NSA guru lauds security intelligence sharing

In a nod to the challenges of the past, Sager said that organizations such as the NSA traditionally developed their own practices for handling issues such as secure configuration of Windows, and that nearly every other government agency would do the same.

As government bodies finally began sharing their security information and establishing more unilateral best practices, the agencies realized that they could even drive technology vendors such as Microsoft to begin shipping their products in the state that the organizations demanded -- and that other organizations, such as private enterprises, could begin to adopt the same measures and benefit from the data as well.

Despite the progress that is being made, Sager said that the ongoing process of creating unilateral security frameworks such as the CWE and many other projects backed by Mitre -- a quasi-governmental body -- remains a challenge.

Organizations are sharing information, but the underlying processes that support the efforts still need further refinement, he said.

"We can't just dump our inboxes on each other. It has to be about sharing all of our different outputs in the same language, and people still don't understand that in a lot of cases," said Sager. "But through a lot of these efforts, the understanding is growing, and people are getting onto the same page, which is crucial to improving security for everyone."

Other observers agreed that the process of creating standard security language and practices across the government and private sectors are moving forward quickly.

Robert Martin, head of Mitre's CVE (Common Vulnerability Exposures) compatibility effort and a contributor to the CWE initiative, said that momentum is building behind his organization's guidelines and helping many government and private entities to better understand and share their own practices.

"With all these different pieces that are coming together, we are standardizing the basic concepts of security themselves as well as methods for reviewing and improving computing and networking systems," said Martin. "I see a future where a tapestry of tools, procedures, and processes are built over time that recognize and address the common problems that exist among all these constituencies."

Martin said that Mitre's efforts to add new security policy frameworks will continue to improve as they mature and even more parties begin to contribute their intelligence to the initiatives.

Black Hat attendees seemed encouraged by the progress being made, at least in terms of getting all the necessary parties to come together and share their tools and processes.

This level of collaboration is what has been sorely lacking in the security community in the past, observed Ray Kaplan, an independent security consultant based out of St. Paul, Minn.

"At last there's a metaview of all these shared problems. Up until recently, it seemed that this process was a confusing morass where everyone had different tools and procedures," Kaplan said. "The complimentary nature of what is going on with NSA and other agencies, and with Mitre and private involvement, should help create the common infrastructure needed to address these issues."