To defend networks, we should be able to measure their security performance. I’m going to show you the exact techniques to measure the security of portions of your internal networks, such as anti-virus, malware and anomalous event detection. Then we will apply the same techniques to compare the security of classes of protective security products even though vendors don’t supply such specifications. Main points covered: • How to measure security and compare the effectiveness of protective devices as a function of time • The internal process mechanism is immaterial to system measurement; signature-based A/V, rule-based binary decision making, heuristics, deep learning or any possible hybrid • Attendees will be introduced and receive the math, the tools, charts and schematics on how to measure their own security Presenter: Winn has lived Security since 1983, and now says, “I think, maybe, I’m just starting to understand it.” His predictions about the internet & security have been scarily spot on. He coined the term “Electronic Pearl Harbor” while testifying before Congress in 1991 and showed the world how and why massive identify theft, cyber-espionage, nation-state hacking and cyber-terrorism would be an integral part of our future. He was named the “Civilian Architect of Information Warfare,” by Admiral Tyrrell of the British MoD. Recorded webinar link: https://youtu.be/F8Fs4yE_CUU

2. The Premise(s)
• Current Security Models are 45 Years Old. (Anderson, 1972)
• Next Gen Ain’t Working and the next next-Gen won’t either.
• Digital is not binary.
• The key to network survival is the ability to adapt to change.
• We are stuck. In. Stasis.
• Infinity is why traditional network security has failed.
• Infinity is Our Single Biggest Enemy

3. My Mom -1943.
NBC Mastering Engineer
DAD
RADAR DEV. WW2

4. My First DefCon

5. Winn As TV Repairman: $.50 per Repair

6. My Electronics Store

7. 1961

8. The Family Business: My First Studio (16 yrs. Old)

9. My First Lathe: Analogue/Mechanical

10. 1969-1970: Complex Systems

11. Manual Sync for TV/Movies

12. 7 January 1983: went into security
No Degree. No Certs. No Creds.

13. The Early Days:
Weaponization of the Internet
1990 1993

14. June 27, 1991
Our computer systems are so
poorly protected, they are “An
electronic Pearl Harbor waiting
to happen.”
“The Civilian Architect of
Information Warfare.”
Admiral Tyrrell, UK MoD

15. Need To Fix The Internet

16. I Wanted to Prove Security
Impossible.
Of Course It Is.
Hold On.
Wait.
(crass commercial Plug
coming later…)

17. Security can be measured.
We’ve just been thinking the problem wrong.
• Digital is not binary. Binary conditions rarely exist. There is fuzz
everywhere.
• Security is never 100%. No, never.
• Firewalls, Passwords et al. are the Maginot Lines of network security.
• Infinity is the Enemy. Feedback is a Must!
• Think recursive. Get loopy.
• “At the same time” (simultaneity) only means something at the quantum
level. It’s otherwise meaningless. You really mean “in sync” or “soon”.
• One can never be 100% positive about trust; it is an analogue function.
Therefore, neither 100% or 0% trust is achievable or meaningful.

18. A Philosophical Approach to Cyber-Security
• Kill Absolutism: Min-Max Only. No ‘0’s and no ‘1’s. That’s
called ‘Analogue’.
• Security is Dynamic. Not Static. Trust is Fuzzy.
• Employ Detection in Depth.
• Integrate Analogue Functions to Measure Security
• Insert Feedback. (Pos/Neg/OODA)
• OOB Comm is Required.
• Introduce Negative Time.
Time is the common metric between security,
privacy and risk.
Above All:
Do Not Change
Current Internet
(TCP/IP) Protocols or
Network Architecture.

19. START HERE: Time Based Security (1998)
• Protection (Fortress Mentality Does Not Work)
• P(t) > D(t) + R(t), & P(t) = indeterminate
• D(t) + R(t) = E(t)
• The goal is: [D(t) + R(t)] >> 0
• If, Pt < Dt + Rt, then Et = [(Dt + Rt) - Pt]
• BW / IDBI = 1/E(t)
• Data Loss Risk

20. The Premises of Feedback in Networks
•Static Security is a Fail. Dynamism is Required.
•Without Feedback, Network Chaos is Ensured.
•Apply Min-Max instead of 1s and 0s.
•Think recursive. Get loopy. Squeeze the Loop.
•“At the same time” (simultaneity) only means
something at the quantum level. It’s otherwise
meaningless. You really mean “in sync”.

