
The Challenge of Natural Security Systems, Rockie Brockway, Security BSides Boston 2014

BSides Boston, 39:34, published 2014-05
About this talk
More information at http://www.bsidesboston.com. (c) Security BSides Boston 2014. Follow us on Twitter at http://twitter.com/bsidesboston
Transcript [en]

The Challenge of Natural Security Systems. So, this is me. I work for Black Box Services; for some of you who know Black Box, it's the same catalog company. I do business risk and some associated services as well. The geek started really early with me, and this is not going to translate as well as it's supposed to here, but it's all right.

So, a brief little bit about me, my background, and why I'm up here talking. I had a really interesting opportunity when I was in college in the early 90s. I went to Case Western in Cleveland, Ohio, and in my senior year I had the opportunity to do an internship with this guy who had a company that at the time was developing antivirus software. His name was Dr. Peter Tippett, and some of you may know that name at this point; Dr. Peter Tippett has since become, I think, the chief medical officer of Verizon. But long story short, from these beginnings, where I started in infosec in 1991, '92, we were disassembling virus code. At the time we were getting about 15 to 20 new viruses in to disassemble per week, and this is '91, '92, right? So essentially, as luck would have it, that is my intro. Dr. Peter Tippett sold the company that I was employed at, which was called Certus International, to Symantec, and a lot of our work became the core of Norton AntiVirus. I founded my own company doing pen testing and all this other stuff, and then I had the opportunity to come over to Black Box to develop, at the time, a real security practice where we're not talking about, and I'll touch upon this as we go through some of these slides, firewalls. Firewalls are not security from my perspective; that's infrastructure.

But the bottom line here, and I'll go through a couple of disclaimers, right: I represent one cl... This is not a box-popper talk, it's not a cool talk, and it's focused on natural security systems. Now, when I say that, the biggest disclaimer here is that this is not about Darwinian evolution versus religion, so let's just get that out of our minds right now. This is about natural adaptation, and I expect... so let's get into this.

There are a number of generic problems with infosec. Information security, functionally, today is really viewed as a tactical solution, which is inherently reactive. We as an industry, in order to protect our clients' data and allow them to take risk so they can be innovative, infosec really needs to be accepted as a business function. It's inherent to all of our organizations as a business function; that's where it should be. I'm not going to go through the Dem quote, we'll just keep moving on here.

So let's talk about infosec's role real quick, and then I'll get into the meat and potatoes here. We have to prevent the loss of our business credit... that's fairly... Promoting innovation: our job is really to allow our organizations to take more risks so they can innovate more and then be more successful over their competition, etc. All of that directly contributes to national economies, right? So we have a large job here, and then protecting the brand.

Our problems, though, are: what are these business initiatives and goals, right? What is the organization's business critical data? Let's do some IT calisthenics and raise some hands here. How many people know what your organization's business critical data actually is? A couple, a few, right. How about those of you who do know that: do you know where it lives? A couple, a few. Sure about that? Just checking, right. But that's a core problem for infosec today, and as we take into account these types of problems, who else might find value in that business critical data is an absolutely essential variable in order for us to understand the threat models and be able to feasibly protect the data itself.

This is the standard FUD slide: the sky is about to fall on everybody and whatever, indicators of compromise, things of that nature. But as we are, no offense to our sponsors, inundated by a lot of that FUD, what are the organizational reactions? Organizationally, we're buying more blinky lights. Hack-back legislation: this point here is really tied into that legislation, which is, if we've gotten to the point where we have to legislate our problems, we've completely missed the problem to begin with. And the irony is that all of this big business arrogance that is fueling the response to the FUD, and the investment in all these blinky lights and things of that nature, is creating even more revenue-generating, successful businesses. This is not a new story, but the biggest problem here is that because it's not a new story, like what Jack was saying earlier today, why aren't we learning? How can we learn?

So what does this problem attempt to solve? Well, this is a Gartner IT spending chart: spending trillions over the past five years, and there are little anomalies here and there, but basically IT spend has gone up in trillions. And this is the Verizon DBIR over the last five years, and guess what, sure, there's a little lump here and there, but those breaches continue to go up. So we're investing in all this stuff; how much of an effect are we really having with all this investment?

