Friday, December 4, 2009

FUDSEC Guest Post

I was asked to provide a guest post for the FUDSEC Blog. After reading so many of the other guest posts I felt a little overwhelmed to put my ramblings alongside those gems. I'm thrilled Craig allowed me the opportunity and look forward to hearing your input. Please enjoy ripping my thoughts into pieces, chewing on them and then letting me know how you really feel!
FUDSEC: Liberate Yourself: Change The Game To Suit Your Needs

Comments are encouraged directly on FUDSEC, or you can reach me on Twitter (@rockyd) or on this blog. Whichever way you choose to reach out, I'd love to hear your input.


December 4, 2009
Liberate Yourself: Change The Game To Suit Your Needs

I'm very pleased to have Rocky as this week's "Fudsec Friday" guest. I've had the pleasure of meeting Rocky in a business context. I quickly came to appreciate he is one of the minority: an information security professional providing true insight and solutions based on real world experience of what works. To put it simply, Rocky "gets it". If you read just one blog post today, read this one. Thanks Rocky!

By Rocky DeStefano

Recently, I was fortunate enough to have the opportunity to listen in on a speech from General Hayden (former Director of the NSA and CIA, in addition to his service as a four star general in the US Air Force). This man has executed at a level most of us only see through fiction writers and movies, and he has done so for 30+ years. I provide that backdrop only to say that when General Hayden speaks, I not only listen, I listen intently and replay his words and overall sentiment in my head very carefully. What he said at this event was encapsulated very well by Richard Bejtlich in this blog post, so I won’t go into all the areas described there. In short, General Hayden’s speech sparked some long-dormant thought in my feeble brain. His thoughts energized me to refocus my thoughts and actions to go beyond the day-to-day struggles we constantly fight. I was stuck in a rut and didn’t even realize it.

In order to navigate our world and interact with it and one another, we as humans had to learn to fly, we had to learn to navigate the oceans, and we had to learn to overcome distances and difficult terrain, by creating solutions to work with the landscape. We’ve done something quite unique though: we created a new terrain and a new domain. The domain we’ve created is fundamentally different while at the same time it is every bit as tangible as the natural domains we exist in. The difference is that this information domain is of human ingenuity, and therefore in addition to building tools to work within the landscape, we can actually alter the landscape as we see fit. This information domain also exists separately as its own entity and as such evolves at a rate much different than the physical domains. Perhaps most importantly, this information domain evolves, dies or otherwise is influenced based on our human interactions. It is moldable. Sure, I can agree that humans might affect the temperature of the planet every few thousand years by a fraction of a degree, but we can fundamentally change our information domain on a daily basis if we choose to. Think about it: we all know that, it isn’t new, but at the same time it’s quite liberating to think about the fact that we can change the entire game to suit our needs, versus playing by rules we can’t change, or worse yet, playing in an environment that highlights the strengths of our adversary.

As this domain has evolved we have set in motion a series of evolutionary steps based on tactical requirements without really having a strategic plan for where it should be headed. We made decisions along the way that were necessary to get us past a hurdle, but without much rational thought about the impact. To put it simply, there is no city planning going on. We’re continually developing “solutions” to meet short term needs. Granted, these are real needs, no question, but who is providing the strategic vision of how our decisions will affect how we interact in the future? For far too long we have applied “fixes” that fit the bounds of the information domain as it exists today. It is time to start looking at how we can transform the domain itself to more appropriately suit our needs moving forward. I’m convinced we are in the very earliest stages of the evolution (perhaps on the doorstep of revolution) with regard to this domain, but unlike evolution on the natural plane, this domain can’t and won’t change itself; we must act to influence it to better meet our needs.

Much to my own amusement, I see this domain much like a scene from a kids' movie: when Jafar is transformed into a genie in Disney’s Aladdin and boasts something like “The Power, The absolute Power, The universe is mine to command, to control, to create” and we get it without the constraint of living in a bottle. The constraints that apply only exist in our minds and actions. We need to get out of the mindset of applying protection techniques based on physical realms and focus on evolving the entire environment to better suit our needs moving forward.

I’m certain as we start this dialogue that more fundamental aspects will arise, which is exactly what I hope to elicit from this dialogue, but here is where my current thought process has led me with regard to how to step out of our box and move our eyes towards the horizon. I’ve bundled my thoughts into a few categories: leadership, research and information sharing. I’m sure your thoughts will help us all to refine this into much more!

Leadership: I’ve come to realize that there is no one coming to save us from ourselves here. No government czar, compliance initiative, nor vendor product suite is going to pave the way. Homeland Security, NSA, Military, Congress, The White House: they’ll all continue to play their part, but let’s be honest here, they have not and should not drive the overall thought process. We must all define how we choose to exist in this domain.

Certainly we should encourage government and legal involvement along the way so that they can contribute as appropriate. In the end the government should be involved to enable us to succeed in this domain, not to define how it should be crafted, at least not without our agreement. Yet we await the announcement of the almighty czar… it’s crazy. I believe that we can lead from right here, wherever here happens to be. There are dozens of examples, but I chose just a few to highlight some of the decisions we’ve made and how we can start making better ones moving forward.

