April 4, 2020
Dave Elliman – Security by default


[MUSIC PLAYING]

Security and resilience. One seems to suggest that it’s a defensive mindset, and resilience is some sort of reacting: what do you do when you need to react positively to some sort of breach? And is it possible? We’ve heard an awful lot, and I think this carries on wonderfully from before, about the type of attacks that we’re now subject to and the risks that we face. And interestingly, the word risk will come up later. It’s something that we don’t necessarily always consider hand in hand with the way that we make our decisions.

So what are we going to do? We’re going to look at why. And we’re going to define resilience itself a little bit deeper. And then I’d like to look at some building blocks. And I’m going to put it to you that some of the agile and continuous delivery techniques are natural foundation elements to enable you to be able to construct a platform, not just for protection, because I don’t actually think that there is actually any protection. You’re going to be in a constant cat and mouse game now henceforth. But what it will give you is the flexibility to be able to address things in a piecemeal fashion, enough to be able to do damage limitation.

This definition is the first definition I found when I was looking up cyber resilience. Now, cyber resilience is a bit different from cyber security. Cyber resilience is more of a way of thinking. And that way of thinking uses the tools and approaches of cyber security to try and keep the lights on. It’s about bringing together ideas of business continuity and operational concerns, mixed in with cyber security as your tool.

The threats now are different. It’s not just that there’s more of them. It’s not just that they’re cleverer. It’s the fact that we’re seeing, over the last 25 years, we have the internet. So there is now a global framework. On that global framework, we now, for the last 15 years, have cloud computing, which is an execution framework. And we now have the ability to execute and perform attacks on whoever our rivals might be in a way that we’ve never had before. And that means, therefore, that you have to think differently about the way that you’re going to defend yourself. On top of that, we have the movement towards analytics using machine learning, artificial intelligence. The technology’s been around a long time. And it’s only because we have commoditized compute cost-effectively available to us that we can now use artificial intelligence tools. And therefore, your adversaries can use those tools against you.

So this is the model that we’ve grown up with, the castle model. It’s human nature. And we can’t get away from how we naturally think as people. And we’ve grown up thinking that the way you protect yourself is to build walls around yourself, and the castle is the classic example of that. And we do it, obviously, in our day to day. We build houses. We lock windows. We lock doors. It’s a natural thing for us to do. So when the internet and ecommerce arrived, and it became monetized, and the use of computation across distances became established, we started to see the threats emerge. When we understood the threats, we started building walls. So with those walls came the ability to breach those defences. Now, sometimes it might be a battering ram. And other times, it might be very, very sort of subtle.

So this is the traditional approach, something that we reported on in our Tech Radar a couple of years ago. The traditional approaches to security involve getting the people who know what they’re talking about into a room with you and laying down the security recommendations. And they will do the risk analysis. They will give you the standards that you have to work to. And they’ll set out the requirements for whatever products you’re building. Let’s assume that these are a set of digital products. And they will then set the infrastructure standards and so forth. And then they’ll come back at the end and they will do a number of things, including auditing or penetration testing, and so forth. But in the meantime, what’s happened? Anything could have happened. Anything could have changed. And you don’t know the amount of risk that you’ve actually been addressing throughout that process, because you’ve got no way of monitoring that risk throughout that process. So no one is actually taking care of security throughout that process. Now, there are cases where some people will come and do checks. But there are cases where people do wait until people meet some form of standard. Now, there’s two problems with that. One is what happens when the standard isn’t met and you have to go in: your product is delayed. And the second problem is there are new zero day attacks every day.

So we need to change the way we think about security. We have to build this almost social model of responsibility, that security has to be everybody’s responsibility in one form or another. Now, where we have the problem is where we have an organization and we have the IT department, and within IT, we have the specialisms. So there might be risk, there might be compliance, there might be security, and so forth. Those people will come and decree, move away, and then come back and check that you’ve met the standard. They’re not working with you. There’s no collaboration. There’s no community. So what we have to do is be able to create a model, an operating model where people work together. So the key message today is that everybody is responsible. That’s easy to say; we could send out a memo: you’re all responsible, hey. But actually, to be absolutely responsible, it needs to be part of your operating model. So people actually have responsibilities and know what to do to escalate, know what to check for, know what not to do.

Obviously, you’re subject to direct attacks. You have to worry about the privacy and the transparency of your data. So you’re now responsible for the data that you have. But in order for you to be responsible for your data, you need to know where and how it’s used. Now, GDPR says that you should know where and how your data is used. But most people don’t follow GDPR in anything other than some form of lip service, and are hoping sincerely that they’re naturally not audited because they’re going for the bigger fish. But how do you control the data that isn’t in your systems? So you create your products, you sell stuff online, or people talk about you, you offer a service. And that information is out there on social media. It might be something on TripAdvisor if you’re in the hotel business. It could be anything where information about you is talked about externally. What’s that got to do with your castle model? Nothing. And there’s nothing you can do about it. So can you control the conversations? So some people try to use some form of sentiment analysis to get out there, be in the conversation, to try and combat difficult problems. The amount of issues that we see with supermarkets, especially with deliveries, where somebody gets some really terrible service. So they tweet about it and all of a sudden, they get a response. Now, that wouldn’t have been the case with phone-up customer services, because of that issue we talked about earlier in the questions. Nobody gets to know about some of these things. If it’s out there, you’ve got no control of it. So you’ve got the data that you’ve got within your organization, which you would look at as your data, or the data that you’ve derived value from, that you’ve pulled from outside. And then you’ve got the data that’s out in the external world that you’ve got no control over at all. And these things are happening all over the world.

And I think that, just to reinforce that someone is more intelligent out there, that machine learning being so easily available now, and so easily adaptable, is being seen more and more as probably the biggest threat. You might have expected me to talk about things like the behavioural differences and policy tracking and so forth. These are all good tools; there’s nothing wrong with the use of intrusion detection systems and so forth. But what I’m trying to spell out to you is that it’s a question of when, not if. So we need to think differently about the way we’re responsible about it and the way we defend and keep the business running.

So we’re running through a period where the underlying thing, we talked about the internet, we talked about the prevalence of cloud, technology is changing fast. So this is an example of processor execution time, how much your processor is working for you. And it’s the often-used Moore’s Law. Now, there are people that will extrapolate Moore’s Law out. Ray Kurzweil extrapolated it to 100 years, looks at the very beginnings of mechanical computing over the last 100 years, goes right the way up to now, and says that you can actually track that exponentially. And now we’re at the point of the end of Moore’s Law. Whether you look at it from 100 years or whether this goes from the late ’70s, we’re at the point where many people consider, and this is something I’m now buying into more and more, that we’re at the point where we’re about to hit one of those other S-curves. And we’ve come to the end of something which is just a physical constraint. There are other approaches that are coming that are going to create a difference in threat and also opportunity. So things are going to change for the better in some senses, and what we can do is more powerful and more diverse. But the types of attacks need to be considered as a pair.

So if we just look at this, you can see here they are along the side, the blue: internet, social, mobile, and data analytics, as these are sort of foundational elements. And once those foundation elements have become established, we get the things in green, which can grow from them: 3D printing, renewable energy, internet of things, cognitive systems, and other technologies. Then we see this growth into layers upon layers of platforms growing upon platforms that enable other things. And I think with the fact that the cloud now exists and is now commoditized, the fact that machine learning is available on there, we’re fast approaching an era where the platform of the internet that was then enabled the platform of cloud computing, which enables the ability to construct artificial intelligence, meshes, and so forth. And on that, we have a number of things that are going to come in terms of innovation in the next few years.

So back to resilience. This is a document that was issued five years ago by the Department of Homeland Security in America, in the US. The key point here is that it talks at the end about the comparison to cyber security: cyber resilience requires the business to think differently and to be more agile in handling attacks. So it means agile in the dictionary definition of the term; it means that it needs to be more responsive. But believe me, I’ve worked in just about every intractable organization, like you guys do, where you just can’t consider how you can make things work any quicker than they do because of the organizational structures, the politics; everything is set in stone to such an extent that to get a change in place, it feels like you’re moving the building an inch to the left brick by brick.

So continuous delivery is something that we’ve talked about in ThoughtWorks for the last decade. We were there having conversations with people that started the DevOps movement. And you may think that this is a set of instructions, a method, an approach that is simply to do with deploying software into production. It isn’t. If you’re a digital business, your products are the things that are deployed into production. So the ideas or the responses to change or the security breaches, whatever it is that comes as a stimulus into the system, need to be handled in a way where they can be analyzed quickly enough and delivered into a process that’s predictable. So you need to be able to get it analyzed, get it delivered to the people that are going to write the appropriate software within your digital product suite to make the changes, get it tested, and get the appropriate people in a room that can actually do the analysis at the right time. So this will probably involve a complete change in the way your company organizational structure works.

How do we get the right people in the room to work together? So it’s very easy to think about this in the isolated sense. It’s a problem, so we just get the right people, get the risk guy, get the compliance guy. And then maybe get them to talk to the CISO or one of these delegates and then work with the delivery team. If you’re not doing that every day or on some regular basis, then you are not going to be responsive enough, because you’re going to get so many of these things thrown at you that these isolated cases are going to become the norm. So you need a way of deconstructing some of your organizational structures and your political lines such that collaborative teams can be deployed, if they don’t already exist all the time, to come together to create a whole lifecycle management for your digital products.

This is from an article that I wrote a year or so ago on the lean security cycle, and we have to start thinking in cycles. So agile is about breaking things down into little chunks and getting the appropriate quality assurance in place, get the right thinking ahead of time, but just enough, do the work, do the testing. So you build up this bank of knowledge and testing and an ability to react to change, because you’ve got that sort of set of LEGO bricks for your entire estate. Now, if you get something or you find a breach that occurs, so your detection systems find something, then you need to go into response and recovery as quick as you possibly can. So you get the people together, you swarm to get to the response and the recovery in time, because you’ve put the fix into place. Your continuous delivery pipeline gets that into production because you’ve already got that process in place delivering software. And we’ve got tools that are actually automatically doing sort of security testing in place. This gets that stuff done automatically. And then you can start to think, somewhat at leisure, how you would prevent it. That might be a policy change. But you need to start thinking more in terms of lean business cycles and eliminating waste. And that enables you to use the continuous delivery building blocks.

But this is just another take on the same issue: that we have to be able to go around in a cycle of design, work out who does what, where we deploy it, and then how we deploy it to production, and then how we manage a continuous security cycle. So continuous security. I could be talking about continuous compliance. It could be continuous anything. As long as we have that idea of breaking things up into pieces, putting the appropriate QA around them, and putting the appropriate tests in place that can be executed in an automated fashion as far as we possibly can, it means we build up that bank of quality and safety over time.

So the potential bottlenecks to this are that we might not have the capability. So we need to think about this from a wider point of view. Who needs to be training what? What expertise do we need to have? How do we bring people together? What are the actual operating model changes that we need to do to bring people together to work together for the first time? We need to put those practices in place. And we need to have the tools that are appropriate. And we need not to standardize on those tools. We need to have de rigueur or de facto standards that we use for a while. And when they don’t fit anymore, you throw them away. So the whole idea of standardization, of tooling, of software, of techniques, and skills, is wrong. Everyone in software has said, build it once, deploy in many places. If you think about the human body and defense against the virus, then one of the natural solutions to recovering from a virus or some form of attacker is diversity. So your body will naturally start to change the way cells actually are constructed, or the defensive walls on cells. Because if something was to come in and be able to damage one cell, it will kill them all. So diversity is a natural defense. And people are now starting to turn towards natural sciences and complexity as a way of thinking about the way we need to think about the future, because it’s just getting too hard and too hard to think about, too hard to discuss and manage.

In order to try and work out what we need to do first, we need to have risk as a first class citizen in our toolchain. Most people, when they approach risk, they will look at a framework, get some expertise in, and they will have a qualitative approach to risk. So they’ll think, what are the things I need to worry about? And then they’ll put some sort of severity rating on them, 1 to 10. And then they’ll look at the frequency with which they think they predict that might occur, 1 to 5, 1 to 10. And then they’ll roll up those things into some sort of number, and that’s your risk score. Some of them are more clever and they will have some sort of statistical weighting attached to it, and some of them are quite simplistic. But the problem with this is that that’s guesswork to get to the qualitative value; the severity of 1 to 10 is a guess. So when you get a bunch of guesses and roll them up into an aggregate guess, you’re miles away from knowing what actually is the risk or how to quantify that risk. You have to be able to look at something and say, well, how much is it going to cost me? And the only way we can do that is by starting to introduce things like probability. So what’s the probability of a potential loss that would occur at a particular point in time? And if this happened, how much would it cost me? So we start to use other types of models to say, well, that would be the reputational damage, this is the direct costs, and so forth. And then the quantitative models that we use can start to give us a feel for how much it’s actually going to cost us.

So we’re going to need to maintain a balance of acceptable risk. So again, you can’t just lock everything down and just come out of here and say, I need to control everything, everything needs to be locked down. We’ve got to have a sensible approach to how we do this, and that needs to be attached to value. We have to think about things in terms of an impact assessment. What data is stored? What’s the reason for storing it? And this takes us back. All of this is very similar to, what are we supposed to be doing for GDPR? Well, we were supposed to be constructing data privacy impact assessments. So from the point of view of privacy, that was a walk-through of all your data: who owns what, where is it, what am I going to do with it, how do I get rid of it, what’s the linkage between all these bits of data. And that’s physical as well as digital. And many of these things are very much the same. If you’re thinking about threat and risk, you need to do a threat model. What’s the threat? Where are the bits in the system? What are the potential things that are going to attack it?

Which brings us to the only approach that seems to be elevating now as a replacement for the ‘just build the high walls around it’. And that’s the Zero Trust model. Zero Trust was a term coined by Forrester around 2010. And it’s pretty simple, really. This is the perimeterless enterprise. So theoretically, there’s no rules. In practice, there are still many of the same tools that you have in place. But the idea is that everything is potentially external. So if we take the idea of the castle, and we say, well, let’s take the castle and make lots of little castles inside the castle, then remove the outer one. That’s more the approach. So how do we do this in an agile way? Well, one of the things that we talked about is being able to construct these small work units and deliver them. But we also talked about delivering small pieces of software. And those small pieces of software are things that we can individually manage so that we can put protection pieces around them. We can put the appropriate authorization and authentication around them, for example, as opposed to having one at the external. So it changes the way you have to think about the granularity of what you’re doing.

So just to finish, the end of simplicity. Everything is now more complicated. So we need to think about the nature of how we think of problems. Historically, we’ve thought about reducing problems down to the simplest elements and solving each one: reductionism. But we’re now finding that things happen, you know the old expression, the sum is greater than the parts. We’re seeing emergent behavior that’s resulting. So in all our distributed systems or these moving parts within our organization or enterprise, certain behavior can happen as a sort of a perfect storm of events that is hard to reproduce, that becomes very difficult. And this is where machine learning externally can start to harvest some of these things and start to feed in some of these chaos scenarios into your environment. That’s the sort of changing nature of the way we need to think about the sort of approach to security. That we need to think about the fact that it’s now potentially something that is like a complex adaptive system. That we need to start thinking about how all those small pieces that we deployed, how they talk, and how we’ve protected them, when they all work together in concert, this happens. So how do we protect against this? And it’s those things that we can protect, some of them in scenarios and some of them in a completely different way, that we need to think about, and we don’t know until we get there because it’s emergent behavior. So we have to have this constant iterative approach to investigation, to solving and fixing and moving on. But trust me, you’re constantly going to be fighting a losing battle.

[APPLAUSE] [MUSIC PLAYING]
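The talk's contrast between a rolled-up severity-times-frequency score and a probability-times-cost view of risk, as an added example that is not part of the talk or its slides: the three scenarios, their 1-10 guesses, annual probabilities and cost ranges are all constructed values, and the model shows the two approaches ranking the same scenarios differently.

```python
"""Probability-times-cost risk model beside the severity-times-frequency roll-up.
Added illustration, not from the talk; all scenario numbers are constructed."""
import random
import statistics

# Constructed scenarios. Each carries the two 1-10 guesses the talk describes
# (severity, frequency) and a quantitative model: probability that the loss
# event occurs within a year, plus direct and reputational cost ranges.
SCENARIOS = {
    "ransomware on order system": {
        "severity": 9, "frequency": 3, "p_year": 0.10,
        "direct": (200_000, 600_000), "reputational": (100_000, 900_000),
    },
    "leaked customer data set": {
        "severity": 8, "frequency": 2, "p_year": 0.05,
        "direct": (300_000, 1_500_000), "reputational": (500_000, 3_000_000),
    },
    "phishing of finance staff": {
        "severity": 5, "frequency": 8, "p_year": 0.60,
        "direct": (10_000, 80_000), "reputational": (0, 20_000),
    },
}


def qualitative_score(s):
    """The roll-up the talk criticises: two guesses multiplied into one number."""
    return s["severity"] * s["frequency"]


def expected_annual_loss(s):
    """Probability of the event in a year times the midpoint of its cost ranges."""
    midpoint = lambda lo_hi: (lo_hi[0] + lo_hi[1]) / 2
    return s["p_year"] * (midpoint(s["direct"]) + midpoint(s["reputational"]))


def simulate_annual_loss(scenarios, years=20_000, seed=1):
    """Monte Carlo over simulated years: each event occurs with its probability,
    and when it does, a cost is drawn from its ranges. Returns the mean and the
    95th-percentile total annual loss, figures that can be set against the
    cost of a control or an accepted-risk threshold."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios.values():
            if rng.random() < s["p_year"]:
                total += rng.uniform(*s["direct"]) + rng.uniform(*s["reputational"])
        totals.append(total)
    totals.sort()
    return {"mean": statistics.fmean(totals), "p95": totals[int(0.95 * years)]}


def rank(scenarios, key):
    """Scenario names, highest score first, under the given scoring function."""
    return sorted(scenarios, key=lambda name: key(scenarios[name]), reverse=True)


if __name__ == "__main__":
    # The two views disagree: the data leak is last by guesswork, first by cost.
    print("qualitative ranking:  ", rank(SCENARIOS, qualitative_score))
    print("expected-loss ranking:", rank(SCENARIOS, expected_annual_loss))
    print("simulated annual loss:", simulate_annual_loss(SCENARIOS))
```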
