32 posts categorized "Tenable in the news"

 

Tenable Ranks 17th Among Security Companies on Inc. 5000

We are pleased to announce that Tenable has been ranked in the Inc 500/5000 for the second year in a row. In the 2011 rankings, we were ranked the fastest-growing private company in the enterprise security software market. We ranked 934th overall, and 17th among all security companies.

As a company, we're changing the way that enterprises think about information security solutions by helping them move from 'point-in-time' security to 'continuous' security and compliance monitoring. There's no such thing as 'good enough security,' which is why we're consistently developing new resources and innovative solutions to help our clients stay ahead of emerging threats. This approach has been the cornerstone of our success.

See more about our Unified Security Monitoring platform at http://www.tenable.com/solutions

See more about the Inc. 5000 on their website: http://www.inc.com/inc5000/welcome

 

Risky Business #198 - Tenable CEO Interview on Cybercrime Insurance

In this week's Risky Business podcast, Patrick Gray and I chatted about the recent rise in cyber insurance. Insurance companies have been working on a variety of insurance packages for years, and the recent rash of RSA, Sony and other high-profile attacks has raised the interest level and demand for this. The key point here is that if an insurance company can offer this type of coverage, it needs to understand the risk much better than the customers buying the service.

 

 

Announcing Nessus On Demand Training

Tenable is pleased to announce the availability of the Nessus On Demand training.

Below is a short "FAQ":

  • What is On Demand training and how does it work? - On Demand training consists of training content, slides and audio that you can take anytime you like. Marcus Ranum (and the Tenable training team) has narrated nearly 20 hours of training material and lab exercises. This also includes full access to the online labs associated with the Nessus course.
  • What products are currently being offered via On Demand? - Currently the "Nessus Vulnerability & Compliance Auditing" course is available On Demand. It covers all aspects of using Nessus, including network vulnerability scans, authenticated patch auditing, configuration auditing, and an introduction to the Nessus API and NASL scripting.

Continue reading "Announcing Nessus On Demand Training" »

 

UMD and Tenable Announce New Cybersecurity Partnership

Tenable is proud to announce a newly formed partnership with the University of Maryland's Cybersecurity Center. The partnership will focus on preparing the future security workforce and collaborating on cybersecurity challenges.

"COLLEGE PARK, MD AND COLUMBIA, MD – The University of Maryland (UMD) and Tenable Network Security, the leader in Unified Security Monitoring and creator of the award-winning Nessus vulnerability scanner, have announced a new partnership to establish collaborative activities in the area of cybersecurity. The partnership will promote cybersecurity education, research and technology development through UMD's newly established Maryland Cybersecurity Center (MC2, or MC-squared). UMD and Tenable plan to leverage one another's resources, knowledge base, and unique perspectives to develop innovative solutions to cybersecurity challenges."

Read the full press release.

Tenable has participated in several security challenges in the past; you can read more about our experiences at these events here:

 

Nessus 4.4 Receives SC Magazine "Recommended Award"


It's a rare honor to receive the highest ranking accorded by a reviewer, especially in a highly competitive field. Tenable is very proud to announce that SC Magazine has awarded Nessus 5 out of 5 stars in all categories, along with a nice write-up about Nessus features, documentation, support and user experience:

"This product has been the old standby for years, and we find it is still the good dog when it comes to straight-up vulnerability assessment."

Continue reading "Nessus 4.4 Receives SC Magazine "Recommended Award"" »

 

Risky Business #173 Interview with Ron Gula - Process Accounting and El Jefe

I was interviewed for episode #173 of the Risky Business information security podcast.

The previous Risky Business episode, which discussed the recent release of the open source El Jefe project by Immunity Inc, focused on how process execution tracking for Windows can be a great source of security data, especially compared to raw network traces.

During my interview with Patrick Gray, we covered how many SIEMs already have this sort of capability, but most SIEM users don't enable these features because they are complex. I also covered how Tenable's Log Correlation Engine can collect logs from both Unix and Windows computers that reflect process execution traces, and how those logs can be organized for attack detection, change detection, forensics, alerting, reporting and anomaly detection.

 

 

Passive Vulnerability Scanner Network Licensing

Based on customer demand, Tenable Network Security is introducing two new license types for the Passive Vulnerability Scanner. These are:

 

  • Unlimited PVS sensor deployments within a Class B network (a /16, up to 65,534 host addresses)
  • Unlimited PVS sensor deployments within a Class C network (a /24, up to 254 host addresses)

Tenable will continue to offer an unlimited network monitoring license for a single PVS sensor.

The additional license types allow an organization to consider deploying passive network monitoring without having to know exactly how many sensors it needs. Tenable has many customers that deploy PVS sensors on the perimeter of their network before realizing that they could also benefit from direct passive monitoring of internal systems.

We've received requests for a PVS license of this type to help monitor SQL databases, VPN termination points, virtual server farms, web sites subject to PCI DSS, segmented VLANs and users or offices deployed behind NAT devices.

If you would like to learn more about PVS pricing for these new license models, please contact our sales staff.

 

 

 

Tenable Receives Passive Network Monitoring Patent

Tenable Network Security recently received a patent for monitoring network traffic and analyzing it to perform discovery of systems, applications and vulnerabilities. This is the core function of Tenable's Passive Vulnerability Scanner and also a core component of our Unified Security Monitoring strategy.

Continue reading "Tenable Receives Passive Network Monitoring Patent" »

 

Tenable Network Security on the Inc 5000 List

As the CEO and co-founder of Tenable Network Security, I am very proud to announce our inclusion in the 2010 Inc 5000 list of the fastest growing companies in the United States. We placed #1369 out of 5000 ranked companies. Tenable is unique on this list as one of the few security companies present that is neither public nor has raised external investment capital. Tenable is approaching its eighth year of business and we have every intention of continuing to grow, continuing to innovate and, most of all, continuing to help our customers enhance and monitor their state of security and compliance. If you want to join our winning team, Tenable has many open positions helping to support customers, perform security research and much more.


 

SOURCE Boston Re-Cap

Two weeks ago, several Tenable colleagues and I traveled to Boston to attend and speak at the SOURCE conference. The SOURCE conferences, founded by Stacy Thayer, are small in size but big on content. Since the conference is fairly intimate (this year’s had approximately 250 attendees), I had the chance to talk to many people in the hallways about security, attend some great talks and deliver a presentation on the state of embedded systems security.

[Photo: view from the Seaport Hotel over Seaport Lane]

SOURCE Boston was held at the Seaport Hotel in Boston, Massachusetts. The picture above was taken at the hotel looking out over Seaport Lane.

SOURCE continues to be a great conference, held in Boston, Massachusetts and Barcelona, Spain. It has a great atmosphere, the caliber of the information security people who attend is top notch and the presentations are great. Tenable submitted three presentations to SOURCE that were all well received and are described below:

Continue reading "SOURCE Boston Re-Cap" »

 

Risky Business and OWASP Podcast Interviews with Ron Gula

Recently, I had the chance to be interviewed for two different podcasts.

In Risky Business #138, I had the opportunity to chat with show host Patrick Gray about the recent Google hack, why they may have been using IE6 and what this means for information security in general. This episode also features an interview with Dan Geer on the future of computing, which I highly recommend.

In OWASP #58, I was interviewed by the show's producer, Jim Manico. Jim received several questions from the Internet and Twitter about the similarities between web application firewalls and intrusion detection systems, which we covered in depth. We also spoke at great length about web application penetration testing, how web application security can be managed, and leveraging technologies such as file integrity checking and process accounting for detecting and responding to incidents.



 

Risky Business Episode #136

The latest episode of the Risky Business podcast is now online. Patrick Gray and I spoke about the recent SANS Incident Detection Summit and how forensics, security monitoring and the detection of advanced persistent threats are gaining more awareness and attention in enterprise networks. Episode #136 also discusses a new zero-day exploit for Cisco firmware and information security news events.

 

Deloitte Names Tenable as one of America’s Fastest Growing Companies

Tenable Network Security was ranked 290th on the Deloitte 2009 Technology Fast 500™ program. This program ranks the fastest growing companies in technology, media, telecommunications, life sciences and clean technology in North America. Rankings are based on the percentage of fiscal year revenue growth during the past five years. Tenable’s revenue grew 441% during this period.

Continue reading "Deloitte Names Tenable as one of America’s Fastest Growing Companies" »

 

Tenable Wins Reader's Choice Award

Nessus, the Security Center and Passive Vulnerability Scanner were awarded a Reader's Choice award from Information Security magazine and SearchSecurity.com. The winners "were selected based on extensive, in-depth discussions and interviews between the editors of Information Security magazine and SearchSecurity.com and over 1,700 information security executives and managers, who were asked to assess and rate products deployed within their organizations from a listing of more than 380 products spanning 17 product categories. The judging panel then selected Gold, Silver and Bronze award winners within each product category."

Continue reading "Tenable Wins Reader's Choice Award" »

 

Face-off: Who should be in charge of cybersecurity?

In a recent video interview, Bruce Schneier, CTO of BT Global Services, and our very own Marcus Ranum, CSO here at Tenable Network Security, discussed the new cybersecurity czar position and how it may, or may not, help to improve the overall state of information security.

Download the full video and listen to Bruce and Marcus discuss their different viewpoints on the issue.

 

Cloud Computing Security

I was recently asked by Carpathia Hosting to contribute to an eBook being written by their CTO, Jon Greaves. The book is titled 'The Datacenter of the Future'.

The initial chapter describes the evolution of security and privacy as we've progressed from issues such as the Morris worm of 1988 to today's "it's in the cloud" attitude. There are some very good insights in the chapter which explain how the past evolution of technology will influence the types of offerings ISPs and hosting companies will provide in the next decade.

My contribution was to answer specific questions on how cloud computing can impact your security posture, what sort of functions should/could be outsourced and how organizations can minimize their operating costs with virtual systems.

If you are struggling in your organization to raise security awareness in a mass rush to outsource key applications, you, your peers or your managers will benefit from reading the chapter. There is no charge and no sales pitch.

Chapter 1 was recently released in PDF format at the DataCenter Journal. I've uploaded a PDF copy (454KB) for readers of this blog.



 

Risky Business #85 Podcast - Metasploit, IPv6 and Marcus Ranum

Episode #85 of Risky Business is now available and features an interview with Tenable's CSO Marcus Ranum. Also featured are a discussion with H.D. Moore about Metasploit 3.2's new features and license, as well as a senior Microsoft executive who discusses last week's out-of-band MS08-067 patch release.



 

Risky Business #66 -- Interview with Marcus Ranum

Episode #66 of IT Radio's Risky Business is now online. This installment features a discussion of smart phone security, wireless complacency issues, forensics for mobile devices and a discussion of this week's information security news stories. Tenable's Chief Security Officer, Marcus Ranum, is also interviewed regarding the effectiveness (or lack thereof) of penetration testing, including some of the negative impact it can have on employee morale.

  • The MP3 audio stream can be downloaded here.
  • To play the recording in your browser, visit the show link here.

 

CIO Blogathon - Open Source in the Enterprise

I recently got invited to contribute to a new blog at CIO online about open source in the enterprise. Users of Nessus know that Tenable focuses on as many platforms as possible to test for security issues, including open source OSes like SuSE, Red Hat and FreeBSD. Nessus is also available for many of these platforms.

Our enterprise customers also know that we take logs from Apache, MySQL, Sendmail and many other open source applications very seriously.

This is something new for CIO, but other contributors include folks from IBM, MySQL, the 451 Group, Novell and many other users who manage or produce open source technologies and services that are used in the enterprise. Initial topics being discussed include outsourced management of open source applications, security and virtualization.

The blog is located at:

The initial posts from the participating executives are also at:


 

Risky Business -- Episode #59

Tenable Network Security recently began sponsoring the Risky Business podcast with Patrick Gray. Episode 59 is now online. This latest installment includes:

  • A review and commentary of the week’s security news.
  • Jeremiah Grossman of Whitehat Security talks about some of the very latest web vulnerabilities including Cross Site Request Forgery attacks.
  • Patrick Gray interviews me about Tenable, our work in the logging and correlation space and the Nessus vulnerability scanner.

If you are interested in the podcast, it is at the following link:


 

A big red 'X'

I was recently forwarded a link to a BBC video which demonstrates how a user on a wireless network can attack another user and break into their system.

In the video, the attacker uses Nessus and Metasploit to identify some security issues in the remote computer, and then breaks into it. My favorite line is when the analyst points to the "big red X" in the Nessus report and says "here is a problem". If only it were this simple when managing thousands of computers or more in a large enterprise.

I would rather have seen them speak about how monitoring an unsecured wireless network can passively reveal passwords, user information, vulnerabilities and so on. Overall, this sort of news isn't really news to the readers of this blog or users of Nessus. I am thrilled that this BBC coverage will raise awareness among European technical business managers who aren't exposed to vulnerability scanners, penetration testers and IT security issues on a regular basis.

 

SC Magazine Awards Time

It's time once again to vote for your favorite security companies and products with SC Magazine. Tenable has submitted the Nessus 3 Vulnerability Scanner for the 'Best Audit/Vulnerability Assessment' award, as well as the Tenable Security Center and Log Correlation Engine solution for the 'Best Event Management' award.

If Tenable has helped your organization manage its security and compliance, or helped your service provide value to its customers, casting your vote at SC Magazine can help recognize the hard work, research, support and development performed by Tenable employees every day.

To cast a vote for Nessus 3, click here.

To cast a vote for the Security Center and Log Correlation Engine, click here.

 

SANS Technology Institute - Interview with Tenable's Director of Sales Engineering

Dave Breslin, Tenable's Director of Sales Engineering, was recently interviewed by Stephen Northcutt, President of the SANS Technology Institute, about recent advances in network security, and describes the benefits of passive vulnerability scanning.

 

Tenable products Officially in Common Criteria Evaluation

On March 21st, Tenable announced that our products were officially under NIAP Common Criteria evaluation. Tenable is scheduled to complete the certification this year. This was good news to our United States DOD customers, but we also received a wide variety of feedback and comments, which are the focus of this blog post.

Common Criteria in the DOD

If you are not familiar with the concept of NIAP: the DOD can only officially acquire products that have gone through this sort of evaluation. In reality, organizations can get a waiver if they want to purchase something that has not been certified. Most organizations also wait until a product is officially "in evaluation" with NIAP before they attempt to acquire it.

The National Information Assurance Partnership (NIAP) is a U.S. Government initiative between the National Institute of Standards and Technology (NIST) and the National Security Agency. NIAP sponsors a variety of projects and activities, including the Common Criteria Evaluation and Validation Scheme (CCEVS). The Common Criteria is a standard for the evaluation of security measures in a given product. Many government agencies require that products they deploy have been evaluated under the Common Criteria process.

Tenable has contracted SAIC to perform a Common Criteria (CC) Evaluation at Evaluation Assurance Level Two Augmented with Flaw Remediation (EAL2+) of the Tenable Security Center 3.2 product. The Target Of Evaluation (TOE) includes all the elements that comprise a full deployment of the Security Center suite: Nessus Vulnerability Scanner (Nessus), Log Correlation Engine (LCE) and the LCE Clients, Passive Vulnerability Scanner (PVS), and the 3D Tool (3DT).

We're not finished with NIAP by any means, but getting into evaluation means that our product architecture, documentation and even our internal processes at Tenable have been considered. In some cases, we had to add certain features to Security Center 3.2 or enhance our documentation specifically because of a NIAP requirement.

United States Based Sources for Plugin Downloads

We've participated in a few trade shows since our announcement and one type of feedback we consistently got from DOD attendees was:

It's great that your products are in certification, but I can't use Nessus because the downloads come from France.

This really surprised us, because a great number of ".mil" accounts are used to register for Nessus. Although we don't publish Nessus download statistics, we never felt that the ".mil" community was under-represented. As it turns out, certain portions of the DOD block all access to international sites. In this case, plugins.nessus.org is hosted by an ISP based in France. This is the site from which the "free" users of Nessus obtain their registered plugins.

Our co-founder and Nessus author Renaud Deraison is from France. Because of this, you should expect that Tenable has been able to build great relationships with new customers and business partners there. In this case, we have a site there that supports plugin downloads for all Nessus users worldwide.

Tenable has several places where we conduct our hosting, mail delivery and product distribution. The server that distributes plugins to Direct Feed and Security Center customers is located at our offices in Columbia, Maryland. If you need to obtain plugins from a United States source, you can do so by purchasing the Direct Feed or by operating the Security Center.

For More Information

If you are interested in Tenable products, please feel free to contact us or visit our products pages. To review our evaluation status with NIAP, please visit: http://www.niap-ccevs.org/cc-scheme/in_evaluation.cfm

 

Ron Gula interview at PaulDotCom

I got the chance to virtually sit down with the folks at PaulDotCom for an interview. We discussed a variety of topics including vulnerability disclosure, Nessus usage, the early days of Dragon and Snort, advice for people entering the computer security industry and my background.

Anyone interested in the interview can obtain the MP3 audio here:
http://hydrogen.oshean.org/pauldotcom-SE-gula.mp3


 

Blog Tagged

There have been several security bloggers "tagging" each other this new year, and recently I got tagged. Normally, I try to keep this blog fairly technical and product centric. Since I don't have a personal blog and I don't want to be rude, I'm posting "5 things about Ron Gula" that most folks may or may not know here, and tagging 5 other folks who have not been tagged yet. We'll follow this post up with a technical one right away.

Five facts on Ron Gula you might not know

1. I originally went into the Air Force to be a pilot, but didn't do that well in flight school, had issues with G forces and eventually went back purely into computers. The experience really helped me focus much later on how important it is to know your audience and give them the right data at the right time. Experiences describing information security issues to the "war fighter" helped me prepare for building security products which were relevant to small and large enterprise customers.

2. I work with my wife, Cyndi Gula, voluntarily. A lot of folks who find this out seem to be quite surprised by this fact. This is the second company we've worked on together, the first being Network Security Wizards which did the Dragon IDS. Cyndi runs the internal operations for Tenable.

3. I'm also the CEO for Tenable Network Security. Most of the time, I use the CTO title, which tends to get more attention and less requirements for wearing a suit or a tie.

4. I like to run almost as much as I enjoy a good cigar. Fortunately for my lungs, I tend to run more than light up a Macanudo.

5. I still feel very positive about my experience at Enterasys with Dragon. There were many people that benefited (and still do) from working with Dragon. This included a lot of technical, marketing and sales folks who went on to form new companies and new careers in the security space. This also includes a lot of customers who are still running Dragon today. I recently had the chance to do some incident response for a customer who had deployed Tenable products all over the world. In their SOC was also Dragon.

Five blog pings for people I respect

 

Dale Peterson of Digital Bond Interview

Dale Peterson is the CEO and founder of Digital Bond, a research and consulting practice which specializes in IT and Control Systems security. Digital Bond recently completed research on behalf of Tenable Network Security which produced the SCADA plugins for the Nessus vulnerability scanner.

I was able to interview Dale and record his thoughts on SCADA security. In the podcast below we discuss what SCADA is, performing security assessments of live SCADA networks, the SCADA plugins for Nessus and passive SCADA network monitoring.

Download dale-peterson-interview.mp3

 

Interview with Thomas Ptacek

Over the next few months, Tenable will be interviewing many different industry leaders in the information security field. Our first interview is now available. Our guest was Thomas Ptacek of Matasano Security.

Mr. Ptacek's background includes development of one of the first commercial vulnerability scanners, ground-breaking research in network intrusion detection evasion, as well as network anomaly and DDoS detection. His current company, Matasano Security, specializes in vulnerability assessments of products such as operating systems, network appliances and software applications. I got to ask Thomas Ptacek some questions regarding recent trends in network security, including:

  • changes that vulnerability scanning technology has gone through since the late 90s
  • the impact of evasion in modern NIDS/IPS products
  • recent technical advances in the security of operating systems such as Vista
  • issues with Network Access Control deployment on enterprise networks

Listeners who find the interview interesting should subscribe to the Matasano blog.

Click on the link below to listen to the interview.

Download thomas-ptacek-interview-nov27-2006.mp3

 

Rollout: Tenable's Nessus 3.0

Nessus 3 was recently tested by Network Computing Magazine. Their analysts used Nessus 3 with a Direct Feed subscription to audit the configuration of a remote Windows system. We felt the article was very accurate and made several references to the documentation and tools which can help users quickly create custom policies.

One of the tools mentioned in the article was the Windows Nessus Policy Creator (WNPC). The WNPC allows a user to create an audit file for Nessus 3 from a "gold" system and then audit other systems with this audit file. We've written about this tool previously and readers can also see a video of the tool here if they like.

The analysts doing the testing for the article also wrote about some of the issues they ran into while configuring a remote Windows system for analysis. By default, a non-domain Windows system maps incoming network logons that use local accounts to the Guest account, so a credentialed Nessus scan authenticates successfully but does not get the privileges it needs to read the registry and file system. If you have a non-domain Windows system and want to enable this sort of auditing, follow these steps:

  1. In the Microsoft Management Console, open the Group Policy and select Security Settings.
  2. Open the "Network access: Sharing and security model for local accounts" element and select Properties.
  3. In this dialog, select "Classic - local users authenticate as themselves" and click OK to save this.

The above content was extracted from the paper, "Nessus Credentials Checks for UNIX and Windows".
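The same setting can be checked and applied from an elevated PowerShell prompt, which is handier than clicking through the MMC when you have several lab or standalone hosts to prepare for a credentialed scan. The script below is an added example and is not from the original post or the Tenable paper. It assumes that the "Network access: Sharing and security model for local accounts" policy is stored in the ForceGuest DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where 0 is "Classic" and 1 is "Guest only"; the function names are my own.

```powershell
# Added example (not Tenable's code). Inspect and set the
# "Network access: Sharing and security model for local accounts"
# policy on a non-domain Windows host so that a credentialed Nessus
# scan using a local account authenticates as that account rather
# than as Guest.
#
# Assumption: the policy is backed by the ForceGuest REG_DWORD value
# under the Lsa key (0 = Classic, 1 = Guest only). Run elevated.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LocalAccountSharingModel {
    # Returns a human-readable description of the current policy value.
    $item  = Get-ItemProperty -Path $LsaKey -Name ForceGuest -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.ForceGuest } else { $null }

    switch ($value) {
        0       { 'Classic - local users authenticate as themselves' }
        1       { 'Guest only - local users authenticate as Guest' }
        default { 'ForceGuest not set; check Local Security Policy for the effective value' }
    }
}

function Set-ClassicLocalAccountSharingModel {
    # Switch the policy to Classic. Creates the value if it is absent.
    Set-ItemProperty -Path $LsaKey -Name ForceGuest -Value 0 -Type DWord
}

function Test-ScanTargetReachable {
    # Quick sanity check from the scanner side: credentialed Windows
    # audits need SMB (TCP 445) open on the target. Hostname is a
    # placeholder supplied by the caller.
    param([Parameter(Mandatory)][string]$ComputerName)
    (Test-NetConnection -ComputerName $ComputerName -Port 445).TcpTestSucceeded
}

Write-Output "Before: $(Get-LocalAccountSharingModel)"
Set-ClassicLocalAccountSharingModel
Write-Output "After:  $(Get-LocalAccountSharingModel)"
```

Two caveats. On a domain-joined host this value is governed by Group Policy and will be overwritten at the next refresh, so set it in the GPO instead. And "Classic" means any remote caller who knows a local account's password gets that account's real token, so make sure the local account you scan with, and the built-in Administrator account, have strong passwords before you flip this switch.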

You can read the full article here and in the September 21, 2006 printed issue of Network Computing Magazine.

 

SC Magazine SIM Evaluation

Tenable's Security Center and Log Correlation Engine were reviewed in the September 2006 print issue of SC Magazine in a section named "Group Test: Event Management". The article about Tenable leads off with a great quote, "The Tenable Security Center has massive capability wrapped in a single, easy-to-navigate interface". The article makes several really good comments about our product's features. However, the only drawback the article points out was that we were priced higher than the other products evaluated. The article comments: "Priced at the high end of the spectrum, the Tenable Security Center offers a powerful tool with a price tag that is higher than that of some full appliances."

As tested, our overall price was $74,000 because we included our fully licensed Log Correlation Engine at a cost of $50,000. The SC Magazine evaluation didn't really stress a large number of total log entries, and we could have easily submitted our 5 million event LCE license at a cost of $9,995. This would have placed our total cost around $34,000, which is much more competitive with the other products tested.

I encourage everyone to read through the article and specific products tested. As you do this, please keep in mind:

  • Although the article was focused on SIM and log analysis, our products as tested included full vulnerability and compliance auditing features. This provides a great deal more value for customers who don't want to run separate products or train users on multiple vendors.
  • Tenable's Log Correlation Engine licensing doesn't penalize you for the number of agents used or the maximum number of events per second, and doesn't require you to purchase or obtain a separate SQL database.
  • We felt there were many other vendors that aggregate logs and do intelligent things with them missing from the evaluation. We would have very much liked to have seen ArcSight, Cisco MARS or LogLogic, for example.
  • We would also have liked the testing to include log sources beyond IDS/IPS and firewalls. Tenable has made great efforts to include support for anti-virus, honeypot, netflow and dozens of other categories with hundreds of different supported solutions.

Note: this review is now available online.

 

"A new direction for open source"

Recently, Michael Arnone of Federal Computer Week wrote an article about various open source projects going closed source. The article mentioned Nessus, OpenBSD and Mozilla and had several quotes from industry experts. We felt some of the comments about Tenable and Nessus were taken out of context, and I would like to add some commentary to them:

  • Nick Selby, a senior analyst for the 451 Group, mentioned that "Nessus was probably the first major open-source IT security tool to become proprietary". We feel that both the Tripwire integrity checking tool and the Gauntlet firewall projects had gone from open source to closed source long before Tenable even existed.
  • The article gives the impression that the licensing change was big news. I agree it made some headlines, but we've added far more users to the Nessus community since. Most of these users are on the Windows platform and are not driven by the need to use an open source product. I think the real story is that most folks can now get a product with a license and support model that is in line with their corporate guidelines.
  • The article also implied that people were required to change their scanners. We have many users still running Nessus 2, and Tenable is still maintaining it, free of charge. For organizations who want to use that platform, we are not preventing them at all. Users who want more performance and support do have the option to upgrade to Nessus 3.

 

Security Center is an Information Security Mag HOT PICK

I'm always really glad to see Tenable products independently reviewed and accurately reported on. Information Security magazine recently reviewed the Security Center and gave it really good marks in the July issue of the magazine. They did a very good job, in a small number of words, of describing how we do vulnerability scanning, correlation and compliance monitoring.

To read the original article, you need to grab a copy of the magazine, register at the Information Security web site, or read the content here.