Business Adaptation:
Or how I learned to love the Internet’s Unclean Conflicts
Rockie Brockway
Security Practice Director
Black Box Network Services
@rockiebrockway
Credentials
Disclaimer A
Nothing I say represents past, current or future employers
Disclaimer B
Not a box popper talk
Not a cool tool talk
Dabbles in generic politics
Arguments are expected
Focused on natural security systems
June 5, 1942
Bulgaria, Romania, Hungary
Korea
Lebanon
Dominican Republic
Vietnam
Iran
Grenada
Beirut
Libya
Panama
Unclean Conflicts
Iraq I
Sierra Leone
Bosnia/Herzegovina
Somalia
Haiti
Afghanistan
Sudan
Serbia
Iraq II
Pakistan
Yemen
Syria
(Syrian Electronic Army)
December 25, 1991
What country in their right mind would actively engage in any formal
“clean conflict” with the US when you can potentially surpass your goals
through small scale unofficial conflicts, espionage and/or terrorism?
Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore
Our adversaries, both corporate and nation state, have become specialists at
executing "Unclean Conflicts" against our business, innovation and defense
infrastructure
What Happened?
This mindset of the post Cold War environment naturally filtered into the
DNA of our own industrial and corporate business culture – our business
leaders, and perhaps to a certain extent, our innovators began thinking
the same way
Our corporations have been trying to define how the rest of the world
conducts business in the same way we as a country try to tell the rest of
the world how to act and run themselves
Theory A
Why spend billions of dollars developing technology when you can
purchase stolen technology (or steal it) for a few million dollars?*
The Rest of the World:
*Corman/Etue RSA talk
Organizational Entropy
(the natural result of assuming you are smarter than your adversaries)
<FUD> Insert standard sky is falling breach statistic slide here </FUD>
No matter what political reasons are given for war, the underlying
reason is always economic
- A. J. P. Taylor
Organization/Business Reaction?
Irony – Big Business arrogance and the natural reaction to their
Organizational Entropy has fueled a larger Big Business of product
“solutions”
Buy more blinky lights (apologies to our sponsors)
Hackback
Legislation (SOPA (thank you reddit), CISPA)
If you get to the point where a problem becomes so big that you
need to try to legislate it in order to protect national and/or
economic interests, you have completely missed what was wrong
to begin with. #FAIL
InfoSec’s Role
Prevent the loss of business critical data
Protect the Brand
Promote Innovation
What is the organization’s business critical data?
Who else might find value in that data?
Where does that data actually live?
What are the business initiatives and goals?
InfoSec’s Problems
Show of hands?
The Problem with Walls
So given the previous slide’s data, what is commonplace throughout
most organizations? < cheap “fixes”
Dikes, levees, firewalls - all examples of static security incident reactions
intended to protect against naturally dynamic threats, and that eventually
fail.
We have defined an environment right now where greed and policy are
reactively dictating business and society
The Unnatural State
Organizational learning and adaptation is stagnant at best
The longer we accept these unnatural systems that our reactive
policies have dictated, the larger the window for our
adversaries to catch up and surpass us.
“Organizations must learn to live in a world where less and less
information CAN be kept secret, and where secret information will remain
secret for less and less time”
-Joel Brenner
America the Vulnerable
Adaptability
2012 DBIR states that 92% of breaches went undetected
(estimates, unclear of sources). Better detection may not be the
right answer
Adding more or improving existing systems is not adapting
Learning from the Octopus, Rafe Sagarin
Adaptation arises from leaving (or being forced from) your
comfort zone.
Firewalls? AV?
Adaptability (Sagarin)
The benefits of Decentralized and Distributed organizational systems
Multiple sensors
No preconceived notions
Specialized tasks
Adaptable #Success requires
A challenge
Available resources
Information filtering and prioritization
Symbiosis
A working relationship between organisms
Mutualistic - both parties benefit
Commensal - one party benefits, one is not affected
Parasitic - one party benefits, one suffers
Symbiosis creates reactions that are more than just the sum of two
organisms working together - emergent properties that transform both
the organism and the environment around the organism
Natural Security Strategies for Organisms (and Organizations)
1) An organism needs to learn within its own lifetime and across
generations (learning is key to adapting)
2) An organism needs a decentralized organizational system
3) It needs redundant features
4) It needs to keep running just to keep up (like with your competition)
5) It needs to reduce uncertainty for itself and create uncertainty for its
adversaries
6) If human, it needs to understand human behavior
The Only Options?
But either leaving things in their natural state or building artificial
barriers can’t be our only options.
