The Challenge of Natural Security Systems
Rockie Brockway
Information Security and Business Risk
Director
Black Box Network Services
@rockiebrockway
Credentials
Disclaimer A
Nothing I say represents past, current or future employers
Disclaimer B
Not a box popper talk
Not a cool tool talk
This is NOT about Darwinian Evolution vs Religion
Arguments are expected
Focused on natural security systems
Generic Problems with InfoSec
It is viewed as a tactical IT function (Reactive)
It is usually not, but needs to be accepted as, a business risk management function (Rational)
“Rational behavior requires theory. Reactive behavior requires only reflex action.”
- W. Edwards Deming
http://www.fiercecio.com/story/w-edwards-deming-hates-your-approach-it-security/2013-08-19
InfoSec’s Role
Prevent the loss of Business critical data
Protect the Brand
Promote Innovation/Allow the Business to TAKE Risk
What is the organization’s Business critical data?
Who else might find value in that data?
Where does that data actually live?
What are the Business initiatives and goals?
InfoSec’s Problems
<FUD> Insert standard sky is falling breach statistic slide here </FUD>
Organization/Business Reaction?
Irony – Big Business arrogance and the natural reaction to their entropy
has fueled a larger Big Business of product “solutions”
Buy more blinky lights (apologies to our sponsors)
Hackback?
Legislation/Balkanization
If you get to the point where a problem becomes so big that you
need to try to legislate it in order to protect national and/or
economic interests, you have completely missed what was wrong
to begin with. #FAIL
What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
As an Industry we are most likely at least two years behind the innovative and
lucrative industry of stealing the data we are trying to protect
[Chart: Breaches per year (source: Verizon DBIR), 2008 to 2013, y-axis 0 to 1600]
[Chart: IT spend in trillions (source: Gartner), 2007 to 2013, y-axis 2.9 to 3.7]
What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
So what is commonplace in most organizations' reactionary, static take on security? Cheap "fixes".
Dikes, levees, firewalls: all examples of static security incident reactions intended to protect against naturally dynamic threats. They eventually fail.
What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
Organizational Entropy
(the natural result of assuming you are smarter than your adversaries)
What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
Organizational Entropy
The current Unnatural state of our business organizations
The longer we accept these unnatural systems that our reactive
policies have dictated, the larger the window exists for our
adversaries to catch up and surpass us.
“Business as Usual”
Organizational learning and adaptation is stagnant at best
What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
Organizational Entropy
The current Unnatural state of our business organizations
Can we modify our organizations’ static, reactionary behavior without blatantly telling
our CEOs and board members that they are conducting business wrong?
Posit -
Naturally adaptive systems are inherently more secure
Inspirations/Sources
General “Rules of Engagement” for Naturally Adaptable Systems *
* http://www.security-informatics.com/content/1/1/14
They are organized semi-autonomously with little central control
They learn from success
They use information to mitigate uncertainty
They extend their natural adaptability by engaging in a diverse
range of symbiotic partnerships
1st Point
Adaptation arises from leaving (or being forced from) your comfort zone.
Adding more expensive anti-X/APT/FUD systems is not adapting
Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The benefits of Decentralized and Distributed organizational systems
Multiple sensors
No preconceived notions
Specialized tasks
Redundancy
Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The Requirement of a Challenge ( Important/2nd point)
The Requirement of a Challenge
There must be some sort of challenge to initiate competition, cooperation
and learning (more on this later)
Finding food/shelter
Finding a lost nuclear submarine
Predicting the outcome of a presidential election
Protecting business critical data
Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The Requirement of a Challenge
Information sharing, filtering and prioritization
Information use and sharing is as essential to survival as any other
adaptation
When used properly, information in survival situations creates and/or
reduces uncertainty
Organisms seek to reduce uncertainty for themselves and increase
uncertainty for their adversaries (unpredictability).
Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The Requirement of a Challenge
Information sharing, filtering and prioritization
Symbiosis
Symbiosis - A working relationship between organisms
Mutualistic - both parties benefit
Commensal - one party benefits, one is not affected
Parasitic - one party benefits, one suffers
Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that both transform the organism and transform the environment around the organism
Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The requirement of a Challenge
Information sharing, filtering and prioritization
Symbiosis
Competition and Cooperation (3rd point)
Competition between organisms can lead to group cooperation
This group competition can then lead to group cooperation
Group cooperation then increases the effectiveness of the group against
other social groups
The Quandary
Successful organizational leadership has little incentive to change
Therefore, business as usual comfort zones will prevent true
adaptation
Incentivized adversarial innovation will continue to run away from
our static, artificial barriers that we hope might prolong the
inevitable
How can we build more naturally secured systems in this
environment?
