A talk about security strategy, and how we can use data to better understand where to place our resources on the field and manage our portfolio of security controls.
1. Audience manual.
Please:
- Do not try to read all the content
- ‘Skim absorb’ the slides quickly (~3s)
- Refer back to this deck later if useful
- Sit back and enjoy the ride!
8. If we’re making all the right moves, and we’re not winning, we need to change the game.
9. If we’re making all the right moves, and we’re not winning, we need to change the game: understand what the games are, where to play what game, and when.
16. Give up thinking about "Defense" and "Offense" and start thinking about what is being controlled by what, or in other words what thing is being informed or instrumented or manipulated by what other thing.
- Dave Aitel
https://cybersecpolitics.blogspot.com/2017/04/0-12-and-some-duct-tape.html
17. Security is a complex system (controls) operating in a complex system (the business).
21. - Where are we and what are the conditions?
- What are the patterns of play available to us?
- Which do we select and how do we apply them?
- How do we track progress to target and trajectory?
23. Protection vs Investment
Rows: protection (too much / just right / too little); columns: investment (too little / just right / too much).
- Too much protection, too little investment: Impossible.
- Too much protection, just right investment: Find and reduce control friction.
- Too much protection, too much investment: Reduce spend. Find and reduce control friction.
- Just right protection, too little investment: Impossible.
- Just right protection, just right investment: Target.
- Just right protection, too much investment: Deliver efficiency gains to reduce spend.
- Too little protection, too little investment: Build business aligned strategy and efficient operations, then raise spend.
- Too little protection, just right investment: Optimise control design, delivery and operationalisation. Reduce spend.
- Too little protection, too much investment: Solve gaps / failures in strategic and / or operational process.
24. Act to achieve balance
- Understand adversary opportunity in it
- Understand activity across it
- Understand the terrain
28.
29. Factors:
- System entropy and / or complexity
- Operating constraints
- Culture of operations
- Target capex / opex ratio
- Capacity to absorb change
- Delivery capability
30. Change.
36. Act to achieve balance
- Understand adversary opportunity in it
- Understand activity across it
- Understand the terrain
What will define our success here?
48. “Data captures. Information tables. Knowledge graphs. Understanding maps. Wisdom filters. And if that's right … if traditionally defenders think in tables and attackers think in graphs, then the future is owned by cartographers who can navigate maps, and refine [paths through] them by filtering to reach worthy destinations.”
- @dantiumpro
49. A visual metaphor for filtering paths through a graph to reach worthy destinations, using a map.
61. Act to achieve balance
- Understand adversary opportunity in it
- Understand activity across it
- Understand the terrain
change in < change in < change in <
67. “Only a crisis - actual or perceived - produces real change. When that crisis occurs, the actions that are taken depend on the ideas that are lying around. That, I believe, is our basic function: to develop alternatives to existing policies, to keep them alive and available until the politically impossible becomes the politically inevitable.”
- Milton Friedman
https://en.wikiquote.org/wiki/Milton_Friedman
71. "Like any part of the world we might provisionally mark off ... people and things will move through it in a patterned way. We can take advantage of that flow, in some instances riding its energy. The world doesn't consist of solid things, but flows of forces, or shifting configurations of shih."
73. "Shih exists only moment to moment. But one can learn to recognise it ... as someone with a good eye knows which way water will flow through a range of hills, just from seeing the form of a valley and its surrounding spurs and ridges. Then we can determine where to place a dam in this landscape - seeing the simple and easy thing that changes the whole configuration."
75. "Shih is the power inherent in configuration; it does not rely solely on powerful components. The node is the small juncture between the sections of bamboo. It indicates the abrupt moment at which something occurs. It must be short: its target is always in motion. The power of shih comes from combining these two elements. When you pull the trigger of a crossbow, its gradually accumulated energy is released all at once, in a spot."
76. If we’re prepared, we can act quickly, without waiting for (or causing) chaos.
99. How can we reason through available patterns, which to select and how to apply them?
100. How can we present that model and make it easily grokable for our colleagues?
101. Threat actor vs motivation
Motivations (columns): Financial Gain, Subversion, Espionage, Destruction.
Threat actors (rows):
- Nation State
- Organised Crime
- Hacker / hacktivist
- Script Kiddie
- Non-technical insider
102. Threat actors
- Nation State: advanced tools and tactics, only available to government agencies.
- Organised Crime: ecosystem of commoditized services for business compromise, access to systems, data exfil, etc.
- Hacker / Hacktivist: capable individuals or groups who operate using skills, experience and free / paid tools.
- Script Kiddie: widely known tactics freely available online and easy to try out.
- Non-technical insider: anyone who knows how to use the delete button on a file.
Triangle indicates threat actor population size (not to scale).
103. Attack surfaces, from furthest to closest to vital assets:
- External Internet: available to anyone with an internet connection. NB: This start point should be furthest away from a vital asset. It is also where the greatest number of threat actors can reach us.
- External Social: phone, email, down the pub.
- External Physical: available to anyone who can get to a site we own.
- Internal Physical, Internal Social, Internal Cyber: once you’re inside our sites these surfaces are open to you. Internal Cyber is the attack surface for the ‘standard user’.
- Internal Privileged: should only be admins and VIPs. NB: This start point will be closest to vital assets. Ideally it has the least number of actors to contend with and is the most tightly controlled.
- 3rd party?
109. Attack game space and target game space (thanks to @sounilyu for this framework)
Attack game space:
- Vector: paths to reach the target
- Exploit: means to compromise it
Target game space:
- Attack surface: exposed weaknesses
- Vulnerability: weaknesses the exploit can use
On change:
- Change is rare / Change is frequent
- Change collapses controls / Change degrades controls
- Change needs operational or tactical response to close gaps or address failures
Responses: Constrain, Reduce, Fix.
112. Constrain, Reduce, Fix (thanks to @sounilyu for this framework)
Attack game space: Vector (paths to reach target), Exploit (means to compromise target).
Target game space: Attack Surface (exposed weaknesses), Vuln (weaknesses the exploit can use).
Change rare / change frequent.
Defense stack: Access, Data, Apps, Device, Network across Identify, Protect, Detect, Respond, Recover.
113. Identify, Protect, Detect, Respond, Recover across Access, Data, Apps, Device, Network, mapped against the attack surfaces (External Internet, External Social, External Physical, Internal Physical, Internal Social, Internal Cyber, Internal Privileged, 3rd party?) and the game space elements (Vector, Exploit, Attack Surface, Vuln).
138.
- Alerts going into an inbox; no one knows where they’re from.
- Alerts going into a SIEM; no one knows where they’re from.
- We built a data lake on open source.
- Niche analytics vendor sits on top of your SIEM; it’s useless.
- Come and join our hunt team!
- An ML anomaly detection ‘solution’ generating 1000s of alerts.
139. Axes: how different a threat actor looks to ‘normal’ vs threat actor adaptability. Roles: Hunter, Analyst, Operator.
140. Same axes. Roles: Hunter, Analyst, Operator. Tools: Graphs, Tables, Lists.
142. Graphs but ... partial context from the bottom up, that struggles to connect top down.
143. Inability to get complete enough representations that communicate strategic deficiency and effect improvement.
165. Did we detect it? vs Did we respond to it?
- Detected (Yes): “Turned the noise down; didn’t have time”; “It looked innocuous, we’ve done ‘x’ 1000 times”.
- Not detected (No): “Vendor won’t share their detection logic”; “No obvious pipeline failure”.
Columns: did we respond to it? No / Yes.
173. In 2013, John Allspaw (then the CTO of Etsy) wrote a blog post on ‘Owning Attention’.
174. "What I’m interested in is not how software can be used to detect anomalies automatically, (well, I’m interested, but I don’t doubt that we all will continue to get better at it) … it is how people navigate this boundary between themselves and the machines they work with. The boundary between humans and machines, as we observe our use of tools, is a focus in and of itself. If we have any hope of making progress in monitoring complex systems, we must take this boundary into account."
https://www.kitchensoap.com/2013/07/22/owning-attention-considerations-for-alert-design/
178. Give up thinking about "Defense" and "Offense" and start thinking about what is being controlled by what, or in other words what thing is being informed or instrumented or manipulated by what other thing.
https://cybersecpolitics.blogspot.com/2017/04/0-12-and-some-duct-tape.html
179. Lots of tables joined together is a leading indicator you’re entering a strategic problem space.
180. Axes: how different a threat actor looks to ‘normal’ vs threat actor adaptability. Tools: Lists, Tables, Graphs. Operational layer, strategic problem.
181. As we enter strategic problem spaces, we need to think how we use signals, and apply them to populations.
185.
- Knowing what to EXPECT: Anticipation
- Knowing what to LOOK FOR: Monitoring
- Knowing what to DO: Response
- Knowing what has HAPPENED: Learning
https://www.kitchensoap.com/2012/06/18/resilience-engineering-part-ii-lenses/
Recognition
186.
- What you can COLLECT: Sensors
- What you can RECOGNISE: Analytics
- What you can JOIN UP: Orchestrators
- What you can INTERPRET: Actuators
187. What problem space are we in, what signals are likely available, how do we partner with them?
190. Signal strength (strong / weak) vs signal density (sparse / dense). Quadrants: Bounded, Unbounded, Unbounded, Wicked.
- Bounded: field of uncertainty with limited scope, the details of which can be reduced over time to a boundary of relative certainty.
- Wicked: no set formulae or chance to learn by trial and error, and no way to know your solution is definitive as it can’t be true or false, just good or bad.
- Unbounded: defy easy restriction and do not easily converge to a boundary of certainty (even with great effort.)
195. Signals
- The things they connect
- The relationships they suggest
- The answers we can get
- How we think about using those
- The tools we need
197. https://www.kitchensoap.com/2013/07/22/owning-attention-considerations-for-alert-design/
"What if we viewed alerting systems as a partner? What does the world look like if we designed alerting systems to cooperate with us? If trust in alerting systems is such a big deal, as it is with the GPWS and alert numbness, what can we learn from how humans learn to trust each other, and let that influence our design decisions? In other words: how can we design alerts that support our efforts to confirm their legitimacy, or our expectations when an alert will fire?"
198. Visibility vs Recognition
Rows: visibility (too much / just right / too little); columns: recognition (too little / just right / too much).
- Too much visibility, too little recognition: Stop centralising so much data. Question your collection criteria. Look at filtering.
- Too much visibility, just right recognition: Optimise what you’re collecting. You have more visibility than you need / can handle.
- Too much visibility, too much recognition: Probably too many default alerts, paying too much for data centralisation. Pare things back.
- Just right visibility, too little recognition: Optimise recognition for malicious, informational, etc.
- Just right visibility, just right recognition: Just right.
- Just right visibility, too much recognition: Tune out recognition based on user need / available resources.
- Too little visibility, too little recognition: Get the right data for priority problem sets and ramp up recognition.
- Too little visibility, just right recognition: Get clarity on why alerts are firing, or optimise your triage workflow.
- Too little visibility, too much recognition: Reconsider your choice of vendor or the way you’ve integrated things.
203. Recognition problem: <blah>
- Data sources: 1 2 1 3 2 4 4 5 2 6
- Analytics steps to solve: 1 2 3 4 5
- Type of analytic: Streaming, Needle / Haystack, Sort, Filter, Anomaly, Search
- Platform features:
  - Platform 1: Feature A, Feature B, Feature C
  - Platform 2: Feature B, Feature C, Feature D
  - Platform 3: Feature B, Feature D, Feature E
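Slide 203 sketches the decomposition without working it through. The following added Python example (not from the deck) models a recognition problem as analytics steps with data sources, analytic type and feature needs, then computes which platform can run which step and the smallest platform set that covers all of them; the step names, the pairing of data sources to steps and the feature needs are constructed assumptions, while the analytic types and platform feature lists follow the slide.

```python
from dataclasses import dataclass
from itertools import combinations

# "Type of analytic" as named on slide 203.
ANALYTIC_TYPES = {"streaming", "needle/haystack", "sort", "filter", "anomaly", "search"}

@dataclass(frozen=True)
class AnalyticStep:
    name: str
    analytic_type: str       # one of ANALYTIC_TYPES
    data_sources: frozenset  # data sources the step reads
    features: frozenset      # platform features the step needs

    def __post_init__(self):
        if self.analytic_type not in ANALYTIC_TYPES:
            raise ValueError(f"unknown analytic type: {self.analytic_type}")

# Constructed problem: five steps, each reading two data sources (the slide's
# "1 2 1 3 2 4 4 5 2 6" read as pairs); the feature needs are assumed.
PROBLEM = [
    AnalyticStep("1 ingest", "streaming", frozenset({1, 2}), frozenset("A")),
    AnalyticStep("2 filter", "filter", frozenset({1, 3}), frozenset("B")),
    AnalyticStep("3 baseline", "anomaly", frozenset({2, 4}), frozenset("BC")),
    AnalyticStep("4 search", "search", frozenset({4, 5}), frozenset("BD")),
    AnalyticStep("5 triage", "sort", frozenset({2, 6}), frozenset("E")),
]
# Platform feature lists as drawn on the slide.
PLATFORMS = {"Platform 1": frozenset("ABC"),
             "Platform 2": frozenset("BCD"),
             "Platform 3": frozenset("BDE")}

def required_features(steps):
    return frozenset().union(*(s.features for s in steps))

def data_sources(steps):
    return frozenset().union(*(s.data_sources for s in steps))

def step_coverage(steps, platforms):
    """Per platform: the steps it can run alone, and the required features it lacks."""
    needed = required_features(steps)
    return {name: {"steps": [s.name for s in steps if s.features <= feats],
                   "missing": sorted(needed - feats)}
            for name, feats in platforms.items()}

def smallest_platform_set(steps, platforms):
    """Fewest platforms such that every step runs entirely on one of them (exhaustive)."""
    for k in range(1, len(platforms) + 1):
        for combo in combinations(sorted(platforms), k):
            if all(any(s.features <= platforms[p] for p in combo) for s in steps):
                return set(combo)
    return None
```

For the constructed problem no single platform covers every step; Platform 1 plus Platform 3 is the smallest set that does, and the "missing" lists show what each platform would have to add to stand alone.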
205. Understand:
- Adversary opportunity within it: attack game space (Vector: paths to reach target; Exploit: means to compromise target) and target game space (Attack Surface: exposed weaknesses; Vuln: weaknesses the exploit can use)
- Movement across it
- The terrain: Identify, Protect, Detect, Respond, Recover
207. As slide 205, with: Achieve balance; Aggregate, Divide, Filter.
219. Points of evidence. Node types in the picture: Asset, Point of Evidence, Control 1, Identify, Fact 1, Assumption 1, Statement of adversary opportunity, FAIR analysis, Advisory, Pattern 1, Biz, tech and project context, Project / Story.
220. How do I bring our team around a living picture of our terrain, activity across it, and adversary opportunity within it - so that we have shared context to think through questions like:
- Where are we and what are the conditions?
- What are the patterns of play available to us?
- Which do we select and how do we apply them?
- How do we track progress to target and trajectory?
221. How do I present ‘the facts’ my colleagues need to make the best possible judgement call based on available data (i.e. to accept risk, mitigate risk, get more data), while also exposing ‘how we should think about this problem’ by putting facts in the context of relevant frameworks? Oh, and do so in a way that speaks to their horizon, accountability and concerns.
223. "Strategy is all about observing the landscape, understanding how it is changing and using what resources you have to maximise your chances of success."
- Simon Wardley
225. Tools to reason through higher order problems, so we can make wise trade offs.
226. Frameworks side by side
Columns: @SWardley’s two whys | Sun Tzu’s five factors | Boyd’s OODA | @SounilYu’s defense stack | @DantiumPro’s progression | @CxOSidekick’s question list
- Why of movement | Landscape | Observe | Sensors | Knowledge Graphs | Where are we, and what are the conditions?
- | Climate, Doctrine | Orient | Analytics | Understanding Maps | What are the patterns of play available to us?
- | Leadership | Decide | Orchestrators | Wisdom Filters | Which do we select and how do we apply them?
- Why of mission | Purpose | Act | Actuators | Data Captures and information tables | How do we track progress to target and trajectory?