Transcript of 2014 10 16_challenge of natural security systems
The Challenge of Natural Security Systems
Rockie Brockway
Information Security and Business Risk Director
Black Box Network Services
@rockiebrockway
Disclaimer
Not a box popper talk
Not a cool tool talk
This is NOT about Darwinian Evolution vs Religion
Arguments are expected
Focused on natural security systems
Generic Problems with InfoSec
It is viewed as a tactical IT function (Reactive)
It is usually not, but needs to be accepted as a business risk management function (Rational)
“Rational behavior requires theory. Reactive behavior requires only reflex action.” - W. Edwards Deming
http://www.fiercecio.com/story/w-edwards-deming-hates-your-approach-it-security/2013-08-19
InfoSec’s Role
Prevent the loss of Business critical data
Protect the Brand
Promote Innovation/Allow the Business to TAKE Risk
What is the organization’s Business critical data?
Who else might find value in that data?
Where does that data actually live?
What are the Business initiatives and goals?
InfoSec’s Problems
Organization/Business Reaction?
Irony – Big Business arrogance and the natural reaction to their entropy has fueled a larger Big Business of product “solutions”
Buy more blinky lights (apologies to our sponsors)
Hackback?
Legislation/Balkanization
If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL
What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect
[Chart: Gartner / Verizon DBIR. Breaches (0 to 1600) per year, 2008 to 2013. Spend (T) (2.9 to 3.7) per year, 2007 to 2013.]
Our obsession with static models (e.g. The Problem with Walls)
So what is commonplace throughout most organizations' reactionary, static take on security? Cheap “fixes”.
Dikes, levees, firewalls: all examples of static security incident reactions intended to protect against naturally dynamic threats, and all of which eventually fail.
Organizational Entropy
The current Unnatural state of our business organizations
The longer we accept the unnatural systems that our reactive policies have dictated, the larger the window for our adversaries to catch up and surpass us.
“Business as Usual”
Organizational learning and adaptation is stagnant at best
What problem(s) does this talk address and attempt to Solve?
IT/InfoSec spend increasing, breaches continue to increase
Our obsession with static models (e.g. The Problem with Walls)
Organizational Entropy
The current Unnatural state of our business organizations
Can we modify our organizations’ static, reactionary behavior without blatantly telling our CEOs and board members that they are conducting business wrong?
General “Rules of Engagement” for Naturally Adaptable Systems *
* http://www.security-informatics.com/content/1/1/14
They are organized semi-autonomously with little central control
They learn from success
They use information to mitigate uncertainty
They extend their natural adaptability by engaging in a diverse range of symbiotic partnerships
1st Point
Adaptation arises from leaving (or being forced from) your comfort zone.
Adding more expensive anti-X/APT/FUD systems is not adapting
Details of Successful Adaptation Techniques (Sagarin)
Decentralized and Distributed organizational systems
The Requirement of a Challenge (2nd point)
Information sharing, filtering and prioritization
Symbiosis
Competition and Cooperation (3rd point)
The benefits of Decentralized and Distributed organizational systems
Multiple sensors
No preconceived notions
Specialized tasks
Redundancy
The Requirement of a Challenge (important, 2nd point)
There must be some sort of challenge to initiate competition, cooperation and learning (more on this later)
Finding food/shelter
Finding a lost nuclear submarine
Predicting the outcome of a presidential election
Protecting business critical data
Information sharing, filtering and prioritization
Information use and sharing is as essential to survival as any other adaptation
When used properly, information in survival situations creates and/or reduces uncertainty
Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability).
Symbiosis
Symbiosis - A working relationship between organisms
Mutualistic - both parties benefit
Commensal - one party benefits, one is not affected
Parasitic - one party benefits, one suffers
Symbiosis creates reactions that are more than just the sum of two organisms working together: emergent properties that both transform the organism and transform the environment around it
Competition and Cooperation (3rd point)
Competition between organisms can lead to group cooperation
This group competition can then lead to group cooperation
Group cooperation then increases the effectiveness of the group against other social groups
The Quandary
Successful organizational leadership has little incentive to change
Therefore, business as usual comfort zones will prevent true adaptation
Incentivized adversarial innovation will continue to run away from our static, artificial barriers that we hope might prolong the inevitable
How can we build more naturally secured systems in this environment?
The Big Contradiction
Yes! We humans are quite adaptable.
Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation (BREACH) and then we once again show our amazing adaptability – The problem with Business as Usual
Organizations = Organisms, e.g. self regulating, not static
How can we as amazingly adaptable individual organisms have created systems and institutions so non-adaptable?
The Challenge
How do we end up with systems within organizations that can deal with security problems and respond to them organically and automatically?
The Basics (getting outside your comfort zone)
Introduce challenges, not directives. Without challenges, organizations don't learn. Decentralize your problem solving. No Orders.
Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations.
Take advantage of localized problem solvers, share and distribute information
Promote learning, competition/cooperation and symbiosis
IT Calisthenics
Who here thinks these behavioral and process changes are too radical for your stodgy organization?
Who here is either in charge of a team regardless of size and/or is in a position of influence in such a team?
Who here never raises their hand when asked to raise your hand at a talk?
Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve your business unit’s metrics and create competition with other units within your organization
My Challenge to You
Your small successes lead to bigger successes, and in the end we are all the better and naturally more secure
That will lead to cooperation once you realize the goals are the same, which leads to group cooperation, which in turn introduces competition at higher levels. At that point you are on your way to changing your business culture