Aren’t we human beings somewhat good at adaptation?
The Big Contradiction
Yes! We humans are quite adaptable.
Yet we rarely leave our comfort zones unless we find ourselves in an
emergency situation (BREACH) and then we once again show our amazing
adaptability – The problem with Business as Usual
Organizations = Organisms, e.g. self regulating, not static
How can we as amazingly adaptable individual organisms have created
systems and institutions so non-adaptable?
The Challenge
How do we end up with systems within organizations that can deal
with security problems and respond to them organically and
automatically?
The Basics (getting outside your comfort zone)
Introduce challenges, not directives. Without challenges, organizations
don't learn. Decentralize your problem solving. No Orders.
Amplify, reward and replicate your successes. Innovation comes first and
learning accrues from successful innovations.
Take advantage of localized problem solvers, share and distribute
information
Promote learning, competition/cooperation and symbiosis
IT Calisthenics
Who here thinks these behavioral and process changes are too radical
for your stodgy organization?
Who here is either in charge of a team regardless of size and/or is in a
position of influence in such a team?
Who here never raises their hand when asked to raise your hand at a
talk?
Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve your business unit's metrics and create competition between other units within your organization.
My Challenge to You
Your small successes lead to bigger successes, and in the end we are all the
better and naturally more secure
That will lead to cooperation once you realize the goals are the same, leading
to group cooperation that then will introduce competition at higher levels
and you are now on your way to changing your business culture
All without telling the CEO he’s doing it wrong
Feedback
Rockie Brockway
Information Security and Business Risk
Director
Black Box Network Services
@rockiebrockway
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Ashram Chowk Delhi 💯Call Us 🔝8264348440🔝
 

2014 10 16_challenge of natural security systems

  • 1. The Challenge of Natural Security Systems Rockie Brockway Information Security and Business Risk Director Black Box Network Services @rockiebrockway
  • 3.
  • 4. Disclaimer A Nothing I say represents past, current or future employers
  • 5. Disclaimer B Not a box popper talk Not a cool tool talk This is NOT about Darwinian Evolution vs Religion Arguments are expected Focused on natural security systems
  • 6. Generic Problems with InfoSec It is viewed as a tactical IT function (Reactive) It is usually not, but needs to be accepted as a business risk management function (Rational) “Rational behavior requires theory. Reactive behavior requires only reflex action.” - W. Edwards Deming http://www.fiercecio.com/story/w-edwards-deming-hates-your-approach-it-security/2013-08-19
  • 7. InfoSec’s Role Prevent the loss of Business critical data Protect the Brand Promote Innovation/Allow the Business to TAKE Risk What is the organization’s Business critical data? Who else might find value in that data? Where does that data actually live? What are the Business initiatives and goals? InfoSec’s Problems
  • 8. <FUD> Insert standard sky is falling breach statistic slide here </FUD>
  • 9. Organization/Business Reaction? Irony – Big Business arrogance and the natural reaction to their entropy has fueled a larger Big Business of product “solutions”. Buy more blinky lights (apologies to our sponsors). Hackback? Legislation/Balkanization. If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL
  • 10. What problem(s) does this talk address and attempt to Solve?
  • 11. What problem(s) does this talk address and attempt to Solve? IT/InfoSec spend increasing, breaches continue to increase. As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect. [Charts: Breaches per year, 2008–2013 (Verizon DBIR); Spend (T) per year, 2007–2013 (Gartner)]
  • 12. What problem(s) does this talk address and attempt to Solve? IT/InfoSec spend increasing, breaches continue to increase Our obsession with static models (e.g. The Problem with Walls)
  • 13. Our obsession with static models (e.g. The Problem with Walls) So what is commonplace throughout most organizations’ reactionary, static take on security? Cheap “fixes”. Dikes, levees, firewalls - all examples of static security incident reactions intended to protect against naturally dynamic threats. That eventually fail.