21. SCADA/ICS are Measureable!
Programmable Logic
Controller
• Binary Controls
- On-Off = 1:0 =
Yes/No
• Analogue Controls
- > 0 & < 1

22. SCADA-like Negative Feedback In Our Personal Lives
• Thermostats: Auto-adjust cooling and heating systems to
dynamically adapt as dictated by the chosen temperature.
• Toilet ballcocks rises with water level; closes a valve that
turns off water.
• Motion detection for room lighting, which also happens to
be time-based.
• Home automation systems.
• Driverless cars.

23. Synaptic Weighting in Neural Networks
The Brain is Analogue, and
Processes Neurally.
Why are we letting the tech
(them!) tell we humans to
think like them?
Constant weighting,
feedback/feedforward, and
updates.

24. •We are only moving
data… not dynamic
control information.
•SCADA/ICS does
both.
Where is Network Security Feedback?

25. • This is the basis of
Analogue Network
Security.
Network Security Is A Bear

26. OODA Loop Feedback
• Apply to Kinetic Conflict
• Apply to Marketing
• Apply to Business
Processes
• It’s a Decision Cycle!
Developed by USAF Col. John B
for Aerial Dog-Fighting

27. OODA With More Feedback

28. OODA in Security Awareness: Positive
Feedback

29. Banking Verification with OOB Feedback

30. My Wife’s Car Does This – Out of Band
• Natural
Human
Feedback
• OOB (Head
Turn)
• Adapted to
Collision
Avoidance

31. I Have Trust Issues
•Trust is NOT
Binary!
•It changes over
time!
•Dynamic Trust
Degradation
•Periodic Trust Re-
Evaluation

32. The Analogue Two (Or More!) Man (Person) Rule
• Alice makes a choice
• Bob must approve
(Feedback)
• Time is the Metric
2 People or Processes
MUST agree.

33. Replace Defense in Depth (Epic Fail) with Detection
in Depth
Sensors on GE (et al) jet engines can produce 10
terabytes of operational information for every 30 minutes
they turn. A four engine jumbo jet can create 640
terabytes of data on just one Atlantic crossing. Now,
multiply that by the more than 25,000 flights flown each
day…”
COMMON DETECTION SENSOR TECHNIQUES:
Optical spectrum. Electromagnetic - DC to 300+
PetaHertz (gamma rays, 3 X 10^21 Hz). Sonic: from
almost 0 Hz to ~250KHz at sea level air. Pressure.
Viscosity. Phase relationships (time). Vibration
(intensity/time). Velocity (time). Acceleration (time^2).
Tuned to specific Chemical Signatures. Echoing &
Doppler. Temperature (time & time^2). Proximity.
Weight/Mass. Flow (time).

34. Testing Vendor Claims with Feedback
34

35. Using Feedback to Measure Security D&R Efficacy
35
• Detection
• Reaction
• “Squeeze The Loop”
• Add Trust Factor
For defensive security to
be effective:
P(t) > D(t) + R(t), and
E(t) → 0 (Limit formula)

36. 2 Detection Products: Applying Bayes and Trust

37. Data Exfiltration Protection

38. Measure Your Phishing Vendor Products

39. Adding an OOB Channel

40. When Primary Comm is DOS’d
•Reaction/Remedia
tion
not possible over
primary comm
channel;
•Ergo, OOB
Feedback

41. OOB/DDoS Feedback in Closed System

42. 1st Hop Feedback Mechanism:
Feedforward and Negative Time

43. Feedforward and Negative Time with Toggled Delay

44. Multi-Tier Feedback (DDoS)

45. Squeezing the Loop: T ➞ 0

46. Intelligence in the Loop

47. Feedback & Ebbinghaus: Visualizing Security

48. Feedback Yield OODA via Trust Decay

49. OODA: Go Fast or Lose

50. What Can You Do Now?
•Measure Your Detection Process. You can do this!
•Measure Your Reaction Process. You can do this!
•Measure Vendor Performance: You can do this!
•Compare Products in Test Bed
•Demand Hard Data From Your Vendor!
•Examine Security Process for Intrinsic Feedback
• Where else can Feedback be applied? Code? Human/Cyber/Physical
Pocesses?

51. ISO/IEC 27032
Training Courses
• ISO/IEC 27001 Introduction
1 Day Course
• ISO/IEC 27001 Foundation
2 Days Course
• ISO/IEC 27001 Lead Implementer
5 Days Course
• ISO/IEC 27001 Lead Auditor
5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events

52. THANK YOU
?
winn@thesecurityawarenesscompany.com
www.thesecurityawarenesscompany.com
linkedin.com/in/winnschwartau