“Rethinking Security Architecture” or Not

Over at Dark Reading they have a story just in time for the end of the year titled, “Rethinking IT Security Architecture: Experts Question Wisdom Of Current ‘Layered’ Cyberdefense Strategies.”  I didn’t link to it so you will know that it has nothing to say.  Instead I will just quote from the article to give you an idea of the level of thinking going on.

I really think the security industry is completely saturated at this point.  I am not saying there is no talent in the industry, it’s just that people need to differentiate themselves from everyone else’s offerings and that leads to false observations from small sample sets, coining of new phrases for old concepts and of course, fads.  It leads to people saying things like the following and pretending it’s profound or original.

 “The need to develop a robust security architecture framework has never been greater.”

However, 63 percent of organizations have no such framework in place, the study says. “For years, companies have been approaching security as a technical problem, usually by buying products to solve specific problems,” says Jose Granado, principal and practice leader for IT security services at Ernst & Young and one of the authors of the new report. “There hasn’t been much thought put to how those technologies will work together, or to the people and process sides of the equation.”

I have worked in information security for more than twenty years both inside and consulting to large organizations.  I can’t remember a single place whose security team approached “security as technical problem” and this goes back to before companies ever plugged into the internet.  More pearls of wisdom follow:

Vinnie Liu, partner and co-founder of Stach & Liu, a consulting firm that works with large enterprises on security architecture and tests companies’ defense strategies, agrees that enterprises’ historical focus on point solutions has prevented many organizations from developing a broader security strategy.

“The industry has been approaching the cybersecurity problem like the TSA has been approaching the air-security problem,” Liu says. “First the bad guys brought guns on board, so they put in metal detectors. Then somebody put a bomb in his shoe, and now we all have to take our shoes off. Then they found liquid explosives, so now we can’t bring on any liquids. It’s one problem, one solution, with no real thought to the big picture.”

The need for a broad security strategy has been well understood since Sun Tzu, right through von Clausewitz.  The reason the TSA is so inept is that it is a government bureaucracy run by arrogant technocrats who are just as interested in increasing their power as they are in your safety.  They respond to political pressures and newspaper headlines.  The TSA, FEMA, EPA, FCC, FDC etc.: a murderers’ row of bad decisions and pathetic responses.  When they screw up they ask for a bigger budget.  Everyone else loses their jobs.

Continuing with more pearls of wisdom:

“The problem is that most of these tools are still signature-based, which means you’re taking a known threat and blacklisting it. So what you’re doing is essentially layering one technology with another layer of the same type of technology,” Liu says. “It’s sort of like putting on a coat, and then putting on another coat that covers the exact same parts of your body, and then wondering why you’re still cold.”

Defense in depth means exactly that: “in depth,” covering all areas.  So if you have exposure, you either have no management support or you’re incompetent.

Stach & Liu recommends that rather than buying more point technology, organizations should perform a risk assessment that identifies the most sensitive areas of the business, the most likely threats, and a holistic defense strategy — an architecture of technology and processes — designed specifically to protect the business. The risk assessment, along with the definition of the business’ specific security requirements, helps identify top priorities and most likely threats, as well as key goals — such as compliance — in order to develop a comprehensive, practical defense strategy.

At this point I am wondering who this article’s intended audience is: perhaps someone who knows little about security, or someone who thinks they do but doesn’t.

“In the old days, you didn’t change your applications all that often, so you could build a positive defense,” Pao says. “You could put email on one [router] port, Internet traffic on one router port, and have a strategy for defending them through the firewall. Today, we have mobile users, changing applications, and we can’t lock down the desktop anymore. The old ‘M&M candy’ architecture with the hard outside and the soft, chewy center no longer works. It has to be a jawbreaker now — hard all the way through.”

The reason for the hard outside and soft center had more to do with limited budgets than it did with design.  I can’t imagine that has changed.  Making decisions under scarcity is what we must do in every field.  In security you decide what you can protect with the money you have.

