2013 09 11_business adaptation
Business Adaptation and Natural Security Systems talk given at GRRCon September 11, 2013

Speaker notes
  • That’s right, the catalog. I want to thank Chris and Jeff and everyone else involved in this great con for their organizational efforts and for inviting me to come to GRRCon to speak.
  • My first boss in IT was Dr. Peter Tippett. In 1992, my senior year at Case Western Reserve University in Cleveland, OH, I was introduced to Dr. Tippett, who mentored me on my senior project on anti-virus technology. Lots of assembly language, which 21 years later is almost as foreign to me as Latin. After I graduated I worked briefly for his company Certus International prior to the Symantec acquisition. I’ve obtained 30+ “certifications” in my career, both vendor and non-vendor. All of which I believe have expired. I recertified my GSEC 3 times and taught it twice. I don’t have to recertify my bachelor’s degree, so I’m basically done with certifications. I work with business risk. My day job entails trend and adversary analysis, security intelligence, and business systems and impact analysis, so forgive me if I come off jaded and cynical. But I am.
  • But it should
  • I feel disclaimer B needs a little more attention. My talks can get a little esoteric, and sometimes I feel like by not presenting the latest 0-day technical discovery at a security con I’m the equivalent of a political comedian playing to a crowd that came to hear penis jokes. I still pop boxes and it’s still fun. I was a pretty good perl jockey in the 90s, but business strategy trumps scripting. This is my “WTF are you actually talking about” question. I’ll repeat it: natural security systems. Stay with me, it’s pretty cool.
  • We’re going to go on a short field trip. These next few slides are from an earlier talk I gave at BSides Cleveland and DerbyCon 2012, but they set the stage for the current-state security problems all of our collective organizations face and need to adapt to. Does anyone know what this date represents? WWII was the last “clean conflict” the U.S. engaged in.
  • We have a long and unprecedented history of engaging in “unclean conflicts”.
  • Oh, there’s this potential hornet’s nest today as we speak, and their “hacking” subsidiary, the SEA. It’s a brave new world, kids.
  • The day the Soviet Union fell. There are, perhaps, a couple/few ramifications from this global event, but …
  • What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small-scale unofficial conflicts, espionage and/or terrorism? Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure. WTF?
  • So, the first main point in the first part of this talk is: Cold War DNA filters into business DNA and yields global arrogance.
  • Meanwhile, why would the rest of our competition and adversaries actually care how we think they should run their businesses?
  • This is one of my favorite terms. It illustrates so much of our collective current business mentality in two words. So elegant. 2nd point: organizations are like organisms and have the same need to learn and adapt to new situations.
  • 99.9% of today’s organizations are not learning and adapting. Meanwhile there’s a lot of alternative and malicious activity occurring daily
  • A. J. P. Taylor was a British historian. Physical unclean conflicts have obviously moved into our realm.
  • I believe we all at least recognize the media’s role in the last several years in publicizing the fact that we’re losing quite a bit of our intellectual property. Our infosec and business publications are overwhelmed with the latest buzzwords, and the vendors are touting their latest “solutions” to the buzzwords. Buying more blinky lights is more or less the norm. We have a new business model pushing the “hackback” mentality. Now the US and other countries are reactively trying to legislate controls in an effort to “mitigate” everything we as leading nations have completely ignored due to our collective organizational entropy and arrogance. Irony: Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”. The bottom line is this: if you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the national, as well as global, economy as a whole, you have completely missed what was wrong to begin with. #FAIL
  • I want to take a slide to simply perhaps reiterate what role infosec has in business. And in order to successfully accomplish these tasks we need to at the very least understand the following. Show of hands: who in your current role in InfoSec is communicated with by your business leaders? Who knows what your organization’s business critical data is? Who knows where your organization’s business critical data lives? Anyone care to chime in on who might want to steal your data?