Most people in the industry who are in that innovative kind of... I don't know if you know Dave Kennedy, I'm sure many of you do. He's a really, really smart guy, author of the Social-Engineer Toolkit. He's one of these cats who readily admits that we in the information security vertical are most likely a good two years behind the technical innovations that are incentivized by organized crime and nation states. We're two years behind, and that's scary.

So the second problem that this talk is attempting to solve is our obsession with static models, and we call it the problem with walls. The problem with walls is that, like anything else, let's say it's a dam or a dike or a levee, its static purpose is to prevent water from going from point A to point B. But over time there's a natural kind of adaptation of water that will eventually get around static controls. Static controls are static controls; there's no dynamic anything with static controls, and that's a problem.

Organizational entropy is the third point that we're going to talk about, and hopefully maybe we can instill something. Organizational entropy, first of all, is one of my favorite terms, so elegant. Organizational entropy is the natural result of assuming you're smarter than your adversary, and if you are in that position, in that mindset, there's no incentive to learn and to get out of your comfort zone. I'll talk about getting out of our comfort zone as we move through this, because that's critical to natural adaptation.

And then finally, this unnatural state of our businesses. When I say unnatural state, there's this mentality that, essentially, because there's literally no learning, our organizations are staying inside their comfort zones. What do we call that? Business as usual, right. So in order to really have our organizations learn, we have to get out of this mindset, this "natural" state that we're in, which is really unnatural, and our organizations must learn to adapt, get out of their comfort zone, in order to effectively attempt to protect against these adversarial technologies, techniques, whatever, that we're already a couple of years behind. And the solution is not buying all this stuff over here; the solution is really kind of here, from a people perspective.

So these are the problems that, from a goal perspective, I'm trying to... let's see if we can get some ideas around this stuff. But as I go through this, there's one thing that's nagging at me: is it even feasible to convince any organization... can we modify our organizations' behavior without blatantly going to the people who are profiting and making money and being successful, the CEOs, the CIOs, the CFOs, and saying, guess what, you're doing it wrong? So let's see. We're having a really difficult time securing all this business critical data, and our organizations are continuing to make money. Target, right? Guess where the Target stock price is now: back to where it was. The profits are still down, but we have short memories. But is it feasible to be able to change our organizational makeup and behavior without trying to dismantle the way, either bottom up or top down, managerially, our organizations are constructed? And I say yes; I do believe that it is possible, through these techniques. I read a lot, and a lot of this stuff that we go through is just me taking things from here and there and saying, hey, we can apply this. But here's my position: naturally adapted systems are inherently more secure.

Yeah, I'm getting ahead of myself. As we go through this, I would very, very highly recommend these three books: Emergence by Steven Johnson, subtitled The Connected Lives of Ants, Brains, Cities, and Software; The Wisdom of Crowds by James Surowiecki, which was a fantastic read, and I'll go through a couple of the examples; and then Learning from the Octopus, which is phenomenal, and I'm going to steal a ton of his content. That guy was a natural biologist who was in politics for a number of years, and a lot of what I'm going to be talking about is in terms of how we can naturally treat our organizations as organisms, learn how organisms adapt, and apply that to our organizations. Because when we break it all down, organizations are made up of little parts here and there, just like organisms, so there's collaboration, there's cooperation, and all of that, in my opinion, will assist in making our organizations more naturally secure.

So there are a number of rules of engagement here when we talk about naturally adaptive, excuse me, naturally adapted systems. Naturally adapted systems are organized semi-autonomously with little central control. Decentralization is a very, very touchy topic, especially when we're in a business conversation. Learning from your successes: there's this old adage that you learn from your failures; that's a very incorrect statement. Learn from your successes. In the same way, a lot of people believe that survival of the fittest is the Darwin mantra; well, that's actually incorrect as well. It's actually survival of the good enough. If you're good enough at outrunning the tiger, you're going to survive; you don't have to be the best sprinter on the planet. Using information to mitigate uncertainty: well, mitigating uncertainty is a very interesting topic in itself, because that's really what we are trying to do as information security professionals, to mitigate uncertainty. We actually also want to instill a level of uncertainty in our adversaries, so honeypots or intrusion detection, anything that will make them maybe not be as confident as they might be in trying to gain access to your business critical data. Uncertainty is definitely a big, big variable in all of this natural adaptation. And then engaging in diverse symbiotic relationships, so that could be at any level of the organization, whether or not we're talking about intra-organizational... Oh, do you have a question? Absolutely.

