In 2009, I published My Personal Security Guiding Principles. They hold up well, but my thinking has evolved over six years. Some of that is due to personal maturing, and a lot of it to massive changes in our industry.

It’s time for an update. The motivation today comes thanks to Juniper and Rand. I want to start with my update, so I will cover the report afterwards.

Here is my 2015 version:

  1. Don’t expect human behavior to change. Ever.
  2. Simple doesn’t scale.
  3. Only economics really changes security.
  4. You cannot eliminate all vulnerabilities.
  5. You are breached. Right now.

In 2009 they were:

  1. Don’t expect human behavior to change. Ever.
  2. You cannot survive with defense alone.
  3. Not all threats are equal, and all checklists are wrong.
  4. You cannot eliminate all vulnerabilities.
  5. You will be breached.

The big changes are dropping numbers 2 and 3. I think they still hold true, and they would now come in at 6 and 7 if I wasn’t trying to keep to 5 total. The other big change is #5, which was “You will be breached” and is now “You are breached.”

Why the changes? I have always felt economics is what really matters in inciting security change, and we have more real-world examples showing that it’s actually possible. Take a look at Apple’s iOS security, Amazon Web Services, Google, and Microsoft (especially Windows). In each case we see economic drivers creating very secure platforms and services, and keeping them there.

Want to fix security in your organization? Make business units and developers pay the costs of breaches – don’t pay for them out of central budget. Or at least share some liability.

As for simple… I’m beyond tired of hearing how “If company X just did Y basic security thing, they wouldn’t get breached that particular way this particular time.” Nothing is simple at scale; not even the most basic security controls. You want secure? Lock things down and compartmentalize to the nth degree, and treat each segment like its own little criminal cell. It’s expensive, but it keeps groups of small things manageable. For a while.

Lastly, let’s face it, you are breached. Assume the bad guys are already behind your defenses and then get to work. Like one client I have, who treats their entire employee network as hostile, and makes them all VPN in with MFA to connect to anything.

Motivated by Rand

The impetus for finally writing this up is a Rand report sponsored by Juniper. I still haven’t gotten through the entire thing, but it reads like a legitimate critical analysis of our entire industry and profession from the outside, not the usual introspection or vendor-driven nonsense FUD.

Some choice quotes from the summary:

  • Customers look to extant tools for solutions even though they do not necessarily know what they need and are certain no magic wand exists.
  • When given more money for cybersecurity, a majority of CISOs choose human-centric solutions.
  • CISOs want information on the motives and methods of specific attackers, but there is no consensus on how such information could be used.
  • Current cyberinsurance offerings are often seen as more hassle than benefit, useful in only specific scenarios, and providing little return.
  • The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm.
  • A cyberattack’s effect on reputation (rather than more-direct costs) is the biggest cause of concern for CISOs. The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk.
  • In general, loss estimation processes are not particularly comprehensive.
  • The ability to understand and articulate an organization’s risk arising from network penetrations in a standard and consistent manner does not exist and will not exist for a long time.

Most metrics? Crap. Loss metrics? Crap. Risk-based approaches? All talk. Tools? No one knows if they work. Cyberinsurance? Scam.

Overall conclusion? A marginally functional shitshow.

Those are my words. I’ve used them a lot over the years, but this report lays it out cleanly and clearly. It isn’t that we are doing everything wrong – far from it – but we are stuck in an endless cycle of blocking and tackling, and nothing will really change until we take a step back.

Personally I am quite hopeful. We have seen significant progress over the past decade, and I feel like we are at an inflection point for change and improvement.