For centuries mankind’s greatest innovations came about through careful examination of natural systems. Information Security is no different. This presentation will explore how information security professionals can use the agricultural concept of “permaculture” (the practice of using design principles observed in natural ecosystems) to cultivate a sustainable, data-driven security program.
In this fast-paced, thought-provoking session you’ll learn:
- The basic tenets of permaculture and how they apply to information security strategy
- How to build a security program that fosters collaboration, coupled with feedback loops and metrics
- How embracing differences within an organization can lead to increases in productivity and security
- Effective policy and control designs that enhance business objectives as opposed to stifling them
2. Speaker
Chris Nelson
Director of Security for Distil Networks
Vice President of Denver chapter of the ISSA
Experienced in building security programs and controls across different verticals and maturity levels
3. Agenda
The Basics of Permaculture
12 Design Principles
The Zones
Design Approaches
Permaculture Principles
Putting it all together
4. Why is this webinar About Nature?
Much of this talk uses examples from nature
The goal is to apply these principles and design approaches to your environment
6. What is Permaculture?
Permaculture (permanent agriculture) is the conscious design and maintenance of
agriculturally productive ecosystems which have the diversity, stability, and
resilience of natural ecosystems.
7. The Prime Directive
The only ethical decision is to take responsibility
for our own existence and that of our children
○ Life is cooperative rather than competitive
○ Life forms of very different qualities may interact
beneficially with one another and with their
physical environment
○ Cooperation, not competition, is the very basis of
existing life systems and of future survival
8. The 3 basic ethics
Care of the Earth (The System)
Care of People
Reinvest the Surplus
[Figure: The Basic Ethics of Permaculture, showing three parts: The System, The People, and Reinvest the Surplus. Image Source: www.lushusa.com]
9. The 12 Design Principles of Permaculture
Image Source: http://www.soilandsoul.org.uk
10. Design starts with Observation
Design Principle: IT Security Takeaway
Observe & Interact: By taking time to engage with our systems and teams we can design solutions that suit our particular situation.
Integrate rather than segregate: By putting the right things in the right place, relationships develop between those things and they work together to support each other.
11. Moving from Observation to Design
Design Principle: IT Security Takeaway
Design from patterns to details: We can observe patterns in nature, society and our systems and teams. These can form the backbone of our designs, with the details filled in as we go.
Use slow and small solutions: Small and slow systems are easier to maintain than big ones, making better use of local resources and producing more sustainable outcomes. This also allows us to fail faster and with less financial impact to the business.
Use edges and value the marginal: The interface between things is where the most interesting events take place. These are often the most valuable, diverse and productive elements in the system.
12. Optimize the use of your Resources
Design Principle: IT Security Takeaway
Use and value renewable resources and services: Make the best use of abundance, reduce consumptive behavior and dependence on non-renewable resources.
Produce No Waste: By valuing and making use of all the resources that are available to us, nothing goes to waste.
Catch and Store Energy: By developing systems that collect resources at peak abundance, we can use them in times of need.
13. All Things can be Turned into Positive Resources
Design Principle: IT Security Takeaway
Use and Value Diversity: Diversity reduces vulnerability to a variety of threats and takes advantage of the unique nature of the environment in which it resides.
Apply Self-Regulation and Accept Feedback: Discourage inappropriate activity to ensure that systems can continue to function well.
Creatively use and respond to change: We can have a positive impact on inevitable change by carefully observing, and then intervening at the right time.
Obtain a Yield: Ensure that you are getting truly useful rewards for your work.
15. What are the Zones and How are They Used?
Zones are used to organize design elements on the
basis of the frequency of use or needs.
Zones are numbered 0 to 5
Frequently manipulated or harvested areas of a
design have lower numbers
Develop the nearest area first, get it under control,
and then expand the perimeter
16. What are the Zones and How are They Used?
Zone 0: The house or center from which we work.
Zone 1: Includes elements in the system that require frequent attention, or that need to be visited often.
Zone 2: Includes artifacts that require less frequent maintenance.
Zone 3: Main artifacts are grown here. After establishment, the maintenance required is fairly minimal.
Zone 4: A semi-wild area.
Zone 5: A wilderness area. There is no human intervention in zone 5 apart from observation of natural ecosystems and cycles.
