Almost 70 years since the first computer bug was discovered, there have been decades of research done on Information Security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We’re likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we’ve managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about “Information Security Risk”. In fact, it’s worth noting that we can’t even agree whether there is a space between “Cyber” and “Security” when it’s written out. This talk will take an anecdotal look at “Information Security Risk” and “What IS Cyber Security?”, and use that perspective to suggest areas of research that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.
2. Presently:
EnergySec Senior Strategist
International Policy Discussions
Previously:
Hacker Compound
Open Source (Honeypots)
Managed Commercial Security (Visualization! Correlation!)
FBI SOC
Enterprise Security Architect
ICS-CERT/NCCIC/DHS/INL: National Control Systems IR
Government: Public/Private Partnership Development as Transportation SSA
Also:
Artist & Backpacker
About Me
3. We have been focusing on improving information security and risk management
practices to reduce cybersecurity risk.
This focus has likely improved information security practices, but without
meaningfully or sustainably reducing cybersecurity risk
This has come at the cost of the resources we will require to displace potentially
dangerously entrenched behavior and misaligned markets created as an
outcome of this focus.
Our focus on information security solution spaces may be preventing us from
making necessary transformative (as opposed to incremental) improvements
because:
Information Security practices and solution spaces do not control or speak to
enough of the exposure environment to create sustained, strategic
improvements in position
We need to take a wider view.
(Warning: The view may contradict itself and this will be a linear presentation of a non-linear topic)
Why this talk? Thesis
4. Progress in economics consists almost entirely in a progressive
improvement in the choice of models….
[It] is a science of thinking in terms of models joined to the art of
choosing models which are relevant to the contemporary world…
[and] it is essentially a moral science and not a natural science…
That is to say, it employs introspection and judgments of value.
– J. M. Keynes to Harrod, 4 July 1938 (Sorta)
Models: How we think
11. State of Security
The world already has a lot of cybersecurity “solutions” and
“products”
The average information security budget according to
PricewaterhouseCoopers is a staggering $4.1 million
According to Gartner, the worldwide Information Security market
is valued at more than $70 billion.
And, yet…
The list to your right contains many, but not all, major Fortune 500
breaches 2011-2014
These are not companies that cannot afford cybersecurity
Most organizations are notified by external parties hundreds of days
after a breach
Cybersecurity is a hard problem that clearly, by any public
metric available, remains unsolved in any sustainable way
97% of networks have been breached (FireEye)
13. Of Solutions
At the Wrong Level
Without being Able to Articulate the Problem
NIST CSF
– Common Practices
– List of things that aren’t sufficient
Cybersec EU, Poland, 2015
– Talking Information Sharing at Highest International levels
– Conducting, not winning conflict
– Same solution spaces provided over and over again
– Specificity intersecting with applicability and repeatability extraordinarily
difficult
– This has to stop
…And yet we still rely on old models
16. We don’t agree on much
We do not have a consensus definition
“Cybersecurity”
– Neither the problem space nor the discipline
– We can’t even decide if there is a <space> between Cyber and Security
– Ask any 5 experts, get 5+ answers
Speaking of experts…
17. Cybersecurity Experts (Perspectives)
• System Administrators
• Malware Analysts
• Incident Responders
• Lawyers
• CISOs
• Procurement Officials
• Chairmen of the Senate Whatever Committee
• Heads of the NSA
• Senior Sales Engineers for Security Companies
• Hackers
• Children
• CEO/Executive Board Members
• Criminals/Terrorists
• Journalists
• Developers
• Activists
• Evolutionary Ecology PhD’s
• Diplomats
• Control Systems Engineers
• Regulators and Auditors
• Emergency Managers
• Citizens
• Operations Staff
• Firewall Engineers
18. Cybersecurity Context
Cybersecurity is a huge domain that spans
entire cultures, industries, and nations while
remaining highly individualized
This means we have to always be cognizant
of context, models, and definitions.
To start with, we should ask a fundamental
question…
19. What is a secure system?
Secure system:
One that does no more or less than we
want it to for the amount of effort and
resources we’re willing to invest in it.
But what does that MEAN?
20. Well, first, what is a SYSTEM?
Connected Technology that Processes Information and
Produces Output
Technology is just a proxy for human decision and action:
– Design
– Build
– Configure
– Operate
– Test
Our systems are our businesses, nations, and
cultures; we’ve just added technology.
