ActiveCyber Interviews Ron Gula – Former Tenable CEO Embarks on New Venture in Cybersecurity Start-up Investing

Ron Gula has been at the forefront of the cybersecurity space for over 20 years, starting his career as a pentester for NSA and recently stepping down as the CEO and co-founder of Tenable Network Security. Now, Ron and his wife Cyndi are embarking on a new adventure, assisting other cybersecurity start-ups in terms of funding and advice. Ron’s passion for technology and his insight into what is practical lend themselves well to such a venture, and are clearly manifested in this interview with ActiveCyber. Learn more about what Ron is thinking about in various areas of emerging cybersecurity technology in this interview and check out his portfolio of companies he is helping at the link below.  

Spotlight on Ron Gula

» Title: President and Co-Founder, Gula Tech Adventures; Former CEO and Co-Founder Tenable Network Security
» Website: http://www.gula.tech/
» Linkedin: linkedin.com/in/rongula

Read his bio below.

November 27, 2017

Chris Daly, ActiveCyber: How have your investment strategies and priorities for investment changed (or stayed the same) as you have made the transition from CEO of a major cybersecurity tool provider to the CEO of your own tech investment company?

Ron Gula, Gula Tech Adventures: A lot of the angel investing I did while CEO for Tenable was a combination of wanting to work with great teams and technology outside of Tenable’s. Now doing this full time, we focus on three areas – cyber hygiene, threat management and web security. We still look for great teams and technology, but I’m also looking for an ability to participate and share our experience full time with these companies.

ActiveCyber: We have seen and heard about autonomous vehicles. Recently DARPA hosted a cyber grand challenge called the World’s First All Machine Hacking Tournament where autonomous systems defended systems from cyber attack without human intervention [see http://archive.darpa.mil/cybergrandchallenge/]. During the competition, each team’s Cyber Reasoning System (CRS) automatically identified software flaws, and scanned a purpose-built, air-gapped network to identify affected hosts. For nearly twelve hours teams were scored based on how capably their systems protected hosts, scanned the network for vulnerabilities and maintained the correct function of software. What is your view regarding a cyber ecosystem built on distributed, cooperating, intelligent and autonomous endpoints that provide proactive and collaborative defenses? In what timeframe, if ever, do you believe autonomous cyber systems will play a role in defending (and attacking) in cyberspace?

Gula: I don’t believe machine learning is ready to solve the big problems of cyber security. To date, they’ve been applied to discrete tasks such as identifying unknown malicious software or activity anomalies. Although there has been progress in these areas, the problem is not solved and users of this tech speak in terms of false positive rates or augmenting humans. When I say big problems, I’m talking about being able to have an AI that could speak to a board or executive, and based on all of the security and compliance big data, make a recommendation in a manner the board will take action on. Said another way, lots of very smart humans have been telling boards and politicians what they need to do to be secure, but the message isn’t getting through. And lastly, when I see companies pitching me an “ecosystem built on distributed, cooperating, intelligent and autonomous endpoints that provide proactive and collaborative defenses” I tend to see technology that looks a lot like what the anti-virus guys have been shipping for decades and is less effective than anti-virus is today.

ActiveCyber: One of the shifts in focus being discussed in the cybersphere is the movement to hunting for threats versus hunting for vulnerabilities. Do you believe that hunting for threats and sharing threat information will be more effective in combatting cyber attacks than hunting for vulnerabilities and sharing vulnerability information / patches?

Gula: It’s 2017 and if you visit any network operations center and ask them where the security operation center is, it’s usually in another part of the building. If you ask where the audit and compliance team is, it is in yet another place. Although there are lots of political and legal reasons for this, it creates stove pipes and we’ve all heard that keeping a network running well can be a problem if you are trying to secure it. I reject that and claim a poorly designed or managed network is hard to secure. When I have any time with politicians or policy makers or boards or execs, I tell them the best thing they can do to increase the security of a poorly run network is to require that it be audited continuously. The government, such as OPM, CIA and NSA, are known for having some big hacks, but they didn’t get enough credit for moving from annual audits, to 30 days and now to hours.  They also don’t get enough credit for being transparent and measured by the NIST Cyber Security Framework. We still see hacks and they are on very grand scales. We would see less hacks if more organizations knew how to leverage frameworks to measure their networks effectively and make security policy decisions based on this data.

ActiveCyber: Cyber analytics powered by machine learning is a hot area for investment and innovation by all media accounts. What is your view on investing in this area? How do you see dynamic defenses improving as a result of improvements in cyber analytics? What do you expect the timeline to be for broad adoption of these technologies in cyber defenses?

Gula: Machine learning is used in a variety of our portfolio companies, but it is subtle. For example, there may be a very complex or large set of data used to produce a list of malicious domain names and machine learning may take place in the cloud somewhere, in a process supervised by human curators, but the sensors collecting and blocking traffic are “dumb” and just looking at matches on lists. I’ve avoided in investing directly in companies that focus on collecting data, dumping it into a data store and alerting on outliers in the data as their primary focus. It’s great to have a report or an alert of something different happening on my network or in my data that has not happened before, but detecting change from a baseline is not the same as detecting evil or maliciousness.

