Almost 70 years since the first computer bug was discovered, there have been decades of research done on Information Security theory and practice. Yet, despite vast amounts of money being spent, innumerable academic papers, mainstream media obsession, and entire industries being formed, we are left with the impression that the risk is growing, not receding. Why? Some argue a lack of data, but data clearly exists. We're likely generating it, in some areas, faster than humans will ever be able to process it. Perhaps, after all of this effort, we've managed to box ourselves into metaphors and first principles that might be inappropriately constraining how we think about "Information Security Risk". In fact, it's worth noting that we can't even agree if there is a space between "Cyber" and "Security" when it's written out. This talk will take an anecdotal look at "Information Security Risk" and "Cyber<>Security", and use that perspective to suggest areas of research and data gathering that are either lacking or should be made more accessible to the markets, industries, and individuals driving risk management change. In an industry filled with data, perhaps an examination of empty space might be helpful.
2. Progress in economics consists almost entirely in a progressive
improvement in the choice of models….
[It] is a science of thinking in terms of models joined to the art of choosing
models which are relevant to the contemporary world…
[and] it is essentially a moral science and not a natural science…
That is to say, it employs introspection and judgments of value.
– J. M. Keynes to Harrod, 4 July 1938 (Sorta)
3. Artist
Hacker Compound
Open Source (Honeypots)
Managed Commercial Security
FBI SOC
Enterprise Security Architect
National Control Systems Incident Response
Gov: Public/Private Partnership as the Transportation SSA
Non-Profit Community Building
International Policy Discussions
….and Civilization Escape Artist
4. We’re Losing, We’re Repeating Ourselves with
Increasing Specialization, We Have No Strategy
We must learn to Fail, Iterate, and Evolve (better?) or
Admit We’re Insane
5. We have been focusing on improving information security and risk management practices to
reduce cybersecurity risk.
This focus has improved information security practices, but without meaningfully or sustainably
reducing cybersecurity risk
This has come at the cost of the resources we will require to displace the dangerously entrenched
behavior and misaligned markets created as an outcome of this focus.
Our focus on information security solution spaces prevents us from making necessary
transformative (as opposed to incremental) improvements because:
Information Security might, presently, be largely tangential and non-causal with regard to long
term cybersecurity success –
Its practices and solution spaces do not control or speak to enough of the exposure environment to
create sustained, strategic improvements in position
We need to take a wider view.
(Warning: The view may contradict itself and this will be a linear presentation of a non-linear topic)
7. Island Internet
Isolated Security Events
Techies without funding or buy-in develop practices
Automated Worms Disrupt Business
Market need identified and met by selling practices
Connected Important Stuff
Merging Realities, Conflict and All
Entrenched Models and Practices failing to solve for New Reality and New Scope
We started out specialized and then specialized further despite context and problem
space expansion and we’ve failed to improve and update models or develop
appropriate, specific objectives accounting for our environment*
Now we’re missing important fundamentals in scope, metaphor, language, and
strategies and are battling existing investment to fix
(*or, at least, we’ve failed to create effective socialization mechanisms for them)
9. Help overcome the flawed strategies we’ve imposed
on ourselves by artificially limiting the scope of
cybersecurity to InfoSec
Suggest areas of research and data gathering that are
either lacking or should be made more accessible to
the markets, industries, and individuals driving risk
management change.
10. Some Famous President Or General (I think):
“There is no seemingly intractable problem I’ve faced whose
solution didn’t present itself with an increase of scope”-ish
Famous Penetration Testers:
The companies that eventually keep us from achieving our
objectives are the ones that narrowed the scope of their
objectives and funded them
Start wide, then focus:
Where are we?
What are we, really?
How do we get OUT of here?
16. The world already has a lot of cybersecurity “solutions” and “products”
The average information security budget according to
PricewaterhouseCoopers is a staggering $4.1 million
According to Gartner, the worldwide Information Security market is valued
at more than $70 billion.
