Last week I had the pleasure of meeting self-declared 'infosec curmudgeon' Jack Daniel.
Known for his influential views on threat research and of course, his co-founding of the B-Sides conference circuit, Daniel also works as a product evangelist at Tenable Network Security, having left his previous position at Astaro following its acquisition by Sophos in 2011.
I began by asking Daniel how he had come to work for a vendor in the vulnerability management space. He said that having talked with CEO Ron Gula about a role at the company he believed that having the opportunity to work with him allowed him "to fill a nebulas role in the middle". He said: “A lot of what product management is, is reactive, so I talk to the users and with the marketing team to generate content and keep them up to speed on problems.
“I do more with the channel and my stuff with B-Sides and they give me the flexibility to do that, so I am having fun.”
I asked Daniel about vulnerability management and, following a start to the year that saw zero-days and software vulnerabilities hit the headlines over and over again, if he thought the sector was enjoying a new path of interest. He said that while vulnerability management is nothing new, it has got more attention and that the company was expecting vulnerability management to be "all the different things that what we expected SIEM (security incident and event management) to be".
Daniel continued by explaining that it is about a company's vulnerability and security posture, and Tripwire's acquisition of nCircle showed the interest in vulnerability management and he hoped that there would be more data from companies such as Microsoft, Verizon and others to feed the market.
“You can just patch stuff, but in a 150-node network you have to wonder if you are tracking enough or patching to scale, as just patching doesn't work, so you need to prioritise,” he said.
“This is a big part of what is driving vulnerability management. Look at the mobile impact; investigation is not sufficient but consider how vulnerable these technologies are. Personal devices need a better view. With Android you are at the mercy of the carrier and Apple you can do over the air, but how often is a vulnerability turned into a compromise, and what are the implications for business?”
Daniel bemoaned the concept of 'bring your own device' (BYOD) in this case, saying that businesses need to do investment for high performance in order to counter the lack of management. He said that the 'we don't allow' attitude was naïve, especially as policies are not enforced by martial law 'thankfully'.
So what is his solution? Daniel said that in 'his fantasy world' we would use what would be appropriate for us, restricting applications and enforcing encryption.
Talking about the recent story regarding the Microsoft patch that led many users to have a 'blue screen of death', Daniel said that this was not that bad, but again 'in his fantasy world' administrators would be able to re-image systems so they were finely tuned and depending on your settings, you could push patches out until 72 hours and everything would be secure.
He said: “You will be able to log in to use whatever tools you have, be able to re-image quickly and disaster recovery concepts work and put a new image on. These are all things to imagine in my fantasy world!”
We concluded by talking about third party software, with Daniel saying that the significance of third party software has been demonstrated in compromises, particularly with the Verizon Data Breach Investigations Report showing the influence of captured usernames and passwords being used.
He said that in his fantasy world, companies would watch their networks and third parties to look for signs of compromise, so it would tell you about problems so you could mitigate it.
“It will look for signs of compromise, tell you about attacks and tell you what to worry about as machines talk to each other,” he said.