Business Adaptation:Or how I learned to love the Internet’s Unclean Conflicts

Rockie BrockwaySecurity Practice DirectorBlack Box Network Services@rockiebrockway

Credentials

Disclaimer A

Nothing I say represents past, current or future employers

Disclaimer B

Not a box popper talk

Not a cool tool talk

Dabbles in generic politics

Arguments are expected

Focused on natural security systems

June 5, 1942

Bulgaria, Romania, Hungary

Korea

Lebanon

Dominican Republic

Vietnam

Iran

Grenada

Beruit

Lybia

Panama

Unclean Conflicts

Iraq ISierra Leone

Bosnia/Herzegovina

Somalia

Haiti

Afghanistan

Sudan

Serbia

Iraq II

PakistanYemen

Syria

(Syrian Electronic Army)

December 25, 1991

What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small scale unofficial conflicts, espionage and/or terrorism?

Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore

Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure

What Happened?

This mindset of the post Cold War environment naturally filtered into the DNA of our own industrial and corporate business culture – our business leaders, and perhaps to a certain extent, our innovators began thinking the same way

Our corporations have been trying to define how the rest of the world conducts business in the same way we as a country try to tell the rest of the world how to act and run themselves

Theory A

Why spend billions of dollars developing technology when you can purchase stolen technology (or steal it) for a few millions dollars?*

The Rest of the World:

*Corman/Etue RSA talk

Organizational Entropy

(the natural result of assuming you are smarter than your adversaries)

<FUD> Insert standard sky is falling breach statistic slide here </FUD>

No matter what political reasons are given for war, the underlying reason is always economic

- A. J. P. Taylor

Organization/Business Reaction?

Irony – Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”

Buy more blinky lights (apologies to our sponsors)

Hackback

Legislation (SOPA (thank you reddit), CISPA)

If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL

InfoSec’s Role

Prevent the loss of business critical data

Protect the Brand

Promote Innovation

What is the organization’s business critical data?

Who else might find value in that data?

Where does that data actually live?

What are the business initiatives and goals?

InfoSec’s Problems

Show of hands?

The Problem with Walls

So given the previous slide’s data, what is commonplace throughout most organizations? < cheap “fixes”

Dikes, levees, firewalls - all examples static security incident reactions intended to protect against naturally dynamic threats. That eventually fail.

We have defined an environment right now where greed and policy is reactively dictating business and society

The Unnatural State

Organizational learning and adaptation is stagnant at best

The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window exists for our adversaries to catch up and surpass us.

“Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time”

-Joel BrennerAmerica the Vulnerable

Adaptability

2012 DBIR states that 92% of breaches went undetected (estimates, unclear of sources). Better detection may not be the right answer

Adding more or improving existing systems is not adapting

Learning from the Octopus, Rafe Sagarin

Adaptation arises from leaving (or being forced from) your comfort zone.

Firewalls? AV?

Adaptability (Sagarin)

The benefits of Decentralized and Distributed organizational systems

Multiple sensors

No preconceived notions

Specialized tasks

Adaptable #Success requires

A challenge

Available resources

Information filtering and prioritization

Symbiosis

A working relationship between organisms

Mutualistic - both parties benefitCommensual - one party benefits, one is not affectedParasitic - one party benefits, one suffers

Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that both transform the organism and transforms the environment around the organism

Natural Security Strategies for Organisms (and Organizations)

1) An organism needs to learn within its own lifetime and across generations (learning is key to adapting)2) An organism needs a decentralized organizational system3) It needs redundant features4) It needs to keep running just to keep up (like with your competition)5) It needs to reduce uncertainty for itself and create uncertainty for its adversaries6) If human, it needs to understand human behavior

The Only Options?

But either leaving things in their natural state or building artificial barriers can’t be our only options.

How can we build more natural and living security systems?

But aren’t we humans exceptionally adaptable?

The Big Contradiction

But we humans are quite adaptable.

How can we as amazingly adaptable individual organisms have created systems and institutions so nonadaptable?

Organizations, like all other systems, are built on synergistic cooperative arrangements that tend to be self regulating, not static

Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation and then we once again show our amazing adaptability – Business as usual

The Challenge

How do we design systems within organizations that can deal with security problems and respond to them organically and automatically?

Information Usage in Adaptation

Information use and sharing is as essential to survival as any other adaptation

When used properly, information in survival situations creates and/or reduces uncertainty

Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability).

Competition and Cooperation

Competition between organisms can lead to group cooperation

Group cooperation then increases the effectiveness of the group against other social groups

This group competition can then lead to group cooperation

The Basics

Introduce challenges, not directives. Without challenges, organizations don't learn.

Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations.

Take advantage of localized problem solvers within a centralized organization

Promote learning, competition/cooperation and symbiosis

Business Adaptation

Organizations, and therefore Security strategies, must switch from designing solutions to adapting solutions

A challenge assumes there are many potential solutions, the more people involved, the more likely we are to find a really outstanding solution

Move away from giving orders and towards providing challenges. (Aka Wisdom of Crowds). Orders assume there is only one solution to a problem

Challenges also introduce competition, which naturally leads to cooperation

How the hell did we get here?

Post cold war arrogance a major variable in today’s Business arrogance

That led to Organizational Entropy

Which itself provided Infosec/Risk practitioners a major information headache

Which you all here should consider as a challenge

Exercise time

Show of hands – who here thinks these aforementioned behavioral and process changes are too radical for your stodgy organization? –Keep your hands up

Who here is either in charge of a team regardless of size and/or is in a position of influence in such a team? – Keep your hands up

Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve all of your business metrics and create competition between other sphere’s within your org.

That will lead to cooperation once you realize the goals are the same, leading to group cooperation that then will introduce competition at higher levels and you are now on your way to changing your business culture.

Your small successes are your small successes, they all lead to bigger successes and in the end we are all the better

Feedback

Rockie BrockwaySecurity Practice DirectorBlack Box Network Servicessecurants.blogspot.com@rockiebrockway