  • Most organizations are still looking for the least expensive, most effective “controls” to prevent BYOD threats, APT, Cyber<insert here> and whatever Gartner and Mandiant have determined are the most interesting threats to your business. I might as well say something about The Art of War and Paradigm Shifts so I can at least finish this talk drunk but happy. <read second point> Sagarin gives a great analogy to infosec: a species of jumping spider mimics the olfactory signal of an ant colony, moves around unnoticed and simulates the behavior intended to communicate a transfer of larvae, getting an easy free meal. What do we call that? Social engineering. The evolution of antibiotic-resistant bacteria and viruses is paralleled by the overuse of antivirus for malware mitigation, leading to the adaptation of malware that is virtually AV resistant.
  • <read> Especially with policy dictating society, that is completely backwards. Society needs to dictate policy, not the other way around. But this talk is on business; that’s an entirely different talk. And since this is completely unnatural, and basically driven by power, greed and profit, naturally it is failing.
  • While Brenner’s book is more a source for security product vendor FUD, this quote is exceptionally relevant to the business adaptation argument, as learning is an essential variable to adapting. Design your systems to assume the breach.
  • The 2013 DBIR doesn’t mention anything related to undetection percentages, which was probably wise. Many stats suck. Richard Bejtlich said it best when he tweeted out a couple of years ago, “Identity is the new corporate perimeter.” Adding more or improving existing systems is not adapting. “Adaptation arises from leaving (or being forced from) your comfort zone.” This last point is key to the next half of this talk. If you’re in infosec you need to read this book. I got turned on to this book by some punk named Nickerson on the Exotic Liability podcast. I was intrigued in that it shared similar concepts to James Surowiecki’s Wisdom of Crowds and Steven Johnson’s Emergence, which I have previously applied to infosec. Anyone read Wisdom of Crowds? Scorpion and Iowa Electronic Markets (not for profit) example. The rest of this talk is going to be me trying to show why this guy’s work matters to infosec specifically and business generically.
  • So Sagarin talks about the benefits of decentralized and distributed systems: Multiple sensors have greater chances of identifying unusual change and additional opportunities. Does anyone here have multiple resources in your organization? Distributed sensors see the environment for what it "is" rather than what it "should" be according to some preconceived notion. Specialized tasks save energy and allow resources to get assigned to important tasks. Expertise and accuracy are unrelated. Diversity is crucial to collectively wise decisions.
  • Essentially, nobody can survive on their own. All organisms are constrained in their adaptability at some point, and symbiotic relationships allow us to extend our inherent adaptive capacity to exploit new resources and environments or adapt to their own environment as it changes. 3 types of symbiosis: mutualistic, commensal, parasitic. Symbiosis is everywhere in nature and the relationships are incredibly complex. I had several clients over a period of time ask me what my other clients were doing to address problem X. I decided to put them together quarterly.
  • So what are the key strategies for obtaining natural security states? Learning is key to adaptive survival, not just for an individual but for generational survival. I’ve touched upon decentralized systems already. In nature there is no room for directives; multiple informational systems adapt quicker. Redundancy should be obvious. There is no place in nature for sitting on your laurels; in order to adapt you need to keep up with the competition. Uncertainty/unpredictability is about increasing attacker costs, delaying their operation and increasing their potential for error. Hi. Social Engineering. But these strategies can still fail, because the simplest rule of nature is no organism can do it alone.
  • I’ve been talking about natural state security systems, but what does that mean? Should we just leave shit alone and not worry about our current threat landscape? Should we focus on building artificial barriers to thwart the threats to our organizations? No, we have options. Sagarin talks about how nature has provided mangrove forests and wetlands to protect from storm surges, etc. Recently several state governments have recognized these controls and have begun building them back up after clear failures of static, manmade security controls. We have our userspace. Dave Kennedy talks about the organizational benefits of having hundreds of human sensors through security awareness. The anti-awareness argument: just because a control isn't perfect isn't a reason to ignore it outright. Not having all the data is no reason not to look to adapt. The human race has gotten this far; can’t we just rely on our inherent adaptability?
