jack whitsitt - yours, anecdotally
TRANSCRIPT
About Me
Presently: EnergySec Senior Strategist; International Policy Discussions
Previously: Hacker Compound; Open Source (Honeypots); Managed Commercial Security (Visualization! Correlation!); FBI SOC; Enterprise Security Architect; ICS-CERT/NCCIC/DHS/INL: National Control Systems IR; Government: Public/Private Partnership Development as Transportation SSA
Also: Artist & Backpacker
We have been focusing on improving information security and risk management practices to reduce cybersecurity risk.
This focus has likely improved information security practices, but without meaningfully or sustainably reducing cybersecurity risk
This has come at the cost of the resources we will require to displace potentially dangerously entrenched behavior and misaligned markets created as an outcome of this focus.
Our focus on information security solution spaces may be preventing us from making necessary transformative (as opposed to incremental) improvements because:
Information Security practices and solution spaces do not control or speak to enough of the exposure environment to create sustained, strategic improvements in position
We need to take a wider view.
(Warning: The view may contradict itself and this will be a linear presentation of a non-linear topic)
Why this talk? Thesis
Progress in economics consists almost entirely in a progressive improvement in the choice of models….
[It] is a science of thinking in terms of models joined to the art of choosing models which are relevant to the contemporary world…
[and] it is essentially a moral science and not a natural science…
That is to say, it employs introspection and judgments of value.
– J. M. Keynes to Harrod, 4 July 1938 (Sorta)
Models: How we think
“If you would succeed, you must reduce your strategy to its point of application. Where does one apply strategy? At a particular place with particular people in mind.”
“Most deadly errors arise from obsolete assumptions”
- Frank Herbert, Children Of Dune
Our Models May Be Our Vulnerability
State of the World
We’re Not Winning
We’re Not Sure Why
We Have Trouble Admitting It
But We’re Going To Fix IT Anyway
State of Security
– The world already has a lot of cybersecurity “solutions” and “products”
– The average information security budget according to PricewaterhouseCoopers is a staggering $4.1 million
– According to Gartner, the worldwide Information Security market is valued at more than $70 billion.
And, yet…
The list to your right contains many, but not all, major Fortune 500 breaches 2011-2014
– These are not companies that cannot afford cybersecurity
– Most organizations are notified by external parties 100’s of days after breach
– Cybersecurity is a hard problem that clearly – by any public metric available – remains unsolved in any sustainable way
– 97% of networks have been breached (FireEye)
The Bear Has Eaten Us All…
Of Solutions At the Wrong Level Without Being Able to Articulate the Problem
NIST CSF
– Common Practices
– List of things that aren’t sufficient
Cybersec EU, Poland, 2015
– Talking Information Sharing at Highest International levels
– Conducting, not winning conflict
– Same solution spaces provided over and over again
– Specificity intersecting with applicability and repeatability extraordinarily difficult
– This has to stop
…And yet we still rely on old models
Scoping Cybersecurity
We don’t agree on much
We do not have a consensus definition of “Cybersecurity”
– Neither the problem space nor the discipline
– We can’t even decide if there is a <space> between Cyber and Security
– Ask any 5 experts, get 5+ answers
Speaking of experts…..
Cybersecurity Experts (Perspectives)
• System Administrators
• Malware Analysts
• Incident Responders
• Lawyers
• CISOs
• Procurement Officials
• Chairmen of the Senate Whatever Committee
• Heads of the NSA
• Senior Sales Engineers for Security Companies
• Hackers
• Children
• CEO/Executive Board Members
• Criminals/Terrorists
• Journalists
• Developers
• Activists
• Evolutionary Ecology PhD’s
• Diplomats
• Control Systems Engineers
• Regulators and Auditors
• Emergency Managers
• Citizens
• Operations Staff
• Firewall Engineers
Cybersecurity Context
Cybersecurity is a huge domain that spans entire cultures, industries, and nations while remaining highly individualized
This means we have to always be cognizant of context, models, and definitions.