How can we build more natural and living security systems?
But aren’t we humans exceptionally adaptable?
The Big Contradiction
But we humans are quite adaptable.
How can we as amazingly adaptable individual organisms have created
systems and institutions so nonadaptable?
Organizations, like all other systems, are built on synergistic
cooperative arrangements that tend to be self regulating, not static
Yet we rarely leave our comfort zones unless we find ourselves in an
emergency situation and then we once again show our amazing
adaptability – Business as usual
The Challenge
How do we design systems within organizations that can deal with
security problems and respond to them organically and
automatically?
Information Usage in Adaptation
Information use and sharing is as essential to survival as any other
adaptation
When used properly, information in survival situations creates
and/or reduces uncertainty
Organisms seek to reduce uncertainty for themselves and increase
uncertainty for their adversaries (unpredictability).
Competition and Cooperation
Competition between organisms can lead to group cooperation
Group cooperation then increases the effectiveness of the group
against other social groups
This group competition can then lead to group cooperation
The Basics
Introduce challenges, not directives. Without challenges, organizations don't
learn.
Amplify, reward and replicate your successes. Innovation comes first and
learning accrues from successful innovations.
Take advantage of localized problem solvers within a centralized organization
Promote learning, competition/cooperation and symbiosis
Business Adaptation
Organizations, and therefore Security strategies, must switch from
designing solutions to adapting solutions
A challenge assumes there are many potential solutions; the more
people involved, the more likely we are to find a really outstanding
solution
Move away from giving orders and towards providing challenges. (Aka
Wisdom of Crowds). Orders assume there is only one solution to a
problem
Challenges also introduce competition, which naturally leads to
cooperation
How the hell did we get here?
Post-Cold War arrogance is a major variable in today’s business arrogance
That led to Organizational Entropy
Which itself provided Infosec/Risk practitioners a major information
headache
Which you all here should consider as a challenge
Exercise time
Show of hands – who here thinks these aforementioned behavioral
and process changes are too radical for your stodgy organization? –
Keep your hands up
Who here is either in charge of a team regardless of size and/or is in a
position of influence in such a team? – Keep your hands up
Everyone with your hands up – this is your homework.
Introducing these changes into your small sphere of
influence will improve all of your business metrics and
create competition between other spheres within your
org.
That will lead to cooperation once you realize the goals
are the same, leading to group cooperation that then will
introduce competition at higher levels and you are now on
your way to changing your business culture.
Your small successes are your small successes, they all
lead to bigger successes and in the end we are all the
better
Feedback
Rockie Brockway
Security Practice Director
Black Box Network Services
securants.blogspot.com
@rockiebrockway


2013 09 11_business adaptation

  • 1. Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts Rockie Brockway Security Practice Director Black Box Network Services @rockiebrockway
  • 3. Disclaimer A Nothing I say represents past, current or future employers
  • 4. Disclaimer B Not a box popper talk Not a cool tool talk Dabbles in generic politics Arguments are expected Focused on natural security systems
  • 5. June 5, 1942 Bulgaria, Romania, Hungary
  • 6. Korea Lebanon Dominican Republic Vietnam Iran Grenada Beruit Lybia Panama Unclean Conflicts Iraq I Sierra Leone Bosnia/Herzegovina Somalia Haiti Afghanistan Sudan Serbia Iraq II Pakistan Yemen
  • 9. What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small scale unofficial conflicts, espionage and/or terrorism? Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure What Happened?
  • 10. This mindset of the post Cold War environment naturally filtered into the DNA of our own industrial and corporate business culture – our business leaders, and perhaps to a certain extent, our innovators began thinking the same way Our corporations have been trying to define how the rest of the world conducts business in the same way we as a country try to tell the rest of the world how to act and run themselves Theory A
  • 11. Why spend billions of dollars developing technology when you can purchase stolen technology (or steal it) for a few millions dollars?* The Rest of the World: *Corman/Etue RSA talk
  • 12. Organizational Entropy (the natural result of assuming you are smarter than your adversaries)
  • 13. <FUD> Insert standard sky is falling breach statistic slide here </FUD>
  • 14. No matter what political reasons are given for war, the underlying reason is always economic - A. J. P. Taylor
  • 15. Organization/Business Reaction? Irony – Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”. Buy more blinky lights (apologies to our sponsors). Hackback Legislation (SOPA (thank you reddit), CISPA). If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL
  • 16. InfoSec’s Role: Prevent the loss of business critical data; Protect the Brand; Promote Innovation. What is the organization’s business critical data? Who else might find value in that data? Where does that data actually live? What are the business initiatives and goals? InfoSec’s Problems: Show of hands?