21. Human Systems
Following this logic
– Systems are VERY BIG
– They have FUZZY BOUNDARIES
– They are HARD TO MODEL and EMERGENTLY COMPLEX
– Individuals have LIMITED SPHERES OF INFLUENCE on them
– But are subject to COMPLICATED IMPACTS FROM OUTSIDE THEIR
SPHERE
– And we ***STILL HAVE TO MANAGE THESE SYSTEMS***
Our Threat Models must apply to our entire
system definition.
So, where do we create boundaries?
How does this definition affect security?
22. Decisions: “Atomic” elements of Cyber Security
Cyber Security State is comprised entirely of a series of
authorized decisions made by people in authorized
capacities on a timeline
To Model Systems and Security State, we have to Ask:
– Who is Making What Decisions, Why, and How?
A useful filter for determining boundaries and scopes can be created by
determining your sphere of influence and asking:
– Where on a timeline is your sphere influenced
– By which decisions and by whom
– For what goals/values
– To what kind of effect
How does your sphere of influence affect or not affect others?
23. Cybersecurity Experts Revisited
• CEO/Executives
• Lawyers
• Procurement Officials
• Regulators and Auditors
• Emergency Managers
• Operations Staff
• Chairmen of Senate Committees
• Heads of the NSA
• Diplomats
• Criminals/Terrorists
• Journalists
• Citizens
• Children
• Activists
• Evolutionary Ecology PhD’s
• CISOs
• Malware Analysts
• Incident Responders
• Senior Security Sales Engineers
• White Hat Hackers
• Firewall Engineers
• Developers
• System Administrators
• Control Systems Engineers
How might these groups of Experts define Cybersecurity?
24. InfoSec vs CyberSec
Use Previous Filter to Group People
– InfoSec
• Closer to “Security” Technology
• Focused on Mitigation
• Short Span of Influence on Exposure Creation
• Core competencies in technological exposure mitigation
– Others
• Further from “Security” technology
• But MORE influence over exposure creation
• Greater span of influence in general
• Low security technology competency
“Others” have significantly more impact on system
security state than “InfoSec”, but are not directly
tasked with “Information Security”
26. Cyber Definitions Revisited
Secure system: One that does no more or less than we
want it to for the amount of effort and resources we’re
willing to invest in it.
Cybersecurity: The enablement of an environment in
which business objectives are sustainably
achievable by Information Security, Control
Systems Security, and Other Related Security
Activities in the face of continuous risk resulting from
the use of cyber systems.
Cyber Risk: the possibility that actors will use our
systems as a means of repurposing our value chains to
alter the value produced, inhibit the value produced, or
produce new value in support of their own value chains.
27. Cybersecurity: Managing a Parasitic Environment?
29. Error Handling
“Others” create cyber security exposure
(mostly)
“Others” also limit/define InfoSec scope
InfoSec Programs are primarily “Error
Handlers” and relatively non-causal to cyber
security state (this doesn’t mean they are
unimportant)
30. Island Internet
Isolated Security Events
Techies (me) without funding or buy-in develop practices
Automated Worms Disrupt Business
Market need identified and met by selling practices
Connected Important Stuff
Merging Realities, Conflict and All
Entrenched Models and Practices failing to solve for New Reality and New Scope
We started out specialized and then specialized further despite context and problem
space expansion, and we’ve failed to improve and update models or develop
appropriate, specific objectives accounting for our environment*
Now we’re missing important fundamentals in scope, metaphor, language, and
strategies, and are battling existing investment to fix them
(*or, at least, we’ve failed to create effective socialization mechanisms for them)
Tail Wagging the Dog: How did we get here?
