Site icon Liquidmatrix Security Digest

We are losing

http://powdercanada.com/2011/10/canadian-avalanche-centre-events/

You are at best fighting a delaying action. You cannot even hold back the tide. We are losing.

Losing means that our current approach to defense is insufficient to stop the the existing threats and adversaries we are facing. I believe that our defenses will be and have been overrun, that we are in constant catch-up mode.

A starting point

Before we start:

Now, go read Dan Geer’s posting on people in the loop, then that golden oldie from Spafford on solving the wrong problem, followed by Mike Murray’s 2009 Hardest Career (or Geer’s why it’s the most challenging) and finally HDMoore’s Law. Then wrap it up with a review of anything tagged #cyber, #APT or #breach.

Rather than linking and referencing every line, I’ll summarise the points from the listed articles to support my argument:

(My apologies to the authors of these august pieces if I misinterpreted, bastardized or did your works any harm – the falling is in me, not in your excellent writing).

Rochambeau

You will lose this fight because we are defenders in an knock-down drag-out fight that we treat as a slow cold war. We are few and our opponents are legion: from skilled hackers sponsored by foreign nations to splinter cell styled anti-sec groups to millions upon millions of malware infested computers. They are smarter than most of us (either in general or in specific domains that count), have critical knowledge before you and can move faster with better automation driving purpose built tools. They will always have more resources to throw at the problem whether it’s actual money, bodies, time or computational power; they are not constrained by budgets, management decisions or project time lines. In some cases they don’t even have to vet decisions with anyone, sometimes they’re just cruel random algorithms.

We cannot win because you operate alone, responsible for the security of thousands of  systems, millions of lines of code across a network with more interconnects than you can count, shepherding users who (irrationally) resist you at every turn, adopting technologies faster than you can track. The tools and resources you rely upon are flawed and incomplete but present to you a view that suggests otherwise, giving you false confidence. The resources you are given grow at a linear rate, if at all; but worse, you are defending against the last threat, not the current one. You probably cannot easily answer the question “what happened?” and you almost certainly cannot answer the question “what’s going on right now?”. You are constrained by rules, employers and operational realities. All they need is one small hole; all you need is a perfect defense and therefore you will lose.

This losing fight happens against a background of more and more of our society being cast into silicon; more of our business processes and decision making happening in software. Our data grows at ever increasing rates and data begets data, brutally compounding as we go. Yet our investment in security does not keep pace with our investment in technology, the colleges and universities pump out many times more engineers and developers each year than they do security practitioners. This is sad, because while we’re not action heroes, we are (like many other quiet professions) defending our economy and our lifestyles against great harm.

The Root of it

We are here because we have outdated beliefs about the scale and capabilities of our adversaries. We’re here because we still use tools and methods intended to handle small volume threats, relying on conceptual archetypes that don’t match reality. Most importantly we are here because we are attempting to think like the multitude of adversaries and beat all of them at all of their own games, yet we are poor emulation platforms at best.

We are all individually losing and it will remain so if we stay on this path of current thinking and practices; if we fail to acknowledge the scope, scale and speed of our adversaries. The cloud (or whatever the technology du jure is) will not save us; it will certainly allow complex feats of engineering and give birth to powerful tools to help the fight, but it is still technology built on the same foundations and governed by the same security practices, the same business thinking that lead us here. Even the most type safe language with the most robust framework is still owned by the a business person who will always prioritize everything above security (even after they’re bleeding from a recent breach).

Now, Bathwater

Place no ultimate reliance in your penetration testers or auditors because they’re most likely less skilled and less aggressive than your actual adversaries. Even if they find nothing, the test wasn’t exhaustive and cannot prove you’re secure, all it can tell you is that you’re perhaps protected against what you were tested for. Do not consider achieving compliance objectives or the greening of your red-yellow-green risk matrices as being secure for those are ultimately exercises in compromise. Perhaps they are acceptable compromises, but still compromises in the face of adversaries that need only the smallest slip.

Recognize that every single defense fails given time, but even more importantly that every defense is inherently incomplete, at best 1% shy of good enough. You cannot rely on single technologies even when using defense-in-depth.

If security is the hardest and most challenging career, then it stands to reason that most of the non-security people you will deal with, even the most profoundly deep engineers and shrewdest business people, will not understand the problem in its entirety. Don’t expect the people you’re charged with protecting to make rational decisions even after your best educational efforts.

A plan, maybe

The following formulation is rough and should sound somewhat familiar to students of new school/big data thinking.

