Closing keynote for ISSA Charlotte 5/11/2018

1. The Cost of
Complexity
Aaron Bedra
Chief Scientist, Jemurai
@abedra
keybase.io/abedra

2. This is a talk on
systems theory

3. I want to discuss our
approach to complexity
and problem solving

4. You are all
systems thinkers

5. At least you should
be!

6. Before we dive into
properties of systems,
let’s clear something up

7. Complicated
!=
Complex

8. Complicated: The definition of
insanity is doing the same thing
twice and expecting different
results

9. Complex: The definition of insanity
is doing the same thing twice and
expecting exactly the same
results

10. Complicated systems
are knowable

11. Complicated systems
are controllable

12. Order in complicated
systems is achieved via
best method of operation

13. Stability is achieved via
compliance with the best
method

14. Complex systems are
not knowable

15. A complete description
is impossible

16. A mathematical
description is intractable

17. Complex systems consist of
numerous components that are
interrelated in multiple ways

18. Complex systems are
open systems

25. Order in complex systems
cannot be imposed

26. Security is impossible

27. We live in a world of
open systems

28. But we treat them as
closed

29. We do this because
choice is forced on us

30. Unintentionally treating complex
systems as complicated sets us
up for failure

31. What is the objective
of your system?

32. “If you can't describe what you
are doing as a process, you
don't know what you're doing”
— W. Edwards Deming

33. Tools for Systems Thinkers: The 6 Fundamental Concepts of Systems Thinking

34. Interconnectedness

35. “A system is a set of components that work
together in particular environments to
perform whatever functions are required to
achieve the system’s objective”
— Donella Meadows

36. Everything is
connected

37. The choices we make are
typically not localized

38. And may cause new
emergent properties of
the system

39. When you interfere with the
system’s ability to achieve it’s
objective, it will find a new way

40. Password complexity

41. Emergence

42. Properties of a system
emerge from the interactions
between parts of the system

43. It is those properties that
we must reason about

44. Not the constraints we
impose on the system

45. Our choices create new
emergent properties

46. We must consider the potential
for new emergent properties
based on our choices

48. Do not rely on the expected
outcome, observe the
emergent properties!

50. Feedback Loops

51. “A complex system cannot be
reduced to the behavior or
compliance of individual components”
— Sidney Dekker et al

52. We focus heavily on
feedback loops

53. They are a major part of
every information system

54. Negative, or reinforcing
loops are an inherent part
of any stable system

55. But we lean too heavily
on reinforcing loops

56. The State of Security

57. Reinforcing loops reduce
diversity in the system

58. “Theoretically, success and resilience
in complex systems derives not from
compliance, but from diversity”
— Sidney Dekker et al

59. Synthesis

60. Our ability to see the
interconnectedness is
incredibly important

61. We are all skilled within
some part of the system

62. But most of us fail at
synthesis

63. Not because we can’t
do it

64. But because it’s not a
habit we have trained

65. Some of us have gotten
better at synthesis

66. Talk to your red team
for more information

67. Or your risk team*

68. Or better yet, spend
some time with the COO

69. Causality

70. The system outside our
system puts constraints
on our system

71. Constraints are meant
to be interpreted

72. Meeting a constraint is
about creating an outcome

73. In its truest form, it’s
about causality

74. There are typically
multiple ways to meet a
constraint

75. Or completely
disregard it

76. An effect cannot occur
before its cause

77. Before you react to an
effect, make sure a cause
exists!

78. “Rational behavior requires
theory. Reactive behavior
requires only reflex action”
— W. Edwards Deming

79. To be a great information
security professional you
must understand these ideas

80. While you may be
great at a part or two

81. It’s your understanding of
the system that makes
you truly valuable

82. We all need to get
better at this

83. Let’s bring it back to
our world for a minute

85. Why did it take so long
to fix meltdown?

86. While we understood the
microcode updates, there were
other properties of the system that
weren’t apparent

87. Bricked machines are really
secure, but they don’t help the
system achieve its objective

88. Why haven’t we fixed
Spectre yet?

89. Proposed Options
• lfence() (compiler / static analysis) (V1)
• Retpoline (compiler) (V2)
• cmov (static analysis / type checking) (perf)
• Move to a new architecture

91. Most of these options
require recompilation

92. Or at least starting up
with a new VM/JIT

93. What do we do?

95. What properties of the
system will guide you?

96. If one of the required properties
was high performance, what
does that say about the system?

97. What is the objective
of your system?

98. How do we get better?

99. Take a systems theory
approach to information
security

100. Getting better at systems
• Thinking in Systems: A Primer
• Drift into Failure
• Antifragile: Things That Gain from Disorder
• Introduction to the Modeling and Analysis of
Complex Systems
• https://www.complexityexplorer.org/

101. Getting better at risk
• Measuring and Managing Information Risk: A FAIR
Approach
• Fooled by Randomness: The Hidden Role of
Chance in Life and in the Markets
• How to Measure Anything in Cybersecurity Risk

102. Learn to create closed
models of a system for
analysis

103. Incorporate diversity
into your models

104. Incorporate randomness
into your models

105. Incorporate chaos
into your models

106. But most of all,
incorporate others