To start with, we should ask a fundamental question…
What is a secure system?
Secure system: One that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.
But what does that MEAN?
Well, first, what is a SYSTEM?
Connected Technology that Processes Information and Produces Output
Technology is just a proxy for human decision and action:
– Design
– Build
– Configure
– Operate
– Test
Our systems are our businesses, nations, and cultures, we’ve just added technology.
Human Systems
Following this logic:
– Systems are VERY BIG
– They have FUZZY BOUNDARIES
– They are HARD TO MODEL and EMERGENTLY COMPLEX
– Individuals have LIMITED SPHERES OF INFLUENCE on them
– But are subject to COMPLICATED IMPACTS FROM OUTSIDE THEIR SPHERE
– And we ***STILL HAVE TO MANAGE THESE SYSTEMS***
Our Threat Models must apply to our entire system definition.
So, where do we create boundaries? How does this definition affect security?
Decisions: “Atomic” elements of Cyber Security
Cyber Security State is comprised entirely of a series of authorized decisions made by people in authorized capacities on a timeline
To Model Systems and Security State, we have to Ask:
– Who is Making What Decisions, Why, and How?
A useful filter for determining boundaries and scopes can be created by determining your sphere of influence and asking:
– Where on a timeline is your sphere influenced
– By which decisions and by whom
– For what goals/values
– To what kind of effect
How does your sphere of influence affect or not affect others?
Cybersecurity Experts Revisited
• CEO/Executives
• Lawyers
• Procurement Officials
• Regulators and Auditors
• Emergency Managers
• Operations Staff
• Chairmen of Senate Committees
• Heads of the NSA
• Diplomats
• Criminals/Terrorists
• Journalists
• Citizens
• Children
• Activists
• Evolutionary Ecology PhD’s
• CISOs
• Malware Analysts
• Incident Responders
• Senior Security Sales Engineers
• White Hat Hackers
• Firewall Engineers
• Developers
• System Administrators
• Control Systems Engineers
How might these groups of Experts define Cybersecurity?
InfoSec vs CyberSec
Use the Previous Filter to Group People
– InfoSec
• Closer to “Security” Technology
• Focused on Mitigation
• Short Span of Influence on Exposure Creation
• Core competencies in technological exposure mitigation
– Others
• Further from “Security” technology
• But MORE influence over exposure creation
• Greater span of influence in general
• Low security technology competency
“Others” have significantly more impact on system security state than “InfoSec”, but are not directly tasked with “Information Security”
Cyber Definitions Revisited
Secure system: One that does no more or less than we want it to for the amount of effort and resources we’re willing to invest in it.
Cybersecurity: The enablement of an environment in which business objectives are sustainably achievable by Information Security, Control Systems Security, and Other Related Security Activities in the face of continuous risk resulting from the use of cyber systems.
Cyber Risk: the possibility that actors will use our systems as a means of repurposing our value chains to alter the value produced, inhibit the value produced, or produce new value in support of their own value chains.
Cybersecurity: Managing a Parasitic Environment?
Parasites: Value Competition
Cyber Security isn’t a risk.
Error Handling
“Others” create cyber security exposure (mostly)
“Others” also limit/define InfoSec scope
InfoSec Programs are primarily “Error Handlers” and relatively non-causal to cyber security state (this doesn’t mean unimportant)
– Island Internet
– Isolated Security Events
– Techies (me) without funding or buy-in develop practices
– Automated Worms Disrupt Business
– Market need identified and met by selling practices
– Connected Important Stuff
– Merging Realities, Conflict and All
– Entrenched Models and Practices failing to solve for New Reality and New Scope
We started out specialized and then specialized further despite context and problem space expansion and we’ve failed to improve and update models or develop appropriate, specific objectives accounting for our environment*
Now we’re missing important fundamentals in scope, metaphor, language, and strategies and are battling existing investment to fix
(*or, at least, we’ve failed to create effective socialization mechanisms for them)
Tail Wagging the Dog: How did we get here?
