Listen to this article
This audio has been generated with an AI tool.
As part of a new blog series, Sekuro CTO, Jason Trampevski chats with Nathan Wenzler, Chief Security Strategist at Tenable to get his take on exposure management and the broader cyber security landscape. From the human-centricity of cyber security to the role of a CISO, this is your chance to be a fly on the wall for an insightful conversation (and sometimes deep philosophising) between two cyber security leaders.
The third in the series, this blog will focus on how Tenable stays ahead of threats.
Staying ahead of threats
Jason: How does Tenable stay ahead of threats?
Nathan: First of all, we have a dedicated research team of around 110-120 people dedicated to zero-day research. Their whole world is essentially looking at what’s going on in the real world. Do we see trends changing? Do we see new exploit kits coming out? Are there new criminal groups on the move? Are there old criminal groups doing something new? We build a lot of threat intelligence within our own team but also ingest a lot from other sources. So it’s a combination of having a dedicated team and automation.
We do a pretty good job of staying on top of what goes on in the public space or on the dark web (in the scary lane) ourselves. But we also have a lot of partnerships with the major manufacturers – with the likes of Microsoft and Apple, to make sure that when they’re aware of vulnerabilities, we’re aware of them too so that we can build detection capabilities and help our customers find them as quickly as possible.
Generally speaking, we try to do this within 24 hours of a new vulnerability being detected, but we’re usually delivering something within the single digits.
A clear example is Log4j. It was such an evolving vulnerability that we kept finding it on new OSs, new pieces of firmware, new web servers – it was everywhere. I think in the initial release we had up to six detections but we ended up with over a hundred, and when you break down each of those, we were getting detections out in sometimes one or two hours.
Predicting risk with Artificial Intelligence (AI) and machine Learning (ML)
Jason: What are you doing to drive forward and innovate?
Nathan: This is where we are looking at AI and ML. We’ve always had some amount of machine learning behind some of our threat algorithms. If we see a new vulnerability come out, firstly, our research team will look at what the exploit is capable of doing, what kind of technology the exploit attacks and what it is taking advantage of. And then we would look at the machine learning aspect of it to find what other vulnerabilities we have seen in the past that have similar characteristics. Then we can leverage that information to make predictive decisions about how fast this vulnerability would typically go from the discovery to a proof of concept of an actual exploit kit.
We can then say, “Okay, this is not as serious because these types of vulnerabilities that we’ve seen over time don’t usually get exploited for months.” Or, “No, this is a really hot thing and we typically see these kinds of vulnerabilities getting exploited within days” and prioritise accordingly.
However, with some of the new large language model tools and their ability to provide an easily- searchable interface, we’re starting to explore ways we can take that to a customer so they can better understand what problems in their environment could be exploited in the next 14 days, for example. That’s a tough hypothetical question to ask, but that kind of data analysis is where we can start to try and answer that question, so we’re pretty excited about a lot of what we’re bringing into our products.
Trends come and go, fundamentals are forever
When we think about new technologies, the trends follow very similar patterns. Criminals try out new technology just like we would. They see what it's capable of, just like we would, and then frankly, they settle back into tried and true methods. Everyone is worrying about cyber criminals jumping on new technology, but when the annual threat reports come out, they will still find that it’s the same old patches on Windows and Linux boxes that are being attacked.
Jason: Are there any trends in relation to threats and vulnerabilities that we will see in the next 5-10 years?
Nathan: If you take a step back and think about it, criminals are basically just security people like us. You can go back to the original definition of what a hacker is. Hacker didn’t mean criminal. I’m not trying to defend criminal behaviour by any stretch, but a hacker was just someone who wanted to break things apart so they could see how it worked and understand it. It came from a place of creativity and curiosity.
You look at the news cycles over the last few months around OpenAI and ChatGPT. Yes sure, we’ve seen instances of AI helping hackers write writing code and better phishing emails. But are we seeing it become the norm? I don’t think so, but they are trying it out and seeing what they can do with it creatively.
When we think about new technologies, the trends follow very similar patterns. Criminals try out new technology just like we would. They see what it’s capable of, just like we would, and then frankly, they settle back into tried and true methods. Everyone is worrying about cyber criminals jumping on new technology, but when the annual threat reports come out, they will still find that it’s the same old patches on Windows and Linux boxes that are being attacked.