Say, use information... a lot of the others emphasize your ability to adapt. For example...

Kind of, yeah, go ahead.

So for example, let's take military history examples: look at the Russian troops, who turned out to be completely inflexible in a haphazard battle in the city, right. The other side, the Chechen side, organized their troops in very small, very mobile groups, and they would reorganize, they would change their order of battle based on the problems that the Russians were posing for them. So they would assemble small groups of three to five people, with one guy with an RPG, one guy with a sniper rifle, two or three guys with assault rifles. So by their ability to adapt to the situation very quickly by changing how they organized, with a much smaller number of fighters they could maneuver them quickly, and they could... a numerically superior infantry force that was much more heavily armed, had a lot more armor and had air support, but they were sorely lacking. So in this example we have one force that is inferior on pretty much all measurements with the exception of one: their ability to adapt. Because of their ability to adapt, they were able to defeat, and basically deal a blow to, an otherwise superior force.

Understood, yeah. So there's no disagreement with anything that you just said, but these are just the four things that contribute to naturally adapted systems. That's an example of how some of that was utilized; there are other examples at the other end

of that spectrum that contribute to naturally adaptive systems, but as we go through this I think a lot of it will make sense.

Adaptation arises when you either get out of your comfort zone or you're pushed out, right, and in those instances learning is absolutely one of the biggest variables here. Adding any of the... again, this is not adaptation, this is not adapting. These techniques start with these decentralized and distributed organisms or organizations, and within there the benefits include multiple sensors. Within infosec we deal with a lot of sensors, whether it's intrusion detection sensors or NetFlow sensors or whatnot, but here it's multiple sensors with no preconceived notions. No preconceived notions means that there's no mandate, there's no direction, there's no commands. The Wisdom of Crowds is basically taking a sample set of people, giving them a challenge, and just letting them go out and try to find the best solution for that challenge. So with no preconceived notions, with multiple sensors within our sample set of people who have this challenge, we have individuals with specialized tasks, or organizations with specialized tasks, organisms, etc.; it's all interchangeable in my mind. Redundancy: we obviously all here understand the value of redundancy.

So the requirement of a challenge, this is the second big point. Again, I really want to emphasize the lack of mandates, of "this has to be done this way, and I want to make sure that this command is taken through to the finish." That's not how successful adaptation works. What happens here is that challenges within an organization instill competition, competition between the parts. And it's the same thing with organisms: organisms are competing for, let's say, food, and then at some point all of the little smaller parts and pieces realize that they have the same goal, and that competition then instills collaboration and cooperation at a very small part. So when that happens, in successful adaptation examples there's this domino effect, where, okay, here's this little area and all of its little pieces and parts have figured out that we're going for the same goal in this challenge, and now we're cooperating. Well, now there's a whole different area over here, let's say it's a different business unit or a different set of organisms, and now there's also competition between these larger areas of the organism or organization, and at some point, when they

learn that the goals are all the same, now they're cooperating, collaborating, and on and on and on. There's a really great example in The Wisdom of Crowds: does anybody know what the USS Scorpion was? It was a nuclear submarine that was lost, yeah, it was the only American nuclear submarine that was ever lost, right. So at the time when this went down, the head of the Navy, and I'm going to butcher the story because I don't remember his name, issued a challenge throughout the entire Department of the Navy, everybody from custodian to rear admiral, and basically said: okay, given what we know, we know the last point, they were in the Atlantic, we know the last radio transmission location, we know the wind direction, we know this and that. Given these variables, give me, everybody individually, your best case for what you think happened and where you think that sub is now. And they got all the results, and nobody had anything spot on, but when they took the mean of all these hundreds, maybe even a thousand answers, the actual location of the sub, once they found it, was 224 yards from where the mean of the crowd said it was going to be. That's mind-blowing, but it illustrates this: this is a challenge, and this is how we can utilize this type of thought to begin working together and enhancing the security of our organizations.