  • We as a species are apparently really good at individual adaption under duress, yet we suck at institutional adaption under the constraints of modern day life, since it is “comfortable”. Remember: adaptation occurs when you leave your comfort zone. This is one of the primary reasons our business infrastructure does not adapt well to changing environments like our Internet’s Unclean Conflicts. Most of our business culture is comfy in its own zone of revenue generation and profit sharing.
  • Information usage and sharing in nature is a vital variable for adaptation. Using information in survival situations can either create or reduce uncertainty. Hmmm. That sounds very much like some of the strategies infosec employs: unpredictability is about increasing attacker costs, delaying their operation and increasing their potential for error.
  • Here’s the third major takeaway: Competition and Cooperation. Individual competition can lead to group cooperation. This then increases the effectiveness of the group. As individuals begin to form social groups, the better they cooperate with each other, the more effective they are at competing with other social groups. All of this competition-sparked cooperation is a vital aspect of any organization’s ability to adapt and survive. Does anyone here work for an organization that promotes this type of competition/cooperation internally to further their innovations? The important features of cooperative networks are that they emerge naturally (not mandated) and they are designed to solve specific problems, not solve world peace.
  • Orders assume there is one solution to a problem. A challenge assumes there are many potential solutions; the more people involved, the more likely we are to find a really outstanding solution. Monetary incentives are always good; symbiosis can arise from competition as well as from different entities realizing they can solve problems better together (Iowa Electronic Markets). Learning from failure (typical consultant’s advice) is wrong and may result in a single solution for a single problem.
  • Let’s sum up and figure out how we actually got here. Hey everybody, look! A challenge!
  • Guess what? We all have work to do
Slides

    1. Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts. Rockie Brockway, Security Practice Director, Black Box Network Services, @rockiebrockway
    2. Credentials
    3. Disclaimer A: Nothing I say represents past, current or future employers
    4. Disclaimer B: Not a box popper talk. Not a cool tool talk. Dabbles in generic politics. Arguments are expected. Focused on natural security systems
    5. June 5, 1942: Bulgaria, Romania, Hungary
    6. Unclean Conflicts: Korea, Lebanon, Dominican Republic, Vietnam, Iran, Grenada, Beirut, Libya, Panama, Iraq I, Sierra Leone, Bosnia/Herzegovina, Somalia, Haiti, Afghanistan, Sudan, Serbia, Iraq II, Pakistan, Yemen
    7. Syria (Syrian Electronic Army)
    8. December 25, 1991
    9. What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small scale unofficial conflicts, espionage and/or terrorism? Post-Cold War Mindset: No nation was a credible threat to the U.S. anymore. Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure. What Happened?
    10. Theory A: This mindset of the post Cold War environment naturally filtered into the DNA of our own industrial and corporate business culture: our business leaders, and perhaps to a certain extent our innovators, began thinking the same way. Our corporations have been trying to define how the rest of the world conducts business in the same way we as a country try to tell the rest of the world how to act and run themselves
    11. The Rest of the World: Why spend billions of dollars developing technology when you can purchase stolen technology (or steal it) for a few million dollars?* (*Corman/Etue RSA talk)
    12. Organizational Entropy (the natural result of assuming you are smarter than your adversaries)
    13. <FUD> Insert standard sky-is-falling breach statistic slide here </FUD>
    14. “No matter what political reasons are given for war, the underlying reason is always economic.” - A. J. P. Taylor
    15. Organization/Business Reaction? Irony: Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”. Buy more blinky lights (apologies to our sponsors). Hackback. Legislation (SOPA (thank you reddit), CISPA). If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL
    16. InfoSec’s Role: Prevent the loss of business critical data. Protect the Brand. Promote Innovation. InfoSec’s Problems (show of hands?): What is the organization’s business critical data? Who else might find value in that data? Where does that data actually live? What are the business initiatives and goals?
    17. The Problem with Walls: So given the previous slide’s data, what is commonplace throughout most organizations? < cheap “fixes”. Dikes, levees, firewalls: all examples of static security incident reactions intended to protect against naturally dynamic threats. That eventually fail.