ActiveCyber: Where do you believe is the best area to emphasize in training and educating the next generation of cyber specialists? How does education and training need to change to meet the challenges that we face in supplying a capable cyber workforce and to inspire the technology leaders and innovators for cybersecurity?

Gula: One thing that has been the same now that was 20 years ago, is that there are more open jobs and positions in cyber security than there are people. The big difference now is that you can get some experience in cyber for free. You can get free online cyber training from places like Cybrary and many security solution vendors. There are lots of downloadable tools and virtual solutions where you can practice running and testing many types of technology. There are competitions that have evolved from Defcon’s capture the flag to high school level competitions like Cyber Patriot. Even with all of this though, we are still really short on talent, which is why I advocate moving to the cloud and leveraging more security automation – i.e., reduce your attack surface and cyber exposure at the same time you are investing in technology, people and processes across the entire NIST cyber security framework.

ActiveCyber: What types of innovation do you see emerging to assist cloud providers and cloud stakeholders in securing their resources?

Gula: If you have a legacy application that you wrote or bought from a vendor, you can get a plethora of ways to secure it. For example, a complex enterprise email solution based on Microsoft Exchange needs to be patched, have a hardened configuration, be protected with a firewall, have its logs monitored, be physically secured, and on and on. When that same email is sent through Microsoft’s Office 365, many of those processes go away. Said another way, you still need to be accountable for the confidentiality, integrity and availability of your data in the cloud, it’s just more efficient to let someone else fight these battles for you. I would like to see more adoption of logging and monitoring of cloud applications. For example, I always tell on-premise network security teams that each time an application like email or customer resource leaves the network and goes to the cloud, they need to be collecting the telemetry from the cloud provider.

ActiveCyber: Quantum computing poses major impacts to securing critical infrastructure due to dependencies on PKI and other cryptographic technologies that are not quantum resistant today. What are your thoughts about this issue?

Gula: I’m not a cryptologist or an expert on large scale encryption, but we live in a society that is increasingly concerned about privacy let posts very sensitive data to social media. We have politicians that ask for backdoors in computer manufacturers and we have offensive hacking tools from our intelligence community being lost and creating world-wide devastation. We also have huge amounts of wire fraud being perpetrated with spoofed emails and web sites and all phone calls are basically unencrypted. So having said that, I’m not that concerned about the impact of this on critical infrastructure because most of those networks are disconnected from the Internet. Many critical infrastructure networks are also so old, they don’t have patches available for these systems.

ActiveCyber: What are the major cyber issues emerging from the growing deployment of the Internet of Things? What types of minimum standards need to be in place to provide reasonable cyber protections as these IoT devices come on line?

Gula: I am a believer that the Internet of Things is really just the Internet and that always, humans are horrible at making risk decisions. For example, there have been stories circulating recently that “Chinese” web cams had vulnerabilities in them. These vulnerabilities were real and exploitable which impacted specific vendors, but not one article referenced the massive WiFi security vulnerability we had earlier this summer which impacted almost every vendor.I’m also a believer that we won’t see regulation on minimum standards for IoT devices. Yes, I want my car to not be hackable, but yes, I like getting traffic, music and weather updates from a connection to the Internet. I’m willing to accept that risk and because of this, commend vendors who have bug bounty programs and don’t try to hide breaches or security issues when they occur. Along those lines would be to increase penalties for breach issues. If you consider GDPR and the 4% of revenue or $20m in fines just for data loss, I would expect to see more outcome-based regulation in the future and not minimum security standards.

ActiveCyber: Deception, IP address cloaking, cyber maneuver, micro-segmentation technology have been considered hard to deploy or hard to manage technologies in the past. Do you see the adoption of this technology changing as new innovators bring about greater efficiencies in this area?

Gula: There have been many advances in deception. One of our portfolio companies, CryptoniteNXT, takes this to the extreme and offers an authorized user’s computer a completely unique view of the network. This is a technology developed with the Air Force and DHS called moving target defense. Other advances include honeypots and honey networks where interacting with them can not only detect hackers and insiders, but to also find their motivations, targets and techniques, such as zero day hacks. These have been productized with companies like TrapX.

ActiveCyber: Blockchain technology promises to bring about some revolutionary changes in commerce, banking, logistics, and even medical systems. What security challenges still need to be addressed in your view to consider the adoption of this technology? Do you see an uptick in investment in technology to secure block chain applications?

Gula: Blockchain solves so many issues, it is almost being made fun of in the venture world because every third or fourth pitch makes use of it. Said another way, the things we do every day from e-commerce, to banking to sending email have so many things wrong about them from a security point of view, they are too numerous to list. Blockchain can solve some of the security issues we have today, but not all of them. For example, Blockchain can prevent spoofing in many ways from someone attacking a system which communicates messages to each other but it can’t prevent a hacked client from sending a fraudulent message.

Thank you Ron for providing a quick tour of your thoughts concerning this wide variety of cybersecurity emerging technologies. I am sure that all of your portfolio companies will benefit tremendously from your experience of being at the helm of a start-up that has reached significant heights in the industry. And I look forward to seeing how these different portfolio companies will enable better active defenses for our national community.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, securing the Internet of Things, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at ActiveCyber.