2014 10 16_challenge of natural security systems

The Challenge of Natural Security Systems

Rockie Brockway

Information Security and Business Risk Director

Black Box Network Services

@rockiebrockway


Credentials

Disclaimer A

Nothing I say represents past, current or future employers

Disclaimer B

Not a box popper talk

Not a cool tool talk

This is NOT about Darwinian Evolution vs Religion

Arguments are expected

Focused on natural security systems

Generic Problems with InfoSec

It is viewed as a tactical IT function (Reactive)

It is usually not, but needs to be accepted as a business risk management function (Rational)

“Rational behavior requires theory. Reactive behavior requires only reflex action.”- W. Edwards Deming

http://www.fiercecio.com/story/w-edwards-deming-hates-your-approach-it-security/2013-08-19

InfoSec’s Role

Prevent the loss of Business critical data

Protect the Brand

Promote Innovation/Allow the Business to TAKE Risk

What is the organization’s Business critical data?

Who else might find value in that data?

Where does that data actually live?

What are the Business initiatives and goals?

InfoSec’s Problems

<FUD> Insert standard sky is falling breach statistic slide here </FUD>

Organization/Business Reaction?

Irony – Big Business arrogance and the natural reaction to their entropy has fueled a larger Big Business of product “solutions”

Buy more blinky lights (apologies to our sponsors)

Hackback?

Legislation/Balkanization

If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL

What problem(s) does this talk address and attempt to Solve?


IT/InfoSec spend increasing, breaches continue to increase

As an Industry we are most likely at least two years behind the innovative and lucrative industry of stealing the data we are trying to protect

[Chart: Breaches per year (Verizon DBIR), 2008 to 2013, plotted against IT Spend (T) (Gartner), 2007 to 2013]


Our obsession with static models (e.g. The Problem with Walls)

So what is commonplace in most organizations' reactionary, static take on security? Cheap “fixes”.

Dikes, levees, firewalls: all examples of static reactions to security incidents, intended to protect against naturally dynamic threats, that eventually fail.


Organizational Entropy


(the natural result of assuming you are smarter than your adversaries)


The current Unnatural state of our business organizations


The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window exists for our adversaries to catch up and surpass us.

“Business as Usual”

Organizational learning and adaptation is stagnant at best

What problem(s) does this talk address and attempt to Solve?

IT/InfoSec spend increasing, breaches continue to increase

Our obsession with static models (e.g. The Problem with Walls)

Organizational Entropy

The current Unnatural state of our business organizations

Can we modify our organizations’ static, reactionary behavior without blatantly telling our CEOs and board members that they are conducting business wrong?

Posit -

Naturally adaptive systems are inherently more secure

Inspirations/Sources

General “Rules of Engagement” for Naturally Adaptable Systems *

* http://www.security-informatics.com/content/1/1/14

They are organized semi-autonomously with little central control

They learn from success

They use information to mitigate uncertainty

They extend their natural adaptability by engaging in a diverse range of symbiotic partnerships

1st Point

Adaptation arises from leaving (or being forced from) your comfort zone.

Adding more expensive anti-X/APT/FUD systems is not adapting

Details of Successful Adaptation Techniques (Sagarin)

Decentralized and Distributed organizational systems


The benefits of Decentralized and Distributed organizational systems

Multiple sensors

No preconceived notions

Specialized tasks

Redundancy


The Requirement of a Challenge ( Important/2nd point)


There must be some sort of challenge to initiate competition, cooperation and learning (more on this later)

Finding food/shelter

Finding a lost nuclear submarine

Predicting the outcome of a presidential election

Protecting business critical data


Information sharing, filtering and prioritization


Information use and sharing is as essential to survival as any other adaptation

When used properly, information in survival situations creates and/or reduces uncertainty

Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability).


Symbiosis


Symbiosis - A working relationship between organisms

Mutualistic - both parties benefit

Commensal - one party benefits, one is not affected

Parasitic - one party benefits, one suffers

Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that transform both the organism and the environment around the organism

Details of Successful Adaptation Techniques (Sagarin)

Decentralized and Distributed organizational systems

The requirement of a Challenge

Information sharing, filtering and prioritization

Symbiosis

Competition and Cooperation (3rd point)

Competition between organisms can lead to group cooperation

This group competition can then lead to group cooperation

Group cooperation then increases the effectiveness of the group against other social groups

The Quandary

Successful organizational leadership has little incentive to change

Therefore, business as usual comfort zones will prevent true adaptation

Incentivized adversarial innovation will continue to run away from our static, artificial barriers that we hope might prolong the inevitable

How can we build more naturally secured systems in this environment?

Aren’t we human beings somewhat good at adaptation?

The Big Contradiction

Yes! We humans are quite adaptable.

Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation (BREACH) and then we once again show our amazing adaptability – The problem with Business as Usual

Organizations = Organisms, e.g. self regulating, not static

How can we as amazingly adaptable individual organisms have created systems and institutions so non-adaptable?

The Challenge

How do we end up with systems within organizations that can deal with security problems and respond to them organically and automatically?

The Basics (getting outside your comfort zone)

Introduce challenges, not directives. Without challenges, organizations don't learn. Decentralize your problem solving. No Orders.

Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations.

Take advantage of localized problem solvers, share and distribute information

Promote learning, competition/cooperation and symbiosis

IT Calisthenics

Who here thinks these behavioral and process changes are too radical for your stodgy organization?

Who here is either in charge of a team regardless of size and/or is in a position of influence in such a team?

Who here never raises their hand when asked to raise your hand at a talk?

Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve your business unit’s metrics and create competition between other units within your organization

My Challenge to You

Your small successes lead to bigger successes, and in the end we are all the better and naturally more secure

That will lead to cooperation once you realize the goals are the same, leading to group cooperation that then will introduce competition at higher levels and you are now on your way to changing your business culture

All without telling the CEO he’s doing it wrong

Feedback

Rockie Brockway

Information Security and Business Risk Director

Black Box Network Services

@rockiebrockway