  • 14. What problem(s) does this talk address and attempt to Solve? IT/InfoSec spend increasing, breaches continue to increase Our obsession with static models (e.g. The Problem with Walls) Organizational Entropy
  • 15. Organizational Entropy (the natural result of assuming you are smarter than your adversaries)
  • 16. What problem(s) does this talk address and attempt to Solve? IT/InfoSec spend increasing, breaches continue to increase Our obsession with static models (e.g. The Problem with Walls) Organizational Entropy The current Unnatural state of our business organizations
  • 17. The current Unnatural state of our business organizations The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window exists for our adversaries to catch up and surpass us. “Business as Usual”: Organizational learning and adaptation is stagnant at best.
  • 18. What problem(s) does this talk address and attempt to Solve? IT/InfoSec spend increasing, breaches continue to increase Our obsession with static models (e.g. The Problem with Walls) Organizational Entropy The current Unnatural state of our business organizations Can we modify our organizations’ static, reactionary behavior without blatantly telling our CEOs and board members that they are conducting business wrong?
  • 19.
  • 20. Posit - Naturally adaptive systems are inherently more secure
  • 22. General “Rules of Engagement” for Naturally Adaptable Systems* They are organized semi-autonomously with little central control. They learn from success. They use information to mitigate uncertainty. They extend their natural adaptability by engaging in a diverse range of symbiotic partnerships. * http://www.security-informatics.com/content/1/1/14
  • 23. 1st Point Adaptation arises from leaving (or being forced from) your comfort zone. Adding more expensive anti-X/APT/FUD systems is not adapting
  • 24. Details of Successful Adaptation Techniques (Sagarin) Decentralized and Distributed organizational systems
  • 25. Decentralized and Distributed organizational systems The benefits of Decentralized and Distributed organizational systems Multiple sensors No preconceived notions Specialized tasks Redundancy
  • 26. Details of Successful Adaptation Techniques (Sagarin) Decentralized and Distributed organizational systems The Requirement of a Challenge ( Important/2nd point)
  • 27. The Requirement of a Challenge There must be some sort of challenge to initiate competition, cooperation and learning (more on this later) Finding food/shelter Finding a lost nuclear submarine Predicting the outcome of a presidential election Protecting business critical data
  • 28. Details of Successful Adaptation Techniques (Sagarin) Decentralized and Distributed organizational systems The Requirement of a Challenge Information sharing, filtering and prioritization
  • 29. Information sharing, filtering and prioritization Information use and sharing is as essential to survival as any other adaptation. When used properly, information in survival situations creates and/or reduces uncertainty. Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability).
  • 30. Details of Successful Adaptation Techniques (Sagarin) Decentralized and Distributed organizational systems The Requirement of a Challenge Information sharing, filtering and prioritization Symbiosis
  • 31. Symbiosis Symbiosis - A working relationship between organisms. Mutualistic - both parties benefit. Commensal - one party benefits, one is not affected. Parasitic - one party benefits, one suffers. Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that both transform the organism and transform the environment around the organism.
  • 32. Details of Successful Adaptation Techniques (Sagarin) Decentralized and Distributed organizational systems The requirement of a Challenge Information sharing, filtering and prioritization Symbiosis
  • 33. Competition and Cooperation (3rd point) Competition between organisms can lead to group cooperation. This group competition can then lead to group cooperation. Group cooperation then increases the effectiveness of the group against other social groups.
  • 34. The Quandary Successful organizational leadership has little incentive to change. Therefore, business as usual comfort zones will prevent true adaptation. Incentivized adversarial innovation will continue to run away from our static, artificial barriers that we hope might prolong the inevitable. How can we build more naturally secured systems in this environment?
  • 35. Aren’t we human beings somewhat good at adaptation?
  • 36. The Big Contradiction Yes! We humans are quite adaptable. Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation (BREACH), and then we once again show our amazing adaptability – The problem with Business as Usual. Organizations = Organisms, e.g. self-regulating, not static. How can we as amazingly adaptable individual organisms have created systems and institutions so non-adaptable?
  • 37. The Challenge How do we end up with systems within organizations that can deal with security problems and respond to them organically and automatically?