Information sharing, filtering and prior organization, right. So obviously sharing is essential from an organizational perspective, and organisms tend to seek to reduce the uncertainty for themselves, like we talked about, and increase the uncertainty for the adversaries. Symbiosis, real quick on symbiosis, because I know we're going to run a little late here. There are different types of symbiosis, and I'll have these slides off, because I know this is not the best thing here, but really the big point from a symbiosis perspective is that it creates reactions that are more than just the sum of two organisms working together. Symbiosis, from a business perspective, from an organization perspective, is critical to this whole competition and cooperation point. So again, competition leads to group cooperation, group cooperation increases the effectiveness against adversarial threats, and then the group competitions lead to group cooperation. This is how all of this builds and builds and builds. But here's the point: what's the

incentive? What's the incentive for us to change this behavior? What's the incentive for our business leaders to say, you know something, we're doing it wrong? We're making money; that's wrong? What's the incentive? Business as usual, comfort zones: you're always going to basically remain in your comfort zone. You can't learn and you can't adapt until you get out of your comfort zone.

So, incentivized adversarial innovation, and this is what we are all up against, this incentivized adversarial technology. This is the APTs and all that stuff; this is a big business. We do a lot of trending and work with a lot of organizations, like the Bureau and whatnot, on just data sharing and mining and whatnot, and a lot of these organizations have seven-figure R&D budgets for malware research. This is a business, make no mistake about it. There's lots of profit, there's lots of margin, and there's lots of ways now to incentivize the development of this type of technology that is coming against our controls to try to breach our systems and get our business critical data. We're not doing a lot of that on the, let's call it, defensive portion of our organizations.

So how can we build more naturally secured systems in an environment where our business leaders are not really going to be accepting at all of any types of changes like this within the organization? But we recognize that it's absolutely necessary if we want to have, excuse me, any chance of further keeping our business innovations and business critical data to ourselves. But wait, aren't we humans good at adaptation? Sure, absolutely, but the contradiction is that while we humans are good at adaptation, all of what we've created, all these systems, have been created as non-adaptable organizations. Again, this is the problem with business as usual: we're not getting out of our comfort zones, and because we're not doing that, we end up with systems that are completely static. The problem with walls, static systems, static mentality, and no real incentive to get out of our comfort zones.

So how do we then get systems within organizations that can deal with security problems organically and naturally? The basics again: introducing challenges within your organizations, no directives, no mandates, it's the challenge mentality. Amplify and reward success. I know a lot of organizations now are really diving into more successful security awareness programs where they're

incentivizing the populace, the users of the organization. When, let's say, somebody walks up to the front gate and wants to come in and says, hey, I want to get my resume to you guys, I'm looking for a job, here's a thumb drive, can you just copy it to your system? No, no, right? Incentivize all that; that's an example of something that should be, I'm blanking on the word, announced throughout the organization. That's a really, really good incentive. Taking advantage of the localized problem solvers and promoting learning, the cooperation, the symbiosis.

So who here has anything to do, let's say within the IT community, with any responsibility from a team leadership or management perspective or anything like that? Do you contribute to teams within your organization... who's a team lead, sorry, whatever. All right, but how many also think that these types of changes are too radical for your organization? But why would we think like that? And I absolutely agree from the perspective that, look, it's not easy to go to the people that run your company and say, hey, let's try this, this isn't working. But this is what I would like to then posit as the challenge from me to you. This is my challenge of natural security, the adaptive process: take these ideas and see if you can apply them at very small parts of your organization, and begin thinking in terms of this challenge, competition, cooperation, incentivization. Naturally, your team members, the parts of your organization, are going to learn from their successes and begin, at a human level, to essentially get us more naturally secure institutions and organizations. Your small successes will lead to bigger successes, and those bigger successes will then ensure... not ensure, nothing's obviously 100%, but will go a great way towards more naturally securing your businesses without having to rely on the heavy investment of the latest APT protection application for our clients. Question?