The most important piece of developing a security architecture is mapping (or, often, remapping) the organization’s business needs to its security requirements, experts say. Building a security architecture requires not only the buy-in of upper management, but their direct participation.

Guess what, they are too busy to talk to you.  They have lots of other problems getting their focus.  And when you have it, it’s because something went wrong, and it’s rarely their fault.  It doesn’t matter if it is their fault, because they are not taking the blame.  There are exceptions, of course, when they directly interfere with security, but unless the press gets wind of it someone else will perish.

I could select other quotes from the article but what would be the point? The entire article is just standing up and knocking down straw men with no true insight or anything approaching a rethinking of security architecture.



Measuring Risk Objectively?

In order to manage the complexity of life and the accompanying uncertainties, we build models.  Models by their very nature are reductions, that is, we throw out a certain amount of information.  A historian writing a history of Frankfurt, Germany is not going to concern himself with spots on the floor of the Rathaus in 1888 (unless he is a post-modern reductionist).

Risk is itself an abstraction; it is certainly not real.  Being the victim of a specific risk, however, is real enough.  A more interesting topic is whether risk is objective or subjective.  How we measure matters.  It may impress to show on a slide that the mail gateway anti-virus blocked ten million attempts in the last year, but it matters little when the consequences of a single failure can end the business.

The U.S. legal scholar Cass Sunstein, who coined the term “libertarian paternalism,” has commented on how small risks can become distorted in the mind of the public and amplified to the point (normally via mass media) that they influence public policy.  He uses the terms “availability cascade” (from the availability bias) and “probability neglect” to describe the basis for the entire process. The exact same thing happens in any organization where one bad experience leads to ridiculous changes in policy.  In the US, think Love Canal or Times Beach.

So when we model a certain risk, the model is often driven by emotion or prejudice, and key elements are included or excluded accordingly.  It may take years to identify the errors.  I could be wrong, but I do not think that risk can be measured objectively, even with panels of experts, since they are subject to the same problems as the lumpenproletariat they feel superior to: bias, group-think, emotional amplification, poor statistical reasoning, priors etc. Because of this I agree with Paul Slovic: risk is subjective.

Blind to Collapse

There is a very good article on the fall of the Roman empire by Ugo Bardi (h/t Vox Dei).  He applies system dynamics to explain the collapse.

Let’s start from the beginning…with the people who were contemporary to the collapse, the Romans themselves. Did they understand what was happening to them? This is a very important point: if a society, intended as its government, can understand that collapse is coming, can they do something to avoid it? It is relevant to our own situation, today.

In business people use the myth of the boiled frog to explain our inability to see and adapt to the deleterious effects of change.  And while there are those who unflinchingly pursue the truth, they may be only recognized as such in the post collapse analysis.  Decline is inevitable; the venal, the power hungry will eventually seize control (it’s for your own good or the children), the virtue of a culture will be replaced by hedonistic calculus,  technological sophistication reaches its zenith while education its nadir, and everyone tries to saw off a limb while the tree falls.  “I got mine.”  Yes, you did.

Regardless of how much knowledge we accumulate, no matter how many collapsed civilizations, technological failures or business cases we study, there will always be a new generation who, as Russell Kirk described, “are like flies of the summer,” caring little what went before them and nothing for what comes after, who are curious only, and I mean that in the medieval sense.  The more complex a system becomes, the higher the cost to maintain the status quo.  Eventually complexity reaches the point that the problems become insurmountable, and from what I have seen, the more centralized the decision-making authority, the faster the demise.

Kindle Fire Will Not Buy Us Much

There is a post over at the Volokh Conspiracy where the author, Stewart Baker, believes that Kindle Fire users will ultimately be more secure because Amazon is acting as a big HTTP proxy, and by running everything through Amazon’s cloud it will reduce the risk of endpoint compromise.  Instead of relying on your own ability to protect your device, Amazon will do it for you, assuming that they are more knowledgeable than you in information security related matters. I am not nearly as excited, for the following reasons:

1.  Without physical security there is no security.  If one has physical access to a device it is quite possible to subvert it for nefarious purposes.  Amazon cannot control that, and if done well they will not be able to detect it.  Ask Apple about all those jailbroken iPhones.  Additionally, many exploits rely on social engineering.  All the hardware in the world cannot stop you from making an error.

