Podcast: Tony Sager Discusses The Community Defense Model
DATA SECURITY PODCAST
In a recent podcast interview, Hillarie McClure, Multimedia Director of Cybercrime Magazine, and Tony Sager, SVP & Chief Evangelist at CIS, discuss the latest views on data security, the importance of system integrity monitoring, and best practices for businesses regarding file integrity monitoring. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Tony Sager. Tony is a Senior Vice President and Chief Evangelist for the Center for Internet Security, Inc., or CIS. He leads the development of the CIS Controls, a worldwide consensus project to find and support technical best practices in cybersecurity, and champions the use of the Controls and other solutions gleaned from previous cyber attacks to improve global cyber defense. Welcome back, Tony. It's great to have you with us today.
A: Thanks so much. Pleasure to be here again.
Q: So Tony today we're going to discuss the Community Defense Model, from attacks to action. So what is a Community Defense Model and what would I use it for?
A: Sure, thanks. The Community Defense Model is both kind of an operational model for the Center for Internet Security and also there's a paper that goes with it, which we just released recently. The idea is to bring more data, more rigor, and transparency to security recommendations, like the Center for Internet Security Benchmarks and Controls. So a lot of the history of cybersecurity has been about "I'm not sure what to do, I better find some wizard-like people to come up with some ideas for me", you know, as consultants, through publications or through fancy tools — and I have to kind of trust them, right — these are people that have lots of experience, so I hope good judgment.
And they're going to tell me what to do and I'll be fine. That sort of gets you a little way down the road but frankly not far enough. So the notion is, can I bring more data to this or can I bring more rigor to this, as opposed to trying to make sense of millions of attacks that are happening around the world, all the time.
So the Community Defense Model describes how we take what we started with and center around something called the Verizon Data Breach Report, which is kind of the most well-known of these annual summaries of attacks, as seen by Verizon and several dozen data partners, including the Center for Internet Security.
And think of it as a statement that doesn't give you all the data of every attack, it attempts to summarize and develop trends and patterns and so forth.
And that is essential because you know, while it might feel like it, we're not actually getting hit by millions of unique attacks every day. We're getting hit by millions of repeats of a very small number of patterns of attack over and over and over again, because they work. So the Verizon report sort of acts as the what's really happening out there in the world, real-life not what people dream about or might happen or could happen someday, but what is really happening.
We match that with something called the MITRE ATT&CK model, which is, think of it as a very detailed technical-oriented way to break down any given attack into all of its, you might call, atomic elements. Every sort of tactic, every step, every tool, every bit of data, you know, all of the microscopic things way under the hood that make up all the things that go into an attack.
So we pull this together: here's what's happening in real life, you know, at the sort of summary level. Here's how I break those down to microscopic, you know, little elements, and then we sort of work those together with the products that we produce from CIS: the CIS Benchmarks and the CIS Controls.
And the notion there is, can we build a more rigorous statement about what specific security value does any security recommendation give you, where value is defined as its ability to provide some defensive value against some step of the attacker.
So it's a conceptual way to sort of pull this together, to kind of move away from the "Gee, can I find 10 people I can trust or 10,000 people I can trust", to "Can I build a more reliable, transparent model and data-driven way to talk about security recommendations". So that's kind of the idea of it. It's not a one-time thing for us; it's a growing, evolving thing.
Q: OK, and then to build on that, why did CIS develop this and why is it so important?
A: You can think of it as a current event in a multi-year process aimed at what I described earlier: bringing data, rigor, and transparency. And one of the things that holds cybersecurity back from sort of mainstreaming, or becoming, you know, from the realm of wizards into sort of social risk and decision making, is the lack of these kinds of models. You know, we have things kind of like this in public health, and the metaphor isn't perfect but it's pretty good.
And the idea is you know we do things in public health, believing that there's science behind it right? We get shots, we wash our hands, we don't cough on people, we avoid risky locations. And we kind of implicitly accept that there's a lot of analysis and research and studies going on under the hood. And we've been trying at CIS to push ourselves in that direction.
Because we think it's important you know, otherwise we're all kind of left with this wizard model right? Who do I trust to give me good advice? Is it the US Government, or some other government? Is this nonprofit or that commercial company?
And that might be helpful, but it doesn't really solve the nation-level problem right, of how do we make large scale progress in security and also be able to negotiate things like trust and supply chain security and so forth.
So for us it's an essential next step of bringing all these good properties of transparency and rigor in data, to the way we make recommendations. And then we put it all in the public right, because we're not claiming, this is the ultimate answer in fact no it's not. But we think it's a great step. By putting it in the public we're making it clear that this is how we make choices about the best practices products that we produce. And if you have a better idea, please tell us, because we want to hear it and we'll use that.
