The Center for Internet Security (CIS) is a non-profit organization that provides a treasure trove of information and assistance designed for the cyber practitioner, including assessment tools, recommended controls, best practices and advice, information about threats, special memberships and more to help organizations get started securing their environment and to stay secure. Learn more about the work at CIS and the views of its Chief Evangelist – Tony Sager – regarding the emerging technology for active defenses in this interview with ActiveCyber.

Tony Sager is CIS’ Chief Evangelist – a role for which he seems well suited. I met Tony several years ago when he was a prominent cyber official at NSA, and I have always enjoyed his talks at various conferences, where he is often in demand. I saw Tony again recently at the Integrated Cyber conference, where we briefly caught up and he graciously accepted my invitation for an interview. I was deeply impressed with Tony’s tremendous insight into what is practical today and what to look for in the future for active cyber defenses in this interview with ActiveCyber.

Spotlight on Tony Sager, Center for Internet Security

» Title: Senior Vice President and Chief Evangelist, Center for Internet Security (CIS)

Read his bio below.

November 7, 2017

Chris Daly, ActiveCyber: There are several definitions for active cyber defense being applied by industry and the media. What is your definition of active cyber defense? What are the key objectives and capabilities related to active cyber defense in your view? What are your views regarding the paths to adoption for active cyber defense solutions?

Tony Sager, SVP Center for Internet Security: For an enterprise, Active Cyber Defense means they have put in place the foundational machinery of cyber information management, to include action/remediation. This means close integration between system/network management and cyberdefense. They have ongoing situational awareness of all assets (hardware and software), the ability to take in new information (IOCs, alerts, bulletins, etc.), rapidly assess the applicability and risk, and take action. Information is constantly generated which can be used for system management, but also to assess the readiness of the enterprise business or mission, and even to generate evidence to others (auditors, regulators, etc). At a community level, this won’t happen without a supporting “plumbing” infrastructure of open standards, a marketplace for tools and services, and direct support via policies and governance at an ecosystem level.

ActiveCyber: At the 2017 RSA conference, several speakers spoke of the need to leverage cyber intelligence to inform active defenses and accelerate “hunt” capabilities. What is your view on the maturity of cyber intelligence capabilities and the ability to share intelligence machine-to-machine?

Sager: I think the market’s ability to create useful cyber intelligence information about attacks, indicators, etc. easily exceeds the community’s ability to make use of them. The cyber intelligence ecosystem of providers provides too much [data], is too noisy, and has too much duplication for the vast majority of enterprises. When I see the phrase “share threat intelligence,” I urge readers to mentally replace the verb “share” with verbs like “translate” and “execute.” Intelligence data is a means to an end, not the destination. How can I translate millions of “negative” data points about system flaws and attacks into a smaller number of positive, constructive things that I can execute to deal with most of these? And by the way, the vast majority of this information and action applies to everyone, so how can we do this in a shared-labor way? One key is to provide better context as intelligence is created, by categorizing vulnerabilities and attacks in a way that more naturally maps to types or classes of countermeasures. This is different from taking individual IoCs and deciding to block a port, vice understanding that the IoC is indicative of a class of attacks that is best managed through a combo of asset management (e.g., configurations) and architectural change. I think there are a lot of people diving into the threat intelligence problem, with promising results, but I think the balance between better understanding of attackers and prevention, and dealing with the root cause issues is out of balance.

ActiveCyber: Should cyber operations and investments be directed more towards identifying and mitigating threats or hunting for and fixing vulnerabilities?

Sager: I think that managing and fixing vulnerabilities is a foundational, must-do activity. It allows us to minimize the attack surface, lay a foundation for improved automation and visibility, and improve system operations overall. And I think the vast majority of vulnerabilities that need to be managed are already known, independent of the specific threats that might take advantage of them and that most of this need to find and fix vulnerabilities is well within reach of current technology. And in terms of operations, we don’t want to overachieve by using scarce and expensive humans to point out things we should already know. Sure, understanding threats is very important, but not in the way most people think. In classic computer security terms, threats are about adversaries and their capabilities.  The marketplace generally generates a lot of excitement about adversaries, but most of us should primarily care about capabilities because that’s the information that we need to design our defenses. Yes, governments and high-risk enterprises might care a lot about who the attackers are, and are willing to spend lots of time and energy to find that out. But most of us just need to defend ourselves, so understanding attacks at the level of summaries, trends, categories, types, patterns, etc. matters most.

