Presented at
DEF CON 32 (2024),
Aug. 9, 2024, 5:30 p.m.
(20 minutes).
What's it like to spend a career as a cyberdefender for the DoD and the nation, but homed inside of an intelligence agency? In this talk, I'll offer a historical and personal perspective based on 35 years at the National Security Agency as a vulnerability analyst for the defense, from junior analyst to executive manager. The common element across my career was the search for vulnerabilities in the name of defense - finding them, making sense of them, leading organizations to find them, and then translating that knowledge into action to prevent or manage them. I'll share lessons learned as cyberdefense evolved from a focus on mathematics and cryptography to systems and software; and from government security to a global internet. And we'll focus on the mission, technical, and cultural interplay of cyberdefense and offense/intelligence as it played out at NSA. War stories, culture clashes, bureaucratic mazes? Of course! But in the end, better security for all.
Communications Security, Computer Security, Information Security, Information Assurance, Defensive Information Operations, and several more - I'm very lucky to have ridden the World-Wide Wave we now call cybersecurity.
And I am very proud to have spent 35 years in Federal Service at the National Security Agency as part of the Information Assurance mission. The common element across my career was the search for vulnerabilities in the name of defense - finding vulnerabilities, making sense of them, leading organizations to find them, and then translating that knowledge into action to prevent or manage them.
That final challenge consumed the last third of my government career. How can we translate what we learn through product testing, Red Teams, Blue Teams, systems analysis, etc. into operational guidance, best practices, requirements, training, and security improvements? How can we bridge the gap between telling people what they are doing wrong, and helping them do what's right? This led to projects like the release of NSA Security Guides to the public (www.nsa.gov), involvement in open standards for security automation and information sharing, and an activity now known as the Critical Security Controls.
Since retirement in 2012, I have been able to continue to serve the cause of cyber defense through our work at the non-profit Center for Internet Security, and the Council on CyberSecurity before that. And I am very active in more volunteer cybersecurity causes than I can recall.
Presenters:
-
Tony Sager
- Senior VP & Chief Evangelist at Center for Internet Security (CIS)
Tony is currently Senior VP & Chief Evangelist for the Center for Internet Security (CIS), leading a wide variety of strategic, partnership, and outreach activities. He led the work which later became known as the CIS Critical Security Controls – an independent, volunteer-developed, cyber defense best practices program which is used throughout the industry. Tony has led numerous other activities to develop, share, scale, and sustain effective defensive cyber practices for worldwide adoption.
In addition to his duties at CIS, Tony is a volunteer in numerous cyber community service activities: inaugural member of the DHS/CISA Cyber Safety Review Board; Advisor to the Minnesota Cyber Security Summit; Advisory Boards for several local schools and colleges; formerly a member of the National Academy of Sciences Cyber Resilience Forum; and service on numerous national-level study groups and advisory panels.
Tony retired from the National Security Agency in 2012 after 34 years as a mathematician, computer scientist, and executive manager. As one of the Agency’s first Software Vulnerability Analysts, he helped create and led two premier NSA cyber defense organizations (the System and Network Attack Center, and the Vulnerability Analysis and Operations Group). In 2001, he led the release of NSA security guidance to the public and expanded NSA’s role in the development of open standards for security.
In 2023, Tony was inducted into the Cybersecurity Hall of Fame.
Similar Presentations: