The Rising Tide Raises All Boats: The Advancement of Science of Cybersecurity


Keynote at the Empirical Software Engineering and Measurement (ESEM) conference in Beijing in October 2015

Published in: Software

  1. The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity. Laurie Williams, North Carolina State University. https://alisonhinksyoga.wordpress.com/2013/09/09/a-rising-tide-lifts-all-boats/
  2. My Intentions: You Leave Here With …
     — Greater awareness of a scientific software security research agenda
     — A greater understanding of techniques for collaboratively doing large-scale research
     — Some new thoughts about doing more scientific-ish and less engineering-ish research
     — Even … reflecting on some things about life in general
  3. It’s been quite the year already. ZDNet: http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/3/
  4. Top 3. BAD STUFF ALERT! http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/3/
  5. Why the Science of Security?
     — “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day) http://www.blazingcatfur.ca/wp-content/uploads/2015/06/logo_ouch-620x443.png
  6. Carnegie Mellon, NC State, University of Illinois at Urbana-Champaign. 2010 Release. http://www.leftlion.co.uk/articles.cfm/title/the-three-musketeers/id/1539
  7. University of Maryland. 2014 Re-release. http://www.dailymail.co.uk/tvshowbiz/article-1085791/Free-DVD-The-Four-Musketeers-todays-Mail-Sunday.html
  8. The three missions of the Science of Security Lablets
     — “Solve” hard security problems through the application of scientific research
     — Advance research methods in the context of cybersecurity to build a sound science of security
     — Build a science of security community
  9. The evolution of my journey as a researcher
  10. Seven lessons
     — Stand on the shoulders of giants.
     — Through focus, progress is made.
     — Through diversity of opinion, creativity and unity is born.
     — It’s so easy to fall back to “engineering-ish” research.
     — Those humans cannot be abstracted away.
     — Hard questions lead to great(er) insight.
     — Through collaboration and unity, we can change on a larger scale.
  11. Lesson 1: Stand on the shoulders of giants. (Roadmap: ESE | Giants | Focus | Diversity | Engineering | Humans | Questions | Collaborate) https://www.linkedin.com/pulse/standing-shoulders-giants-6-apis-instant-saas-success-nick-boucart
  12. Remind me: What’s the actual problem?
     — “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.” (NSA BAA Industry Day) http://thebsblog.com/2015/10/09/oops-wrong-diagnosis/#prettyPhoto/0/
  13. ESE Intervention: “OK” Research Results → Intervention → “Much better” Research Results. Why do we need “much better”?
     — More credible, convincing, substantiated
     — More impact (other researchers, the practice of software engineering/practitioners/real people!)
     — Enable meta-analysis, combining of results, theory/law building
  14. Books
  15. Guidelines
  16. Meetings
  17. International Software Engineering Research Network (ISERN)
  18. Journal 5-year impact factors for 2014
  19. Education
  20. Conference. http://www.infocomrade.com/wp-content/uploads/2011/04/beijing-great-wall.jpg
  21. ESE Intervention: “OK” Research Results → Intervention (Books, Guidelines, Meetings, Journal, Education, Conference) → “Much better” Research Results. http://www.deogloria.org/standing-on-the-shoulders-of-giants/
  22. Mary Shaw (ICSE 2002 data): Types of software engineering research validation. Shaw, M., “Writing Good Software Engineering Papers,” Proceedings of the 25th International Conference on Software Engineering, IEEE Computer Society, 2003, pp. 726-736.
  23. Success of Intervention?
     — A quasi-experiment on the intervention
     — Top 4 journals (TSE, IST, JSS, ESE)
     — 1992-2002 versus 2006-2010
     — Result: Paper quality significantly associated with year
     Kitchenham, B., Sjoberg, D., Dyba, T., Brereton, P., Budgen, D., Host, M., Runeson, P., “Trends in the Quality of Human-Centric Software Engineering Experiments – A Quasi-Experiment,” IEEE Transactions on Software Engineering, Vol. 39, Issue 7, pp. 1002-1017, July 2013.
  24. http://tinypic.com/view.php?pic=x1a989&s=5#.ViWXMdYyDdk
  25. Science of Security Copycats
     — Guidelines
     — Seminars
     — Research plan reviews
     — Workshops
     — Conference (HotSoS)
     — IRN-SoS
  26. The Rising Tide: Leading by Example. Jeff Carver, University of Alabama. http://www.themunicheye.com/news/The-Science-Behind-Superman-3057
  27. http://www.themunicheye.com/news/The-Science-Behind-Superman-3057
  28. Lesson 2: Through focus, progress is made. Thing 1, Thing 2, Thing 3, Thing 4, Thing 5, Thing 6, Thing 7, Thing 8. Do This! DON’T DO THIS! You wouldn’t do it anyway.
  29. Hard Problem 1: Scalability and Composability. Challenge: Develop methods to enable the construction of secure systems with known security properties. http://itnewscast.com/book/export/html/62241
  30. Hard Problem 2: Policy-Governed Secure Collaboration. Challenge: Develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains.
  31. Hard Problem 3: Predictive Security Metrics. Challenge: Develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.
  32. Hard Problem 4: Resilient Architectures. Challenge: Develop means to design and analyze system architectures that deliver required service in the face of compromised components. http://thecybersaviours.com/intrusion-detection-
  33. Hard Problem 5: Human Behavior. Challenge: Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties. http://1000awesomethings.com/2011/02/23/302-grandma-hair/ and http://garysreflections.blogspot.com/2011/02/chinese-hackers-now-hitting-major.html http://www.my-programming.com/2011/10/how-to-become-a-programmer/ http://www.govconexecutive.com/2011/02/executive-spotlight-joseph-cormier-of-gtec/
  34. Science of Security Focus: 1. Scalability and composability; 2. Policy-governed secure collaboration; 3. Encryption algorithms; 4. Predictive security metrics; 5. Intrusion detection; 6. Resilient architectures; 7. Human behavior. Do This! DON’T DO THIS! http://lorettalovehuffblog.com/
  35. Lesson 3: Through diversity of opinion, creativity and unity is born. https://www.reddit.com/r/pics/comments/1aw3f3/pathway/; http://www.bbc.co.uk/bristol/content/image_galleries/tunnel_gallery.shtml http://www.thomthom.net/gallery/everything/tunnel-vision/ http://davemeehan.com/cycling/ojos-negros-tunnel-vision
  36. Carnegie Mellon, NC State, University of Illinois at Urbana-Champaign. http://www.leftlion.co.uk/articles.cfm/title/the-three-musketeers/id/1539
  37. Pair Programming. http://www.ideachampions.com/weblogs/collaboration.png
  38. Lesson 4: It’s so easy to fall back to “engineering-ish” research. http://user47329.vs.easily.co.uk/wp-content/uploads/2014/08/Science-v-Engineering-Wordpress3.jpg
  39. May be just a “subtle change”. Can you tell me WHY yours should be better? http://www.pxleyes.com/photoshop-contest/20606/makeover.html
  40. Principles, Theories, Laws, Hypotheses … Science. “… nagging perception that too much of the research is opportunistic …” http://memegenerator.net/instance/59256035
  41. Lesson 5: Those humans cannot be abstracted away. https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/
  42. https://xkcd.com/538/
  43. https://www.iii.com/sites/default/files/imce/Elizabeth_Image_for_Blog_July_2015.png
  44. Lesson 6: Harder questions lead to great(er) insight. “The quality of your answers is in direct proportion to the quality of your questions.” -- Albert Einstein
  45. Those “pesky” and ever-present hard questions
     — Where’s the science?
     — How are you doing at solving those hard problems?
     — Can you show that the lablet is achieving its outcomes?
     http://www.findmemes.com/eye-roll-memes
  46. Lesson 7: Through collaboration and unity, we can change on a larger scale. https://bizpsycho.files.wordpress.com/2015/05/colored_puzzle_connection_1600_wht_9893.png
  47. Competition-free zone. https://scottmccown.wordpress.com/category/
  48. Science of Security Lablets. Lablet (4): NCSU, UIUC, CMU, UMD. National Security Agency (NSA).
  49. Science of Security Lablets & Sub-Lablets. Lablet (4): NCSU, UIUC, CMU, UMD; National Security Agency (NSA). Sub-Lablet (26): UNL, CU, DC, PENN, PITT, NAVY, UVA, GWU, RICE, UTSA, UTA, UA, UNCC, VT, USC, UC, UC BERKELEY, ICSI, IU, IIT, PU, WSU, GMU, UNC, RIT, NEWCASTLE (UK).
  50. Science of Security Lablets, Sub-Lablets, and Collaborators. Lablet (4); National Security Agency; Sub-Lablet (26); Collaborator (64); SURE (4). Institutions shown: NDSU, UNL, CU, RSA, CCT, DC, BC, SC, MITLL, POTSDAM, MIT, SIEMENS, RUTGERS, AT&T, PENN, ARL, PSU, PITT, NAVY, UVA, GWU, HPHC, NLM-NIH, NU, UMICH, VERISIGN, RPI, UALBANY, UCF, RICE, UTSA, UTA, TX A&M, UA, AUBURN, GT, UNCC, NCSU, VU, VT, UNM, AFRL, USC, UC, LLNL, HP, SU, FUJITSU, GOOGLE, UC BERKELEY, ICSI, SYMANTEC, L&C, UW, INL, UIUC, IU, IIT, UW-MADISON, NWU, PU, WSU, CMU, GMU, UNC, UMD, UH MANOA, PC, RIT, NSA, NEWCASTLE (UK).
  51. Science of Security International Sub-Lablets and Collaborators. Sub-Lablet (26); Collaborator (64). Institutions shown: UOFW, UVIC, IMDEA, NOVA, UP, UPV, EPFL, USI, UWAR, LEEDS, LU, KENT, OXFORD, NEWCASTLE (UK), UDS, JWGU, MPI-SWS, UiO, KTH, IUT, THU, BUAA, SMU, UNIMELB, ANU, VUW, ULISBOA.
  52. Agile Manifesto authors: It is in their collaboration and cooperation that they revolutionized the software industry. We need to work together to beat the attackers!
  53. Seven lessons
     — Stand on the shoulders of giants.
     — Through focus, progress is made.
     — Through diversity of opinion, creativity and unity is born.
     — It’s so easy to fall back to “engineering-ish” research.
     — Those humans cannot be abstracted away.
     — Hard questions lead to great(er) insight.
     — Through collaboration and unity, we can change on a larger scale.
  54. Continuing my journey. mariaguedeslisboa.clix.pt
  55. My Intentions: Security, Collaborative Research, Science, Life
