Security Laboratory

Security Laboratory: Thought Leaders

Stephen Northcutt from the security laboratory conducts in depth interviews with the thought leaders in information security. For every novel security product, there is a thought leader, a man or woman of vision that sees the need and guides the creation of the security product. If there is someone missing whose voice you feel should be heard, drop me a note, stephen@sans.edu

What is a Security Thought Leader - March 22nd, 2008
Amrit Williams, Chief Technology Officer, BigFix - June 30th, 2008
Andrew Hay, Q1 Labs - May 13th, 2008
Gene Schultz, CTO of High Tower - April 4th, 2008
Tomasz Kojm, original author of ClamAV - April 3rd, 2008
Bill Johnson, CEO TDI - April 2nd, 2008
Gene Kim, Tripwire - March 14th, 2008
Kevin Kenan, Managing Director, K2 Digital Defense - March 14th, 2008
Leigh Purdie, InterSect Alliance, co-founder of Snare - March 7th, 2008
Marty Roesch, Sourcefire CEO and Snort creator - February 26th, 2008
Dr. Anton Chuvakin, Chief Logging Evangelist with LogLogic - January 28th, 2008
Kishore Kumar, CEO of Pari Networks - Updated January 28th, 2008
Ivan Arce, CTO of Core Security Technologies - October 26th, 2007
Mike Weider, CTO for Watchfire - Updated July 23rd, 2007
Jeremiah Grossman, Founder and CTO of WhiteHat Security - July 12th, 2007
Interview with authors of The Art of Software Security Assessment - Updated July 9th, 2007
Ryan Barnett, Director of Application Security Training at Breach Security, Inc. - June 29th, 2007
Dinis Cruz, Director of Advanced Technology, Ounce Labs - June 11th, 2007
Brian Chess, Chief Scientist for Fortify Software - June 9th, 2007
Caleb Sima, CTO for SPI Dynamics - Updated May 29th, 2007
An Interview with David Hoelzer, author of DAD, a log aggregator - May 1st, 2007
An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information - March 22nd, 2007

An Interview with Ron Gula from Tenable about the role of a vulnerability scanner in protecting sensitive information

March 22nd, 2007
By Stephen Northcutt

Ron Gula, the author of the Dragon IDS, is now running Tenable Security, and they are releasing a novel technology: a vulnerability scanner plugin that looks for sensitive information. You know, the stuff you read about being breached every other day. Ron was kind enough to be interviewed, so here we go.

Other than finding security holes, Ron, I was not aware you could scan for things like Social Security Numbers (SSNs)?

We're releasing the ability to scan for sensitive data on Windows servers using Nessus and a new Nessus plugin named "Windows File Contents Check" (plugin ID # 24760). It has the ability to find a wide variety of sensitive data at rest on Windows computers.

Well, that is amazing, Ron. How does someone get this technology?

This will be available in the Direct Feed and also has a great impact on what you can do with the Security Center.

OK, slow down, Ron, you are scaring us. What is a Direct Feed and what is a Security Center? I went to your web site to prepare for this interview and it says this about the Security Center: "The Tenable Security Center provides proactive, asset-based security risk management. It unifies the process of asset discovery, vulnerability detection, event management and compliance reporting for small and large enterprises." Great, but what does that mean in English?

The Direct Feed is a subscription and support service that any Nessus 3 user can purchase. With the feed, users get the latest vulnerability checks, the ability to audit UNIX and Windows system configurations against NSA, NIST, CERT, DISA and other "best practices" policies, technical support, and now the ability to scan for sensitive data at rest.

The Security Center is a software product that allows management and monitoring of multiple types of security and compliance data at the network level. It can be used to divide up a network between political groups (HR, Accounting, IT, etc.), technology (printers, Cisco routers, web servers, laptops, etc.), as well as all of the devices which make up a "business asset" such as PeopleSoft, the entire management infrastructure for the NIDS, and so on. The idea is to centralize logs, vulnerabilities and configuration data and then to give this information securely in a variety of formats to IT, business owners, auditors and security monitoring staff.

Thanks for helping us catch up! The last time we talked, I thought you told me that you monitored sensitive information using a passive scanner. Why the change to active scanning?

This also complements how we monitor credit cards and SSNs and such passively with the Passive Vulnerability Scanner. Passively, we need to wait until someone moves a sensitive file in order to see it. Using both active and passive methods, we have a better chance of seeing the data and discovering it. Using active and passive monitoring is also the same principle we use to discover new hosts and new vulnerabilities.

Thanks, Ron. I understand you guys have a blog that has the really gory technical details and examples of the code for the .audit files that actually do the work of finding things like an SSN. How does someone find your blog?

The blog is at http://blog.tenablesecurity.com. We try to keep it very technical and very useful, with content that appeals to everyone from the casual Nessus user to our larger Security Center customers that monitor device counts in excess of 100,000 nodes.

What other types of sensitive information have you created these .audit files to find?

We have created rules to look for CCNs and SSNs in a variety of formats. In addition, there are also rules to search for international wire transfers, driver's license numbers and even copyrighted source code. We're expecting to get many requests and ideas for new file formats and new content.

The most appealing aspect of this type of search is the ability to customize your own "sensitive content". It is very easy to create rules to search for your own copyrighted content, employee lists with a few of your company's real employee names, or even "keywords" that would be of interest when searching someone's local chat logs.

For compliance monitoring, Nessus 3 also has the ability to scan a system to see if it is configured correctly, for example, checking that event logging on a Windows 2003 server is indeed enabled and that logs are being kept for the proper amount of time.

Tenable has produced many policies which can be used to audit against many different standards, and we're always adding more policies and tools to make an auditor's life easier. We just added a tool to extract specific variable settings in UNIX configuration files, and we're about to release a tool that supports NIST's XCCDF standard.

(The URL for the NIST content is: http://nvd.nist.gov/scap/content.cfm)

So this is starting to sound like you are serious. Do you think other vulnerability scanners will be interested in the IT audit world?

I think Nessus and the Security Center will be one of the first "vulnerability" guys to really jump into IT auditing with both feet. I've always felt that scanning and auditing are very useful, but being able to centralize this information alongside user, firewall, authentication, IDS and other types of logs makes finding security and compliance issues much easier.
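As an added illustration of the kind of "sensitive data at rest" content check discussed in the interview, the following is a constructed example and not Tenable's plugin or .audit code. It assumes its own regexes and validation rules (SSA-published invalid SSN ranges, Luhn mod-10 for card numbers) to show why a naive pattern match is not enough: validating candidates removes the false positives that would otherwise bury real findings.

```python
"""Minimal 'sensitive data at rest' content check: scan text for SSNs and
payment card numbers, validating candidates to cut false positives."""
import re
from typing import List, Tuple

# US SSN: area-group-serial. Area 000, 666 and 900-999 are never issued;
# group 00 and serial 0000 are invalid (SSA's published rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Card candidates: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four digits so findings can be reported safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]

def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, masked_value) for each validated hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append((lineno, "SSN", mask(m.group(0))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_ok(digits):   # drop 16-digit serials that are not cards
                findings.append((lineno, "CARD", mask(m.group(0))))
    return findings

# Constructed sample file content; the card numbers are industry test numbers.
SAMPLE = """Employee export for HR review
Alice Example, SSN 123-45-6789, hired 2005
Bob Example, SSN 666-12-3456 (invalid area, should be skipped)
Refund to card 4111 1111 1111 1111 processed
Ticket 4111111111111112 is a serial number, not a card
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Reporting only masked values matters: a scanner that writes the full SSN or card number into its own report has just created one more copy of the sensitive data it was meant to find.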