    18. The Unnatural State: We have defined an environment right now where greed and policy are reactively dictating business and society. Organizational learning and adaptation is stagnant at best. The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window exists for our adversaries to catch up and surpass us.
    19. “Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time.” - Joel Brenner, America the Vulnerable
    20. Adaptability: 2012 DBIR states that 92% of breaches went undetected (estimates, unclear of sources). Better detection may not be the right answer. Adding more or improving existing systems is not adapting. Learning from the Octopus, Rafe Sagarin: Adaptation arises from leaving (or being forced from) your comfort zone. Firewalls? AV?
    21. Adaptability (Sagarin): The benefits of Decentralized and Distributed organizational systems: Multiple sensors. No preconceived notions. Specialized tasks. Adaptable #Success requires: A challenge. Available resources. Information filtering and prioritization
    22. Symbiosis: A working relationship between organisms. Mutualistic - both parties benefit. Commensal - one party benefits, one is not affected. Parasitic - one party benefits, one suffers. Symbiosis creates reactions that are more than just the sum of two organisms working together: emergent properties that both transform the organism and transform the environment around the organism
    23. Natural Security Strategies for Organisms (and Organizations): 1) An organism needs to learn within its own lifetime and across generations (learning is key to adapting). 2) An organism needs a decentralized organizational system. 3) It needs redundant features. 4) It needs to keep running just to keep up (like with your competition). 5) It needs to reduce uncertainty for itself and create uncertainty for its adversaries. 6) If human, it needs to understand human behavior
    24. The Only Options? But either leaving things in their natural state or building artificial barriers can’t be our only options. How can we build more natural and living security systems? But aren’t we humans exceptionally adaptable?
    25. The Big Contradiction: But we humans are quite adaptable. How can we as amazingly adaptable individual organisms have created systems and institutions so nonadaptable? Organizations, like all other systems, are built on synergistic cooperative arrangements that tend to be self-regulating, not static. Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation, and then we once again show our amazing adaptability. Business as usual
    26. The Challenge: How do we design systems within organizations that can deal with security problems and respond to them organically and automatically?
    27. Information Usage in Adaptation: Information use and sharing is as essential to survival as any other adaptation. When used properly, information in survival situations creates and/or reduces uncertainty. Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability).
    28. Competition and Cooperation: Competition between organisms can lead to group cooperation. Group cooperation then increases the effectiveness of the group against other social groups. This group competition can then lead to group cooperation
    29. The Basics: Introduce challenges, not directives. Without challenges, organizations don't learn. Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations. Take advantage of localized problem solvers within a centralized organization. Promote learning, competition/cooperation and symbiosis
    30. Business Adaptation: Organizations, and therefore security strategies, must switch from designing solutions to adapting solutions. A challenge assumes there are many potential solutions; the more people involved, the more likely we are to find a really outstanding solution. Move away from giving orders and towards providing challenges (aka Wisdom of Crowds). Orders assume there is only one solution to a problem. Challenges also introduce competition, which naturally leads to cooperation
    31. How the hell did we get here? Post Cold War arrogance, a major variable in today’s business arrogance. That led to Organizational Entropy. Which itself provided Infosec/Risk practitioners a major information headache. Which you all here should consider as a challenge
    32. Exercise time. Show of hands: who here thinks these aforementioned behavioral and process changes are too radical for your stodgy organization? Keep your hands up. Who here is either in charge of a team regardless of size and/or is in a position of influence in such a team? Keep your hands up
    33. Everyone with your hands up: this is your homework. Introducing these changes into your small sphere of influence will improve all of your business metrics and create competition between other spheres within your org. That will lead to cooperation once you realize the goals are the same, leading to group cooperation that then will introduce competition at higher levels, and you are now on your way to changing your business culture. Your small successes are your small successes; they all lead to bigger successes, and in the end we are all the better
    34. Feedback: Rockie Brockway, Security Practice Director, Black Box Network Services, securants.blogspot.com, @rockiebrockway