Problem Space Framework: What does the Dog Look Like?
Full Cyber Stack: A Problem Space Framework
Connected, Related Problem Spaces that Affect Cyber Security State:
Problem Space: Humans
If Security State is Decisions on a Timeline, we have to deal with:
– Average Ability
– Opaque Motivations and Habits
– Shaded Risk Perception
– Learning Capacity
– Conflicting Information Processing Mechanisms
– Personality Conflict
– Patterns Not Reality
Problem Space: Technology
– Cannot Express Security Directly
– Requires Core Competency replicated to all organizations
– General Purpose Expressly Allows Exposure
– Evolving Faster than Human Cultural Processes
– Complexity: Exposure rising directly and infinitely with complexity
Problem Space: Culture
– Resistance to Change
– Blinded (often) in certain Topic Areas
– Socially, not factually, driven replication of talismanic memes
– Simplification of complicated topics
– Us vs Them: Perspective & Context Awareness
– Firefighting is Sexier than Exposure Management
– Language, Conceptual Clarity across Discipline Borders
Problem Space: Org Behavior
– Conflict in Hierarchical Value Production
– Single “System”, but not engineered or designed
– Data to Knowledge to Action bandwidth limits
– Difficult or impossible risk aggregation
– Limited Resource Allocation (Speed, Accuracy)
– Insufficient resources hidden by poor risk perception
– Organizations don’t feel risk
– Little Full System (Human) Threat Modeling
Problem Space: Industries
– Competition vs Common Need
– Complex System Boundaries
– Entrenched Investment (InfoSec!)
– Indirect connection to Risk (Boiling Frogs)
– Competency Required by all: Cannot maintain
Problem Space: Nations & Body Politic
– Geography, Power Delegation, & Proximity
– Common Problem Space Consensus
– Multi-stakeholder Model/Regime Management
– Perception Management of Body Politic
– Tragedy of the Commons
Problem Space: International
– Bad Conflict Metaphor: Defender vs Siege (Creates Compliance Misalignment)
– Stability Problems
– Norms of Behavior & Confidence Building Measures
– Information vs Kinetic Warfare
– Few Capacity Building Missions/Mandates
Problem Space: Global Culture
– Predictably reliable infrastructure in order to increase its health/wealth
– Freedom to develop practices and norms and boundaries and technologies which exist outside of nation state constructs – as the internet (does it?) breaks without this. This is a matter of opinion?
– Tools and techniques and forums and media in which to exist as an independent construct from other sub-power brokers
But why does this matter?
Generally…
– We have problems to solve
– They are serious impediments to reducing cyber security risk
– They have not been defined or socialized
– Without definition and socialization, people, organizations, cultures, nations, etc. cannot work together to solve them
– We can convert these gaps into concrete plans of action for resolution – or at least socialize good practice
Specifically… NIST CSF, NERC CIP, C2M2, Top 20, 800-53, etc…
– NONE of these address Exposure Introduction in a meaningful way within organizations
– If Exposure is not managed outside of InfoSec, InfoSec costs will continue to go up while effectiveness will go down (due to rising complexity)
– NONE of these addresses barriers to sustained implementation of their own advice
– Organizations are exploited most often because of the gap between “Perceived” and “Actual” reality
Being able to manage exposure introduction in a sustained manner within the constraints of the outside world requires concerted planning, work, coordination, and resources across your businesses, cultures, industries, nations, and the world…
And we have few mechanisms in place to do so.
Expand, Clarify, Communicate, Maintain, Use, Market, Criticize, Trash it and Start Over if Needed
– We still need one
– Let’s just stop repeating ourselves
Improve on This Problem Space Framework?
Think Beyond InfoSec
– Broaden Scope Out As Far As You Can Go
Re-Consider your Metaphors and Models from the Ground Up
– If Only as a Thought Exercise
Ask how to manage risk without InfoSec
– Then build an error handler
Wonder at why we are where we are
– And treat common practices as solving an insufficiently complete list of problems
If nothing else…