Resilience in information security is used as a buzzword, but hasn't been codified. I attempt to define what resilience means in cybersecurity, and look at cross-domain insights (climate change, disaster recovery, flood risk management) for practical ideas of how to implement it when architecting security strategy. HQ here: http://swagitda.com/speaking/Red-Pill-of-Resilience-Shortridge-RSS-2017.pdf

1. The Red Pill of Resilience
Kelly Shortridge (@swagitda_)
Rochester Security Summit 2017

2. Hi, I’m Kelly

3. 3
Resilience begets deterrence

4. “The oak fought the wind and was broken,
the willow bent when it must and survived.”

5. “The more you sweat in peace, the less you
bleed in war.”

6. Resilience is about accepting reality, and
building a defensive strategy around reality

7. 7
Stages of Grief in InfoSec
Etymology of Resilience
The Resilience Triad:
▪ Robustness
▪ Adaptability
▪ Transformability

8. Stages of Grief

9. 9
InfoSec is grieving that companies will never
be invulnerable to attack

10. 10
Denial – clinging to a false reality
“We aren’t really at risk”

11. 11
Anger – frustration that denial can’t go on
“It’s your fault that I need security”

12. 12
Bargaining – hope that the cause is avoidable
“Maybe we can stop attacks from happening”

13. 13
Depression – despair over the reality
“We’re going to be hacked, why bother?”

14. 14
Acceptance – embracing inevitability
“Attacks will happen, but I can be prepared”

15. 15
Lack of acceptance feeds solution
fragmentation, FUD, and snake oil

16. 16
Security nihilism isn’t the answer.
Resilience is.

17. Etymology of Resilience

18. 18
1858: Engineering – strength & ductility
20th Century: Psychology, ecology, social
sciences, climate change, disaster recovery

19. Resilience in Complex Systems

20. 20
Non-linear activity in the aggregate
Intertwined components, unpredictability

21. 21
Infosec is a complex system.
Defenders, attackers, users, governments,
software vendors, service providers, …

22. 22
Ecological resilience
Continually adapt; high degree of instability

23. 23
Chestnut trees in eastern North America’s
forests were wiped out by chestnut blight
Oak and hickory trees grew in their stead

24. 24
Evolutionary resilience assumes socio-
ecological systems are co-evolutionary

25. 25
Communities can diversify agricultural
landscapes and production systems

26. 26
Three central characteristics of resilience:
Robustness, Adaptability, Transformability

27. 27
Hurricane Harvey – primary damage was
flooding from ongoing rain, not storm surges

28. 28
Resilience is about the journey, not the
destination

29. 29
Accept the risk will exist
Reduce potential damage & restructure
around the risk

30. 30
Survival rests on embracing the unknown
and accepting that change is inevitable

31. Robustness

32. 32
Robustness: withstanding and resisting
a.k.a. “engineering resilience”

33. 33
Safe development paradox: stability allows
risk to accumulate, compromising resilience

34. 34
Focus on just engineering resilience leads to
a maladaptive feedback loop

35. 35
Suppressing fires in fire-adapted forests
leads to a build up of fuel over time

36. 36
Patching & retroactive hardening of vuln-
prone systems accumulates risk

37. 37
Levees support further human development
in at-risk floodplains

38. 38
“Don’t treat the symptoms of bad planning
with structures”

39. 39
Technical controls shouldn’t allow exemption
from cyber insurance requirements

40. 40
Artificially creating a stable environment
makes the system less adaptive to disruption

41. 41
Coral in marine preserves are less resilient
to climate disturbance than “stressed” coral

42. 42
Design & test internal systems with the same
threat model as externally-exposed ones

43. 43
Problem: infosec is exclusively focused on
robustness – how to stop / thwart / block

44. 44
Infosec’s current goal is to return to
“business as usual” post-breach.
There is no such thing.

45. 45
Other domains tried defying nature – it
doesn’t work

46. 46
Your systems must survive even if users click
on phishing links and download pdf.zip.exe’s

47. 47
Robustness is effective when you have
diverse and layered controls

48. 48
NYC’s excess heat guidelines: backup hybrid-
power generators, heat-tolerant systems,
window shades, high-performance glazing

49. 49
Diversity helps provide redundancy in
uncertain conditions

50. 50
APT BlinkyBoxTM doesn’t help when legit
creds are used to access a cloud service

51. 51
Don’t ignore correlated risk.
Fragmentation can inject a healthy level of
instability to foster resilience.

52. 52
Pitfall of efficiency: more limited space in
which your operations can survive

53. 53
Up for debate: manageability via uniformity
vs. minimized impact via diversity?

54. 54
Decision trees are useful to map out
necessary redundancies

55. 55
Raising attacker cost is the bridge from
robustness to adaptability

56. 56
“Attackers will take the least cost path
through an attack graph from their start
node to their goal node.”
– Dino Dai Zovi

57. Adaptability

58. 58
Adaptability: reduce costs and damage
incurred, while keeping your options open

59. 59
Intergov’t Panel on Climate Change (IPCC):
Incremental change creates a false sense of
security – goal is managed transformation

60. 60
Preserving habitats is unnatural &
counterproductive.
Wildlife naturally “tracks” ideal conditions.

