Professional Documents
Culture Documents
Tony Sager Chief, Vulnerability Analysis & Operations Group Information Assurance Directorate National Security Agency
Protect classified information and real-time defense of information & systems Focus on GOTS crypto More products than services Avoid risk Find & mitigate vulnerability Broad spectrum of COTS IA & IT More services than products, and more influence than doing Manage risk and detect the threat
Vulnerability Analysis & Operations Group The nations most capable, influential, and trusted source of actionable information on network vulnerabilities and intrusions.
What We Do
Analyze vulnerabilities in
Emerging technologies Core concepts
Stakeholders in Assurance
Stakeholders in Assurance
DoD Policy, OMB, FISMA, Security Automation Program OS Vendors, Tool Vendors, Compliance Checklists
Authorities
Suppliers
Air Force, DoD, Standard Desktop Load
DISA STIGs, NIST Checklists, Corporate baselines NSA, DISA, NIST, Center for Internet Security
Vulnerability Plumbing
CONTENT New IT vulns Security Guides & benchmarks Red and Blue Team Reports Product tests Incident reports PLUMBING CVE OVAL CCE, CPE CVSS XCCDF FIXTURES Multiple tools to measure,fix, report Integrated reports Integrated tools Policy compliance Rapid vuln sharing, assessment, remediation
7
Towards Information Sharing Integrated Analysis & Reporting Security Sampling Community events,tools, standards, reporting, lessons, Red Team Blue Team OPSEC COMSEC TechSec
8
Organize the data generators Standardize the raw data Translate into something useful upstream Link to other business areas
e.g., network management, compliance
Community Activities
Federal Desktop Core Configuration (FDCC) ISAP/SCAP CND Data Strategy Pilot Assessment Methodology Cyber Defense Exercise (CDX) Red & Blue Boot Camps Red Blue Symposium
10
11