Start with raw data collection, set yourself an arbitrary target of gathering 1,000 data points per user per day (or 10,000 per system) and then invest towards achieving that goal; make sure to think about increasing the diversity of your data sets as well.  Data points come in the form of user actions, system events, file changes, transactions, email flow, security decisions, literally anything that leaves a trace or causes a change in data, anything that could be used to formulate a metric. The initial number of data points is arbitrary, just a starting point to be tuned up or down. Now that you have the data, build out analysis capabilities automating everything you can, stream line everything you can’t. Note that I’m not talking about SIEM, that’s too narrow, you need non-security data points and thinking in the mix too.

Whatever the data tells you, treat it as a hygiene problem or as infection control, not risk management. If your population is vulnerable to a certain problem or exhibiting unwanted behaviour, set up a program that uses multiple techniques to reliably eliminate it and use data to prove progress, augment the techniques as you experience drop off in effectiveness in your journey to 100%. Of course, this is really just another form of risk management, just using different language to evoke support and calibration to match the scale of the problem.

There will be some problems that you don’t need data to identify and some that you don’t have data to prove yet. For the former you can still run hygiene programs and use data to prove a change occurred, for the later simply continue to expand your data collection and analysis program. Initially you’ll be collecting data with limited direction but over time you’ll develop hypotheses and determine the data you need to support them.

With your data collection program in full swing, start creating and inserting security instrumentation into every business and IT process. Your next objective is to direct investments towards increasing coverage of security instrumentation. Use this instrumentation to increase the metrics for driving your hygiene/infection control programs and use each program to push more instrumentation. One of the processes that must be instrumented is your own data collection process; tracking and reporting on its performance will help you understand if you’re properly equipped to analyze the flow of information. As your program matures, focus on increasing the data points collected per dollar and the data points analysed per dollar (these are metrics that could work across sectors).

Compared to the classic risk management approach which attempts to balance likelihood and impact against cost, a hygiene centric program focuses on strengthening the population to be resistant against threats, you are either resistant or you’re not. This approach would permit collaboration across diverse groups, focusing on shared strategies for improving health and eliminating systemic problems. More importantly, it provides supporting data for scaling to meet ever increasing complexity and evolving threats. The best part about this approach is you’re finally in a position to provide evidence that you are secure against specific threats and that’s actually something the business can understand.

While data, even lots of it, won’t allow us to get entirely ahead of the adversaries, it will allow us to respond faster, immunizing parts of the population not yet affected, sacrificing (but eventually curing) a few front runners for all our benefit. These unlucky front runners could signal to the rest of us and enable early detection, and hopefully accelerating our response either through automation or efficiency. We’re starting to see some of that in our anti-malware solutions but it’s limited and disconnected, we need this collective defense to be pervasive, as free as possible, cross technology, cross vendor, cross industry and cross border.

<Fin>

Perhaps hard to believe, but this is not a pessimistic piece and no FUD is intended, while there perhaps is some fear, there is no uncertainty or doubt because you know what we’re doing isn’t working and needs to be better. There certainly are answers, there is certainly a way forward which by necessity leverages all that we have done before. This is an optimistic piece (although the optimism is poorly conveyed) because I think we are, as Geer so eloquently puts it, “… at a cross roads, an inflection point” and now is a great time to build powerful new techniques and practices for our profession.

These ideas are not mine alone and the formulation of this text is entirely dependent on the bigger thinking in the articles I referenced above, hopefully this gives you a new way to talk about the scale and scope of the problem, a way to build a supporting argument for capabilities that can operate at the scale we need to win.

(Many thanks to those that reviewed the first draft, I don’t name you because I didn’t ask your permission but feel free to take credit.)

Addendum

Where to start? Some examples would be nice, no?

Here are a few metrics (and the potential sources), the outcome of collecting data points. Some I’ve used in the past (most created with the help of unnamed colleagues), some I plan to use. Few of these will tell you that something is absolutely wrong, all of them will give you hints necessitating further investigation. Ultimately it’s up to you to decide what question you’re trying to answer and which is the appropriate metric to collect data points for:

These are probably not enough and almost certainly don’t think big enough. There’s lots of data out there already – netflow, server logs, management consoles, application database, ERP systems – so go mine it; have a look at your existing solutions, some may have reports that provide these metrics already. Also look towards your peers in the industry as well your suppliers and customers, establish metric and data sharing relationships with them. Checkout Securosis and Metricon/securitymetrics.org, there are good ideas for metrics and data points there. Once you have the data, the real work begins as you analyse it, flag issues and then respond; the performance of that process (speed, coverage etc…) should also be measured (and then optimized by calculating per dollar invested relationships).

Exit mobile version