[ISN] NSA guru lauds security intelligence sharing

From: InfoSec News (alerts@private)
Date: Thu Aug 02 2007 - 03:05:25 PDT


http://www.infoworld.com/article/07/08/01/NSA-guru-lauds-security-intelligence-sharing_1.html

By Matt Hines
InfoWorld
August 01, 2007

Government initiatives aimed at fostering the sharing of security 
intelligence throughout the federal space are helping to establish the 
community atmosphere and best practices necessary to help those agencies 
-- and private enterprises -- improve their network and applications 
defenses, a National Security Agency leader told attendees of the Black 
Hat conference on Wednesday

Stepping to the stage to deliver a keynote presentation at the annual 
hacker confab in Las Vegas, Tony Stager, chief of the Vulnerability 
Analysis and Operations Group at the NSA, said that data-sharing efforts 
led by his agency and others in the federal space are maturing rapidly.

Having served a little less than 30 years as a security expert at the 
NSA, Stager said that federal agencies are finally succeeding in their 
efforts to build standards for issues such as secure configuration of 
Microsoft's Windows operating systems, and that those guidelines are 
likewise being adopted by other security initiatives and moving into the 
public arena.

At the heart of the progress is the notion that government entities and 
private institutions cannot effectively tackle security problems on 
their own, a deduction that seems obvious, but one that has been hard to 
implement on a practical level, in particular among agencies such as the 
NSA and U.S. Department of Defense, which closely guard all their IT 
policies.

"NSA has shifted the nature of its work over the last few years; the 
time has come when we are all living in this same chaotic network and 
need to come together to solve problems of this scale," Sager said.

"In the old days, the idea was that we could simply design away the 
risk, but this is a much more complex world today," he said. "We've gone 
from protecting [assets] to protecting not only data, but all the 
information around that and the infrastructure that supports it; it's a 
much more dynamic problem, and there's no way of escaping that this is a 
shared problem."

As part of its effort to help foster security data sharing, NSA has 
moved its focus from trying to build technologies aimed at solving major 
security issues to attempting to influence practices across the 
government space that can also be adopted by private-sector firms, he 
said.

A major element of the vision is pushing for standards that translate 
security intelligence into language that any organization can interpret, 
said Sager. He highlighted the Common Weakness Enumeration (CWE) project 
-- an effort aimed at creating a common language for identifying 
software vulnerabilities that is backed by the Department of Homeland 
Security and nonprofit Mitre -- as one example of the types of standards 
that are delivering on the NSA's goal.

"The time has come when folks in my business are thinking about how to 
transfer knowledge outwardly; we don't solve these problems one 
organization or one vulnerability at a time, so we're thinking of ways 
to leverage knowledge in light of the available economies of scale," 
Sager said. "We must be able to deliver expertise within the context of 
others' problems. In that way, this has become a business of influence 
[for the NSA]."

In a nod to the challenges of the past, Sager said that organizations 
such as the NSA traditionally developed their own practices for handling 
issues such as secure configuration of Windows, and that nearly every 
other government agency would do the same.

As government bodies finally began sharing their security information 
and establishing more unilateral best practices, the agencies realized 
that they could even drive technology vendors such as Microsoft to begin 
shipping their products in the state that the organizations demanded -- 
and that other organizations, such as private enterprises, could begin 
to adopt the same measures and benefit from the data as well.

Despite the progress that is being made, Sager said that the ongoing 
process of creating unilateral security frameworks such as the CWE and 
many other projects backed by Mitre -- a quasi-governmental body -- 
remains a challenge.

Organizations are sharing information, but the underlying processes that 
support the efforts still need further refinement, he said.

"We can't just dump our inboxes on each other. It has to be about 
sharing all of our different outputs in the same language, and people 
still don't understand that in a lot of cases," said Sager. "But through 
a lot of these efforts, the understanding is growing, and people are 
getting onto the same page, which is crucial to improving security for 
everyone."

Other observers agreed that the process of creating standard security 
language and practices across the government and private sectors are 
moving forward quickly.

Robert Martin, head of Mitre's CVE (Common Vulnerability Exposures) 
compatibility effort and a contributor to the CWE initiative, said that 
momentum is building behind his organization's guidelines and helping 
many government and private entities to better understand and share 
their own practices.

"With all these different pieces that are coming together, we are 
standardizing the basic concepts of security themselves as well as 
methods for reviewing and improving computing and networking systems," 
said Martin. "I see a future where a tapestry of tools, procedures, and 
processes are built over time that recognize and address the common 
problems that exist among all these constituencies."

Martin said that Mitre's efforts to add new security policy frameworks 
will continue to improve as they mature and even more parties begin to 
contribute their intelligence to the initiatives.

Black Hat attendees seemed encouraged by the progress being made, at 
least in terms of getting all the necessary parties to come together and 
share their tools and processes.

This level of collaboration is what has been sorely lacking in the 
security community in the past, observed Ray Kaplan, an independent 
security consultant based out of St. Paul, Minn.

"At last there's a metaview of all these shared problems. Up until 
recently, it seemed that this process was a confusing morass where 
everyone had different tools and procedures," Kaplan said. "The 
complimentary nature of what is going on with NSA and other agencies, 
and with Mitre and private involvement, should help create the common 
infrastructure needed to address these issues."

Matt Hines is a senior writer at InfoWorld.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu Aug 02 2007 - 03:24:12 PDT