32. Full Cyber Stack: A Problem Space Framework
Connected, Related Problem Spaces that Affect Cyber Security State:
33. Problem Space: Humans
If Security State is Decisions on a Timeline,
we have to deal with:
– Average Ability
– Opaque Motivations and Habits
– Shaded Risk Perception
– Learning Capacity
– Conflicting Information Processing Mechanisms
– Personality Conflict
– Patterns Not Reality
34. Problem Space: Technology
Cannot Express Security Directly
Requires Core Competency replicated to all organizations
General Purpose Expressly Allows Exposure
Evolving Faster than Human Cultural Processes
Complexity: Exposure rising directly and infinitely with complexity
35. Problem Space: Culture
Resistance to Change
Blinded (often) in certain Topic Areas
Socially, not factually, driven replication of talismanic memes
Simplification of complicated topics
Us vs Them: Perspective & Context Awareness
Firefighting is Sexier than Exposure Management
Language, Conceptual Clarity across Discipline Borders
36. Problem Space: Org Behavior
Conflict in Hierarchical Value Production
Single “System”, but not engineered or designed
Data to Knowledge to Action bandwidth limits
Difficult or impossible risk aggregation
Limited Resource Allocation (Speed, Accuracy)
Insufficient resources hidden by poor risk perception
Organizations don’t feel risk
Little Full System (Human) Threat Modeling
37. Problem Space: Industries
Competition vs Common Need
Complex System Boundaries
Entrenched Investment (InfoSec!)
Indirect connection to Risk (Boiling Frogs)
Competency Required by all: Cannot maintain
38. Problem Space: Nations & Body Politic
Geography, Power Delegation, & Proximity
Common Problem Space Consensus
Multi-stakeholder Model/Regime Management
Perception Management of Body Politic
Tragedy of the Commons
39. Problem Space: International
Bad Conflict Metaphor: Defender vs Siege
– (Creates Compliance Misalignment)
Stability Problems
Norms of Behavior & Confidence Building Measures
Information vs Kinetic Warfare
Few Capacity Building Missions/Mandates
40. Problem Space: Global Culture
Predictably reliable infrastructure in order to
increase its health/wealth
Freedom to develop practices, norms, boundaries, and
technologies which exist outside of nation state constructs,
as the internet (does it?) breaks without this. This is a matter of opinion?
Tools and techniques and forums and media in
which to exist as an independent construct from
other sub-power brokers
42. Generally…
We have problems to solve
They are serious impediments to reducing
cyber security risk
They have not been defined or socialized
Without definition and socialization, people,
organizations, cultures, nations, etc. cannot
work together to solve them
We can convert these gaps into concrete plans
of action for resolution – or at least socialize
good practice
43. Specifically…
NIST CSF, NERC CIP, C2M2, Top 20, 800-53, etc.
NONE of these address Exposure Introduction in a meaningful way within
organizations
If Exposure is not managed outside of InfoSec, InfoSec costs will continue to go up while
effectiveness goes down (due to rising complexity)
NONE of these address barriers to sustained implementation of their own advice
Organizations are exploited most often because of the gap between “Perceived” and
“Actual” reality
Being able to manage exposure introduction in a sustained manner within the
constraints of the outside world requires concerted planning, work,
coordination, and resources across your businesses, cultures, industries, nations,
and the world…
And we have few mechanisms in place to do so.
44. Expand
Clarify
Communicate
Maintain
Use
Market
Criticize
Trash it and Start Over if Needed
– We still need one
– Let’s just stop repeating ourselves
Improve on This Problem Space Framework?
45. Think Beyond InfoSec
– Broaden Scope Out As Far As You Can Go
Re-Consider your Metaphors and Models from the Ground Up
– If Only as a Thought Exercise
Ask how to manage risk without InfoSec
– Then build an error handler
Wonder at why we are where we are
– And treat common practices as solving an insufficiently complete
list of problems
If nothing else…
Left to Escape Ebola Zombies
Came back, turns out I made an effectively prioritized decision that had nothing to do with my perceived risk and executed a really well performed solution that improved my life, but not in a way I anticipated. Actually, no, I had goals, changed environmental factors, and suddenly my decision making capacity and effectiveness improved
But out there, eventually you run out of things to say to yourself and you start challenging your fundamentals…and this is what this talk is really about; Do we really know what the forest looks like, or are we getting lost in the trees? How do we find a way out?
Why is this? Why are we doing so poorly? What am I trying to get at with this talk….bad metaphors and targeted problem spaces
When submission time came, for this, I hadn’t spent a lot of time doing hard research, but sometimes that’s ok…because thinking about models can be a valuable precursor to getting data….especially in a new space like cybersecurity (and I use the word intentionally) here….and especially when you think that perhaps existing models are deeply off. Many times, though, we’re stuck in the grind and can’t really focus on deep, big picture, abstract thoughts. But this year, I did have that chance….to very literally think about the forest for the trees.
A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition for lack of a common idea of what it is we’re solving for. Framework….