Ex-NSA Official Heads New Global Consortium Issuing Attack-Driven Security Controls

Volunteer army issues Top 20 Critical Security Controls that public- and private-sector organizations should use for locking down their environments from the latest attacks

A new international consortium launched today to help government agencies and the private sector prioritize their security defenses in the face of the latest threats and attacks. The Consortium for Cybersecurity Action (CCA) also updated the 20 Critical Security Controls that originated from initial work by the National Security Agency (NSA), with security steps to combat advanced persistent threat (APT)-type attacks.
Tony Sager, the retired chief operation officer of NSAs Information Assurance Directorate and who is heading up CCA, says its about prioritizing what organizations need to do to protect their computing environments and data. A great deal of the challenge is the fog of more. Things are changing so quickly, Sager said during a teleconference today. A lot of times, enterprises just dont know where and how, or what to do. Wheres the next dollar best spent?
The Top 20 Critical Security Controls provides a guide post, of sorts, for how specifically to go about prioritizing and locking down infrastructure. Rather than trying to deploy everything at once, an organization can focus on the little things first, for instance, such as gaining a comprehensive inventory of the authorized -- and unauthorized -- hardware and software in their environments.
CCA is basically a volunteer army, Sager said, that identifies and prioritizes the most important things to do to prevent breaches. Weve seen their adoption by critical enterprises, and lots of vendors are standing up and saying, We can support these controls, he says.
Tom Kellermann, who served on The Commission on Cyber Security for the 44th Presidency, says the 20 Critical Controls list is a paradigm shift to basing security defenses on the actual threats and attacks occurring within organizations. I am a huge proponent of the 20 Critical Controls. They represent a paradigm shift wherein offense truly will inform defense. The fact that they are dynamic ... [that they] are re-evaluated every year is a game changer, says Kellermann, who calls Sager the Yoda of cybersecurity.
But given the rapidly changing threat landscape, can the list of controls truly keep up with the times? Kellermann, who is vice president of cybersecurity at Trend Micro, says the list will stay timely because it will be based on input from penetration testers and the NSAs red and blue teams. They can understand what tactics are bypassing defense on depth stratagems, he says. Threat intelligence must also evolve and become global in nature, as well, he says.
The common strategy of patching vulnerabilities and manually decoding and analyzing packets just isnt working, notes Eric Cole, founder and chief scientist at Secure Anchor. We sat back and looked at what are the key things that are missing? Why are organizations failing and not being successful at defense, Cole said during todays teleconference.
Part of the problem, he says, is that organizations are not using a single playbook for securing their infrastructure. IT, security, auditors, and executives all need to have a common set of metrics, he said. Thats what the Top 20 Critical Controls list provides, he said.
[Strapped for cash and feeling pinched by the increase in targeted attacks, some federal agencies are coming up with their own solutions for better protecting their information. See
Government Agencies Get Creative In APT Battle
.]
Among the various updates to the list in Version 4 that reflect the changing attack landscape is running applications on the client side in a separate virtual machine to minimize the impact of an advanced attack, Cole told
Dark Reading
. A lot of the additions weve [made in Version 4] focus on APT-style things.
William Pelgrin, president and CEO of the Center for Internet Security, and chair of the Multi-State Information Sharing and Analysis Center (MS-ISAC), says security has historically been too strategic. It needs to be much more tactical, Pelgrin said in the teleconference today. Take those areas where you have the highest risk and your critical components and deal with them first.
Organizations cant fight threats all alone anymore, he says. The days of trying to do this alone are gone ... Anyone who says they can do it on their own is destined for failure.
But Pelgrin and other experts concede that the controls cant stop every determined attacker. Some things are totally out of our control, like a zero-day exploit, for example, Pelgrin said. But with the Top 20, youve solved the majority of issues facing your enterprise from being exploited. We really need to have these baseline standards.
While deploying the Top 20 may be the ideal, its not realistic for all organizations, especially smaller ones with limited resources and budget.
Secure Anchors Cole says implementing two or three of them can make a big difference. The biggest problem we see is in asset management, controlling what devices are in your network with BYOD, he says. Automated asset management would be a good start, he says. And automating controls is key to keeping up with the newest threats, he says.
If I had to pick one, it would be Critical Control #3, configuration management. If you have a secure configuration in hardening and locking down services and ports and software, youre really going to get the best payoff, Cole says. And getting #3 checked off the list would require the asset management pieces in Controls #1 and #2 for asset management of hardware and software, respectively, according to Cole.
So far, more than 13 states in the U.S. have adopted the Critical Controls, including Colorado, Ohio, Michigan, and New York.
Members of the CCA are American Express, Booz Allen Hamilton, Citibank, Core Security, U.K. Centre for the Protection of National Infrastructure, U.S. Department of Defense Cyber Crime Center, U.S. Department of Homeland Security, U.S. Defense Information Systems Agency, U.S. Department of Defense, Goldman Sachs, Mandiant, McAfee, Mitre, nCircle, NSA, Qualys, Symantec, and Tenable.
The full Top 20 Controls list is available
here
.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Ex-NSA Official Heads New Global Consortium Issuing Attack-Driven Security Controls