Static security models and "business as usual" directives have naturally resulted in a collective eyes wide shut mentality of organizational entropy. Organisms, as well as organizations, can only adapt to changing environments by leaving (or being forced from) their comfort zones. It should be obvious that today's threat landscape is changing at a breakneck pace, yet most organizations are seemingly content in adding "spend" to the annual budget for more systems that claim to protect against the latest FUD. This is not learning and without learning adaptation cannot occur. Challenges to the organism and organization that move them both out of their respective comfort zones are crucial for successful adaptation. This talk will explore these adaptation requirements in an effort to develop a framework for more naturally secure systems and organizations. At its conclusion it will present a challenge for all those willing to get out of their own respective comfort zones and organically contribute to naturally stronger systems and organizations.
2014-10-16 The Challenge of Natural Security Systems
1. The Challenge of Natural Security Systems
Rockie Brockway
Information Security and Business Risk
Director
Black Box Network Services
@rockiebrockway
5. Disclaimer B
Not a box popper talk
Not a cool tool talk
This is NOT about Darwinian Evolution vs Religion
Arguments are expected
Focused on natural security systems
6. Generic Problems with InfoSec
It is viewed as a tactical IT function (Reactive)
It is usually not, but needs to be accepted as a business risk management function (Rational)
“Rational behavior requires theory. Reactive behavior requires only reflex action.”
- W. Edwards Deming
http://www.fiercecio.com/story/w-edwards-deming-hates-your-approach-it-security/2013-08-19
7. InfoSec’s Role
Prevent the loss of Business critical data
Protect the Brand
Promote Innovation/Allow the Business to TAKE Risk
What is the organization’s Business critical data?
Who else might find value in that data?
Where does that data actually live?
What are the Business initiatives and goals?
InfoSec’s Problems
9. Organization/Business Reaction?
Irony – Big Business arrogance and the natural reaction to their entropy has fueled a larger Big Business of product “solutions”
Buy more blinky lights (apologies to our sponsors)
Hackback?
Legislation/Balkanization
If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL
11. What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect
[Chart: Breaches per year (Verizon DBIR), 2008–2013, rising toward ~1,400; IT Spend in trillions (Gartner), 2007–2013, rising from ~2.9 to ~3.7]
12. What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
13. Our obsession with static models (e.g. The Problem with Walls)
So what is commonplace throughout most organizations’ reactionary, static take on security? Cheap “fixes”.
Dikes, levees, firewalls: all examples of static reactions to security incidents, intended to protect against naturally dynamic threats, that eventually fail.
14. What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
Organizational Entropy
16. What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
Organizational Entropy
The current Unnatural state of our business organizations
17. The current Unnatural state of our business organizations
The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window our adversaries have to catch up and surpass us.
“Business as Usual”
Organizational learning and adaptation is stagnant at best
18. What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
Organizational Entropy
The current Unnatural state of our business organizations
Can we modify our organizations’ static, reactionary behavior without blatantly telling our CEOs and board members that they are conducting business wrong?
22. General “Rules of Engagement” for Naturally Adaptable Systems *
* http://www.security-informatics.com/content/1/1/14
They are organized semi-autonomously with little central control
They learn from success
They use information to mitigate uncertainty
They extend their natural adaptability by engaging in a diverse range of symbiotic partnerships
23. 1st Point
Adaptation arises from leaving (or being forced from) your comfort zone.
Adding more expensive anti-X/APT/FUD systems is not adapting
24. Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
25. Decentralized and Distributed organizational systems
The benefits of Decentralized and Distributed organizational systems
Multiple sensors
No preconceived notions
Specialized tasks
Redundancy
26. Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The Requirement of a Challenge (Important / 2nd point)
27. The Requirement of a Challenge
There must be some sort of challenge to initiate competition, cooperation and learning (more on this later)
Finding food/shelter
Finding a lost nuclear submarine
Predicting the outcome of a presidential election
Protecting business critical data
28. Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The Requirement of a Challenge
Information sharing, filtering and prioritization
29. Information sharing, filtering and prioritization
Information use and sharing is as essential to survival as any other adaptation
When used properly, information in survival situations creates and/or reduces uncertainty
Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability)
30. Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The Requirement of a Challenge
Information sharing, filtering and prioritization
Symbiosis
31. Symbiosis
Symbiosis - A working relationship between organisms
Mutualistic - both parties benefit
Commensal - one party benefits, one is not affected
Parasitic - one party benefits, one suffers
Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that transform both the organism and the environment around it
32. Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The requirement of a Challenge
Information sharing, filtering and prioritization
Symbiosis
33. Competition and Cooperation (3rd point)
Competition between individual organisms can lead to group cooperation
Group cooperation then increases the effectiveness of the group in competing against other social groups
34. The Quandary
Successful organizational leadership has little incentive to change
Therefore, business as usual comfort zones will prevent true adaptation
Incentivized adversarial innovation will continue to run away from our static, artificial barriers that we hope might prolong the inevitable
How can we build more naturally secured systems in this environment?