1. Information Security Leadership. We need to start pushing back at all levels here. It’s my opinion that businesses need to care much less about being compliant and more about being fundamentally secure, or if you prefer, having better visibility into real risk: risk to the mission, risk to the business, not the risk to an asset. We continue to create irrelevant measurements, irrelevant because they are point in time, against a less-than-secure model and on a playing field that is skewed towards the success of our adversary.

As information security professionals, how on earth did we let the primary financial driver for security spending be compliance initiatives? We sold our souls because we lacked the knowledge of the business and how to apply what we do in a meaningful way to the business. We let compliance initiatives that promised “measurable” results have their way because we thought we could tag along for the ride and implement the best possible solutions given the situation. As I see it we are no better off for this, and now our teams have either competing agendas or more work to drive us away from protecting our organizations. Sure, we’ve created some “building codes”, but do “point in time” snapshots matter anymore when the attacker can mold his approach on a whim?

Partners and vendors play a critical role in helping us reach our goals; they should also play a role in the thought leadership moving forward. Product and solution vendors have done a great job in developing solutions to meet our defined needs along the way as we’ve evolved in our usage of information systems. We’ve all witnessed some seriously cool steps forward over the last 15-20 years, but recently many of those solutions have been evolutionary in nature, not necessarily innovative; more and more they are band-aid fixes for problems we’ve encountered or realized.

Don’t get me wrong, it is a very necessary evolution, but we’ve hit a point where we need to start thinking about the long-term health and welfare of how we interact as humans. We need to find ways to encourage that vendor thought leadership onto a larger, more strategic problem-set. I would encourage those customer-facing people within consulting and/or vendor organizations to take a very basic consultative approach on a daily basis: listen to your customer’s actual needs, not always what they state as a need (PCI Compliance, etc.) but the goals they are really trying to achieve, and communicate those findings inwardly to your organization (and in general terms externally to the community). The more inputs for this information stream, the more refined the thought process can be. You can’t imagine the amount of information that some of these folks have in their heads; they just haven’t been heard appropriately.

To those that manage consultants: please encourage your staff to listen and enable meaningful communications; in fact, I would challenge you to incentivize your staff to provide this input. Give them the opportunity to buy in to more than just a single technology, but into solving a much greater problem. This may mean some major internal change in thought about how to approach management of teams, customer engagements, support, product development, etc. That’s exactly the point: we need to learn to listen better to the larger picture and not the point in time snapshot.

Those were two very basic examples of how we can lead from wherever we sit in the organization; there are literally thousands of other examples out there. I hope you can see that I’m suggesting leadership by example: you can still enable business using these techniques, you just have to get past “the way it’s been done”.

2. A key component in moving forward has to be a dedicated focus on Research and Development. I mean significant investment in R&D on a national and international scale, information sharing about current and proposed strategies across industries, etc. We need to be pushing our employers, VCs and governments into broader research initiatives. We need an innovation revolution at this point, not just evolutionary point solutions.

There are some very recent initiatives that show promise, like the announcements by Northrop Grumman that NG is sponsoring information research in conjunction with Carnegie Mellon, The Massachusetts Institute of Technology and Purdue University.

If you will, think of these research opportunities as a form of health care for our future. I don’t care how it’s justified, but we need to act in support of efforts like this in every way we can, perhaps by offering state or federal tax credits? Certainly I can agree that we need to watch spending and as such we should have to pay for performance, but we need to encourage strategic innovation versus tactical evolution (band-aids). The investment in long-term strategy has been anemic at the federal level. We’ll spend millions on watching the effect of gnat bites on mouse nuts, but we haven’t found the necessary stomach to pay for the ability to effectively comprehend where we’re headed as a species as it relates to communications, business and everyday life.

3. Perhaps the most immediate thing we can influence is better Information Sharing. We need to start thinking about how we can change the IT domain into something that allows for a level playing field. The old adage “The enemy of my enemy is my friend” applies very well here. It’s ridiculous to think that our teams are better off not talking with industry competition about defensive strategies. The other side is free to share, adapt and overcome as they see fit, yet we tie our own hands and ask for beatings, and hope they don’t hurt too much. I’m really not into S&M. I’d rather retake control. How about you?

A few good examples to learn from already exist: the Defense Industrial Base (DIB) has an information sharing effort related to APT (Advanced Persistent Threat) detection profiles, and workshops like SANS “What Works” or IANS Summits are a great beginning to this conversation, but in reality they are very limited in reach and only relevant at a point in time. We need to develop more daily interaction at a deeper level.

Summary: I’m in no way suggesting I’m intelligent enough to have all the answers, or to have even fully described the problems. I’m simply stating that we need to elevate our thinking, and we must invest in the thought process and commit to the information sharing required to make the decisions necessary so that we may shape our own destiny. As I see it we must all act on the relevant fronts (Leadership, Research, Information Sharing, others?) to better comprehend the changes and position ourselves to be able to make the changes necessary in the future. That’s my starting point; how will you enhance the conversation?

The opinions expressed here are my personal opinions. My views and opinions are subject to change based on the input I consume and the analysis I apply to those inputs. Content published here is neither read nor approved in advance by my employer and does not necessarily reflect the views and opinions of my employer.
