Tony Sager is a Senior VP and Chief Evangelist for the Center for Internet Security. He leads the development of the CIS Critical Security Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Tony also serves as the Director of the SANS Innovation Center, a subsidiary of The SANS Institute. He retired from the National Security Agency (NSA) after 34 years as an Information Assurance professional.
As the lead pathfinder at CIS, Mr. Sager addressed Cyber Security Summit 2016 on Making Best Practice Common Practice: the CIS Controls.
“…I have just completed 40 years in this business that we call cyber security. So what you’re going to hear is a little bit of history, a little bit of lessons learned, a little bit of what we need to do together to deal with this problem.”
“One of the challenges of getting older is that you keep seeing the same mistakes get made over and over again. So that’s why I’m here, to see if I can help avoid some of these things.”
“You cannot last in this business unless you’re one of two personality types – complete cynic, hopeless optimist,” Tony Sager told his audience. “Good news … there is something to pick on every day.” Cynics can spend their entire careers picking holes in the cyber defenses of client companies in Red Team exercises. “It’s great work…but it doesn’t solve the problem.
“The hopeless optimist – that’s me. You’ve got to believe you can make progress,” he said.
“Confidentiality used to be the main security issue back in the ’70s. We had communications information that was too sensitive for anyone else to know – military plans, diplomatic positions, and economic projections.”
“Is anyone else old enough to remember when, at the national level, we thought we had only one enemy… the Soviet Union?”
“Doesn’t that sound very quaint today? You live in a world where everybody’s sort of a friend and sort of an enemy and most of the time I can’t tell the difference on any given day.”
Ensuing years have demonstrated a more complex reality. “Computer development has been driven by economics, not security.” In testing systems over his 40-year career, he said he has seen many things break.
“Security is an outsourced category in most people’s minds. They just want to have it handled. They don’t see their role. Ninety-nine percent of what you need to know to defend yourself is already out there.”
“Any serious analysis of the business tells us that eighty to ninety percent of problems plaguing you today – stealing your money, exposing your credit card number, undoing your privacy – come down to basic hygiene,” he said, naming things like sloppy network design and unenforced policies.
“We have more of everything in cyber security – too many resources, too many,” he said, pointing to a slide titled The Fog of More showing a plethora of tools related to cyber security. “Here’s the irony of the business. As defenders, we have more tools, technology, more training, more certifications, more friends than we’ve ever had in our entire history as cyber defenders. That’s a fact I can give you many details on — and yet, we’re getting worse, not better,” he said, then corrected himself. “Actually, we are getting better, just not as fast as the bad guys get better.”
“Defense is always about prioritization. There’s a large number of things you could do – you can’t do them all. There’s a large number of technologies you could buy next door – you’re not going to buy them all. It’s all about priorities.”
How do you know what to do? he asked.
“Conflicting vendor claims, umpteen consultants with umpteen-and-a-half different opinions, every regulator in the business is coming after you, everybody wants to know what you’re doing. So there’s a technical challenge to figure out what to do, and then there’s the explanation challenge. I call this the defender’s dilemma.”
“You’ve got to figure out in all this noise…what should I do? I don’t have unlimited money, I don’t have unlimited time, so how much should I do? And then, how do I actually do it? Which means convince the boss, get a budget, get some time, hire some people, train them, choose the right things from the marketplace, implement it, operationalize it, build procedures around it … make it the way you run your system.
“These are the challenges we live with, and … most insidious of all … we’re in a world now where you have to do the right thing, figure it out, do it – you have to prove to many other parties that you have done the right thing.”
“So how do I demonstrate to others that I have done the right thing? We’re in a world where trust is a dynamically negotiated condition. Over and over again, there’s no binary trust (like) I trust you forever … we trust each other not so much.” Supply chain partners, for example, are given access only to a tightly controlled database directly needed to let them do their jobs.
“Attackers are human beings – they have a boss, they have a budget, they have time limits. They worry about those things.” “The idea is to make hacking your system too expensive for them,” he said.
He named several questions that must be answered in the process to adopt best practices as common practice. Definitions are the beginning. What comprises a best practice? Drilling down further, what is a practice? Recognizing barriers to adoption is a necessary step, and finally, acknowledging that cyber security takes more than just a list of practices. Robust cyber security relies on a marketplace of tools, training, community-building and sharing of ideas. Alignment of practices with oversight, auditing and compliance completes the detailed process to identify best practices, he said.
Participating on a panel that followed his personal presentation, Mr. Sager said, “The value of a company should consider a company’s IoT capability. Investors are waking up. When you buy a company, you buy their IT,” he noted.