This document discusses how businesses and organizations have become less adaptable due to post-Cold War arrogance, which has led to increased risks from "unclean conflicts" like espionage and terrorism. It argues that organizations need to switch from reactive security solutions to more adaptive approaches inspired by natural systems. This includes decentralization, redundancy, uncertainty reduction, learning from failures, and promoting competition that leads to cooperation. The challenge is posed to security practitioners to consider introducing these behavioral and process changes within their own spheres of influence to help transform organizational culture.

1. Business Adaptation:
Or how I learned to love the Internet’s Unclean Conflicts
Rockie Brockway
Security Practice Director
Black Box Network Services
@rockiebrockway

2. Credentials

3. Disclaimer A
Nothing I say represents past, current or future employers

4. Disclaimer B
Not a box popper talk
Not a cool tool talk
Dabbles in generic politics
Arguments are expected
Focused on natural security systems

5. June 5, 1942
Bulgaria, Romania, Hungary

6. Korea
Lebanon
Dominican Republic
Vietnam
Iran
Grenada
Beruit
Lybia
Panama
Unclean Conflicts
Iraq I
Sierra Leone
Bosnia/Herzegovina
Somalia
Haiti
Afghanistan
Sudan
Serbia
Iraq II
Pakistan
Yemen

7. Syria
(Syrian Electronic Army)

8. December 25, 1991

9. What country in their right mind would actively engage in any formal
“clean conflict” with the US when you can potentially surpass your goals
through small scale unofficial conflicts, espionage and/or terrorism?
Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore
Our adversaries, both corporate and nation state, have become specialists at
executing "Unclean Conflicts" against our business, innovation and defense
infrastructure
What Happened?

10. This mindset of the post Cold War environment naturally filtered into the
DNA of our own industrial and corporate business culture – our business
leaders, and perhaps to a certain extent, our innovators began thinking
the same way
Our corporations have been trying to define how the rest of the world
conducts business in the same way we as a country try to tell the rest of
the world how to act and run themselves
Theory A

11. Why spend billions of dollars developing technology when you can
purchase stolen technology (or steal it) for a few millions dollars?*
The Rest of the World:
*Corman/Etue RSA talk

12. Organizational Entropy
(the natural result of assuming you are smarter than your adversaries)

13. <FUD> Insert standard sky is falling breach statistic slide here </FUD>

14. No matter what political reasons are given for war, the underlying
reason is always economic
- A. J. P. Taylor

15. Organization/Business Reaction?
Irony – Big Business arrogance and the natural reaction to their
Organizational Entropy has fueled a larger Big Business of product
“solutions”
Buy more blinky lights (apologies to our sponsors)
Hackback
Legislation (SOPA (thank you reddit), CISPA)
If you get to the point where a problem becomes so big that you
need to try to legislate it in order to protect national and/or
economic interests, you have completely missed what was wrong
to begin with. #FAIL

16. InfoSec’s Role
Prevent the loss of business critical data
Protect the Brand
Promote Innovation
What is the organization’s business critical data?
Who else might find value in that data?
Where does that data actually live?
What are the business initiatives and goals?
InfoSec’s Problems
Show of hands?

17. The Problem with Walls
So given the previous slide’s data, what is commonplace throughout
most organizations? < cheap “fixes”
Dikes, levees, firewalls - all examples static security incident reactions
intended to protect against naturally dynamic threats. That eventually
fail.

18. We have defined an environment right now where greed and policy is
reactively dictating business and society
The Unnatural State
Organizational learning and adaptation is stagnant at best
The longer we accept these unnatural systems that our reactive
policies have dictated, the larger the window exists for our
adversaries to catch up and surpass us.

19. “Organizations must learn to live in a world where less and less
information CAN be kept secret, and where secret information will remain
secret for less and less time”
-Joel Brenner
America the Vulnerable

20. Adaptability
2012 DBIR states that 92% of breaches went undetected
(estimates, unclear of sources). Better detection may not be the
right answer
Adding more or improving existing systems is not adapting
Learning from the Octopus, Rafe Sagarin
Adaptation arises from leaving (or being forced from) your
comfort zone.
Firewalls? AV?