  • 17. The Problem with Walls: So given the previous slide’s data, what is commonplace throughout most organizations? < cheap “fixes”. Dikes, levees, firewalls - all examples of static security incident reactions intended to protect against naturally dynamic threats. That eventually fail.
  • 18. We have defined an environment right now where greed and policy are reactively dictating business and society. The Unnatural State. Organizational learning and adaptation is stagnant at best. The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window exists for our adversaries to catch up and surpass us.
  • 19. “Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time” - Joel Brenner, America the Vulnerable
  • 20. Adaptability: 2012 DBIR states that 92% of breaches went undetected (estimates, unclear of sources). Better detection may not be the right answer. Adding more or improving existing systems is not adapting. Learning from the Octopus, Rafe Sagarin. Adaptation arises from leaving (or being forced from) your comfort zone. Firewalls? AV?
  • 21. Adaptability (Sagarin) The benefits of Decentralized and Distributed organizational systems Multiple sensors No preconceived notions Specialized tasks Adaptable #Success requires A challenge Available resources Information filtering and prioritization
  • 22. Symbiosis: A working relationship between organisms. Mutualistic - both parties benefit. Commensal - one party benefits, one is not affected. Parasitic - one party benefits, one suffers. Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that both transform the organism and transform the environment around the organism
  • 23. Natural Security Strategies for Organisms (and Organizations) 1) An organism needs to learn within its own lifetime and across generations (learning is key to adapting) 2) An organism needs a decentralized organizational system 3) It needs redundant features 4) It needs to keep running just to keep up (like with your competition) 5) It needs to reduce uncertainty for itself and create uncertainty for its adversaries 6) If human, it needs to understand human behavior
  • 24. The Only Options? But either leaving things in their natural state or building artificial barriers can’t be our only options. How can we build more natural and living security systems? But aren’t we humans exceptionally adaptable?
  • 25. The Big Contradiction: But we humans are quite adaptable. How can we as amazingly adaptable individual organisms have created systems and institutions so nonadaptable? Organizations, like all other systems, are built on synergistic cooperative arrangements that tend to be self regulating, not static. Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation and then we once again show our amazing adaptability – Business as usual
  • 26. The Challenge How do we design systems within organizations that can deal with security problems and respond to them organically and automatically?
  • 27. Information Usage in Adaptation: Information use and sharing is as essential to survival as any other adaptation. When used properly, information in survival situations creates and/or reduces uncertainty. Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability).
  • 28. Competition and Cooperation: Competition between organisms can lead to group cooperation. Group cooperation then increases the effectiveness of the group against other social groups. This group competition can then lead to group cooperation
  • 29. The Basics: Introduce challenges, not directives. Without challenges, organizations don't learn. Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations. Take advantage of localized problem solvers within a centralized organization. Promote learning, competition/cooperation and symbiosis
  • 30. Business Adaptation: Organizations, and therefore Security strategies, must switch from designing solutions to adapting solutions. A challenge assumes there are many potential solutions; the more people involved, the more likely we are to find a really outstanding solution. Move away from giving orders and towards providing challenges. (Aka Wisdom of Crowds). Orders assume there is only one solution to a problem. Challenges also introduce competition, which naturally leads to cooperation
  • 31. How the hell did we get here? Post cold war arrogance a major variable in today’s Business arrogance. That led to Organizational Entropy. Which itself provided Infosec/Risk practitioners a major information headache. Which you all here should consider as a challenge
  • 32. Exercise time Show of hands – who here thinks these aforementioned behavioral and process changes are too radical for your stodgy organization? – Keep your hands up Who here is either in charge of a team regardless of size and/or is in a position of influence in such a team? – Keep your hands up
  • 33. Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve all of your business metrics and create competition between other spheres within your org. That will lead to cooperation once you realize the goals are the same, leading to group cooperation that then will introduce competition at higher levels and you are now on your way to changing your business culture. Your small successes are your small successes, they all lead to bigger successes and in the end we are all the better
  • 34. Feedback Rockie Brockway Security Practice Director Black Box Network Services securants.blogspot.com @rockiebrockway

Editor's Notes

  1. That’s right, the catalog. I want to thank Chris and Jeff and everyone else involved in this great con for their organizational efforts and inviting me to come to GRRCon to speak
  2. My first boss in IT was Dr. Peter Tippett. In 1992, my senior year at Case Western Reserve University in Cleveland OH, I was introduced to Dr. Tippett who mentored me on my senior project on Anti-virus technology. Lots of assembly language, which 21 years later is almost as foreign to me as Latin. After I graduated I worked briefly for his company Certus International prior to the Symantec acquisition. I’ve obtained 30+ “certifications” in my career, both vendor and non-vendor. All of which I believe have expired. I recertified my GSEC 3 times and taught it twice. I don’t have to recertify my bachelor’s degree so I’m basically done with certifications. I work with business risk. My day job entails trend and adversary analysis, security intelligence and business systems and impact analysis, so forgive me if I come off jaded and cynical. But I am.
