BOSTON- Tony Sager has not only witnessed the revolutionary change in cybersecurity over the past several decades – he has lived it, through several decades with the National Security Agency (NSA).
The most significant, he says, is the transformation of cybersecurity from a government monopoly to a vast marketplace of threats, enemies, defensive tools and solutions that are far too complex for any one organization or institution to manage. The only hope, he said, is simplification and collaboration.
Sager, a founding member and chief technologist at the Council on CyberSecurity and also director of the SANS Innovation Center, focused on explaining that change and its implications in his keynote address at the SANS Security Leadership Summit Wednesday morning in Boston.
Among his key points:
The way we were: A government monopoly facing a single enemy.
“I’m a reformed monopolist,” Sager said, noting that in the 1970s, early in his career at the NSA, “the business of cybersecurity was a government monopoly. Who controlled the context, who decided what constituted success, who decided what security was good enough, who paid the freight for most of the R&D? It was the government.
“If you wanted encryption of sensitive or classified information, you had to come to a monopoly – the NSA. There was a kind of implicit notion that government would save us and solve the problem,” he said.
There was also the perception that the nation faced a single enemy – an existential threat from a single nation “that we didn’t know much about, because it was a closed society.”
The entire notion of connectivity was still in the future as well, so the notion was that cybersecurity was primarily a technology problem. “If we could build better technology, people could use that, our information would be safer, our operations would be more assured, and that would fix it,” Sager said.
The way we are: Millions of connections, millions of enemies
None of those notions of the past, “match the world we live in today,” Sager said. “We don’t have centralized ownership of the problem. We’re all connected, all using the same commodity IT, no one is breathlessly waiting for the government to tell us what is safe enough.”
Meanwhile, “we’re fighting all the time against an infinite number of bad guys,” he said. “It’s changed the flavor of the whole security business and how we think of leadership.”
Security leaders even have a tough time convincing their CEOs that the latest technology from Google, Apple, Microsoft or other vendors needs some study before it’s deployed.
“Your boss is absolutely sure you must have it right now,” he said. So, for security leaders, the new challenge is, “What’s the best we can do with what’s coming out of the marketplace? What are the prudent steps we can take? It’s no longer central control – it’s driven by consumers.”
Don't drown in defenses
It’s not that there is a lack of defensive tools. It is that there are too many. “Never before have we had so many at our disposal,” Sager said, “yet the problem seems to be getting worse. We’re drowning in stuff to help us – there’s tons of stuff, but so much of it, and so much in conflict, you don’t know where to begin.”
That confusion, or conflict, extends to the experts, Sager said, highlighting a saying that has become a cliché in the industry – that information security experts agree with one another 90% of the time, but then waste 90% of their time arguing to the death about the other 10%.
Cut through “the fog of more” with collaboration, simplicity
Sager said the explosion of threats and defenses resulting from universal connectivity – what he came to call “the fog of more,” led him to the philosophy that the most effective way to confront and solve those problems was through collaboration. “There is a list of problems that none of us should have to solve on our own,” he said. “I started to bump into them over and over again.”
One of them is high-level security and threat understanding. “Most of you don’t have the budget and staff to do high-level security or to understand threats in a comprehensive way,” he said. “So you can do it by proxy – leverage a large community. It doesn’t even make sense to know about it all. What you really want to know is what to do about it. ‘What action should I take?’
“Everybody’s on networks, has partnerships and relationships with vendors. So, mapping from the knowledge of threats to action is a problem we should not be solving on our own,” he said, when it can be vastly improved through, “an ecosystem of contributors, adopters, vendors, working, aides, consultants, teachers and more.”
Another example is improved security through simplicity. Sager said nobody, not even the government, has the market weight to force a company of Microsoft’s size to simply, “improve security.”
The key, he said, is to ask for something specific. In one case, he sought a reduction in the vast number of desktop configurations. “If you have a preconfigured standard, it lets you manage security properties much more effectively,” he said. “It’s very hard to do with an uncontrolled environment. Millions of end points all configured differently is a nightmare. But if you can cut that down to five, or even 15, you can cut costs. “
It’s good for the vendor as well, he added, “since they will know what a DoD desktop looks like. That saves them support costs. So it’s an economic benefit for both parties.”
Use a simplified, prioritized, shared standard for security
Sager said in 2001 he “shifted my thinking” on sharing government security recommendations with the public. “I got permission to release all the security guidance that we were developing for the DoD to the public,” he said. You could go to NSA.gov and get the same security guidance as the DoD. It was all designed to be unclassified and sharable.”
But, he said, it eventually became clear to him that despite his good intentions, this had contributed to the “fog of more.” A private-sector associate told him that while he appreciated all the information, that he was, “drowning in this stuff. I need to know what should I do now. Not everything, but now.”
That, Sager said, led him to convene a meeting with colleagues he trusted, where they whittled the list of “everything” down to 10 crucial security practices. That, in turn was eventually adopted by the SANS Institute as a community consensus project, “and took on a life well beyond anything we expected. And it started with nothing more grandiose than the question: ‘What should people do first?’”
That became part of what is now SANS’ well-known “Top 20” list, the first five of which are: Software whitelisting; secure standard configurations; application security patching; system security patching; and no administrative privileges while browsing the web or reading email.
“This is based on the 80/20 concept of security – that most of your value is derived from a small set of things,” Sager said. “It really matters, because that’s how we’re getting eaten alive. If you can’t handle this, you can’t handle more sophisticated threats.”
And that led to his final thought on leadership: “The most common mistake of strong leaders I saw,” he said, “was that they were great at telling you new things to do, but not so great at telling you what to stop doing.
“A lack of focus and priority is often a great weakness,” he said, recalling the late Apple cofounder Steve Jobs saying he was just as proud of the 10,000 things Apple didn’t do as the 10 things it did.
“If everything is important, then nothing gets done,” he said.