Security Laboratory


Sec Lab: Security Products

In 1995, if you wanted a security product, you downloaded the source and compiled it on your Sun 3; today we buy supported commercial products. This series in the Security Lab introduces you to some of the products out there and, when possible, the movers and shakers on the teams that create these products.


Interview with David Breslin, Director of Sales Engineering for Tenable Network Security, Inc.

By Stephen Northcutt
David Breslin is the Director of Sales Engineering for Tenable Network Security, Inc. He started out back in the early 90s working for SouthWestern Bell in the UK, which was expanding telephony network services and laying some of the first fiber-to-the-door subscriber networks. In more recent years he worked as a consultant at Warner Brothers in Burbank and Cheap Tickets in Honolulu. In his position previous to Tenable he worked for Experian Consumer Direct, which provides online credit reports and identity theft alert monitoring. The Security Laboratory is grateful for his time and willingness to share his thoughts.

David, you mentioned there are limits to what you can do with an active vulnerability scanner. Can you share a bit more about that?

When using an active vulnerability scanner like Nessus and performing non-credentialed scans, we will detect vulnerabilities in network services. If we look at a popular network server/client protocol like HTTP, typically the network service is provided by a web server and the service consumer, the client, is a web browser. Knowing that a web server is vulnerable because of a misconfiguration or missing patch is important in auditing vulnerability risk, but what about the service consumers, the clients? Nessus, without credentials for patch auditing, cannot check the configuration or patch level of clients installed on hosts and devices.

Right, and it is the client that really matters, sometimes, true?

I think it's fair to say we are seeing the most popular feared exploit vector for organizations move away from the server side and into the client side, or at least the press is making it seem that way by dramatizing vulnerabilities like those found in the iPhone. One of the most popular vectors for malware is via a vulnerable web browser rendering a web page which has an embedded payload specially crafted to compromise the host on which the web browser is running.

Passive sniffing and analysis with a tool like p0f or the one you guys sell, how does it fit into the picture?

We can watch clients and servers chattering on a network and detect vulnerabilities by analyzing the network traffic without generating our own for discovery purposes. The same applies for peer to peer protocols.

I read once that the primary benefit to passive scanners is as a data source between active scans, what is your thought on that?

There are other reasons I may require the passive measurement of vulnerability risk rather than just throw my hands in the air and say auditing for vulnerability risk is simply impossible to support a remediation program because of service disruption fears from active auditing. There is a growing consciousness of how fragile some older power and utilities networks that have SCADA devices might be, and there might be expensive, and even dangerous, side effects from actively auditing them for vulnerabilities. SCADA aside, in a large global organization where asset management is decentralized and SLAs are prevalent, it may prove very time-consuming for a security team given the responsibility of globally auditing vulnerability risk to get permission to perform active vulnerability detection on everything, so a phased approach can be deployed, starting with passive auditing and then blending in active auditing as permissions are granted by asset owners. In a phased approach, the information learned by passive auditing can feed later into the most efficient way to go about active auditing.

I used to run your product in my lab, it was called NeVO, do you still have that?

Tenable has had a commercial offering for the passive detection of vulnerabilities for 4 years now and both small and very large forward thinking organizations have successfully deployed it. The product was first named NeVO but was re-branded to Tenable's PVS, Passive Vulnerability Scanner.

With credentials, Tenable's Nessus 3 is capable of measuring levels of vulnerability risk that PVS can't, like highly accurate patch audits and certified configuration audits, agentlessly. Like Nessus, however, PVS can be considered more than a vulnerability scanner; it is also a network auditing tool, and its 24/7, always-on operating status is arguably a great strength over active scanners, which have to scan repetitively and frequently in environments where networks are growing rapidly for the audit and vulnerability data to be relatively current. Active scanning in large organizations is likely to be restricted in its frequency by adherence to well-defined scan windows. Knowing one of my hosts or devices is vulnerable is interesting and necessary to support a remediation program; however, if tasked with mapping all networked assets, then knowing simply that a networked asset exists and where on a network would be useful information, especially if other attributes can be gathered like operating system, services and clients.

Okay David, you have mentioned Credentials twice, what exactly do you mean by that, where do I get them, how do I apply credentials, is that considered best practice?

Windows, Linux and UNIX hosts can be patch and configuration audited agentlessly by Nessus 3 if it's supplied with the appropriate authentication credentials. For Windows this involves a local or domain administrator account, which will be used to authenticate Nessus 3 to a Windows host over SMB. For Linux/UNIX this involves setting up the host accounts for SSH access. For a large organization, Security Center 3 has the ability to maintain an elaborate asset-centric set of credentials where many distributed Nessus 3 servers can be supplied exactly the asset credentials they require. For enterprise risk auditing, providing Nessus 3 with credentials is definitely Tenable's recommended best practice, but it is sometimes difficult to get over as a concept where organizations bring in specialized penetration tester teams who use tools like Nessus but aren't supplied credentials, and perhaps one of their goals is to attempt to discover information like user ids and passwords. A blended approach to risk auditing using both Nessus 3 and PVS is also considered best practice. Ron has blogged about Tenable Wednesday, which is a concept growing in popularity amongst our customers. Our Research team often has a late night on Microsoft Tuesday so our customers can audit the next day for the latest vulnerabilities, which is a great way to sanity check that patching is working and configured correctly. However, it should be noted that some vulnerability checks require credentials, like checking for those client vulnerabilities previously mentioned. It should also be noted that Nessus 3 with credentials can now search through files on Windows for sensitive data.

One of the most important keys to security, as far as I am concerned, is change management. If you think about it, that is exactly what hackers and malware do, unauthorized changes. The problem is that we have insiders called system administrators that also implement unauthorized changes though they think they are doing it for good reasons. Do you have tools that can help with that?

Like Nessus, PVS can be folded into an automated change management auditing initiative looking for unauthorized change like new devices, hosts, services and clients. Under Tenable's Unified Security Monitoring model it should come as no surprise that PVS's data can be fed into two enterprise products, Tenable's Security Center 3 and Tenable's Log Correlation Engine. In the Log Correlation Engine its auditing and real-time alerting data is extremely useful when correlated with other data sources like operating system logs and firewall logs for a high level of visibility into what a host or device is doing and detecting behavioral anomalies. In Security Center 3 PVS's vulnerability data can be blended with Nessus 3's in support of a collaborative remediation program supported through Security Center 3's workflow, multi-user model and reporting. Security Center 3 can also use PVS's vulnerability data to correlate with NIDS events to generate alerts indicating a high probability of compromise. PVS, although never intended to replace a NIDS sensor operating on a comprehensive list of exploit signatures, can also feed real-time alerts into Security Center 3 for interesting events like port scan detection and new host detection.

What is the most common question people ask about Passive Vulnerability Sniffer?

A common question of Tenable's Sales Engineering team is how to deploy PVS. Sometimes the question is answered by asking how an existing NIDS system was deployed. However, the most common deployment method is placing PVS at the network perimeter(s), the connection(s) to the Internet, versus deploying at the network core. The reasoning is to understand the view of vulnerability risk from clients that reach out to the Internet from internal network locations, allowing informed decisions to be made on how to reduce the risk and then measuring the effectiveness of those decisions. A relatively recent feature addition to PVS incorporates looking for sensitive data in transit on a network, which also adds weight to placing PVS at the perimeter, since sensitive data leaving an internal network for some Internet location is more unusual than it moving around internally.

Tenable partnered with Enterasys allowing its Dragon IDS sensor and Tenable's PVS to be deployed side by side on the same network appliance allowing threat auditing, NIDS alerts, and risk auditing, PVS vulnerability detection, to be deployed on the same device.

Brag time, what makes PVS better than the other guy's product?

PVS, having been on the market now for 4 years, highlights the high level of innovation Tenable brings to the table for its customers that not only want to meet compliance standards, but exceed them. Tenable's enterprise architecture in support of its Unified Security Monitoring is modular, and customers that deploy a subset can very easily snap on other pieces later. This allows a very flexible, dynamic deployment in support of vulnerability risk auditing for large organizations, where PVS and Nessus 3 can be used in combination or separately for various network locations. The Log Correlation Engine can be deployed if more visibility is sought over networked assets at a later date, using various sources of real-time network monitoring data like PVS or host behavior gleaned from O/S and application logs.

On the Securitylab, we like to give people a bully pulpit, a chance to share whatever security trend is on your heart, what would you like our readers to know?

I believe enterprise tools driven by the needs of INFOSEC for providing visibility into networked asset behavior and configurations are being built and matured for Security Professionals that belong equally in the hands of IT Operations. When tools aren't shared there is a tendency for them to truly underperform in terms of ROI for an organization. How many Security teams working autonomously, for example, fail to secure credentials so they can incorporate deeper views of vulnerability risk by accurate patch and configuration auditing? Tenable's Security Center 3 incorporates an asset-centric collaborative user model where not only the Security team can review vulnerability, IDS and log data but also those that are responsible for the operation of networked assets and SLAs.

Last question and we certainly appreciate your time. Can you tell us just a bit about yourself, when you are not in front of a computer, what do you like to do?

  • Jogging, we have a great 1 mile circuit right outside Tenable HQ.
  • Cycling on Maryland's numerous trails.
  • The reason I need to jog and cycle, the occasional pint of Liffey Water.
  • Following Manchester United which I've done since I was 7 and my Grandfather took me to see them for the first time.
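The passive approach David describes in the interview, learning which clients and servers exist on a network, and which of them look outdated, purely from the traffic they already generate, can be illustrated with a small script. This is an added example written for this page; it is not Tenable's code and does not reflect how PVS is implemented. The captured HTTP exchanges, the IP addresses, the product names (`ExampleBrowser`, `ExampleHTTPd`, `FetchTool`) and the `MINIMUM_VERSIONS` table are all constructed for the demonstration. It also shows the two by-products the interview mentions: an asset map (host, services, clients) and a new-host alert against a known inventory.

```python
import re
from collections import defaultdict

# Constructed sample of captured HTTP exchanges as (src_ip, dst_ip, raw_message).
# Requests flow client -> server, responses server -> client. Addresses come
# from documentation ranges and every header value is made up.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "203.0.113.10",
     "GET / HTTP/1.1\r\nHost: www.example\r\nUser-Agent: ExampleBrowser/4.2\r\n\r\n"),
    ("203.0.113.10", "10.0.0.5",
     "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.7", "203.0.113.10",
     "GET /news HTTP/1.1\r\nHost: www.example\r\nUser-Agent: ExampleBrowser/5.1\r\n\r\n"),
    ("203.0.113.10", "10.0.0.7",
     "HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.5", "192.0.2.20",
     "GET /feed HTTP/1.1\r\nHost: feed.example\r\nUser-Agent: FetchTool/2.0\r\n\r\n"),
    ("192.0.2.20", "10.0.0.5",
     "HTTP/1.1 304 Not Modified\r\nContent-Length: 0\r\n\r\n"),
]

# Constructed "oldest acceptable version" table, standing in for the
# signature knowledge a real passive scanner carries. Not real advisories.
MINIMUM_VERSIONS = {
    "ExampleBrowser": (5, 0),
    "ExampleHTTPd": (1, 2),
}

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
RESPONSE_LINE = re.compile(r"^HTTP/\d\.\d \d{3}")
PRODUCT_TOKEN = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def parse_headers(raw):
    """Split an HTTP message into its start line and a lower-cased header dict."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def build_inventory(capture):
    """Map each observed host to the clients it runs and the services it offers.

    Nothing is sent on the wire: requests reveal client software (User-Agent)
    and that the destination speaks HTTP; responses reveal the server banner.
    """
    inventory = defaultdict(lambda: {"clients": set(), "services": set(), "banners": set()})
    for src, dst, raw in capture:
        start, headers = parse_headers(raw)
        if REQUEST_LINE.match(start):
            if "user-agent" in headers:
                inventory[src]["clients"].add(headers["user-agent"])
            inventory[dst]["services"].add("http")
        elif RESPONSE_LINE.match(start):
            inventory[src]["services"].add("http")
            if "server" in headers:
                inventory[src]["banners"].add(headers["server"])
    return {host: {k: sorted(v) for k, v in attrs.items()} for host, attrs in inventory.items()}


def new_hosts(inventory, known_hosts):
    """Hosts seen in traffic that are absent from the known asset list."""
    return sorted(set(inventory) - set(known_hosts))


def flag_outdated(inventory, minimum_versions):
    """(host, product, version) for every client or server banner older than the table allows."""
    findings = []
    for host, attrs in inventory.items():
        for banner in attrs["clients"] + attrs["banners"]:
            for name, version in PRODUCT_TOKEN.findall(banner):
                parsed = tuple(int(part) for part in version.split("."))
                if name in minimum_versions and parsed < minimum_versions[name]:
                    findings.append((host, name, version))
    return sorted(findings)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_CAPTURE)
    for host, attrs in sorted(inv.items()):
        print(host, attrs)
    print("new hosts:", new_hosts(inv, {"10.0.0.5", "203.0.113.10"}))
    print("outdated:", flag_outdated(inv, MINIMUM_VERSIONS))
```

The same observation David makes applies here: the script learns about the browser on `10.0.0.5` only because that host sent traffic past the sensor, which is why placing a passive sensor where clients reach out (the perimeter) gives the most useful client-side view, and why a quiet host or a client that never speaks a recognised protocol stays invisible until a credentialed active audit looks at it.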