  • 38. The Basics (getting outside your comfort zone) Introduce challenges, not directives. Without challenges, organizations don't learn. Decentralize your problem solving. No Orders. Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations. Take advantage of localized problem solvers; share and distribute information. Promote learning, competition/cooperation and symbiosis.
  • 39. IT Calisthenics Who here thinks these behavioral and process changes are too radical for your stodgy organization? Who here is either in charge of a team regardless of size and/or is in a position of influence in such a team? Who here never raises their hand when asked to raise your hand at a talk?
  • 40. My Challenge to You Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve your business unit’s metrics and create competition between other units within your organization. That will lead to cooperation once you realize the goals are the same, leading to group cooperation that then will introduce competition at higher levels, and you are now on your way to changing your business culture. Your small successes lead to bigger successes, and in the end we are all the better and naturally more secure.
  • 41. All without telling the CEO he’s doing it wrong
  • 42. Feedback Rockie Brockway Information Security and Business Risk Director Black Box Network Services @rockiebrockway

Editor's notes

  1. My first boss in IT was Dr. Peter Tippett. In 1992, my senior year at Case Western Reserve University in Cleveland OH, I was introduced to Dr. Tippett, who mentored me on my senior project on Anti-virus technology. Lots of assembly language, which 22 years later is almost as foreign to me as Latin. After I graduated I worked briefly for his company Certus International prior to the Symantec acquisition. I’ve obtained 30+ “certifications” in my career, both vendor and non-vendor. All of which I believe have expired. I recertified my GSEC 3 times and taught it twice. I work with businesses to reduce risk. My day job entails trend and adversary analysis, enterprise security architecture, security intelligence, business systems and impact analysis and pentesting.
  2. I am also an organizer of the Bsides Cleveland conference
  3. But it should
  4. Generic problems: InfoSec = firewall implementation. Tactical security control implementation should live under IT as infrastructure. However, this mentality is purely reactive. Infosec and Risk is a function of the Business. Need to improve measuring infosec value vs. business metrics. W. Edwards Deming was a statistician, author and consultant in the 20th century. One of the many things he realized was that we need to think of manufacturing as a system, not as bits and pieces.
  5. I want to take a slide to simply perhaps reiterate what role infosec has in business. <click> And in order to successfully accomplish these tasks we need to at the very least understand the following. <click> Show of hands – Who in your current role in InfoSec is communicated with by your business leaders? Who knows what your organization’s business critical data is? Who knows where your organization’s business critical data lives? Anyone care to chime in on who might want to steal your data?
  6. I’m going to get this out of the way early – FUD! 99.9% of today’s organizations are not learning and adapting. Meanwhile there’s a lot of alternative and malicious activity occurring daily
  7. Media/IP loss/Retail (irreplaceable/replaceable). I was recently asked to respond to an APT Appliance RFP. Kill me now. Buying more blinky lights is more or less the norm. Now the US and other countries are reactively trying to legislate controls in an effort to “mitigate” everything we as leading nations have completely ignored due to our collective organizational entropy arrogance. <click> Irony – Big Business arrogance and the natural reaction to their entropy has fueled a larger Big Business of product “solutions”. <click> The bottom line is this - If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the national, as well as global, economy as a whole, you have completely missed what was wrong to begin with. #FAIL
  8. First and foremost, we need to address our dollar focus. Our IT spend is for the most part trending upwards. Our Breaches are for the most part trending upwards. We essentially are investing in all of this fancy security and anti-X technology with very little actual measurable return. We are investing our security dollar in the wrong areas.
  9. Second, we have an obsession with walls
  10. Most organizations are still looking for the least expensive, most effective “controls” to prevent BYOD threats, APT, Cyber<insert here> and whatever Gartner and Mandiant have determined are the most interesting threats to your business. I might as well say something about The Art of War and Paradigm Shifts so I can at least finish this talk drunk but happy. <read second point> A species of jumping spider mimics the olfactory signal of an ant colony, moves around unnoticed and simulates the behavior intended to communicate a transfer of larvae, getting an easy free meal. What do we call that? Social engineering. The evolution of antibiotic-resistant bacteria and viruses is paralleled by the overuse of antivirus for malware mitigation, leading to adaptation of malware that is virtually AV resistant.
