State Of The (Snake Oil) Business: A Manifesto For Change

Ahead of this year’s RSA Conference I have spent some cycles thinking about how far our industry has come, or more precisely, how little we have accomplished. The world is not a safer place, our systems are more complex than ever and threat actors continue to win while defenders burn out.

The modern cyber security industry arguably started in the early nineties with the advent of the WWW. As organizations and individuals rushed to get “online”, little regard was given to basic security principles like Confidentiality, Integrity and Availability. Very few people understood how the underlying technology worked or, more importantly, how it could fail or be corrupted. The quest for subscribers and fear of missing out fueled exponential growth. “Houston, we have a problem,” but that realization came too late; the proverbial genie was out of the bottle. Never fear, we will use technology to “fix” technology. Passwords, AV, firewalls and IDS to the rescue…

I was one of the many who believed technology could save us from ourselves. In 1998 I started socializing a methodology I developed called AFIRM (Active Forensic Intelligent Response Method). The following year I published a reference architecture & platform called SANE (Security Adaptive Network Environment), which was originally designed for the Air Force SBIR program. Notwithstanding my cringe-worthy obsession with acronyms, the lack of an accepted taxonomy and a strong conviction that Y2K civil litigation would be a compelling event, it occurs to me that SANE is still relevant.

25 years later, the market has caught up with the vision. A SANE platform is achievable. We could argue some of the nuances, but it effectively represents the capabilities organizations need to actively achieve a business-reasonable security posture today. However, between the FUD, Silver Bullets and the “Illusion of Choice”, our industry is not driving positive change but entrenching the status quo. How can we break this cycle? More swag bags, back-to-back meetings to justify airfare, copious badge scanning to feed next quarter’s cold calls or dueling parties where the vendors outnumber the clients…I think not.

Rather, consider adopting these simple principles when deciding how to spend your limited resources:
  1. Know what matters most. Understand your organization’s mission, stakeholders and risk register. Effective governance is more important than technology. #CultureCounts
  2. Don’t be in a rush to buy more technology. If your tech is not “optionally transparent” it can easily become a liability. Leverage the latent capabilities present in your current estate. Consider removing two technologies for every new technology brought into your environment. #OptimizeValue
  3. Humans matter. Make it easy to do the right thing and hard to do the wrong thing. #HumanFirewall
  4. Automate whenever possible. Humans only need to be involved when discretion is required. Automate everything else. However, beware of automating a broken business process. That is a sure-fire way to fail at scale. #FailAtScale
  5. Adopt meaningful metrics and score your decisions accordingly. Learn from your mistakes as they are often very expensive. Treat them as an investment not as an embarrassment. #MeaningfulMetrics

This is my call to action and request to our industry leaders as they meet this week in San Francisco. Let’s build SANE systems and protect what matters most!