2.  A big filtering proxy in the cloud is just another filtering proxy.  At some point its pattern recognition systems will have false positives enough times that users will work overtime to get around them; that, or Amazon will have to loosen up the filtering.  One commenter pointed out correctly that AOL tried this before.

3.  The Amazon Fire will have its own browser, which will have its own browser flaws and security problems.  That is inescapable.  Roll your own browser and you have to do your own code audits too; every change introduces new risks and possible regression errors.

4.  Risk will be more non-linear.  We may have fewer security problems, but the impact of one will be far more severe.  A heavily defended system is always complex, and when a complex system goes down it is frequently catastrophic in consequence.

5.  Security is expensive.  The more complex the system the higher the cost to defend it.  Security is frequently one of the first areas relaxed when costs are creeping up.  This is normally followed by a security failure of some kind, the firing of the security personnel, an increase in security spending on technological solutions and a return to the beginning.  Think of this as the security personnel scapegoating life cycle.  Amazon will not be immune.

In the end, the entire Amazon Kindle Fire ecosystem is just another system requiring defending with the same kinds of problems as other systems.  I do not share the author’s optimism.

Central Control System Risk

Whenever we have a system whose function is to provide better risk management or security, that system itself will have a control element.  These systems can be attacked and the service they provide disabled.

Take, for example, a network intrusion detection system: is the control console system protected?  Is the back end database on its own server, or is it part of a shared environment?  Are the updated signatures delivered over a private physical network, or at least a separate VLAN?  Are the administrators themselves audited periodically?

What I have seen many times is that the worst security in a company is on the security group’s control systems.  Not because the security group is lazy or incompetent, but because they simply do not have the resources to adequately safeguard their own systems.  They are assigned additional duties without additional personnel, or it was left out of the budget.  It can happen to the best.  There have been numerous luminaries in the information security field who have been hacked.  Sometimes earning a living takes all your time and there is nothing left for securing your own systems.

If you cannot afford to add the correct number of internal personnel for your Identity Management Solution, Intrusion Detection System, Content Filtering Software etc., you should contract someone who can, and then audit them, regularly.

How Much Security is Enough?

How secure is your company?  Are you spending too much or not enough on security?  How would you know? We don’t have 1,000 years of statistical data to build orderly models with nice normal distributions (if that is in fact the underlying distribution, which it most likely is not).

Much of what is spent is to fix an irritation or meet a regulation.  I know a company that first introduced anti-virus into the enterprise because the CEO was angry at all the emails that filled his inbox due to an email virus. In this case it was purely reactive.  When I was a senior security analyst inside a large multinational, we were able to go three straight years without a worm or email virus getting into our network.  This was at a time when Microsoft vulnerabilities were a constant cascade and Microsoft responded to everything released on Bugtraq like it was a malicious lie.  We managed this on a relatively small budget and with a user base that had admin access over their local machines.  It is possible to have tight security without spending a fortune.  Despite this, I knew we were not spending enough on security because we had little to no defense against the insider threat.  The best defense against the insider threat is an ethical corporate culture and good hiring practices, an area often overlooked.  Of the triad in security, prevention, detection and clean up, prevention is frequently the most expensive when using technology.  Prevention is a lot cheaper if you don’t hire losers in the first place, or if you don’t build up resentment by stealing from your employees with understaffed teams, overworked associates and no bonuses except for the C suite.

At this point, lacking a wealth of statistical data, most companies can’t say if they are spending too little or too much unless they ask an outside expert.  If they ask the question inside the company, they will most likely get the answer weighted for self-preservation, if they are asking at all.