Podcast: Tony Sager Discusses Defense Strategies
DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, and Tony Sager, SVP & Chief Evangelist at CIS. , discuss the latest views on data security, and the importance of system integrity monitoring and best practices for businesses regarding file integrity monitoring. The podcast can be listened to in it's entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Joining us today is Tony Sager. Tony as a Senior Vice President and Chief Evangelist for the Center for Internet Security Inc or CIS. He leads the development of the CIS controls a worldwide consensus project, to find support technical best practices and cybersecurity and champions. They use the controls and other solutions gleaned from previous cyber attacks to improve global cyber defense. Welcome, Tony. It's great to have you with us today.
A: Thanks very much for having me, appreciate being here.
Q: So Tony, let's discuss defense in-depth strategies. Are they still effective and then how do we know the best tools to protect our infrastructures, starting with the term defense in-depth that has been a standard industry bumper sticker for decades at least since the first posters with castles and moats. What does it specifically mean to you?
A: Yeah, well, I remember those posters from the late 70s when my first assignment in computer security. I think 1978 or so. And the intention was good. Right? The idea was you need more than one layer of defense because attackers are determined, and so you don't want to count on any one layer, you want to make it difficult for the adversary.
The problem with them is literally the castles and moats, right? The idea was, you'd have a physical layer of a moat. And if they got through that, then there's the castle wall or there's the drawbridge, after that there are mean people with sharp objects ready to stab bad people. You know, it was a sort of a one thing-one thing-one thing, kind of a model, but it was a way to get the idea across. However it was outdated when it, when it came out.
I prefer to think of depth in two dimensions in sort of space and time. Right. So there's a sort of kind of a notion of space. And there's a notion of time. An attack is not a thing. It's a whole bunch of things. It's a series of steps; line attacker, everything from reconnaissance and tool development, to the initial stage, to moving around inside your network, exfiltrating data or causing some other bad effect.
So your model of depth ought to account for that. That is, the attacker has his own model of offense and you should design your defenses to cause him either cost or visibility or pain at multiple places at multiple points in time.
So I think it's a healthier and more modern way to think of defense in depth. And it gives you more flexibility. The idea of a kind of a wall model is that it is sort of all or nothing that goes next to nothing. And really this is a much more dynamic problem then we thought about in the late 70s and the 80s. The other thing to remember is that defenses are never or they should not be ever static, that is, you want to keep the adversary guessing too. One reason adversaries are often successful is that we are sitting ducks, right? They can do reconnaissance, they know what technology we're using, they know how we're configured, they know our network topology.
And so, if nothing ever changes, then the adversary has the luxury of sort of doing reconnaissance and this is good for a long period of time. So part of that then, is depth is also about raising confusion or uncertainty on the attackers' part.
Q: Okay, so with that does depth of defense really matter? Aren't sophisticated attackers just going around our defenses?
A: Well you know it's easy to think that, but it turns out to not be true. I'm one of the few lifelong defenders. I'm at 43 years and counting now, with 35 of it at the National Security Agency. So I'm one of the few lifelong defenders that lived inside an intelligence agency. And having studied them — and believe me, they are good at what they do, but they are not magicians, they don't perform magic.
They have their own life cycle — they have to do a number of things and attacks. As you model and understand them —they have weak points or points of uncertainty for the attacker where they have their own risk model. And so you have to think about that, again, as you're designing defenses. You can't protect against every stage of every thing the attacker might do. The defender has to worry about economics, right, what's, what's the cost-effectiveness of my defense? The attacker has to worry about sort of "how do I get in there?".
My observation about the biggest difference between sort of the nation state high-end super duper attacker and sort of the mass market — which is huge, is that nation-state attackers have this model, but they cheat. They cheat any model you can come up with. They can attack your life cycle. They can bribe human beings. They can do things that sort of, they don't cause a different model to occur, they sort of jump into your model at a different stage.
And that's another reason why layers of defense really matter, right? You can't count on say your perimeter of defense to stop everything there. The really determined attacker might bypass that through some means — again like getting into your supply chain of software or something. And therefore, you've got to have another layer somewhere later in space and time to be able to catch them, prevent them, so forth.