Jason: That’s right, and weak passwords.
Nathan: Exactly. So, I get that people are worried about the new phishing emails that are more grammatically correct and harder to spot, but the criminal groups are still breaking in because you don’t patch your systems. And the vast majority of attacks are still going after the low-hanging fruit, the vulnerabilities that have been around for 10 years.
To put it frankly, why should I, as a criminal hacker, do the hard creative stuff when I can just automate it and walk in the front door?
History has shown us that this is unlikely to change, even with generative AI. But I am always keeping an eye out for the breaking point where the criminals just give up on the old methods that we’ve been worried about and actually do move on to some really advanced data-crunching ML/AI kind of polymorphic attack structure that becomes so hard to defend. In saying that, I think over the next several years we’re going to see more of the same.
The instant gratification conundrum
Jason: Yes, I feel like that’s because organisations don’t look at the fundamentals of just doing security hygiene 101.
Nathan: In the past, I’ve spoken about the instant gratification conundrum. It was a model for CISOs about how security programs get stuck in this cycle of always buying the newest thing. And the problem is, if you’re a CISO you’ll often come into an organisation and the board and C-suite will often tell you that everything is terrible and you’ve got to fix it.
That CISO will take a look and realise none of the basics have been done right and with good intentions will start going down the road of fixing the fundamentals. However, the pressure from the board will start to mount, because they want an instant fix that they can tick off their list. Often the CISO will finally succumb to the pressure and find the latest acronym tool to buy so they can show the board they’ve done something. Now the CISO has bought themselves some time to roll out the technology, but by then they’re onto the next job because the average tenure of a CISO is only 18 months, and the cycle repeats itself again and again.
Jason: I agree, I talk about this a lot
Nathan Wenzler: It’s the whole buzzword bingo thing, right? SOAR, SIEM, Syslog! Instead, We need to stay focused on the fundamentals. It’s not sexy, it’s not fun, it’s a lot of hard work. It doesn’t let you go to the board and say, “Look at this cool thing I did. I built an asset database.” New tooling can help you do the fundamentals better and automate a lot more of the work. Better processes can help make things easier too. But at the end of the day, fundamentals are the key, period.
Jason: Yeah, one hundred per cent. I think it’s always the equal balance of people, process and technology and not swinging too hard one way or the other.
Nathan: Yes, and getting the fundamentals of all three right. I don’t mean fundamentals in terms of buying the basic tools. It’s the fundamentals of your whole security program.
Some people will tell me they are going to fire their team because they are going to automate everything. That’s not going to work, because fundamentally, you need humans involved to do the analysis work and to be able to make the decisions.
I’ve talked to CISOs who try to change their best practice frameworks every two years because they think they need to jump on every new thing. They’re caught in a cycle of wanting to look like they’re doing something. So, even from a process standpoint, we have organisations that don’t build fundamentally strong processes that can support what they need to do to maintain long-term success. It has to be about getting the fundamentals right across the board.
Often the CISO will finally succumb to the pressure and find the latest acronym tool to buy so they can show the board they’ve done something. Now the CISO has bought themselves some time to roll out the technology, but by then they’re onto the next job because the average tenure of a CISO is only 18 months, and the cycle repeats itself again and again.
Nathan Wenzler
Chief Security Strategist, Tenable
Nathan has over 25 years of experience in the trenches as CISO of Information Security programs, helping organisations to optimise, mature and accelerate their information security and risk management programs. Nathan’s focus areas include vulnerability and exposure management, PAM, incident response, process and workflow improvements, executive-level program management, and the human-focused aspects of InfoSec.
Jason Trampevski
Chief Technology Officer (CTO), Sekuro
Jason is a strategic technology leader dedicated to helping organisations achieve their goals through the effective use of technology. His expertise lies in building resilience and driving business success. As a specialist in transforming complex business requirements into streamlined technology solutions, his focus lies in harmonising the essential components of people, processes, and technology to empower organisations to maintain agility and competitiveness in today's rapidly evolving digital world.