That’s right, the catalog. I want to thank Chris and Jeff and everyone else involved in this great con for their organizational efforts and for inviting me to come to GRRCon to speak.
My first boss in IT was Dr. Peter Tippett. In 1992, my senior year at Case Western Reserve University in Cleveland, OH, I was introduced to Dr. Tippett, who mentored me on my senior project on anti-virus technology. Lots of assembly language, which 21 years later is almost as foreign to me as Latin. After I graduated I worked briefly for his company Certus International prior to the Symantec acquisition. I’ve obtained 30+ “certifications” in my career, both vendor and non-vendor, all of which I believe have expired. I recertified my GSEC 3 times and taught it twice. I don’t have to recertify my bachelor’s degree, so I’m basically done with certifications. I work with business risk. My day job entails trend and adversary analysis, security intelligence, and business systems and impact analysis, so forgive me if I come off jaded and cynical. But I am.
But it should
I feel disclaimer B needs a little more attention. My talks can get a little esoteric, and sometimes I feel like by not presenting the latest 0-day technical discovery at a security con I’m the equivalent of a political comedian playing to a crowd that came to hear penis jokes.
I still pop boxes and it’s still fun.
I was a pretty good Perl jockey in the 90s, but business strategy trumps scripting.
This is my “WTF are you actually talking about” question. I’ll repeat it … natural security systems. Stay with me, it’s pretty cool.
We’re going to go on a short field trip. These next few slides are from an earlier talk I gave at BSides Cleveland and DerbyCon 2012, but they set the stage for the current state of security problems all of our collective organizations face and need to adapt to.
Does anyone know what this date represents? WWII was the last “clean conflict” the U.S. engaged in. <click>
We have a long and unprecedented history of engaging in “unclean conflicts”.
Oh, there’s this potential hornet’s nest today as we speak, and their “hacking” subsidiary, the SEA. It’s a brave new world, kids.
The day the Soviet Union fell. There are, perhaps, a couple/few ramifications from this global event, but …
<click> What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small-scale unofficial conflicts, espionage and/or terrorism?
<click> Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure.
<click> WTF?
So, the first main point in the first part of this talk is: Cold War DNA filters to business DNA and yields global arrogance.
Meanwhile, why would the rest of our competition and adversaries actually care how we think they should run their businesses?
This is one of my favorite terms. It illustrates so much of our collective current business mentality in two words. So elegant.
2nd point – organizations are like organisms and have the same need to learn and adapt to new situations.
99.9% of today’s organizations are not learning and adapting. Meanwhile there’s a lot of alternative and malicious activity occurring daily.
AJP Taylor was a British historian. Physical unclean conflicts have obviously moved into our realm.
I believe we all at least recognize the media’s role in the last several years in publicizing the fact that we’re losing quite a bit of our intellectual property.
Our infosec and business publications are overwhelmed with the latest buzzwords, and the vendors are touting their latest “solutions” to the buzzwords.
Buying more blinky lights is more or less the norm.
We have a new business model pushing the “hackback” mentality. Now the US and other countries are reactively trying to legislate controls in an effort to “mitigate” everything we as leading nations have completely ignored due to our collective organizational entropy arrogance.
<click> Irony – Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”.
<click> The bottom line is this - If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the national, as well as global, economy as a whole, you have completely missed what was wrong to begin with. #FAIL
I want to take a slide to simply perhaps reiterate what role infosec has in business.
<click> And in order to successfully accomplish these tasks we need to at the very least understand the following.
<click> Show of hands – Who in your current role in InfoSec is communicated with by your business leaders?
Who knows what your organization’s business critical data is?
Who knows where your organization’s business critical data lives?
Anyone care to chime in on who might want to steal your data?
Most organizations are still looking for the least expensive, most effective “controls” to prevent BYOD threats, APT, Cyber<insert here> and whatever Gartner and Mandiant have determined are the most interesting threats to your business. I might as well say something about The Art of War and paradigm shifts so I can at least finish this talk drunk but happy.
<read second point>
Sagarin gives a great analogy to infosec – A species of jumping spider mimics the olfactory signal of an ant colony, moves around unnoticed and simulates the behavior intended to communicate a transfer of larvae, getting an easy free meal. What do we call that? Social engineering.
The evolution of antibiotic-resistant bacteria and viruses is paralleled by the overuse of antivirus for malware mitigation, leading to adaptation of malware that is virtually AV resistant.
<click><read> Especially with policy dictating society, that is completely backwards. Society needs to dictate policy, not the other way around. But this talk is on business; that’s an entirely different talk.
And since this is completely unnatural, and basically driven by power, greed and profit, naturally it is failing.
While Brenner’s book is more a source for security product vendor FUD, this quote is exceptionally relevant to the business adaptation argument, as learning is an essential variable to adapting.
Design your systems to assume the breach.
2013 DBIR doesn’t mention anything related to undetection percentages, which was probably wise < Many stats suck
Richard Bejtlich said it best when he tweeted out a couple of years ago “Identity is the new corporate perimeter”.
Adding more or improving existing systems is not adapting.