21. Adaptability (Sagarin)
The benefits of Decentralized and Distributed organizational systems
Multiple sensors
No preconceived notions
Specialized tasks
Adaptable #Success requires
A challenge
Available resources
Information filtering and prioritization

22. Symbiosis
A working relationship between organisms
Mutualistic - both parties benefit
Commensual - one party benefits, one is not affected
Parasitic - one party benefits, one suffers
Symbiosis creates reactions that are more than just the sum of two
organisms working together - emergent properties that both transform
the organism and transforms the environment around the organism

23. Natural Security Strategies for Organisms (and Organizations)
1) An organism needs to learn within its own lifetime and across
generations (learning is key to adapting)
2) An organism needs a decentralized organizational system
3) It needs redundant features
4) It needs to keep running just to keep up (like with your competition)
5) It needs to reduce uncertainty for itself and create uncertainty for its
adversaries
6) If human, it needs to understand human behavior

24. The Only Options?
But either leaving things in their natural state or building artificial
barriers can’t be our only options.
How can we build more natural and living security systems?
But aren’t we humans exceptionally adaptable?

25. The Big Contradiction
But we humans are quite adaptable.
How can we as amazingly adaptable individual organisms have created
systems and institutions so nonadaptable?
Organizations, like all other systems, are built on synergistic
cooperative arrangements that tend to be self regulating, not static
Yet we rarely leave our comfort zones unless we find ourselves in an
emergency situation and then we once again show our amazing
adaptability – Business as usual

26. The Challenge
How do we design systems within organizations that can deal with
security problems and respond to them organically and
automatically?

27. Information Usage in Adaptation
Information use and sharing is as essential to survival as any other
adaptation
When used properly, information in survival situations creates
and/or reduces uncertainty
Organisms seek to reduce uncertainty for themselves and increase
uncertainty for their adversaries (unpredictability).

28. Competition and Cooperation
Competition between organisms can lead to group cooperation
Group cooperation then increases the effectiveness of the group
against other social groups
This group competition can then lead to group cooperation

29. The Basics
Introduce challenges, not directives. Without challenges, organizations don't
learn.
Amplify, reward and replicate your successes. Innovation comes first and
learning accrues from successful innovations.
Take advantage of localized problem solvers within a centralized organization
Promote learning, competition/cooperation and symbiosis

30. Business Adaptation
Organizations, and therefore Security strategies, must switch from
designing solutions to adapting solutions
A challenge assumes there are many potential solutions, the more
people involved, the more likely we are to find a really outstanding
solution
Move away from giving orders and towards providing challenges. (Aka
Wisdom of Crowds). Orders assume there is only one solution to a
problem
Challenges also introduce competition, which naturally leads to
cooperation

31. How the hell did we get here?
Post cold war arrogance a major variable in today’s Business arrogance
That led to Organizational Entropy
Which itself provided Infosec/Risk practitioners a major information
headache
Which you all here should consider as a challenge

32. Exercise time
Show of hands – who here thinks these aforementioned behavioral
and process changes are too radical for your stodgy organization? –
Keep your hands up
Who here is either in charge of a team regardless of size and/or is in a
position of influence in such a team? – Keep your hands up

33. Everyone with your hands up – this is your homework.
Introducing these changes into your small sphere of
influence will improve all of your business metrics and
create competition between other sphere’s within your
org.
That will lead to cooperation once you realize the goals
are the same, leading to group cooperation that then will
introduce competition at higher levels and you are now on
your way to changing your business culture.
Your small successes are your small successes, they all
lead to bigger successes and in the end we are all the
better

34. Feedback
Rockie Brockway
Security Practice Director
Black Box Network Services
securants.blogspot.com
@rockiebrockway