
Yours Anecdotally: Developing a Cybersecurity Problem Space

Almost 70 years since the first computer bug was discovered, there has been decades of research done on Information Security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We're likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we've managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about "Information Security Risk". In fact, it's worth noting that we can't even agree if there is a space between "Cyber" and "Security" when it's written out. This talk will take an anecdotal look at "Information Security Risk", "Cyber<>Security", and use that perspective to suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.



  1. Jack Whitsitt, EnergySec Senior Strategist, @sintixerr | sintixerr@gmail.com

  2. “Progress in economics consists almost entirely in a progressive improvement in the choice of models…. [It] is a science of thinking in terms of models joined to the art of choosing models which are relevant to the contemporary world… [and] it is essentially a moral science and not a natural science… That is to say, it employs introspection and judgments of value.” – J. M. Keynes to Harrod, 4 July 1938 (sorta)

  3. • Artist
     • Hacker Compound
     • Open Source (Honeypots)
     • Managed Commercial Security
     • FBI SOC
     • Enterprise Security Architect
     • National Control Systems Incident Response
     • Gov: Public/Private Partnership as the Transportation SSA
     • Non-Profit Community Building
     • International Policy Discussions
     …and Civilization Escape Artist

  4. We’re Losing. We’re Repeating Ourselves with Increasing Specialization. We Have No Strategy.
     We must learn to Fail, Iterate, and Evolve (better?) or Admit We’re Insane.

  5. We have been focusing on improving information security and risk management practices to reduce cybersecurity risk. This focus has improved information security practices, but without meaningfully or sustainably reducing cybersecurity risk. This has come at the cost of the resources we will require to displace the dangerously entrenched behavior and misaligned markets created as an outcome of this focus.
     Our focus on information security solution spaces prevents us from making necessary transformative (as opposed to incremental) improvements because information security might, presently, be largely tangential and non-causal with regard to long-term cybersecurity success: its practices and solution spaces do not control or speak to enough of the exposure environment to create sustained, strategic improvements in position.
     We need to take a wider view. (Warning: the view may contradict itself, and this will be a linear presentation of a non-linear topic.)

  6. • Island Internet
     • Isolated Security Events
     • Techies without funding or buy-in develop practices
     • Automated Worms Disrupt Business
     • Market need identified and met by selling practices
     • Connected Important Stuff
     • Merging Realities, Conflict and All
     • Entrenched Models and Practices failing to solve for New Reality and New Scope
     We started out specialized and then specialized further despite context and problem space expansion, and we’ve failed to improve and update models or develop appropriate, specific objectives accounting for our environment.* Now we’re missing important fundamentals in scope, metaphor, language, and strategies, and are battling existing investment to fix that.
     (*Or, at least, we’ve failed to create effective socialization mechanisms for them.)

  7. • Help overcome the flawed strategies we’ve imposed on ourselves by artificially limiting the scope of cybersecurity to InfoSec.
     • Suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change.

  8. • Some Famous President or General (I think): “There is no seemingly intractable problem I’ve faced whose solution didn’t present itself with an increase of scope” (-ish)
     • Famous Penetration Testers: The companies that eventually keep us from achieving our objectives are the ones that narrowed the scope of their objectives and funded them
     • Start wide, then focus: Where are we? What are we, really? How do we get OUT of here?

  9. • The world already has a lot of cybersecurity “solutions” and “products”
     • The average information security budget, according to PricewaterhouseCoopers, is a staggering $4.1 million
     • According to Gartner, the worldwide Information Security market is valued at more than $70 billion. And, yet…
     • The list to your right (an image on the slide) contains many, but not all, major Fortune 500 breaches since 2011
     • These are not companies that cannot afford cybersecurity
     • Most organizations are notified by external parties (“Cyber Healthcare Professionals”, re yesterday’s post-lunch talk) hundreds of days after a breach
     • 97% of networks have been breached (FireEye)
     • Cybersecurity is a hard problem that clearly, by any public metric available, remains unsolved in any sustainable way