ActiveCyber: A growing problem, generally, for SOC operators relates to the increasing number of tools, scripts, and corresponding complexity / costs for accomplishing the security mission. Do you believe we are maxed out in terms of tools a SOC can handle? To what extent do you believe will process automation help to relieve this burden? How will the workload shift for the SOC operator when greater utilization of process automation is achieved?

Sager: I think we’ve long passed the overload tipping point for operators. Too many tools, too many information feeds, too much noise, too much duplication. And every new tool or technology or feed creates another integration problem for overworked operators. Smarter algorithms and better data are promising, but not yet mainstream enough to make a difference. We really do need better process automation especially to manage the gap from knowledge to system management so that we can remediate problems, and this is within reach of the marketplace. In terms of shifting workload, we all want to take advantage of the things humans can do better, and let them focus on problems requiring insight and intuition vice grunt work and data management.

ActiveCyber: Tying security concerns to mission objectives is a recurring theme these days. Risk and resilience are often used as metrics to tie these concerns together. However, mission objectives and operations and security posture can change almost on a daily basis. What approaches do you recommend to ensure the metrics for mission impact and security posture are reported accurately and understood by stakeholders in such a dynamic environment?

Sager: In today’s kind of environment, which is constantly changing, and with no absolute metric or understanding or perfect goal in cyber security, I think the most important starting point is to understand where the enterprise is relative to some yardstick of technical standards of best defensive practices (which have been developed and are maintained with broad community understanding of the nature of attacks). This is the approach we have taken at CIS. It’s not perfect but it’s very workable, open, and market friendly –  and demonstrably deals with the vast majority of attacks. And then the secondary step is to work with your key partners and suppliers to see that they do the same.

ActiveCyber: Artificial intelligence and machine learning are being discussed as the next big thing to improve cyber security. What is your view of the role these technologies can play or should play to support active defenses? What do you expect the timeline to be for broad adoption of these technologies in cyber defenses?

Sager: AI and ML are potentially big impact plays, in an area where we really need something better. But I have this uneasy feeling that there’s a lot of energy going into smarter algorithms and analytics to connect dots, understand tradecraft, and improve attribution – but not enough to help more directly with the cyber defense problem. By that I mean helping us understand attacks by category and type, helping us measure the value of defensive choices and identify the types of defenses that don’t provide enough value, and sort out the tactical indicator-chasing from foundational architectural or root-cause improvements.

ActiveCyber: The Internet of Things (IoT) promises to bring billions of more devices to the network to be securely managed. What types of changes do you envision to the SOC as the IoT comes on line?

Sager: I think the IoT will bring more emphasis to something that needs to happen anyway. Much more of the minute-by-minute management needs to be automated, and operators put into position to look by exception. The explosion of devices needs a distributed management environment in which controls and security functions are pushed to local levels. For example, for home use we see the fast rise in smart appliances, light bulbs, etc. followed by growth in smarter home firewalls and gateways and services. At a local level we need to define, or have machines learn, acceptable device behavior (who it talks to, who can issue commands), and build appropriate safeguards. And involve operators when rules are violated or when we don’t have rules for anomalous conditions.

Tony, I greatly appreciate your insight and I know my readers do as well. You have laid out a great plan of action for what vendors and enterprises need to consider when they look to improve their security posture through active cyber defenses. I also look forward to watching how CIS takes on the cyber challenges and provides assistance in defining and promoting the next generation of best practices focused on security automation.


About Tony Sager

Tony Sager is a Senior Vice President and Chief Evangelist for CIS (The Center for Internet Security). In this role, he leads the development of the CIS Controls, a worldwide consensus project to find and support technical best practices in cybersecurity. Tony also serves as the Director of the SANS Innovation Center, a subsidiary of The SANS Institute.

Tony retired from the National Security Agency (NSA) after 34 years as an Information Assurance professional. He started his career in the Communications Security (COMSEC) Intern Program, and worked as a mathematical cryptographer and a software vulnerability analyst. In 2001, Tony led the release of NSA security guidance to the public. He also expanded the NSA’s role in the development of open standards for security.

Mr. Sager holds a B.A. in Mathematics from Western Maryland College and an M.S. in Computer Science from The Johns Hopkins University.