  3. But it should
  4. I feel disclaimer B needs a little more attention. My talks can get a little esoteric and sometimes I feel like by not presenting the latest 0-day technical discovery at a security con I’m the equivalent of a political comedian playing to a crowd that came to hear penis jokes. I still pop boxes and it’s still fun. I was a pretty good Perl jockey in the 90s but business strategy trumps scripting. This is my “WTF are you actually talking about” question. I’ll repeat it … natural security systems. Stay with me, it’s pretty cool.
  5. We’re going to go on a short field trip. These next few slides are from an earlier talk I gave at Bsides Cleveland and DerbyCon 2012, but they set the stage for the current state security problems all of our collective organizations face and need to adapt to. Does anyone know what this date represents? WWII was the last “clean conflict” the U.S. engaged in. <click>
  6. We have a long and unprecedented history of engaging in “unclean conflicts”.
  7. Oh, there’s this potential hornet’s nest today as we speak, and their “hacking” subsidiary, the SEA. It’s a brave new world, kids.
  8. The day the Soviet Union fell. There are, perhaps, a couple/few ramifications from this global event, but …
  9. <click> What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small scale unofficial conflicts, espionage and/or terrorism? <click> Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure. <click> WTF?
  10. So, the first main point in the first part of this talk is: cold war DNA filters to business DNA and yields global arrogance
  11. Meanwhile, why would the rest of our competition and adversaries actually care how we think they should run their businesses?
  12. This is one of my favorite terms. It illustrates so much of our collective current business mentality in two words. So elegant. 2nd point – organizations are like organisms and have the same need to learn and adapt to new situations
  13. 99.9% of today’s organizations are not learning and adapting. Meanwhile there’s a lot of alternative and malicious activity occurring daily
  14. AJP Taylor was a British historian. Physical Unclean conflicts have obviously moved into our realm.
  15. I believe we all at least recognize the media’s role in the last several years in publicizing the fact that we’re losing quite a bit of our intellectual property. Our infosec and business publications are overwhelmed with the latest buzzwords and the vendors are touting their latest “solutions” to the buzzwords. Buying more blinky lights is more or less the norm. We have a new business model pushing the “hackback” mentality. Now the US and other countries are reactively trying to legislate controls in an effort to “mitigate” everything we as leading nations have completely ignored due to our collective organizational entropy arrogance. <click> Irony – Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”. <click> The bottom line is this - If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect the national, as well as global, economy as a whole, you have completely missed what was wrong to begin with. #FAIL
  16. I want to take a slide to simply perhaps reiterate what role infosec has in business. <click> And in order to successfully accomplish these tasks we need to at the very least understand the following. <click> Show of hands – Who in your current role in InfoSec is communicated by your business leaders Who knows what your organization’s business critical data is? Who knows where your organization’s business critical data lives? Anyone care to chime in on who might want to steal your data?
  17. Most organizations are still looking for the least expensive, most effective “controls” to prevent BYOD threats, APT, Cyber<insert here> and whatever Gartner and Mandiant have determined are the most interesting threats to your business. I might as well say something about The Art of War and Paradigm Shifts so I can at least finish this talk drunk but happy. <read second point> Sagarin gives a great analogy to infosec – A species of jumping spider mimics the olfactory signal of an ant colony, moves around unnoticed and simulates the behavior intended to communicate a transfer of larvae, getting an easy free meal. What do we call that? Social engineering. The evolution of antibiotic resistant bacteria and viruses is paralleled by the overuse of antivirus for malware mitigation leading to adaptation of malware that is virtually AV resistant
  18. <click> <read> Especially with policy dictating society, that is completely backwards. Society needs to dictate policy, not the other way around. But this talk is on business, that’s an entirely different talk. And since this is completely unnatural, and basically driven by power, greed and profit, naturally it is failing.