  10. • Of Solutions
      • At the Wrong Level
      • Without being Able to Articulate the Problem
      • NIST CSF
      • Common Practices
      • List of things that aren’t sufficient
      • Cybersec EU, Poland, 2015
      • Talking Information Sharing at Highest International levels
      • Conducting, not winning, conflict
      • Same solution spaces provided over and over again
      • Specificity intersecting with applicability and repeatability is extraordinarily difficult
      • This has to stop

  11. We do not have a consensus definition of “Cybersecurity”
      • Neither the problem space nor the discipline
      • We can’t even decide if there is a <space> between Cyber and Security
      • Ask any 5 experts, get 5+ answers
      Speaking of experts…

  12. • System Administrators
      • Malware Analysts
      • Incident Responders
      • Lawyers
      • CISOs
      • Procurement Officials
      • Chairmen of the Senate Whatever Committee
      • Heads of the NSA
      • Senior Sales Engineers for Security Companies
      • Hackers
      • Children
      • CEO/Executive Board Members
      • Criminals/Terrorists
      • Journalists
      • Developers
      • Activists
      • Evolutionary Ecology PhDs
      • Diplomats
      • Control Systems Engineers
      • Regulators and Auditors
      • Emergency Managers
      • Citizens
      • Operations Staff
      • Firewall Engineers

  13. Cybersecurity is a huge domain that spans entire cultures, industries, and nations while remaining highly individualized. As a discipline, it is an amalgamation of existing fields as disparate as business management, computer science, political science, and even art. This means we have to always be cognizant of context.
  14. (Slide image; source: http://www.tripwire.com/state-of-security/latest-security-news/vast-majority-maintaining-increasing-cyber-security-spending/)

  15. (Slide image; source: http://www.commerce.senate.gov/public/?a=Files.Serve&File_id=24d3c229-4f2f-405d-b8db-a3a67f183883 via Lockheed Martin)

  16. (Slide image; source: https://isc.sans.edu/diaryimages/a207889185ca6b4ccbf43d94e017a663)
  17. Prosecute & Convict? Defend? Listen? Convince?

  18. Cybersecurity MUST be Lensed
      • Because it is a human problem
      • And human problems are communication problems
      • Lenses can provide the human-specific focus required for communication
      • Communication lenses are composed of:
        • Domain: Broad problem space definition
        • Perspectives: Who is involved?
        • Contexts: Which problem piece is in front of us?
        • Discipline Areas: What tools are available?
      *These are my definitions only

  19. Cybersecurity: The application of several disciplines to enabling an environment in which specific non-ICT-based objectives are sustainably achievable with the aid of Information Security, Control Systems Security, and other related security practices, in the face of continuous risk resulting from the use of cyber systems.
      Secure system: One that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.

  20. Those definitions still don’t describe a problem to be solved; they describe solution sets and objectives.

  21. This is a Domain we can ask specific questions of and turn into lenses…

  22. If InfoSec is an error handler for the overall cybersecurity risk environment, then we’ve let the main system go at the expense of the error handler. For the error handler to be the source of stability, it would have to have all or most main-system knowledge.
      So what does the problem space really look like OUTSIDE of InfoSec? Outside of the error handler?
      Managing the following extra-InfoSec domains is a precondition to, or a part of, effective information risk management.

  23. 1. Global
      2. Body Politic
      3. Organizational
      4. Individual
      • Technical … This might be a business problem pertaining to complexity?
      (In order. List likely not complete. Threat exclusion intentional.)
  24. • Offense/Defense
        • Individuals and businesses are NOT defenders
        • Asking them to participate in global conflict is, in a word, silly
        • They do not, and will not, have competence or capacity over time
        • 18,500 US firms with over 500 employees!
      • Parasite Management
        • Maintain value control despite competition for shared, not owned, infrastructure
        • Sustained Resilience: Continuity of Operations, DR
      • Exposure Management vs Incident Management
        • Exposure/Environment Management OR ELSE
        • Information Security is non-causal in Exposure Management
        • Lack of Exposure Management is an eventual permanent loss
        • Incidents do not aggregate up to long-term risk
      • The Primary Conflict Model is that of a Siege
        • Non-combatants, not in control of the surrounding environment, being drained of resources and forced to make daily risk decisions that are not pertinent to an eventual win
        • This is true whether or not different threat groups *intend* to put us under siege
        • A strategic win is possible under this model; it is not possible under other models
        • Accounts for resource drainage, supply chain problems, the massive externalities problem, etc.
        • Breaking the siege requires building *a* castle (cooperative strategic infrastructure) and *multiple* guilds (regimes)