You know, the idea is we're not, this is not about commercial gain, this is about security improvement and allowing people who don't have a room full of experts to get the value of security improvement. Most of our economy, most of the businesses, for example, don't really have security professionals on their team. They can't afford them, even if they were out there to be had. So they're not going to do the kind of analysis that a large financial company or big government agencies do. They're going to have to take recommendations from somebody else who has that horsepower.
But for folks like us, we want to do it in a way that's transparent. Then you can look at what we've done, decide that you like it or not, improve it, if you choose, bringing other data if you choose. So it's really essential we think for folks like us to be really clear about why we recommend what we say. And if we don't do that then there's no basis for comparison or argument or any other thing.
Q: So Tony is this one size fits all or could I tailor this for specific cases like a sector or a supply chain?
A: By design it's meant to be flexible. So I mentioned, we started with the Verizon Data Breach Report and we also work with the Multi-State ISAC data, the Information Sharing and Analysis Center; CIS is also the home of that. But it wasn't unique to them, we just have a great relationship with the Verizon folks and of course with the MS-ISAC.
So we use that as our primary input to define the most common attacks. I think the ones we really think that our practices should defend against. There is no reason on earth, now it takes some analysis, but there's no reason in the world you couldn't do that with any other sort of similar vendor report. And we've worked with folks as diverse as Palo Alto and IBM and Symantec, McAfee, HP, you know, basically, at some point we've talked to everyone we can find who has an annual report that is legitimately based on data, and sort of talked this idea and walked through this with them.
Now the Verizon report is very representative of the industry, but it's not perfect. It has a lot of data sources of different types, so it's a great starting point. In the future we'll start to work with others and we think that would be kind of a natural way to diversify it.
Now there are, for example, sectors of the economy that might have a concern about a different set of attacks, you know, maybe in the power generation or some other sort of utility or infrastructure-oriented place. They may have their own way to aggregate, or pull up summaries of attacks that are kind of unique to them.
My experience has been they don't have wildly different types of attacks, but they often prioritize attacks differently. For a lot of infrastructure stuff, availability is the driving requirement; the systems must stay up and they're not so concerned about confidentiality.
And in other industries, the opposite is true. They could care completely about confidentiality, and they can suffer a little bit of availability problems.
So a sector which has sort of thought about their kind of attacks they really care about — again we've published this to the public — you can take our sort of model and way of working with it and we'd be glad to talk to anybody to help them take the same idea but apply it to their specific sector with their data which they may or may not choose to share with us, either way it's fine.
Supply chains are similar. Everyone is struggling with this sort of supply chain thing. A large company may have tens, hundreds, or literally thousands — and if you talk government level — hundreds of thousands of companies in their supply chain.
And they would like to know is it safe for you to be in my supply chain for the kind of functions that we need, or the data we need to share for you to sell stuff to me? What should be my security expectation of you? And you could build kind of a larger simpler version around the Community Defense Model that is really tailored to that. We have not done that but we've discussed it with lots of folks who are interested in that kind of problem, so we think that might be another thing.
Q: Okay, so is the Community Defense Model done or is there more to do and potentially an evolutionary path?
A: There's plenty more to do. As I said, it's not the ultimate answer, but we believe that it represents a significant step in the public step that we're happy to argue about. I mentioned one of the constituent pieces is pointing to the MITRE ATT&CK framework, which has become the de facto industry standard for sort of low-level analysis of attacks.
We are a part of the nonprofit that MITRE has set up to manage that activity. And we're working with them to suggest improvements that would make it kind of more natural for the kind of community things we have done in the Community Defense Model. So that's a clear path.
We're going to make some suggestions and we share some improvements in there to help people with this mapping problem of "how do I sort of map from data about attacks into some standard form for which I could make security recommendations or frameworks and requirements" or whatever.
That same would be true with lots of other sources of data but also then allow us to talk about all kinds of tools and the security value that they would provide. So we'll bring in other sources. Also, the question you asked earlier about tailoring I think deserves some more thought, and so we're going to spend some time chewing on that around this as, you know, I'm very conscious of this.
I spent most of my career actually working in the government, where you had a mix of classified and unclassified sources and so I'm very conscious of this idea of there's data that sort of "everybody can see" and then there's lots of data that "only a few people can see".
What you want is one model that sort of allows you to work with whatever data you have and choose to share it or not. But the output of the model, that is, the things you recommend, are easily shareable. So this has always been in my thinking: how do we pull all that together to make it the goal?
Again, the goal here is not for every company to hire a roomful of wizards. The goal is for every company or every business, every agency, or every individual frankly, to be able to know what to do — based upon real expertise — even if they can't afford to hire them.
Q: Great. Well, Tony, thank you so much for joining us today.
A: Oh it's been a pleasure thanks so much for having me.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".