Tony Sager, Senior Vice President and Chief Evangelist at CIS (Center for Internet Security) joins us to discuss the best approaches to the changing security landscape in the wake of COVID-19. Tony is a lifelong defender, with more than 44 years of experience. He spent most of his career at the NSA and now leads the development of the CIS Controls, a worldwide consensus project to find and support technical best practices in cybersecurity.
The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast.
Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. This is Tim Erlin. I’m the vice president of product management and strategy at Tripwire. Today, I am joined by Tony Sager, senior vice president and chief evangelist at CIS. Welcome, Tony.
Tony Sager: Thank you very much. It’s a pleasure to be here with y’all.
Changes Produced by the COVID-19 Pandemic
TE: Okay. So we’re here to talk about the way that this COVID-19 pandemic is changing the information security landscape. From your perspective at CIS, what kind of changes are you seeing in the cybersecurity market or the cybersecurity industry as a result of the pandemic?
TS: Yeah, great question, Tim. You know, we’re both observers and we’re participants. So we’re a small but mighty, a technology company, a little nonprofit, and a pretty traditional office environment with a small percentage of people working from home scattered around the country. And almost overnight, maybe a long weekend or so, we find ourselves as a hundred percent remote workforce. So a lot of things happened in a hurry. Most successfully, I’m happy to say mostly because of what we did over the weekend, which was a pretty amazing bit of work, but also the prior year or two in better structuring our entire IT infrastructure and building more capacity. You know, turning from anyone outside the headquarters was a lost orphan with their shadow IT, we put in place a lot of cloud based and much more scalable solutions for the entire company no matter where they happen to work.
But yeah, we’ve seen a lot obviously shifting overnight and a lot of folks facing up to, I’ll call them the classic challenges. It’s been a truism for probably a decade or more: the perimeter is gone and so forth and this really makes you face up to it when, when literally over days and weeks you’re moving all your folks outside the building and then realizing many of them can’t do their work unless they have access to resources that are back inside the building.
So a lot of adjusting and a lot of rethinking, and thinking about, wait, wait a minute. Where is our information? Wheres the vital things that we depend upon and we would rather have the world not know, and how do we make that available to employees? So really a rapid shift, and conceptually, maybe it wasn’t a surprise. We’ve been saying these kinds of things for quite some years, but as a practical matter, they’re really a struggle to put in place the kind of flexibility and capacity that you need to support a large remote work program. Part of this boils down to prioritizing what’s important to you.
TE: Yeah. It’s one thing to say that there’s no perimeter any anymore and it’s another entirely to suddenly be forced to actually not have a perimeter.
Finding focus in this complicated world
TS: Things are just happening too fast and it’s dispersed across a large front. So you have to be both looking really broadly at all these different problems, but also very focused on what really matters, right? Everything can’t be equally important. So how do we focus our attention and our controls and our management attention on things that are really, really vital to the future of the company? We’ve talked for years about doing that, but I think this really brings it home for us.
TE: Yeah it brings to mind the difference between building security in at the start and adding it in as an afterthought. Where organizations for which security was part of their DNA, they would have looked at this expansion of working from home and security, it would have been part of the architecture that they looked at regardless.
TS: Yeah, that’s, that’s exactly right Tim. Towards the end of my career at the NSA, I remember one senior officer thought that we were horribly misguided in the DOD because we were trying to protect everything (which wasn’t actually true, but it was the way she thought of it). And therefore we’re not protecting the most important things. I offered a different way to think about it, which is, everything deserves some level of protection, but some deserve more. So, yeah, it’s sort of thinking ahead of time. I need to have some level of visibility and control and understanding and so forth of all my assets, right?
TE: You know, we spend a lot of time talking about how to prioritize remediation or how to assign appropriate business value to assets with the point being that you then can prioritize remediation. But part of your point there is that even the assets you might deem as unimportant can have a high value in an attack chain.
TS: Yeah. That’s right, Tim.