“Adaptation arises from leaving (or being forced from) your comfort zone”
This last point is key to the next half of this talk.
<click> If you’re in infosec you need to read this book. I got turned on to this book by some punk named Nickerson on the Exotic Liability podcast. I was intrigued in that it shared similar concepts to James Surowiecki’s Wisdom of Crowds and Steven Johnson’s Emergence, which I have previously applied to infosec.
Anyone read Wisdom of Crowds? Scorpion and Iowa Electronic Markets (not for profit) example.
The rest of this talk is going to be me trying to show why this guy’s work matters to infosec specifically and business generically.
So Sagarin talks about the benefits of decentralized and distributed systems:
Multiple sensors have greater chances of identifying unusual change and additional opportunities. – Does anyone here have multiple resources in your organization?
Distributed sensors see the environment for what it "is" rather than what it "should" be according to some preconceived notion.
Specialized tasks save energy and allow resources to get assigned to important tasks.
Expertise and accuracy are unrelated.
Diversity is crucial to collectively wise decisions.
Essentially, nobody can survive on their own. All organisms are constrained in their adaptability at some point, and symbiotic relationships allow us to extend our inherent adaptive capacity to exploit new resources and environments or adapt to their own environment as it changes.
<click> 3 types of symbiosis: Mutualistic, Commensal, Parasitic
<click> Symbiosis is everywhere in nature and the relationships are incredibly complex.
I had several clients over a period of time ask me what my other clients were doing to address problem X. I decided to put them together quarterly.
So what are the key strategies for obtaining natural security states?
Learning is key to adaptive survival, not just for an individual but for generational survival.
I’ve touched upon decentralized systems already. In nature there is no room for directives; multiple informational systems adapt quicker.
Redundancy should be obvious.
There is no place in nature for sitting on your laurels; in order to adapt you need to keep up with the competition.
Uncertainty/unpredictability is about increasing attacker costs, delaying their operation and increasing their potential for error.
Hi. Social Engineering.
But these strategies can still fail because the simplest rule of nature is no organism can do it alone.
I’ve been talking about natural state security systems, but what does that mean? Should we just leave shit alone and not worry about our current threat landscape? Should we focus on building artificial barriers to thwart the threats to our organizations? No, we have options.
Sagarin talks about how nature has provided mangrove forests and wetlands to protect from storm surges, etc. Recently several state governments have recognized these controls and have begun building them back up after clear failures of static, man-made security controls.
We have our userspace. Dave Kennedy talks about the organizational benefits of having hundreds of human sensors through security awareness.
The anti-awareness argument - just because a control isn't perfect isn't a reason to ignore it outright. Not having all the data is no reason not to look to adapt. The human race has gotten this far; can’t we just rely on our inherent adaptability?
We as a species are apparently really good at individual adaptation under duress, yet we suck at institutional adaptation under the constraints of modern-day life, since it is “comfortable”.
Remember - Adaptation occurs when you leave your comfort zone.
This is one of the primary reasons our business infrastructure does not adapt well to changing environments like our Internet’s Unclean Conflicts. Most of our business culture is comfy in its own zone of revenue generation and profit sharing.
Information usage and sharing in nature is a vital variable for adaptation.
Using information in survival situations can either create or reduce uncertainty. Hmmm. That sounds very much like some of the strategies infosec employs:
Unpredictability is about increasing attacker costs, delaying their operation and increasing their potential for error.
Here’s the third major takeaway: Competition and Cooperation
Individual competition can lead to group cooperation. This then increases the effectiveness of the group.
As individuals begin to form social groups, the better they cooperate with each other the more effective they are at competing with other social groups.
All of this competition-sparked cooperation is a vital aspect of any organization’s ability to adapt and survive.
Does anyone here work for an organization that promotes this type of competition/cooperation internally to further their innovations?
The important features of cooperative networks are that they emerge naturally (not mandated) and they are designed to solve specific problems, not solve world peace.
Orders assume there is one solution to a problem. A challenge assumes there are many potential solutions; the more people involved, the more likely we are to find a really outstanding solution.
Monetary incentives are always good; symbiosis can arise from competition as well as from different entities realizing they can solve problems better together (Iowa Electronic Markets).
Learning from failure (typical consultant’s advice) is wrong and may result in a single solution for a single problem.
<click> Let’s sum up and figure out how we actually got here.
<click> Hey everybody, look! A challenge!
Guess what? We all have work to do.
2013 09 11_business adaptation
Or how I learned to love the Internet’s Unclean Conflicts
Security Practice Director
Black Box Network Services
What country in their right mind would actively engage in any formal
“clean conflict” with the US when you can potentially surpass your goals
through small scale unofficial conflicts, espionage and/or terrorism?
Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore
Our adversaries, both corporate and nation state, have become specialists at
executing "Unclean Conflicts" against our business, innovation and defense
This mindset of the post-Cold War environment naturally filtered into the
DNA of our own industrial and corporate business culture – our business
leaders, and perhaps to a certain extent, our innovators began thinking
the same way
Our corporations have been trying to define how the rest of the world
conducts business in the same way we as a country try to tell the rest of
the world how to act and run themselves
Why spend billions of dollars developing technology when you can
purchase stolen technology (or steal it) for a few million dollars?*
The Rest of the World:
*Corman/Etue RSA talk
(the natural result of assuming you are smarter than your adversaries)
<FUD> Insert standard sky is falling breach statistic slide here </FUD>
No matter what political reasons are given for war, the underlying
reason is always economic
- A. J. P. Taylor
Irony – Big Business arrogance and the natural reaction to their
Organizational Entropy has fueled a larger Big Business of product
Buy more blinky lights (apologies to our sponsors)
Legislation (SOPA (thank you reddit), CISPA)
If you get to the point where a problem becomes so big that you
need to try to legislate it in order to protect national and/or
economic interests, you have completely missed what was wrong
to begin with. #FAIL
Prevent the loss of business critical data
Protect the Brand
What is the organization’s business critical data?
Who else might find value in that data?
Where does that data actually live?
What are the business initiatives and goals?
Show of hands?
The Problem with Walls
So given the previous slide’s data, what is commonplace throughout
most organizations? < cheap “fixes”
Dikes, levees, firewalls - all examples of static security incident reactions
intended to protect against naturally dynamic threats. That eventually
We have defined an environment right now where greed and policy are
reactively dictating business and society
The Unnatural State
Organizational learning and adaptation is stagnant at best
The longer we accept these unnatural systems that our reactive
policies have dictated, the larger the window exists for our
adversaries to catch up and surpass us.
“Organizations must learn to live in a world where less and less
information CAN be kept secret, and where secret information will remain
secret for less and less time”
America the Vulnerable
2012 DBIR states that 92% of breaches went undetected
(estimates, unclear of sources). Better detection may not be the
Adding more or improving existing systems is not adapting
Learning from the Octopus, Rafe Sagarin
Adaptation arises from leaving (or being forced from) your
The benefits of Decentralized and Distributed organizational systems
No preconceived notions
Adaptable #Success requires
Information filtering and prioritization
A working relationship between organisms
Mutualistic - both parties benefit
Commensal - one party benefits, one is not affected
Parasitic - one party benefits, one suffers
Symbiosis creates reactions that are more than just the sum of two
organisms working together - emergent properties that both transform
the organism and transform the environment around the organism
Natural Security Strategies for Organisms (and Organizations)
1) An organism needs to learn within its own lifetime and across
generations (learning is key to adapting)
2) An organism needs a decentralized organizational system
3) It needs redundant features
4) It needs to keep running just to keep up (like with your competition)
5) It needs to reduce uncertainty for itself and create uncertainty for its
6) If human, it needs to understand human behavior
The Only Options?
But either leaving things in their natural state or building artificial
barriers can’t be our only options.
How can we build more natural and living security systems?
But aren’t we humans exceptionally adaptable?
The Big Contradiction
But we humans are quite adaptable.
How can we as amazingly adaptable individual organisms have created
systems and institutions so nonadaptable?
Organizations, like all other systems, are built on synergistic
cooperative arrangements that tend to be self regulating, not static
Yet we rarely leave our comfort zones unless we find ourselves in an
emergency situation and then we once again show our amazing
adaptability – Business as usual
How do we design systems within organizations that can deal with
security problems and respond to them organically and
Information Usage in Adaptation
Information use and sharing is as essential to survival as any other
When used properly, information in survival situations creates
and/or reduces uncertainty
Organisms seek to reduce uncertainty for themselves and increase
uncertainty for their adversaries (unpredictability).
Competition and Cooperation
Competition between organisms can lead to group cooperation
Group cooperation then increases the effectiveness of the group
against other social groups
This group competition can then lead to group cooperation
Introduce challenges, not directives. Without challenges, organizations don't
Amplify, reward and replicate your successes. Innovation comes first and
learning accrues from successful innovations.
Take advantage of localized problem solvers within a centralized organization
Promote learning, competition/cooperation and symbiosis
Organizations, and therefore Security strategies, must switch from
designing solutions to adapting solutions
A challenge assumes there are many potential solutions, the more
people involved, the more likely we are to find a really outstanding
Move away from giving orders and towards providing challenges. (Aka
Wisdom of Crowds). Orders assume there is only one solution to a
Challenges also introduce competition, which naturally leads to
How the hell did we get here?
Post cold war arrogance a major variable in today’s Business arrogance
That led to Organizational Entropy
Which itself provided Infosec/Risk practitioners a major information
Which you all here should consider as a challenge
Show of hands – who here thinks these aforementioned behavioral
and process changes are too radical for your stodgy organization? –
Keep your hands up
Who here is either in charge of a team regardless of size and/or is in a
position of influence in such a team? – Keep your hands up
Everyone with your hands up – this is your homework.
Introducing these changes into your small sphere of
influence will improve all of your business metrics and
create competition between other spheres within your
That will lead to cooperation once you realize the goals
are the same, leading to group cooperation that then will
introduce competition at higher levels and you are now on
your way to changing your business culture.
Your small successes are your small successes, they all
lead to bigger successes and in the end we are all the