Your Security Is The Key To Our Success!

State Of The (Snake Oil) Business: A Manifesto For Change

Ahead of this year’s RSA Conference I have spent some cycles thinking about how far our industry has come, or more precisely, how little we have accomplished. The world is not a safer place, our systems are more complex than ever and threat actors continue to win while defenders burn out.

The modern cyber security industry arguably started in the early nineties with the advent of the WWW. As organizations and individuals rushed to get “online”, little regard was given to basic security principles like Confidentiality, Integrity and Availability. Very few people understood how the underlying technology worked or, more importantly, how it could fail or be corrupted. The quest for subscribers and fear of missing out fueled exponential growth. “Houston, we have a problem,” but that realization came too late; the proverbial genie was out of the bottle. Never fear, we will use technology to “fix” technology. Passwords, AV, Firewalls and IDS to the rescue…

I was one of the many who believed technology could save us from ourselves. In 1998 I started socializing a methodology I developed called AFIRM (Active Forensic Intelligent Response Method). The following year I published a reference architecture & platform called SANE (Security Adaptive Network Environment), which was originally designed for the Air Force SBIR program. Notwithstanding my cringe-worthy obsession with acronyms, lack of an accepted taxonomy and a strong conviction that Y2K civil litigation would be a compelling event, it occurs to me that SANE is still relevant.

25 years later, the market has caught up with the vision. A SANE platform is achievable. We could argue some of the nuances, but it effectively represents the capabilities organizations need to actively achieve a business-reasonable security posture today. However, between the FUD, Silver Bullets and the “Illusion of Choice”, our industry is not driving positive change but expanding the status quo. How can we break this cycle? More swag bags, back-to-back meetings to justify airfare, copious badge scanning to feed next quarter’s cold calls or dueling parties where the vendors outnumber the clients…I think not.

Rather, consider adopting these simple principles when deciding how to spend your limited resources:
  1. Know what matters most. Understand your organization’s mission, stakeholders and risk register. Effective governance is more important than technology. #CultureCounts
  2. Don’t be in a rush to buy more technology. If your tech is not “optionally transparent” it can easily become a liability. Leverage the latent capabilities present in your current estate. Consider removing two technologies for every new technology brought into your environment. #OptimizeValue
  3. Humans matter. Make it easy to do the right thing and hard to do the wrong thing. #HumanFirewall
  4. Automate whenever possible. Humans only need to be involved when discretion is required. Automate everything else. However, beware of automating a broken business process. That is a sure-fire way to fail at scale. #FailAtScale
  5. Adopt meaningful metrics and score your decisions accordingly. Learn from your mistakes as they are often very expensive. Treat them as an investment not as an embarrassment. #MeaningfulMetrics

This is my call to action and request to our industry leaders as they meet this week in San Francisco. Let’s build SANE systems and protect what matters most!

Zero Trust Doesn't Have a Part Number!

There is no part number or SKU for Zero Trust (ZT), regardless of what some vendors might want us to believe. Every organization's ZT journey will be different. However, there are some fundamental themes and key characteristics that most successful ZT travelers consider and adopt.
- They assume they are operating in a hostile environment – plan accordingly #securebydesign
- They don’t rush to spend money on point products – pursue “latent capabilities” first #optimizevalue
- They make it easy to do the right thing and hard to do the wrong thing – leverage the human firewall #humansmatter

High-level architectural principles can act as your North Star:
- Dynamic vs static
- Granular vs wholesale
- Automated vs manual
- Segmented vs flat
- Minimized attack surface vs porous perimeter

Also consider the reality of how stakeholders use technology. “The Perimeter is Dead. Long Live The New Perimeter: Identity!” is my cheeky response to pesky stakeholders who want to access any application, on any device, anywhere. Digital identity for people and things plays an important part in creating a frictionless user experience without sacrificing system confidence. Practically speaking, “Digital Identity” MUST be considered as part of any ZT journey.

So even though ZT doesn't have a part number, that doesn't mean your organization can't benefit from taking a ZT journey. Which path will you take?

Bliss Index: A Reasonable Response?

This morning I was honored and excited to be included on a Technology First cybersecurity panel. I was especially stoked to be on the panel with my old friend Brian Clayton and fellow researcher Jeff Hughes. The panel's ambitious objective was to share practical advice on dealing with job burnout and ways to drive positive change that is "Human Friendly". We discussed practical ways to make it easy to do the right thing and hard to do the wrong thing with regard to all things cyber. The session was aptly named "Cybersecurity – Team Burnout and Breaking the Cycle".

The session was very interactive, with attendees sharing challenges, real-world experiences and the obligatory references to AI and Killer Robots. The group kept coming back to the human factors side of burnout, churn and operator effectiveness. Security metrics, SLAs, OLAs, role objectives and business outcomes are important to measure, but often tough to define, align and maintain. While it's beyond the scope of this post to catalog all the valuable insights shared, the one that hit home with me was the challenge of measuring "good".

After I left the session, I kept thinking about measuring “good”. “Good” is too subjective, too personal and doesn't scale. #FAIL. On the flip side, tough problems are often worth solving. How good could it get if we could crack that nut? Perhaps the approach I am taking myself could be applicable. I have a very simple life journey navigation system, which I’ve recently adopted. Simply put, I try to maximize my "Bliss Index" (BI) by working on projects that give me joy, with people that value my time and for the benefit of humanity. It's early days, but I find it is decisive, intuitive and removes much of the stress associated with being a cyber security professional. How good could it get if everyone had visibility to their own BI factors? Or visibility to their stakeholders’ BI factors? Or if organizations aligned themselves to harmonize and amplify their BI versus creating BI conflict?
 
So, I did the obvious thing and asked an AI (ChatGPT) how to express BI: "The 'Bliss Index' could be expressed as a measure of the level of happiness or contentment that an individual experiences in their life. It could be calculated based on various factors such as overall life satisfaction, emotional well-being, fulfillment of personal goals and aspirations, and positive experiences or moments of joy. The Bliss Index could be used as a tool to gauge the level of happiness in a population or to track an individual's happiness over time. Additionally, it could be used as a benchmark for policymakers to measure the effectiveness of programs or policies aimed at improving people's well-being and happiness."

...out of the mouths of babes. 

FoFT: Virtual Kidnapping

File under #FoFT (Future of Fraud Today): Scammers are still out there committing Virtual Kidnapping (& extortion) by duping victims into thinking their loved ones have been kidnapped and threatening to kill them if they don't pay the ransom. This type of crime is not new (1880 hits on FBI.gov).

However, as criminals create more plausible "Deep Fake" scams and automate, they can scale up and become more effective. This in turn motivates more criminals to adopt the TTPs for profit. Here is a pretty good primer on how this scam works. If you dissect the components, it looks like a lot of other scams: unsolicited inbound communication, exploiting fears & creating urgency as they abuse some trust credential (caller ID). Many of our current practices to avoid such scams should be effective. However, if our humans are not aware and properly trained, they could easily become victims.

Let's spend some cycles coming up with ways to make it easy to do the right thing and hard to do the wrong thing (like paying scammers). Until then, protect yourself and the people you care about by making them aware.