And, yet…
The list to your right contains many, but not all, major Fortune 500 breaches
since 2011
These are not companies that cannot afford cybersecurity
Most organizations are notified by external parties (“Cyber Healthcare
Professionals” re yesterday’s post-lunch talk) hundreds of days after breach
Cybersecurity is a hard problem that clearly, by any public metric available,
remains unsolved in any sustainable way
97% of networks have been breached
(FireEye)
18. Of Solutions
At the Wrong Level
Without being Able to Articulate the Problem
NIST CSF
Common Practices
List of things that aren’t sufficient
Cybersec EU, Poland, 2015
Talking Information Sharing at Highest International levels
Conducting, not winning conflict
Same solution spaces provided over and over again
Specificity intersecting with applicability and repeatability
extraordinarily difficult
This has to stop
20. We do not have a consensus definition of “Cybersecurity”
Neither the problem space nor the discipline
We can’t even decide if there is a <space> between Cyber
and Security
Ask any 5 experts, get 5+ answers
Speaking of experts…..
21. System Administrators
Malware Analysts
Incident Responders
Lawyers
CISOs
Procurement Officials
Chairmen of the Senate Whatever Committee
Heads of the NSA
Senior Sales Engineers for Security Companies
Hackers
Children
CEO/Executive Board Members
Criminals/Terrorists
Journalists
Developers
Activists
Evolutionary Ecology PhD’s
Diplomats
Control Systems Engineers
Regulators and Auditors
Emergency Managers
Citizens
Operations Staff
Firewall Engineers
22. Cybersecurity is a huge domain that spans entire
cultures, industries, and nations while remaining highly
individualized
As a discipline, it is an amalgamation of existing disciplines as
disparate as business management, computer science,
political science, and even art.
This means we have to always be cognizant of context.
34. Cybersecurity MUST be Lensed
Because it is a human problem
And Human Problems are Communication Problems
Lenses can provide the human-specific focus required for
communication
Communication lenses are composed of:
Domain: Broad Problem Space Definition
Perspectives: Who is Involved?
Contexts: Which problem piece is in front of us?
Discipline Areas: What tools are available?
*These are my definitions only
35. Cybersecurity: The application of several disciplines to
enabling an environment in which specific non-ICT based
objectives are sustainably achievable with the aid of
Information Security, Control Systems Security, and Other
Related Security Practices in the face of continuous risk
resulting from the use of cyber systems.
Secure system: One that does no more or less than we want
it to for the amount of effort and resources we’re willing to
invest in it.
36. Those definitions still don’t describe a
problem to be solved, they describe
solution sets and objectives.
37. This is a Domain we can ask specific questions of and turn into lenses…
39. If InfoSec is an error handler for the overall cybersecurity risk
environment, then we’ve let the main system go at the expense of
the error handler.
For the Error Handler to be the source of stability, it would have to
have all or most main system knowledge.
So what does the problem space really look like OUTSIDE of
InfoSec? Outside of the Error Handler?
Managing the following extra-InfoSec domains is a precondition to
or a part of effective information risk management
41. 1. Global
2. Body Political
3. Organizational
4. Individual
Technical … This might be a business problem pertaining
to complexity?
(In Order. List Likely Not Complete. Threat Exclusion Intentional.)
42. Offense/Defense
Individuals and Businesses are NOT defenders
Asking them to participate in global conflict is, in a word, silly
They do not, and will not, have competence or capacity over time
18,500 US Firms with over 500 employees!
Parasite Management
Maintain value Control despite competition for shared, not owned infrastructure
Sustained Resilience: Continuity of Operations, DR
Exposure Management vs Incident Management
Exposure/Environment Management OR ELSE
Information Security is non-causal in Exposure Management
Lack of Exposure Management is an eventual permanent loss
Incidents do not aggregate up to long term risk
The Primary Conflict Model is that of a Siege
Non-combatants not in control of surrounding environment being drained of resources forced to make
daily risk decisions that are not pertinent to eventual win
This is true whether or not different threat groups *intend* to put us under siege
Strategic win is possible, not possible under other models
Accounts for resource drainage, supply chain problems, massive externalities problem, etc
Breaking the siege requires building *a* castle (cooperative strategic infrastructure) and *multiple*
guilds (regimes)
43. Confidence Building Measures & Stability Problems
Unknown Exposure: Game Theory vs Control Based Regulation
Too many actors
Tools too accessible
Norms of Behavior
Some norms support both conflict and stability
Difficulty developing norms in the middle of conflict
Information vs Kinetic Warfare
Intentional Abuse of Conflict Culture & Definitions
Targeting of formal/informal “civilian” information and regimes
Western governance has long term strategic vulnerabilities
Capacity Building
vs Conflict Execution (Retains almost Exclusive Focus)
vs Exposure Management (Done only to aid Conflict)
Same as InfoSec, but larger
Also Helps Drive (& Provide Cover for) Localized Civilian Parasite/Siege Conflict Context