61. 61
Legacy systems are like preserved habitats.
We need to be able to migrate to better
conditions.

62. 62
Example: patching inline PHP code
Instead: single class for DB queries

63. 63
Static indicators like high coral cover or fish
abundance reflect favorable past conditions.
Erosion of coral reef resilience is dynamic.

64. 64
Ensure your threat models aren’t based on
favorable past conditions

65. 65
Survival strategy: comingle warm-adapted
species with cold-adapted cohorts

66. 66
Apps built with legacy systems and libs will
not survive in an increasingly open API world

67. 67
Uncertainty and surprise must be baked into
your approach

68. 68
Test adaptability to attacker methods with
attack simulation or auto playbook testing

69. 69
Chaos Monkey

70. 70
Randomly kills instances to test their ability
to withstand failure.
It also makes persistence really hard.

71. 71
Design your security architecture for
survival even if individual controls fail

72. 72
Rethinking security architecture is hard.
The industry offers too much complexity.

73. 73
Containers

74. 74
Containers promote adaptability and
support transformability
@jessfraz | blog.jessfraz.com/post/talks

75. 75
Containers = “isolated, resource-controlled,
and portable runtime environments”

76. 76
Easier to determine root cause
Easier to transport to better infrastructure
Easier to kill the infection & stop spread

77. 77
Ongoing stress like ocean warming or
overfishing makes coral less resilient in the
face of cyclones or coral bleaching events

78. 78
Complexity will erode your resilience in the
face of new vulns or data breaches

79. Transformability

80. 80
Transformability = challenge existing
assumptions & reorganize your system

81. 81
Prior example: inline code makes it difficult
to reorganize your system vs. a single class

82. 82
In disaster recovery policy, ideal is to change
location & remove urbanization

83. 83
2011: 6.3mms earthquake hit Christchurch
Cost to rebuild of $40bn+

84. 84
NZ designated a “red zone” where land is too
vulnerable & where rebuilding is uneconomic

85. 85
Identify the red zones within your IT systems

86. 86
Choose your own infosec redzone criteria:
Publicly exposed, legacy systems, critical
data, privileged access, overly verbose, single
point of failure, difficult to update, …

87. 87
Example: API consuming critical data should
be in “red zone” whether it has vulns or not

88. 88
Identify assets that fall under your red zone
criteria & migrate them to a safer system

89. 89
Example: Planned decommission of levees to
assist migration
Prohibits becoming a permanent “fix”

90. 90
Continually consider how you can prepare in
advance for migration

91. 91
Complex systems require collaborative
planning across stakeholders

92. 92
Open sharing of protections in place, what
risk remains, uncertainties in the approach

93. 93
Partner with engineering – they benefit from
flexibility and transformability as well

94. 94
Your role is to manage state transitions.
Consider how a resilience approach fits into
engineering workflows.

95. 95
2FAC @ Facebook: integrated 2FA into dev
workflows without creating friction

96. 96
“You can actually implement security
controls that affect every single thing people
are doing and still make them love it in the
process”

97. 97
Find someone with whom to collaborate &
how security can fit into their workflows

98. 98
Ensure your org is learning from prior
experiences – foster a security culture

99. Conclusion

100. 100
Infosec resilience means a flexible system
that can absorb an attack and reorganize
around the threat.

101. 101
Robustness is optimized through diversity of
controls

102. 102
Adaptability minimizes the impact of an
attack and keeps your options open

103. 103
Transformability demands you challenge
assumptions & reorganize around reality

104. 104
“The history of evolution is that life escapes
all barriers.
Life breaks free. Life expands to new
territories. Painfully, perhaps even
dangerously.
But life finds a way.”

105. 105
Attacks will evolve. We can evolve, too.

106. 106
Let’s strive for acceptance of our grief, and
architect effective and realistic defense

107. 107
The blue pill relegates us to the role of a
firefighting cat who’s drunk on snake oil

108. 108
Instead of accepting snake oil, take the red
pill of resilience instead

109. “Good enough is good enough. Good enough
always beats perfect.”
– Dan Geer

110. 110
@swagitda_
/in/kellyshortridge
kelly@greywire.net

111. 111
Suggested Reading
▪ Engineering resilience versus ecological resilience
▪ Resilience and disaster risk reduction: an etymological journey
▪ A strategy-based framework for assessing the flood resilience of cities – A Hamburg case study
▪ Vulnerability, Resilience, and the Collapse of Society
▪ Are some forms of resilience more sustainable than others?
▪ Flood Resilience: a Co-Evolutionary Approach
▪ The oak or the reed: how resilience theories are translated into disaster management policies
▪ Rethinking Ecosystem Resilience in the Face of Climate Change
▪ Building evolutionary resilience for conserving biodiversity under climate change
▪ Complexity and Planning: Systems, Assemblages and Simulations
▪ “Windows Containers” by Microsoft
▪ “The Netflix Simian Army” by Netflix