also very happy with the direct nature of the CAGs.

I've worked with a lot of organizations who have implemented ITIL or COBIT successfully for their network, but the issue there is that often the IT admin or security auditor does not know why or how they fit into the overall requirements.

With the CAGs, I see them getting adopted much more readily because they can be easily grasped. I also feel that although there is no regulatory requirement to perform CAG types of management, network organizations that do implement these controls will have a much easier time complying with things like PCI, FDCC and so on.

March 22, 2007 Interview:

Ron Gula, the author of the Dragon IDS is now running Tenable Security and they are releasing a novel technology, a vulnerability scanner plugin that looks for sensitive information. You know, the stuff you read about being breached every other day. Ron was kind enough to be interviewed, so here we go.

Other than finding security holes, Ron, I was not aware you could scan for things like Social Security Numbers (SSN)?

We're releasing the ability to scan for sensitive data on Windows servers using Nessus and a new Nessus plugin named "Windows File Contents Check" (plugin ID # 24760). It has the ability to find a wide variety of sensitive data at rest on Windows computers.

Well, that is amazing Ron, how does someone get this technology?

This will be available in the Direct Feed and also has a great impact on what you can do with the Security Center.

OK, slow down Ron you are scaring us. What is a Direct Feed and what is a Security Center? I went to your web site to prepare for this interview and it says this about the Security Center "The Tenable Security Center provides proactive, asset-based security risk management. It unifies the process of asset discovery, vulnerability detection, event management and compliance reporting for small and large enterprises." Great, but what does that mean in English?

The Direct Feed is a subscription and support service that any Nessus 3 user can purchase. With the feed, users get the latest vulnerability checks, the ability to audit UNIX & Windows system configurations against NSA, NIST, CERT, DISA and other "best practices" policies, technical support and now the ability to scan for sensitive data at rest.

The Security Center is a software product that allows management and monitoring of multiple types of security and compliance data at the network level. It can be used to divide up a network between political groups (HR, Accounting, IT, etc.), technology (printers, Cisco routers, web servers, laptops, etc.) as well as all of the devices which make up a "business asset" such as PeopleSoft, the entire management infrastructure for the NIDS, and so on. The idea is to centralize logs, vulnerabilities and configuration data and then to give this information securely in a variety of formats to IT, business owners, auditors and security monitoring staff.

Thanks for helping us catch up! The last time we talked I thought you told me that you monitored sensitive information using a passive scanner, why the change to active scanning?

This also complements how we monitor credit cards and SSNs and such passively with the Passive Vulnerability Scanner. Passively, we need to wait until someone moves a sensitive file in order to see it. Using both active and passive methods, we have a better chance of seeing the data and discovering it. Using active and passive monitoring is also the same principle we use to discover new hosts and new vulnerabilities.

Thanks Ron, I understand you guys have a blog that has the really gory technical details and examples of the code for the .audit files that actually do the work of finding things like an SSN, how does someone find your blog?

The blog is at We try to keep it very technical and very useful with content that appeals to everyone from the casual Nessus user, to our larger Security Center customers that monitor device counts in excess of 100,000 nodes.

What other types of sensitive information have you created these .audit files to find?

We have created rules to look for CCNs and SSNs in a variety of formats. In addition, there are also rules to search for international wire transfers, driver's license numbers and even copyrighted source code. We're expecting to get many requests and ideas for new file formats and new content.

The most appealing aspect of this type of search is the ability to customize your own "sensitive content". It is very easy to create rules to search for your own copyrighted content, employee lists with a few of your company's real employee names, or even "keywords" that would be of interest searching someone's local chat logs.

For compliance monitoring, Nessus 3 also has the ability to scan a system to see if it is configured correctly. For example, checking that event logging on a Windows 2003 server is indeed enabled and logs are being kept for the proper amount of time.

Tenable has produced many policies which can be used to audit against many different standards and we're always adding more policies and tools to make an auditor's life easier. We just added a tool to extract specific variable settings in UNIX configuration files and we're about to release a tool that supports NIST's XCCDF standard. (the URL for the NIST stuff is:

So this is starting to sound like you are serious, do you think other vulnerability scanners will be interested in the IT audit world?

I think Nessus and the Security Center will be one of the first "vulnerability" guys to really jump into IT auditing with both feet. I've always felt that scanning and auditing is very useful, but being able to centralize this information alongside user, firewall, authentication, IDS and other types of logs makes finding security and compliance issues much easier.
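The interview above describes content checks that search files at rest for SSNs and credit card numbers in various formats. The following is an added example written for this page, not Tenable's plugin or .audit code, showing the shape of such a check: a pattern match for each data type, a validation step that filters out look-alike digit strings (SSN area/group/serial rules and the Luhn checksum for card numbers), and a finding that records only a masked value so the report itself does not become a second copy of the sensitive data. The file names and contents are constructed sample data; `scan_files` takes an in-memory mapping so the example runs offline.

```python
import re
from dataclasses import dataclass

# SSN in the common NNN-NN-NNNN form. Excludes area 000, 666 and 9xx,
# group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or dashes.
# This pattern alone is noisy; luhn_ok() below filters the false positives.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass
class Finding:
    path: str
    line: int
    kind: str    # "SSN" or "CCN"
    masked: str  # only the last four digits are kept in the report


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Replace all but the last four digits with '*', keeping separators."""
    out, seen = [], 0
    for ch in reversed(value):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 4 else "*")
        else:
            out.append(ch)
    return "".join(reversed(out))


def scan_text(path: str, text: str) -> list[Finding]:
    """Return validated SSN and card-number findings for one file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, lineno, "SSN", mask(m.group())))
        for m in CCN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(path, lineno, "CCN", mask(m.group())))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (stands in for a directory walk)."""
    results = []
    for path, text in sorted(files.items()):
        results.extend(scan_text(path, text))
    return results


# Constructed sample files: one real-looking SSN, one unissued SSN,
# one Luhn-valid test card number, one with a bad check digit, and a
# 13-digit order number that the regex alone would have flagged.
SAMPLE_FILES = {
    "hr/new_hires.txt": (
        "Jane Doe, start 2007-03-01, SSN 123-45-6789\n"
        "John Roe, SSN 000-12-3456 (placeholder, not valid)\n"
    ),
    "finance/refunds.csv": (
        "order,card\n"
        "A100,4111 1111 1111 1111\n"
        "A101,4111-1111-1111-1112\n"
        "A102,1234567890123\n"
    ),
    "it/notes.txt": "Ticket 20070322 closed.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.masked}")
```

Running it reports two findings: the SSN on line 1 of `hr/new_hires.txt` and the card number on line 2 of `finance/refunds.csv`; the unissued SSN, the number with the wrong check digit and the order number are dropped by validation rather than by the pattern. In a real deployment the same two-stage approach (cheap pattern, then a validation check) is what keeps a content audit from burying the auditor in false positives.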