Daniel Miessler discusses moving from a prevention-focused approach to security to a resilience-focused approach. He argues that, like "peak oil", our ability to continue growing prevention capabilities has limits and we need to find new ways to reduce the impact of incidents that do occur. Miessler advocates preparing for inevitable risks by making data unusable if stolen, insuring against losses, improving response and recovery, and reducing the value of what attackers can access. The goal is shifting from fully preventing incidents to reducing their impact when they do happen.
2. Intro
Daniel Miessler (@danielmiessler)
18 years in infosec: mostly as a tester (net/web/app/iot)
Run the consulting practice for IOActive
Read / write / podcast / table tennis
5. Peak $THING
We used to have a lot of room to grow.
That growth has stopped.
We now have as much as we’ll ever have.
We need to find another source of what it was providing.
6. Peak $THING (oil)
We used to have a lot of room to grow. (finding more oil, producing it faster)
That growth has stopped. (we found most of the oil)
We now have as much as we’ll ever have. (it’s all downhill from here)
We need to find another source of what it was providing. (energy)
10. Peak $THING (prevention)
We used to have a lot of room to grow. (add firewalls, AV)
That growth has stopped. (it can all be bypassed)
We now have as much as we’ll ever have. (kind of)
We need to find another source of what it was providing. (risk reduction)
This is not about a tool. It’s not about a service. It’s about an idea.
You should be able to apply this whether you’re in senior management or doing technical defense, and whether you’re a vendor or an internal resource.
Who knows what peak oil is?
You can abstract PEAK to anything.
…
So energy was the thing we wanted, oil was giving it to us, and now we need another source.
So with infosec we have an equation for RISK, which is probability x impact.
We’ve been getting our energy from oil, so where have we been getting our risk reduction?
WE STOP THIS, WE PREVENT THIS
How many booths have you seen where the focus was making it ok if you got hacked?
So if we plug prevention in here we get something like this.
So if we take a look at how the risk equation plays out, we can see something like this.
It’s multiplication.
So you change the ratings for probability and impact, and the risk score changes.
Anything times zero is 0.
So let’s say our acceptable risk is 40-60—say 50.
So here’s where we’re trying to get.
Well here’s the problem.
Our impact is jacked up. And we are reaching our limit for prevention.
So we can spend millions more on more prevention technologies, and still not get much reduction in probability.
If we peak at 7 for prevention, we get locked in for impact.
One more thing about the prevention peak. Are we REALLY peaked at 5?
Who thinks we’re doing the best we can in prevention? Great. And who thinks it’s going to get better in the next 1-5 years?
So if we’re locked in at 7 for prevention, impact can’t go above 6.
But we’re not at 6. We’re at a 10. Or a 9.
Everything bad that happens is catastrophic, because RSA (and the entire narrative) is bent around prevention.
So if we want to move into the green box, and we’re spent on prevention, we need to get into THIS area for impact.
But the problem is that we’re here.
This is the problem. We’re way too focused on prevention.
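The risk arithmetic above, as an added worked example that is not from the talk or its slides: the equation is modeled as risk = probability x impact on 1-10 ratings, with prevention treated as a floor on probability, and each threat scenario is asked how many points of impact it must shed to land in the acceptable band. The 1-10 scale, the target of 50 (the talk's "say 50"), and the three scenarios in the register are assumptions and constructed data, not figures from the talk.

```python
# Added example, not from the talk or its slides: a small model of the
# talk's risk equation (risk = probability x impact on 1-10 ratings) used
# to ask, per threat scenario, how much impact reduction is needed once
# prevention has hit its ceiling. Scale, threshold and scenarios are assumptions.
from dataclasses import dataclass

SCALE_MAX = 10        # assumed: ratings run 1..10 as on the slides
ACCEPTABLE_MAX = 50   # assumed: the talk's "acceptable risk is 40-60, say 50"


def risk(probability: int, impact: int) -> int:
    """The talk's equation. It's multiplication, so anything times zero is zero."""
    return probability * impact


def impact_ceiling(probability_floor: int, acceptable_max: int = ACCEPTABLE_MAX) -> int:
    """Highest impact rating that keeps risk within acceptable_max when
    prevention cannot push probability below probability_floor."""
    if probability_floor <= 0:
        return SCALE_MAX           # probability zero: any impact rating is tolerable
    return min(SCALE_MAX, acceptable_max // probability_floor)


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: int   # rating after all the prevention we can realistically buy
    impact: int        # rating as things stand today


def impact_reduction_needed(s: Scenario, acceptable_max: int = ACCEPTABLE_MAX) -> int:
    """Points of impact that must be removed to reach the acceptable band.
    Zero means prevention alone already gets this scenario there."""
    return max(0, s.impact - impact_ceiling(s.probability, acceptable_max))


def plan(scenarios: list[Scenario], acceptable_max: int = ACCEPTABLE_MAX) -> dict:
    """Return name -> (current risk, impact points to remove) for each scenario."""
    return {
        s.name: (risk(s.probability, s.impact), impact_reduction_needed(s, acceptable_max))
        for s in scenarios
    }


# Constructed register, not real data. Probabilities are already at the
# "peak prevention" floor the talk describes (we can't buy them any lower).
REGISTER = [
    Scenario("customer DB exfiltrated, plaintext", probability=7, impact=10),
    Scenario("customer DB exfiltrated, field-level encrypted, keys held elsewhere",
             probability=7, impact=0),   # stolen data unusable: anything times zero is zero
    Scenario("ransomware on file shares, tested restores", probability=6, impact=5),
]

if __name__ == "__main__":
    for name, (current, needed) in plan(REGISTER).items():
        print(f"{name}: risk {current}, impact points to remove: {needed}")
```

With probability stuck at 7 and the target at 50, the plaintext database scenario sits at risk 70 and has to lose three points of impact that no further prevention spend can remove; the same data stolen in an unusable form scores zero no matter how likely the theft is, which is the "make data unusable if stolen" lever in the summary.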
And this applies to SO MANY THINGS.
Terrorism.
9/11 cost the country over 5 trillion dollars and hundreds of thousands of lives.
Think about the damage that 10 people can do to the country with basic pipe bombs.
How do you prevent 10 people with pipe bombs? You don’t.
How do you prevent skilled attackers from getting into most networks? You don’t.
Great. So what do we do?
We need to find ways to reduce impact when bad things do happen.
I’m not going to name tools because that’s not what this is about. There are solutions starting to come out now.
Longer term.
I take the takeaways seriously.
We have more control over the impact side of the equation than the probability side.
We need to use it.
Look for impact reduction in all your threat scenarios.
Expect to see this shift.
Finally, think about what this shift is going to do to decision making in the C-Suite.
What happens when CEOs and CISOs start asking questions?
That’s what I wanted to share today.
Hopefully I’ve given you something to think about.
Thanks for having me.