  25. • Confidence Building Measures & Stability Problems
        • Unknown Exposure: Game Theory vs Control-Based Regulation
        • Too many actors
        • Tools too accessible
      • Norms of Behavior
        • Some norms support both conflict and stability
        • Difficulty developing norms in the middle of conflict
      • Information vs Kinetic Warfare
        • Intentional abuse of conflict culture & definitions
        • Targeting of formal/informal “civilian” information and regimes
        • Western governance has long-term strategic vulnerabilities
      • Capacity Building
        • vs Conflict Execution (retains almost exclusive focus)
        • vs Exposure Management (done only to aid conflict)
        • Same as InfoSec, but larger
      Also helps drive (& provide cover for) the localized civilian parasite/siege conflict context

  26. • Overall rising hostility under the radar
      • Sustained non-ICT regime instability
        • Costs in money, trust, unconstrained resilience requirements
      • Unintended specific fallout from general instability
        • Systems not functioning as desired in emergencies
        • High-intensity conflict resulting from unrelated events

  27. • Business Borders: Disappearing?
        • Is it more useful to constrain cybersecurity around business borders or supply (and value) chains?
        • If the latter, is that even possible?
        • (This is only one of several boundary problems)
      • Un-constrainable? Mesh vs Chains
        • Since these aren’t really chains, does this become a statistical problem?
      • Supply chain as a mechanism for risk reduction?

  28. • Geography & Power Delegation
        • The internet is a form of “geography”
        • Power plants are part of the internet, therefore they are geography
        • They’re also targets
        • The government is *not* the primary arbiter of power within the borders of this virtual geography
        • Ooops. This is new.
      • Geography & Proximity
        • Everyone is a neighbor
        • Have you ever been stuffed shoulder to shoulder in a hot train car with drunk friends, enemies, and strangers?
        • Ooops. This is new, or at least worse.

  29. • Common Problem Space Consensus
        • Development
        • Socialization
      • Multi-stakeholder Model/Regime Management
        • Targeting & Engagement: Aligned, Unaligned, Oppositional Stakeholders
        • Development: Goal Targeting and Rationalization; Language Normalization
        • Practice Development (as opposed to Stabilization)
      • Tragedy of the Commons
        • Without ownership of practices, infrastructure, or goals
      • RealPolitik

  30. • Power
        • 2nd Amendment and the Right to Bear Digital Arms
      • Responsibilities
        • Voting Knowledgeably
        • Participation in Multi-Stakeholder Regimes
        • Education
      • Access
        • Rights of Individual Access vs Rights of Society
        • Business & Government Customers
        • Voting, Markets, and Courts intended as arbiters, but…
      • Social
        • Perception & Expectation Management
        • Media!
        • Health & Safety

  31. • Entrenched Industry Must be Derailed
        • Costing us time, money, cultural capital
        • Hijacking regimes
        • Abstract, tenuous connection to risk
        • Hope, hope, hope, hope
        • (Vendor vs Hacker)
      • Academia not competing
        • Tools
        • Behavior Change
        • Applicability

  32. “The difference between how it’s supposed to work and how it really works is where the vulnerabilities happen.” – Chris Wysopal / Weld Pond (L0pht)
      • Complexity
        • Exposure rising directly, and without bound, with complexity
      • Competency
        • Technical competency required of all, who cannot maintain it
      • Security Expressibility
        • Lower layers are approximating upper-layer expressions
  33. • Exposure Management
        • Decision-Making Capacity Building
        • Action Capacity (Authority/Responsibility)
      • Full System (Human) Threat Modeling
        • Requires Role/Lever reasoning
        • Fuzzy (but it’s done all the time anyway)
      Anyone can make a good plan, and one that works, but can it be kept tight enough to achieve goals in the face of constant, organized, trained, funded, motivated threats?