I think classical thinking about computer security has always been intellectually complete, but practically not very useful in the sense, the idea is that every business is unique – our dependencies are unique and the risk appetite of our managers is unique and so forth. And that there’s truth in all there, but it leads us down the path with what I call the special snowflake school of security: Everyone is unique and therefore, you really don’t want to spend any money on defense until you figure out all this uniqueness and all these dependencies and so forth. And then you go to some giant catalog and you choose wisely from this catalog and you manage to that set of controls.
That’s not been very scalable or successful. So at CIS, we feel there’s this bad soup of bad things that we all have to deal with, right? As a practical matter, most enterprises don’t have the kind of threat information or the people and the time and the luxury of thinking about this. So our view is that there’s a set of things that we all ought to do. That’s really the kind of philosophy behind things like the CIS benchmarks and the CIS critical security controls.
Does COVID-19 Change Security Controls?
TE: Back to the COVID-19 issue: Do you see that those controls changing in light of the way that organizations are fundamentally changing how their workers connect and interact in order to get their jobs done?
TS: Yeah, I think that’s a fair observation. We think a lot about the fundamental problems facing organizations. So you know, as I started to really give that a lot of thought over the last couple versions of the controls and yes, at the end of the day we have a list, but I spent a lot of time on the introductory text, which are trying to describe this sort of foundational problems and the things that we ought to be aware of independent of specific solutions.
It’s a challenge to think of defense and attack in a really systemic way or in a holistic way. At the end of the day, a phrase I use is that both security and insecurity are, in fancy language, emergent properties of the system. We’re used to thinking of a zero day in a piece of software or a flaw in a protocol, et cetera, et cetera. But you don’t really understand the risk. You raise them up another level to put them in the context of the system and actions of humans and the composition problem of all these different pieces.
And so that’s the kind of discussion that we need to think more about. To balance security with what these assets are intended for.
TE: And you have to remember that the goal of any system is not to be secure. The objective of that system is not security. It’s whatever its other mission is. If it’s to process transactions or store data, security is an attribute and not an objective.
TS: Exactly. And I think that’s what we’re seeing, I think over the last few years now and we’re still struggling as an industry through this. At the end of the day, this is about senior decision makers at every level, making wise choices, with the best information that they have. And they’re doing it in the context of not separate from the business but in fact an enabler of the business or a foundational to the operation of a business. They’re just trying to make it as difficult as possible for the attacker.
How to Use Security Controls Amid the COVID-19 Pandemic
TE: I do want to wrap up with one question that’s hopefully a practical one for security leaders. How can security frameworks like CIS be used by those security leaders in this time and environment?
TS: We’re actually thinking this through.
What’s the problem we’re really trying to solve? What’s the more abstract way to think of it that’s independent of technology? We’re really trying to make it easier from this side for people to adopt it. You know, we’re not trying to create the best list. We’re trying to create the most useful security change. But I would say that for almost any, at a core level, most frameworks call out a really high correlation among different frameworks when you look at them, right?
I would be looking for these things that we have in common. And at the end of the day, for me, the most important ones are these foundational steps that bring you things like visibility, awareness—you know, understanding of the security state of the pieces, whether it’s patching or configuration or privileged management. This has really been the core set of things that drive the controls. I don’t see that changing anytime soon. I think it’s common across many of the frameworks. So that’s where I would begin.
TE: Thank you so much Tony. As always, an interesting conversation. I really appreciate the experience and expertise and knowledge that you have to share, and I think all the listeners do as well. Thank you again, Tony, and thanks everyone for listening. Hopefully, you’ll tune back in for the next edition of the Tripwire Cybersecurity Podcast.
- CIS Controls Companion Guides https://www.cisecurity.org/controls/cis-controls-companion-guides/
- CIS RAM (Risk Assessment Method) https://learn.cisecurity.org/cis-ram
- Framework mapping overview https://www.cisecurity.org/blog/compliance-that-connects/
- Detailed mapping of CIS Controls to other frameworks https://www.cisecurity.org/controls/cis-controls-implementation-groups/