  11. Third – this guy
  12. This is one of my favorite terms. It illustrates so much of our collective current business mentality in two words. So elegant. This common state tells me that organizations are like organisms and have the same need to learn and adapt to new situations
  13. The 4th and final problem I hope to address is this
  14. There are a metric shit-ton of incentivized ways to breach your networks. Our orgs are not learning/adapting from that = unnatural, needs to change. “business as usual” =/= adaptation. Continued entropy = loss of innovation. That Entropy = unnatural, therefore it is failing.
  15. So here are the problems. And this is our dilemma – Can we change successful, Revenue/GP businesses who are “business as usual” and not adapting to current threats without telling the C-Suite they are doing it wrong?
  16. This is applicable to both organisms as well as organizations.
  17. As InfoSec professionals I HIGHLY recommend these three books Emergence – the Connected lives of Ants, Brains, Cities and Software – Steven Johnson The Wisdom of Crowds – James Surowiecki Learning from the Octopus – Rafe Sagarin
  18. We’ll start with general rules of engagement for naturally adaptive systems – Decentralization; Learning from successes (not failures); Information usage to mitigate uncertainty; Symbiotic partnerships. These systems do not predict, plan, or perfect the development of biological organisms – there are no mandates, no edicts. The combination of these four variables will result in natural adaptation.
  19. This is the first major point
  20. Successful Adaptation (according to Sagarin) boils down to four techniques The first is …
  21. So Sagarin talks about the benefits of decentralized and distributed systems: Multiple sensors have greater chances of identifying unusual change and additional opportunities. – Does anyone here have multiple resources in your organization? We have our userspace. Dave Kennedy talks about the organizational benefits of having hundreds of human sensors through security awareness. These sensors see the environment for what it "is" rather than what it "should" be according to some preconceived notion. Specialized tasks save energy and allow resources to get assigned to important tasks. If you touch IS/IT in any way you know the importance of redundancy to critical systems. Diversity is crucial to collectively wise decisions.
  22. The second technique and second major point is …
  23. Does anyone know the story of the USS Scorpion? Iowa Election Markets – non profit political futures market where the max investment is $1. Has an insanely greater accuracy than traditional polls, takes party affiliation out of the equation due to incentives
  24. The third technique is …
  25. Having knowledge of other orgs’ experiences and adaptation techniques is critical. In survival situations using information can either create or reduce uncertainty. Hmmm. That sounds very much like some of the strategies infosec employs: As a defender we want to reduce the amount of uncertainty for ourselves and create and inflate uncertainty for our adversaries, increasing attacker costs, delaying their operation and increasing their potential for error.
  26. And the final technique is …
  27. Essentially, nobody can survive on their own. All organisms are constrained in their individual adaptability at some point - symbiotic relationships allow us to extend our inherent adaptive capacities. 3 types of symbiosis. Symbiosis is everywhere in nature and the relationships are incredibly complex. Think Target.
  28. The four requirements for successful adaptation
  29. 3rd major point Individual competition can lead to group cooperation. This then increases the effectiveness of the group As competing individuals begin to form social groups, the better they cooperate with each other and the more effective they are at competing with other social groups The important features of cooperative networks are that they emerge naturally (not mandated) and they are designed to solve specific problems, not solve world peace
  30. I’ve touched on this already – successful business has little incentive to change. This business as usual state cannot learn nor adapt Our highly motivated and incentivized adversaries who are finding out of the box ways to profit from our poorly protected data will continue to get around our static walls The human race has gotten this far, can’t we just rely on our inherent adaptability?
  31. We are good at individual adaptation under duress, yet we suck at institutional adaptation under the constraints of modern day life, since it is “comfortable”. Remember - Adaptation occurs when you leave your comfort zone. Most of our business culture is comfy in its own zone of revenue generation and profit sharing.
  32. Orders assume there is one solution to a problem. A challenge assumes there are many potential solutions; the more people involved, the more likely we are to find a really outstanding solution. Challenges are essential to learning, which leads to competition, which naturally leads to cooperation. Monetary incentives are always good; symbiosis can arise from competition as well as from different entities realizing they can solve problems better together (Iowa Electronic Markets). Learn from your successes.
  33. Introducing these changes -> improved business unit metrics, creating competition w/ other BUs, leading to cooperation between BUs and competition at higher levels, etc. You are on your way to naturally more secure organizations. Guess what? We all have work to do.