Business Adaptation and Natural Security Systems talk given at GRRCon September 11, 2013
Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts
Rockie Brockway, Security Practice Director, Black Box Network Services, @rockiebrockway
Credentials
Disclaimer A
Nothing I say represents past, current or future employers
Disclaimer B
Not a box popper talk
Not a cool tool talk
Dabbles in generic politics
Arguments are expected
Focused on natural security systems
June 5, 1942
Bulgaria, Romania, Hungary
Korea
Lebanon
Dominican Republic
Vietnam
Iran
Grenada
Beirut
Libya
Panama
Unclean Conflicts
Iraq I
Sierra Leone
Bosnia/Herzegovina
Somalia
Haiti
Afghanistan
Sudan
Serbia
Iraq II
Pakistan
Yemen
Syria
(Syrian Electronic Army)
December 25, 1991
What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small scale unofficial conflicts, espionage and/or terrorism?
Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore
Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure
What Happened?
This mindset of the post Cold War environment naturally filtered into the DNA of our own industrial and corporate business culture – our business leaders, and perhaps to a certain extent, our innovators began thinking the same way
Our corporations have been trying to define how the rest of the world conducts business in the same way we as a country try to tell the rest of the world how to act and run themselves
Theory A
Why spend billions of dollars developing technology when you can purchase stolen technology (or steal it) for a few million dollars?*
The Rest of the World:
*Corman/Etue RSA talk
Organizational Entropy
(the natural result of assuming you are smarter than your adversaries)
<FUD> Insert standard sky is falling breach statistic slide here </FUD>
No matter what political reasons are given for war, the underlying reason is always economic
- A. J. P. Taylor
Organization/Business Reaction?
Irony – Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”
Buy more blinky lights (apologies to our sponsors)
Hackback
Legislation (SOPA (thank you reddit), CISPA)
If you get to the point where a problem becomes so big that you need to try to legislate it in order to protect national and/or economic interests, you have completely missed what was wrong to begin with. #FAIL
InfoSec’s Role
Prevent the loss of business critical data
Protect the Brand
Promote Innovation
What is the organization’s business critical data?
Who else might find value in that data?
Where does that data actually live?
What are the business initiatives and goals?
InfoSec’s Problems
Show of hands?
The Problem with Walls
So given the previous slide’s data, what is commonplace throughout most organizations? Cheap “fixes”
Dikes, levees, firewalls - all examples of static security incident reactions intended to protect against naturally dynamic threats, and that eventually fail.
We have defined an environment right now where greed and policy are reactively dictating business and society
The Unnatural State
Organizational learning and adaptation is stagnant at best
The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window exists for our adversaries to catch up and surpass us.
“Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time”
- Joel Brenner, America the Vulnerable
Adaptability
2012 DBIR states that 92% of breaches went undetected (estimates; sources unclear). Better detection may not be the right answer
Adding more or improving existing systems is not adapting
Learning from the Octopus, Rafe Sagarin
Adaptation arises from leaving (or being forced from) your comfort zone.
Firewalls? AV?
Adaptability (Sagarin)
The benefits of Decentralized and Distributed organizational systems
Multiple sensors
No preconceived notions
Specialized tasks
Adaptable #Success requires
A challenge
Available resources
Information filtering and prioritization
Symbiosis
A working relationship between organisms
Mutualistic - both parties benefit
Commensal - one party benefits, one is not affected
Parasitic - one party benefits, one suffers
Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that both transform the organism and transforms the environment around the organism
Natural Security Strategies for Organisms (and Organizations)
1) An organism needs to learn within its own lifetime and across generations (learning is key to adapting)
2) An organism needs a decentralized organizational system
3) It needs redundant features
4) It needs to keep running just to keep up (like with your competition)
5) It needs to reduce uncertainty for itself and create uncertainty for its adversaries
6) If human, it needs to understand human behavior
The Only Options?
But either leaving things in their natural state or building artificial barriers can’t be our only options.
How can we build more natural and living security systems?
But aren’t we humans exceptionally adaptable?
The Big Contradiction
But we humans are quite adaptable.
How can we as amazingly adaptable individual organisms have created systems and institutions so nonadaptable?
Organizations, like all other systems, are built on synergistic cooperative arrangements that tend to be self-regulating, not static
Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation and then we once again show our amazing adaptability – Business as usual
The Challenge
How do we design systems within organizations that can deal with security problems and respond to them organically and automatically?
Information Usage in Adaptation
Information use and sharing is as essential to survival as any other adaptation
When used properly, information in survival situations creates and/or reduces uncertainty
Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries (unpredictability).
Competition and Cooperation
Competition between organisms can lead to group cooperation
Group cooperation then increases the effectiveness of the group against other social groups
This group competition can then lead to group cooperation
The Basics
Introduce challenges, not directives. Without challenges, organizations don't learn.
Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations.
Take advantage of localized problem solvers within a centralized organization
Promote learning, competition/cooperation and symbiosis
Business Adaptation
Organizations, and therefore Security strategies, must switch from designing solutions to adapting solutions
A challenge assumes there are many potential solutions; the more people involved, the more likely we are to find a really outstanding solution
Move away from giving orders and towards providing challenges. (Aka Wisdom of Crowds). Orders assume there is only one solution to a problem
Challenges also introduce competition, which naturally leads to cooperation
How the hell did we get here?
Post-Cold War arrogance is a major variable in today’s Business arrogance
That led to Organizational Entropy
Which itself provided Infosec/Risk practitioners a major information headache
Which you all here should consider as a challenge
Exercise time
Show of hands – who here thinks these aforementioned behavioral and process changes are too radical for your stodgy organization? –Keep your hands up
Who here is either in charge of a team regardless of size and/or is in a position of influence in such a team? – Keep your hands up
Everyone with your hands up – this is your homework. Introducing these changes into your small sphere of influence will improve all of your business metrics and create competition between other spheres within your org.
That will lead to cooperation once you realize the goals are the same, leading to group cooperation that then will introduce competition at higher levels, and you are now on your way to changing your business culture.
Your small successes are your small successes; they all lead to bigger successes, and in the end we are all the better
Feedback
Rockie Brockway, Security Practice Director, Black Box Network Services, securants.blogspot.com, @rockiebrockway