44. Overall rising hostility under the radar
Sustained non-ICT Regime Instability
Costs in money, trust, unconstrained resilience
requirements
Unintended Specific Fallout from General Instability
Systems not functioning as desired in emergencies
High Intensity Conflict resulting from unrelated events
45. Business Borders: Disappearing?
Is it more useful to constrain cybersecurity around
business borders or supply (and value) chains?
If the latter, is that even possible?
(This is only one of several boundary problems)
Un-constrainable? Mesh vs Chains
Since these aren’t really chains, does this become a
statistical problem?
Supply chain as a mechanism for risk reduction?
46. Geography & Power Delegation
The internet is a form of “geography”
Power Plants are part of the internet,
therefore they are geography
They’re also targets
The government is *not* the primary arbiter
of power within the borders of this virtual
geography
Ooops. This is new.
Geography & Proximity
Everyone is a Neighbor
Have you ever been stuffed shoulder to
shoulder in a hot train car with drunk
friends, enemies, and strangers?
Ooops. This is new, or at least worse.
47. Common Problem Space Consensus
Development
Socialization
Multi-stakeholder Model/Regime Management
Targeting & Engagement
Aligned, Unaligned, Oppositional Stakeholders
Development
Goal Targeting and Rationalization
Language normalization
Practice Development
As opposed to Stabilization
Tragedy of the Commons
Without Ownership of Practices, Infrastructure,
or Goals
RealPolitik
48. Power
2nd Amendment and the Right to Bear Digital Arms
Responsibilities
Voting Knowledgeably
Participation in Multi-Stakeholder Regimes
Education
Access
Rights of Individual Access vs Rights of Society
Business & Government Customers
Voting, Markets, and Courts intended as arbiters,
but…
Social
Perception & Expectation Management
Media!
Health & Safety
49. Entrenched Industry Must be Derailed
Costing us time, money, cultural capital
Hijacking regimes
Abstract, tenuous connection to risk
Hope, hope, hope, hope
(Vendor vs Hacker)
Academia not competing
Tools
Behavior Change
Applicability
50. “The difference between how it’s supposed
to work and how it really works is where
the vulnerabilities happen,” - Chris
Wysopal/Weld Pond (L0pht)
Complexity
Exposure rising directly and infinitely
with complexity
Competency
Technical competency required by all,
who cannot maintain
Security Express-ability
Lower layers are approximating upper
layer expressions
51. Exposure Management
Decision Making Capacity Building
Action Capacity (Authority/Responsibility)
Full System (Human) Threat Modeling
Requires Role/Lever reasoning
Fuzzy (but it’s done all the time anyway)
Anyone can make a good plan, and one that works, but can it be kept tight
enough to achieve goals in the face of constant, organized, trained, funded,
motivated, threats?
52. We Need Generals
Not Guys with Guns Espousing Tactical
Requirements in Place of Strategies to
Win
Win = Desired level of risk for desired
investment over time
Formal Roles limit Routing of
Knowledge/Capability into available
levers
If you’re not selling something, you’re not
participating
53. Sustained Socialization
Meme-ification - Passive Education
Active Education
Clarity across Discipline Borders
Common Language
Knowledge
Language & terminology
Organic
Hijacked
Perspective & Context Awareness
Trouble Seeing the Big Picture for the Small
Validation & Action
54. Psychology
Stakeholder Receptiveness
Distance between action and risk
Conceptual Processing
Ability to Process sufficient incoming
knowledge tangential to core life
Analysts vs Engineers
Average is Average
Cannot require or assume exceptionalism
55. Wok
Wok Wok
Wok?
W.O.K.
Wok Wok wok wok
This is, obviously, a wildly incomplete framework.