  19. While Brenner’s book is more a source for security product vendor FUD, this quote is exceptionally relevant to the business adaptation argument, as learning is an essential variable to adapting. Design your systems to assume the breach
  20. 2013 DBIR doesn’t mention anything related to undetection percentages, which was probably wise < Many stats suck. Richard Bejtlich said it best when he tweeted out a couple of years ago “Identity is the new corporate perimeter”. Adding more or improving existing systems is not adapting. “Adaptation arises from leaving (or being forced from) your comfort zone”. This last point is key to the next half of this talk. <click> If you’re in infosec you need to read this book. I got turned on to this book by some punk named Nickerson on the Exotic Liability podcast. I was intrigued in that it shared similar concepts to James Surowiecki’s Wisdom of Crowds and Steven Johnson’s Emergence, which I have previously applied to infosec. Anyone read Wisdom of Crowds? Scorpion and Iowa Electronic Markets (not for profit) example. The rest of this talk is going to be me trying to show why this guy’s work matters to infosec specifically and business generically
  21. So Sagarin talks about the benefits of decentralized and distributed systems: Multiple sensors have greater chances of identifying unusual change and additional opportunities. – Does anyone here have multiple resources in your organization? Distributed sensors see the environment for what it "is" rather than what it "should" be according to some preconceived notion. Specialized tasks save energy and allow resources to get assigned to important tasks. Expertise and accuracy are unrelated. Diversity is crucial to collectively wise decisions
  22. Essentially, nobody can survive on their own. All organisms are constrained in their adaptability at some point, and symbiotic relationships allow us to extend our inherent adaptive capacity to exploit new resources and environments or adapt to their own environment as it changes. <click> 3 types of symbiosis: Mutualistic, Commensal, Parasitic. <click> Symbiosis is everywhere in nature and the relationships are incredibly complex. I had several clients over a period of time ask me what are my other clients doing to address problem X. I decided to put them together quarterly
  23. So what are the key strategies for obtaining natural security states? Learning is key to adaptive survival, not just for an individual but for the generational survival. I’ve touched upon decentralized systems already. In nature there is no room for directives, multiple informational systems adapt quicker. Redundancy should be obvious. There is no place in nature for sitting on your laurels, in order to adapt you need to keep up with the competition. Uncertainty/unpredictability is about increasing attacker costs, delaying their operation and increasing their potential for error. Hi. Social Engineering. But these strategies can still fail because the simplest rule of nature is no organism can do it alone
  24. I’ve been talking about natural state security systems, but what does that mean? Should we just leave shit alone and not worry about our current threat landscape? Should we focus on building artificial barriers to thwart the threats to our organizations? No, we have options. Sagarin talks about how nature has provided mangrove forests and wetlands to protect from storm surges, etc. Recently several state governments have recognized these controls and have begun building them back up after clear failures of static, manmade security controls. We have our userspace. Dave Kennedy talks about the organizational benefits of having hundreds of human sensors through security awareness. The anti awareness argument - just because a control isn't perfect isn't a reason to ignore it outright. Not having all the data is no reason not to look to adapt. The human race has gotten this far, can’t we just rely on our inherent adaptability?
  25. We as a species are apparently really good at individual adaption under duress, yet we suck at institutional adaption under the constraints of modern day life, since it is “comfortable”. Remember - Adaptation occurs when you leave your comfort zone. This is one of the primary reasons our business infrastructure does not adapt well to changing environments like our Internet’s Unclean Conflicts. Most of our business culture is comfy in their own zone of revenue generation and profit sharing
  26. Information usage and sharing in nature is a vital variable for adaptation. Using information in survival situations can either create or reduce uncertainty. Hmmm. That sounds very much like some of the strategies infosec employs: Unpredictability is about increasing attacker costs, delaying their operation and increasing their potential for error
  27. Here’s the third major takeaway: Competition and Cooperation. Individual competition can lead to group cooperation. This then increases the effectiveness of the group. As individuals begin to form social groups, the better they cooperate with each other the more effective they are at competing with other social groups. All of this competition sparked cooperation is a vital aspect of any organization’s ability to adapt and survive. Does anyone here work for an organization that promotes this type of competition/cooperation internally to further their innovations? The important features of cooperative networks are that they emerge naturally (not mandated) and they are designed to solve specific problems, not solve world peace
  28. Orders assume there is one solution to a problem. A challenge assumes there are many potential solutions, the more people involved, the more likely we are to find a really outstanding solution. Monetary incentives are always good, symbiosis can arise from competition as well as different entities realizing they can solve problems better together (Iowa Electronic Markets). Learning from failure (typical consultant’s advice) is wrong and may result in a single solution for a single problem
  29. <click> let’s sum up and figure out how we actually got here <click> Hey everybody, look! A challenge!
  30. Guess what? We all have work to do