  34. • We Need Generals
        • Not Guys with Guns Espousing Tactical Requirements in Place of Strategies to Win
        • Win = Desired level of risk for desired investment over time
      • Formal Roles limit Routing of Knowledge/Capability into available levers
        • If you’re not selling something, you’re not participating

  35. • Sustained Socialization
        • Meme-ification: Passive Education
        • Active Education
      • Clarity across Discipline Borders
        • Common Language
        • Knowledge
      • Language & Terminology
        • Organic
        • Hijacked
      • Perspective & Context Awareness
        • Trouble Seeing the Big Picture for the Small
        • Validation & Action

  36. • Psychology
        • Stakeholder Receptiveness
        • Distance between action and risk
      • Conceptual Processing
        • Ability to process sufficient incoming knowledge tangential to core life
        • Analysts vs Engineers
      • Average is Average
        • Cannot require or assume exceptionalism

  37. • Wok
      • Wok Wok
      • Wok?
      • W.O.K.
      • Wok Wok wok wok
      This is, obviously, a wildly incomplete framework. But it is a start?

  38. • Exposure is primarily created outside of InfoSec (although not “only”)
      • Informing InfoSec practices with business goals instead of vice versa removes levers
        • InfoSec practices should INFORM and CONTEXTUALIZE business risk practices INTO cyber risk CONTROLS
      • Cyber isn’t a risk TO you in most cases;
        • The risk from cyber to society, industry, and government CREATES risks to you (Polish Airlines)
      • Risk management’s job is not limited to a process or approach or framework.
        • It is, instead, behavioral and decision-making capacity building
        • Awareness is not behavior change
        • Psych, Marketing, Comms
      • Target: “Risk Based” is often conflated with “Have a Priority” in common practice
      • Difficult to quantify the non-security benefits of security management, because security management is typically focused on improving security management, even when contextualized by business.
        • We can perhaps, instead, quantify the benefits of non-security activities that benefit security by leveraging dual-purpose activities

  39. • Expand
      • Clarify
      • Communicate
      • Maintain
      • Use
      • Market
      • Criticize
      • Trash it and Start Over if Needed
      We still need one. Let’s just stop repeating ourselves.

  40. • Goal Development:
        • Siege Breaking and Parasitic Environment Management (next slide)
      • Roles to Risk Modeling to…
        • Create Exposure Management Strategies
        • Aid Targeted Education for Risk Decisions in Role Context
        • Mitigate Tech/Process Controls
        • A Non-Sec Initiative
      • Integrate Disparate Disciplines into a Cybersecurity Discipline
        • Business Risk Managers/CFOs/Psychs/OrgProcess/Marketers/Sociologists against InfoSec…
      • Socialize QA as applied to Cyber Exposure Creation
        • This should exist, but perhaps unapplied
      • Citizens as a DHS Critical Infrastructure Sector
      • Contextualize abstract risks in existing process
      • Identify Psychological Motivation Profiles for Targeted Behavior Change
      • Business Levers that affect security with the most non-security ROI

  41. Develop cross-environment, joint-actor strategies to more effectively and sustainably compete for the ability to provide value, smack in the middle of a constant conflict that cannot be won, against players we may or may not be able to see, know, or influence, and whose values and goals may be in support of yours, oppositional to yours, or tangential to yours, while, over time, gradually de-incentivizing the use of cyberspace as a conflict domain.

  42. • Think Beyond InfoSec
        • Broaden Scope Out As Far As You Can Go
      • Re-Consider your Metaphors and Models from the Ground Up
        • If Only as a Thought Exercise
      • Ask how to manage risk without InfoSec
        • Then build an error handler
      • Wonder at why we are where we are
        • And treat common practices as solving an insufficiently complete list of problems

  43. Jack Whitsitt, EnergySec Senior Strategist, @sintixerr | sintixerr@gmail.com