But it is a start?
57. Exposure is primarily created outside of InfoSec (although not “only”)
Informing InfoSec Practices with Business Goals instead of vice versa removes levers
InfoSec practices should INFORM and CONTEXTUALIZE business risk practices INTO cyber
risk CONTROLS
Cyber isn’t a risk TO you in most cases;
The risk from cyber to society, industry, and gov CREATES risks to you (Polish Airlines)
Risk management’s job is not limited to a process or approach or framework.
It is, instead, behavioral and decision making capacity building
Awareness is not behavior change
Psych, Marketing, Comms
Target: “Risk Based” often conflated with “Have a Priority” in common practice
Difficult to quantify security management non-security benefits because security
management is typically focused on improving security management – even when
contextualized by business.
We can perhaps, instead, quantify benefits of non-security activities that benefit security by
leveraging dual purpose activities
59. Expand
Clarify
Communicate
Maintain
Use
Market
Criticize
Trash it and Start Over if Needed
We still need one
Let’s just stop repeating ourselves
60. Goal Development:
Siege Breaking and Parasitic Environment Management (next slide)
Roles to Risk Modeling to…
Create Exposure Management Strategies
Aid Targeted Education for Risk Decisions in Role Context
Mitigate Tech/Process Controls
A Non-Sec Initiative
Integrate Disparate Disciplines into a Cybersecurity Discipline
Business Risk Managers/CFO’s/Psychs/OrgProcess/Marketers/Sociologists
against InfoSec…
Socialize QA as applied to Cyber Exposure Creation
This should exist, but perhaps unapplied
Citizens as a DHS Critical Infrastructure Sector
Contextualize abstract risks in existing process
Identify Psychological Motivation Profiles for Targeted Behavior Change
Business Levers that affect security with the most non-security ROI.
61. Develop cross-environment joint actor strategies to more
effectively and sustainably compete for the ability to
provide value smack in the middle of a constant conflict
that cannot be won against players we may or may not be
able to see, know, or influence and whose values and
goals may be in support of yours, oppositional to yours,
or tangential to yours while, over time, gradually
de-incentivizing the use of cyberspace as a conflict domain.
62. Think Beyond InfoSec
Broaden Scope Out As Far As You Can Go
Re-Consider your Metaphors and Models from the Ground Up
If Only as a Thought Exercise
Ask how to manage risk without InfoSec
Then build an error handler
Wonder at why we are where we are
And treat common practices as solving an insufficiently complete
list of problems
When submission time came, for this, I hadn’t spent a lot of time doing hard research, but sometimes that’s ok…because thinking about models can be a valuable precursor to getting data….especially in a new space like cybersecurity (and I use the word intentionally) here….and especially when you think that perhaps existing models are deeply off. Many times, though, we’re stuck in the grind and can’t really focus on deep, big picture, abstract thoughts. But this year, I did have that chance….to very literally think about the forest for the trees
Left to Escape Ebola Zombies
Came back, turns out I made an effectively prioritized decision that had nothing to do with my perceived risk and executed a really well performed solution that improved my life, but not in a way I anticipated. Actually, no, I had goals, changed environmental factors, and suddenly my decision making capacity and effectiveness improved
But out there, eventually you run out of things to say to yourself and you start challenging your fundamentals…and this is what this talk is really about; Do we really know what the forest looks like, or are we getting lost in the trees? How do we find a way out?
Why is this? Why are we doing so poorly? What am I trying to get at with this talk….bad metaphors and targeted problem spaces
A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition for lack of a common idea of what it is we’re solving for. Framework….
What am I trying to get at with this talk….bad metaphors and targeted problem spaces (is infosec even relevant? <stories…guys with guns, history of infosec as bandaid practices and models and conflicts and perimeters and defense in depth …….. And then targeted problem space. A grab bag of solutions, not very related to each other, or maybe through bad metaphor, but we lose so many good ideas over time, turnover, repetition for lack of a common idea of what it is we’re solving for. Framework…. SOMEWHERE ANSWER WHY MY FRAMEWORK…NEXT? “SO, WHERE ARE WE?”
Wide Scope, narrow in. (pull from class, puzzle pieces, quote)