Well, I was thinking about this. I think the issue is, when you are in IT, it feels easier to change technology than it is to change behavior, and therefore, since your specialty is tech, you follow what you know. And I think it's a challenge if you are in security to think about behavior rather than as a policy-driven thought point, rather than trying to add new tech, but new tech is easy and usually doesn't get you fired.

You hit it right on the

head, right. And what am I talking about, right? Yeah, it's hard to try to make that happen, but guess what, get out of your comfort zone, right. That's the challenge; that's why this is the challenge of natural security systems. It's not going to be easy, it's going to be hard to even begin starting to have these conversations, but in my mind it makes a hell of a lot of sense. And if we can begin to secure our organizations using this type of mentality, and understand that at the end of the day it's all about our people, then I think we have a much more probable probability of success. But look, at the end of the day, from a blue team role perspective, our job is to delay the amount of time it takes for somebody to try to breach our protective countermeasures and gain access. It's a game of time, okay? And if we can, through these types of techniques, build upon the structure that we already have from an infrastructure perspective and these types of controls, that gives us a really, really good step ahead of our adversaries, especially when we talk about the human side of all this.

So really, in closing, if we can accomplish all this without telling the CEO that he's done his job wrong, I think that's a success in my mind. So that's my presentation; I welcome feedback, arguments, etc. Yes?

It looks like basically what you described about the existing state of affairs is that we are essentially building a rather static defense, where we essentially build our fortress, we're sitting inside it, and somehow I can't see... throughout the world's entire military history, anyone who ever... Sure. Also, I can't seem to think, through the entire military history so far, I can't seem to think of anyone who has won by being on the defensive.

Absolutely. So, okay, but is that a promotion for a hack-back mentality? How do you...

Why, by going on the offensive I don't necessarily mean stupidly go and hack them back; that doesn't have to necessarily be the instrument. It doesn't have to be necessarily technical; you can find out who your attacker is and you... other measures.

How easy is that to do today on the internet, finding out who your attacker is?

Well, there are some ways of finding that out. It's not necessarily easy, but in some cases it may be

doable.

Sure.

And you may apply pressure.

It also depends on what you have, right, what vertical you're in. There's a certain level... nation-state adversaries are not going to go after K through 12, kindergarten schools, right, so they're not... I mean, what's the incentive? Going after intellectual property, going after medical research and all that stuff, stuff that makes a difference.

Yeah, stuff that makes... I'm sorry, go ahead.

So there are new laws here from the SEC about sustainable costs for an IT... you can go to jail if you don't report what your cost is for an IP loss. Can you talk about that?

I don't know much about the latest... We could talk about adversarial cyber war, but...

This is a real law; you can go to jail.

Yeah, yeah, I mean, like I said, I don't have much insight into that specific ruling at all. But the bottom line is, from an adversary perspective, there's an ROI. Was it Josh Corman who talks about adversary ROI? And while security ROI is really kind of a mythical topic, there's no... we're talking about risk, and you can't have an ROI on risk, but what you can more closely quantify is an adversary ROI. They have a budget just like we do, and so if we can get an understanding of that adversary's capabilities and be able to utilize maybe these techniques or other systems to then delay the time that it takes them to try to get your data, that at some point can reduce their ROI to the point where it's probably not worth it.

That's exactly the point here: the SEC is asking you to define what the cost is for your own intellectual property loss right now. If you're a software company, you can do that in terms of what the value of the IP code was; for other companies it's a lot more complex.

No, absolutely, I absolutely agree. I work with organizations that actually don't patent a lot of their stuff, because guess what, all that stuff's public information, right. So if their competition in China wants to spin up some factory to do exactly what they're doing but at a third of the cost, they can just have somebody go to the patent office and say, okay, there it is; that's how they get it. So I see it as a very sticky situation, obviously, what you're talking about, and I'd love to talk about it more, but any other final questions, comments? Am I out of my mind?

Just... I really like the comfort zone. It strikes me, the idea of a village: everybody who's eaten by a lion has actually been hunting outside the village, but everybody who starved to death starved to death inside the village, in your comfort zone.

I like it. Can I use it?

Go for it.

All right, everybody, thank you very much, appreciate it.