Q: So it makes sense to have more than one layer of defense, just in case, but are three layers better than two? How do I know when I have enough defense in place layers or otherwise?
A: Well, that's a great question. So if you ask the old security professionals like me the answer to is it enough — the answer is always no and it's always I need to do more. But that's not realistic for businesses or government agencies. You have to decide what you're willing to spend and that depends on what's at risk and all these complications.
I've always said this: If you make your defenses too complicated or too expensive, then your users become your attackers, and they go around your defenses —the people that you're trying to serve. And we used to call it "they thumbdrive your defenses" or "they Dropbox your defenses". So they go around them. And it's not because they're bad people, or they're evil, it's because they believe they have a job to do.
The IT is there for a reason to help people get the job done. And so if you treat security as this sort of like, you know, ivory tower garden wall, must do everything my way kind of approach, then you cripple the operations of the business. And so that's not very helpful. And you can't afford the bankrupt your business in the name of security.
So the real trick I think in sort of security thinking and architecture is to decide: We have a job to get done, and I need to have multiple layers of defense—but I also need to support the mission or the needs of the business.
And so for security professionals, it's better to sort of work with something you can live with, you know, manage, monitor track down where the company information goes, as opposed to standing on the sidelines telling people they just can't do things and then eventually they will ignore you, and then leadership is going to ignore you.
So I think it is always prudent to think about having more than one layer of defense in the way that I talked about, sort of in space and time. It's the way to think about it. But at some point, you also wind up with overkill. And I heard this all the time from financial services companies or industries where there's a lot of mergers and acquisitions. Where you know the CISO wakes up one day to this combined company realizes, I've got like seven tools to detect the initial compromise of an attacker. And I've got no way to detect when they start exfiltrating data out of my business.
That was a sort of an accidental bad architecture. And so they start thinking about how do I de-invest in some of these upfront tools and invest in tools to give me a more of a balanced portfolio of defense. So it's very common to find yourself with sort of too much defense at one point and no defense somewhere else in your system.
Q: So how does one go about convincing management to support a depth strategy. I'm sure there are folks out there and listeners that are struggling to sell their management team on one layer.
A: Oh, absolutely. That's sad but true, you know, but the time is coming and it sort of feels a little painful right now, but we're entering a phase I call the "mainstreaming of cybersecurity". Cybersecurity has been traditionally the work of wizards, you know, kind of scruffy looking people that speak a different language, and technology will save us.
And because our entire economy and all of our social interaction is dependent upon technology, that's not good enough. It's not good enough. It's great job security for all folks like me, but it's terrible public policy, for example. So we need to think about ways that the understanding of risk and attacks and what is prudent to do. We're not going to teach everyone that kind of information. We don't teach everyone that information for public health either or airline safety or medical safety or anything else.
So we embed a lot of the risk analysis and the action that follows kind of under the hood, in regulations and code, in practices that are encouraged or discouraged by things like insurance and other "business kind" of mechanisms. For today, any company that isn't thinking about this is headed for disaster, because the kinds of attacks are so pervasive.
So you have ways to convince people that say you need to do this. It's becoming the expectation. It is something that we have to do. We cannot outsource our risk, for example, created by cyber insurance, unless we show that we take certain kinds of actions on our part so that the insurance company can decide we're insurable.
Now big sort of supply chain leaders (like the Defense Department) are deciding I need to push some requirements or some security expectations down to my supply chain or I can't afford to buy stuff from the suppliers. So you're seeing that as a big wave that's coming and of course, the courts and the lawyers and the regulators and the auditors. Everyone has a role in the cybersecurity business. And it's really becoming again less of a technical specialty and more of a social life expectation around risk and management. Similar to the way that we treat things like public health and again like airline safety.
And it's uncomfortable for technologists— for my generation, but it's actually the right answer. That's the only way that we can sort of align the incentive to improve security with the technology that could in fact do it — is to bring these things together into one place so that people can make rational decisions for their business or their lives in a way that improves security but doesn't bankrupt them or cripple the business.
Q: Tony, thank you so much for joining us today.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".