36. The Big Contradiction
Yes! We humans are quite adaptable.
Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation (BREACH), and then we once again show our amazing adaptability – The problem with Business as Usual
Organizations = Organisms, e.g. self regulating, not static
How can we as amazingly adaptable individual organisms have created systems and institutions so non-adaptable?
37. The Challenge
How do we end up with systems within organizations that can deal with security problems and respond to them organically and automatically?
38. The Basics (getting outside your comfort zone)
Introduce challenges, not directives. Without challenges, organizations don't learn. Decentralize your problem solving. No Orders.
Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations.
Take advantage of localized problem solvers; share and distribute information
Promote learning, competition/cooperation and symbiosis
39. IT Calisthenics
Who here thinks these behavioral and process changes are too radical for your stodgy organization?
Who here is either in charge of a team, regardless of size, and/or is in a position of influence in such a team?
Who here never raises their hand when asked to raise your hand at a talk?
My Challenge to You
Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve your business unit’s metrics and create competition with other units within your organization
That will lead to cooperation once you realize the goals are the same, leading to group cooperation that then will introduce competition at higher levels, and you are now on your way to changing your business culture
Your small successes lead to bigger successes, and in the end we are all the better and naturally more secure
My first boss in IT was Dr. Peter Tippett. In 1992, my senior year at Case Western Reserve University in Cleveland OH, I was introduced to Dr. Tippett, who mentored me on my senior project on anti-virus technology. Lots of assembly language, which 22 years later is almost as foreign to me as Latin. After I graduated I worked briefly for his company Certus International prior to the Symantec acquisition.
I’ve obtained 30+ “certifications” in my career, both vendor and non-vendor, all of which I believe have expired. I recertified my GSEC 3 times and taught it twice. I work with businesses to reduce risk. My day job entails trend and adversary analysis, enterprise security architecture, security intelligence, business systems and impact analysis, and pentesting.
I am also an organizer of the BSides Cleveland conference
But it should
Generic problems:
InfoSec = firewall implementation. Tactical security control implementation should live under IT as infrastructure. However, this mentality is purely reactive
Infosec and Risk is a function of the Business
Need to improve measuring infosec value vs. business metrics
W. Edwards Deming was a statistician, author and consultant in the 20th century. One of the many things he realized was that we need to think of manufacturing as a system, not as bits and pieces
I want to take a slide to simply perhaps reiterate what role infosec has in business.
And in order to successfully accomplish these tasks we need to at the very least understand the following.
Show of hands –
Who in your current role in InfoSec is communicated with by your business leaders?
Who knows what your organization’s business critical data is?
Who knows where your organization’s business critical data lives?
Anyone care to chime in on who might want to steal your data?
I’m going to get this out of the way early – FUD!
99.9% of today’s organizations are not learning and adapting. Meanwhile there’s a lot of alternative and malicious activity occurring daily
Media/IP loss/Retail (irreplaceable/replaceable)
I was recently asked to respond to an APT Appliance RFP. Kill me now.
Buying more blinky lights is more or less the norm
Now the US and other countries are reactively trying to legislate controls in an effort to “mitigate” everything we as leading nations have completely ignored due to our collective arrogance and organizational entropy
Irony – Big Business arrogance and the natural reaction to their entropy has fueled a larger Big Business of product “solutions”
The bottom line is this - If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the national, as well as global, economy as a whole, you have completely missed what was wrong to begin with. #FAIL
First and foremost, we need to address our dollar focus.
Our IT spend is for the most part trending upwards. Our Breaches are for the most part trending upwards. We essentially are investing in all of this fancy security and anti-X technology with very little actual measurable return
We are investing our security dollar in the wrong areas
Second, we have an obsession with walls
Most organizations are still looking for the least expensive, most effective “controls” to prevent BYOD threats, APT, Cyber<insert here> and whatever Gartner and Mandiant have determined are the most interesting threats to your business.
I might as well say something about The Art of War and Paradigm Shifts so I can at least finish this talk drunk but happy
A species of jumping spider mimics the olfactory signal of an ant colony, moves around unnoticed and simulates the behavior intended to communicate a transfer of larvae, getting an easy free meal.
