Cyber Threat Intelligence

Interview: Glen Pendley On “Left Of Boom” Security And The Inspiration Behind The Tenable One Platform

Tenable’s Glen Pendley discusses the balance between “left of boom” and “right of boom” security, how businesses can ensure they’re prepared to deal with an attack, and how generative AI will impact defense and attack technology.

GlenPendley-Tenable-Interview

Cybersecurity tools can broadly be split into two categories: “left of boom” and “right of boom”. In this case, “boom” referrs to a security incident such (like a breach) and “left” or “right” refers to where the tool sits on the timeline of incidents (i.e., before or after the breach). Left of boom tools focus on prevention; they try to help businesses stop a breach from occurring in the first place. Right of boom tools involve detection and response; they help businesses remediate an incident once it has occurred. 

While there is some discourse in the security industry about which type of tool you should focus your resource (and budget) on, many experts recommend splitting at least some of your investments on both sides. 

“You should never do one or the other,” says Glen Pendley, Chief Technology Officer at Tenable. “It’s very symbiotic.”

Glen is responsible for Tenable’s vision, strategy, and product innovation, as well as for architecting and launching the Tenable One Exposure Management Platform. Prior to his current role, Glen served as Tenable’s Deputy CTO and SVP of research and development, leading the engineering and research teams. 

In an exclusive interview with Expert Insights at RSAC 2023, Glen discusses the balance between “left of boom” and “right of boom” security, and how businesses can ensure they’re prepared to deal with an attack. He also discusses how the rise of AI will impact the threat landscape, from both a defensive and adversarial perspective. 

You can listen to our full conversation with Glen on the Expert Insights Podcast

Balancing “Left Of Boom” and “Right Of Boom”

When it comes to preventative versus reactive security, many vendors preach the efficacy of one side of the coin—often dependent on what type of tool they’re producing. But in reality, businesses should be investing in both types of tool in order to obtain the best level of protection.

“To put it in the context of medical conditions, some people wait until they have a broken arm or they’re deathly sick to see the doctor,” explains Glen. “But if you want to live a long, healthy life, you get check-ups, which are preventative medicine, to try to stay healthy.” 

“Activity-driven security tools—XDR, EDR—can be so much better at stopping attacks when they actually happen, if you’re reducing the attack surface and the opportunity for people to take advantage of it.”

The Problem With Preventative Security…

The main challenge when it comes to proactive security, says Glen, is that many of the tools in this category are siloed in terms of their capabilities. Some tools look for software vulnerabilities; others look at open source vulnerabilities; others look at cloud misconfigurations; and so on. And while these tools work well alone, there often isn’t anything tying them together—leaving security practitioners with multiple disparate tools to manage any visibility gaps between those tools, which threat actors can exploit when attention is elsewhere. 

“At Tenable, we’ve invested a lot of money to do an amazing job of quantifying the risk of a CVE [Common Vulnerability and Exposure]. And I was ranting [to the Co-Founder of Tenable], saying that that’s not good enough,” says Glen. “There’s so much more context that plays a part, that’s unique to every single environment.”

“Let’s say that you’re using a laptop and I’m using a laptop, and the absolute worst vulnerability in the world is on both of our laptops. Every single security tool would say that both of those vulnerabilities are equally bad because they’re just looking at the vulnerability. But in reality, that’s not necessarily true.”

“If I’m the person that sits at the front door and checks IDs, I don’t have access to anything. You, on the other hand, are a system administrator with access to SalesForce data and GitHub, you’re not using multi-factor authentication, and you’re more privileged. So which vulnerability is more at risk? Yours.” 

…And Tenable’s Solution

In October 2022, Tenable launched the Tenable One platform as a means of rectifying this common challenge amongst preventative security tools, and they’re continuing the develop new technologies to support the evolution of their proactive security suite. 

“Almost every one of our customers uses scanners, and there’s so much data sitting in that scan information, but most people don’t even know where that data’s residing,” says Glen. “So, we’ve built a data platform with multiple different pipelines that are decomposing data from our scans, whether it’s cloud, Nessus, or any other stuff, and we’re building a data model and relationships around every aspect of every system.”

By analyzing the relationships and dependencies between endpoints and all of the assets installed on each endpoint, Tenable can help identify vulnerabilities and prioritize them based on the wider security context of each case. 

“We’re taking data from a bunch of different sources and then programmatically building these relationships and decorating them with a lot of data science, using ML and AI. There’s a lot of cool stuff coming on that front, and all of our products are going to be driven off that,” says Glen. 

The Future Of AI For Defense Teams (And Adversaries)

The “rise of AI” is a topic that’s been on the tip of everyone’s tongues, especially since the launch of Chat GPT in early 2023, with many security practitioners discussing how best to integrate new AI and ML models into their platforms. For Tenable, says Glen, utilizing AI is all about enhancing customer experience and improving efficiency.

“What I don’t want to do—and what I see the world doing—is rush to jump on the AI bandwagon and not do any proper due diligence,” says Glen. “What we’re working on, from that perspective, is more of, how can we build an experience where our users can interact with all that data we’re collecting, and start asking questions and building insights? Now just ‘give me a report so I can give it to my boss’, but ‘what’s the first thing I should work on today?’”

“It’s that sort of experience that can drive efficiencies, and that’s where our focus is.”

But while AI is sure to help improve the efficiency of IT, security, and SOC teams, it’s important to recognize that threat actors also have access to these technologies and will most likely also begin using them to improve efficiency… of their cyberattacks. 

“All of the positive impacts that [generative] AI brings to society; those same efficiencies can be used by attackers as well,” explains Glen. “I was talking to a few folks the other night here at RSA, and I referenced a talk that I did here like 10 years ago, where I was demonstrating how you can use social media to do reconnaissance. There’s so much information that people share on the internet, and to use that for reconnaissance takes time, but using an LLM [large language model] enables the bad guys to do that more quickly.” 

“A lot of people are like, ‘Oh, they’re going to be able to write crazy malware that they never had before.’ That’s not necessarily true. Attackers know how to [write basic code] already; that’s not where the efficiency comes from. I believe it’s reconnaissance or finding vulnerabilities in software; it just makes what attackers do more efficient.”

Preparing For Tomorrow’s Efficient Attacks, Today

In order to prepare for a wave of more efficient, targeted cyberattacks, businesses need to focus on employee training, says Glen. 

“A lot of anti-spam tools have been pretty good for a while [when it comes to detecting spear phishing and spam emails]. With gen AI, the emails that get sent in can be really convincing. We have to wait for the technology to get better on the protection side to do that, but, in the meantime, [we need to focus on] education.”

“I know it’s not a super sexy response, but you’ve really got to educate people on the potential things that may directly impact them in the short term and educate them on usage. Make people more diligent than they were before.”

Listen On Spotify:

Listen On Apple Podcasts

About Expert Insights

Expert Insights provides leading research, reviews, and interviews to help organizations make the right IT purchasing decisions. You can find all of our podcasts here.