17. Aligning Security Processes and Controls to Zones
Align your controls based on:
○ The number of times you need to visit the control; and
○ The number of times the control needs you to visit it
For example:
Item                   Frequency           Zone
IDS Alerts             25 to 50 per day    1
Malware Alerts         10 per week         2
VPN Logs               1 per day           3
Static Code Analysis   1 deploy per day    3
18. Applying the Zones to Your System
Place components in relation to other components or functions for more efficiency
Every element must be placed so that it serves at least two functions
20. The Problem is the Solution
Everything works both ways; it is how we see things that makes them advantageous or not
Everything is a positive resource; it is up to us to work out how we may use it as such
21. Make the Least Change for the Greatest Possible Effect
For example - When choosing a dam site, select the area where you get the
most water for the least amount of earth moved.
22. Seeking Order Yields Energy
Order and harmony produce energy for other uses
Disorder consumes energy with no useful end
23. Nature is full of Cycles, Learn to Harness them
Cycles are recurring events or phenomena
Every cyclic event increases the opportunity for yield
To increase cycling is to increase yield
Cycles exist in nature; cycles exist in IT
24. Diversity of Components
The number of components in a system does not dictate their function or capacity
Diversity does not guarantee stability or yield
The beneficial connections between these components lead to stability
The number and types of tools, people, systems, and software do not dictate capacity
Positive connections between them do
25. Permitted and Forced Functions
Key elements in a system may supply many functions
Trying to force too many functions on an element makes it collapse
People have a wide variety of skills
They like to use them instead of being forced into a single function
26. Work with nature, rather than against it
We can assist rather than impede natural elements, forces, pressures, processes, agencies and evolutions
“If we throw nature out the window, she comes back in the door with a pitchfork”
-Masanobu Fukuoka
Work to enable people, instead of impeding them
27. Applying Laws and Principles to Design
Life Intervention Principle
In chaos lies opportunity for creative order
Law of Return
Whatever we take, we must return
Our goal as designers
To prevent energy from leaving before the basic needs of the whole system are satisfied, so that growth, reproduction, and maintenance continue in our living components.
28. Proper Placement Principle
If good placement is made, more advantages become obvious
If we start well, other good things naturally follow on as unplanned results
29. Obtaining Exportable Yields
Gain a foothold
Stabilize a small area
Develop a self-reliance
Be flexible in management
○ Steer based on trials
○ Act on new information
○ Continue to observe and adapt
Start with one critical project, get it running well, and then expand to other projects.
Adapt based on new information.
30. Tips for Designing Efficient Programs
Design the program on paper
Start with a nucleus and expand outward
Set priorities based on economic reality
Locate and trade for components
Expand on information and area using controls suited for the site
Break up the job into small, easily achieved, basic stages and complete these one at a time
31. Design Success Relies on People Embracing It
The success of any design comes down to how it is accepted and implemented by the people on the ground
Large, centralized schemes often result in ruins and monuments as opposed to stable, well-maintained ecologies
32. Putting it all together
Every design is an assembly of components.
The first priority is to locate and cost those components
Where resources are scarce, look closely at the site, thinking of everything as a potential resource
The planning stage is critical
First attend to Zones 0-2
Develop very compact systems
34. The First Easy and Accurate Way to Defend Websites Against Malicious Bots
About Distil Networks
35. How the Distil Bot Detection Solution Works
As web traffic passes through Distil, the system
1. Fingerprints each incoming connection and compares it to our Known Violators Database
2. If it’s a new fingerprint, validates the browser to determine if it’s a Bot or Not
3. Based on your preferences, automatically tags, challenges, or blocks the bot
36. How Companies Benefit from Distil
Increase insight & control over human, good bot & bad bot traffic
Block 99.9% of malicious bots without impacting legitimate users
Slash the high tax bots place on internal teams & web infrastructure
Protect data from web scrapers, unauthorized aggregators & hackers
39. Understandings
Everything is of use.
IT is not necessarily needed by people, but it is needed by the life complex of which we are a dependent part.
We cannot order complex functions. They must evolve themselves.
We cannot know a fraction of what exists. We will always be a minor part of the total information system.
42. The Yield of a System is Theoretically Unlimited
The only limit on the number of uses of a resource possible within a system is
in the limit of the information and imagination of the designer.
43. Using Permaculture to Cultivate a Sustainable Security Program