What do we call that? Social engineering.
The evolution of antibiotic-resistant bacteria is paralleled by the overuse of antivirus for malware mitigation, leading to adaptation of malware that is effectively AV-resistant
Third – this guy
This is one of my favorite terms. It illustrates so much of our collective current business mentality in two words. So elegant.
This common state tells me that organizations are like organisms and have the same need to learn and adapt to new situations
The 4th and final problem I hope to address is this
There are a metric shit-ton of incentivized ways to breach your networks.
Our orgs are not learning/adapting from that = unnatural, needs to change
“business as usual” =/= adaptation
Continued entropy = loss of innovation
That Entropy = unnatural, therefore it is failing
So here are the problems
And this is our dilemma –
Can we change successful, Revenue/GP businesses who are “business as usual” and not adapting to current threats without telling the C-Suite they are doing it wrong?
This is applicable to both organisms as well as organizations.
As InfoSec professionals I HIGHLY recommend these three books
Emergence – The Connected Lives of Ants, Brains, Cities, and Software – Steven Johnson
The Wisdom of Crowds – James Surowiecki
Learning from the Octopus – Rafe Sagarin
We’ll start with general rules of engagement for naturally adaptive systems –
Decentralization
Learning from successes (not failures)
Information usage to mitigate uncertainty
Symbiotic partnerships
These systems do not predict, plan, or perfect the development of biological organisms – there are no mandates, no edicts
The combination of these four variables will result in natural adaptation
This is the first major point
Successful Adaptation (according to Sagarin) boils down to four techniques
The first is …
So Sagarin talks about the benefits of decentralized and distributed systems:
Multiple sensors have greater chances of identifying unusual change and additional opportunities. – Does anyone here have multiple resources in your organization?
We have our userspace. Dave Kennedy talks about the organizational benefits of having hundreds of human sensors through security awareness.
These sensors see the environment for what it "is" rather than what it "should" be according to some preconceived notion.
Specialized tasks save energy and allow resources to get assigned to important tasks.
If you touch IS/IT in any way you know the importance of redundancy to critical systems
Diversity is crucial to collectively wise decisions
The second technique and second major point is …
Does anyone know the story of the USS Scorpion?
Iowa Electronic Markets – non-profit political futures market where each contract pays out at most $1. Has been considerably more accurate than traditional polls, and takes party affiliation out of the equation due to incentives
The third technique is …
Having knowledge of other orgs experiences and adaptation techniques is critical.
In survival situations using information can either create or reduce uncertainty. Hmmm. That sounds very much like some of the strategies infosec employs:
As a defender we want to reduce the amount of uncertainty for ourselves and create and inflate uncertainty for our adversaries, increasing attacker costs, delaying their operation and increasing their potential for error
And the final technique is …
Essentially, nobody can survive on their own.
All organisms are constrained in their individual adaptability at some point
- symbiotic relationships allow us to extend our inherent adaptive capacities
3 types of symbiosis
Symbiosis is everywhere in nature and the relationships are incredibly complex
Think Target
The four requirements for successful adaptation
3rd major point
Individual competition can lead to group cooperation. This then increases the effectiveness of the group
As competing individuals begin to form social groups, the better they cooperate with each other and the more effective they are at competing with other social groups
The important features of cooperative networks are that they emerge naturally (not mandated) and they are designed to solve specific problems, not solve world peace
I’ve touched on this already – successful business has little incentive to change. This business as usual state cannot learn nor adapt
Our highly motivated and incentivized adversaries who are finding out of the box ways to profit from our poorly protected data will continue to get around our static walls
The human race has gotten this far, can’t we just rely on our inherent adaptability?
We are good at individual adaptation under duress, yet we suck at institutional adaptation under the constraints of modern day life, since it is “comfortable”
Remember - Adaptation occurs when you leave your comfort zone.
Most of our business culture is comfy in its own zone of revenue generation and profit sharing
Orders assume there is one solution to a problem. A challenge assumes there are many potential solutions, the more people involved, the more likely we are to find a really outstanding solution.
Challenges are essential to learning, which leads to competition, which naturally leads to cooperation
Monetary incentives are always good, symbiosis can arise from competition as well as different entities realizing they can solve problems better together (Iowa Electronic Markets)
Learn from your successes
Introducing these changes -> improved business unit metrics, creating competition w/ other BUs, leading to cooperation between BUs and competition at higher levels, etc.
You are on your way to naturally more secure organizations
Guess what? We all have work to do