Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts

Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts Rockie Brockway Security Practice Director Black Box Network Services @rockiebrockway


Page 1: Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts

Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts

Rockie Brockway

Security Practice Director

Black Box Network Services

@rockiebrockway

Page 2

Credentials

Page 3

Disclaimer A

Nothing I say represents past, current or future employers

Page 4

Disclaimer B

Not a box popper talk

Not a cool tool talk

Dabbles in generic politics

Arguments are expected

Focused on natural security systems

Page 5

June 5, 1942

Bulgaria, Romania, Hungary

Page 6

Korea

Lebanon

Dominican Republic

Vietnam

Iran

Grenada

Beirut

Libya

Panama

Unclean Conflicts

Iraq I

Sierra Leone

Bosnia/Herzegovina

Somalia

Haiti

Afghanistan

Sudan

Serbia

Iraq II

Pakistan

Yemen

Page 7

December 25, 1991

Page 8

What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small scale unofficial conflicts, espionage and/or terrorism?

Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore

Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure

What Happened?

Page 9

This mindset of the post Cold War environment naturally filtered into the DNA of our own industrial and corporate business culture – our business leaders, and perhaps to a certain extent, our innovators began thinking the same way

Our corporations have been trying to define how the rest of the world conducts business in the same way we as a country try to tell the rest of the world how to act and run themselves

Theory A

Page 10

Why spend billions of dollars developing technology when you can purchase stolen technology (or steal it) for a few million dollars?*

The Rest of the World:

*Corman/Etue RSA talk < inspired

Page 11

Organizational Entropy

(the natural result of assuming you are smarter than your adversaries)

Page 12

Reaction?

Irony – Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”

Buy more blinky lights (apologies to our sponsors)

Hackback

Legislation (SOPA (thank you reddit), CISPA)

Page 13

InfoSec’s Role

Prevent the loss of both replaceable and irreplaceable data*

Protect the Brand

Promote Innovation

* More Corman/Cognitive Dissidents blog

What is the organization’s business critical data?

Who else might find value in that data?

Where does that data actually live?

What are the business initiatives and goals?

Page 14

Information Problems

Everything we deal with in #infosec and #businessrisk is a subset of a bigger set of information problems, and inherently naturally part of larger issues

Page 15

We have defined an environment right now where greed and policy are dictating business and society

The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window that exists for our adversaries to catch up and surpass us.

The Unnatural State

Page 16

“Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time”

- Joel Brenner, America the Vulnerable

Page 17

Adaptability

2012 DBIR states that 92% of breaches went undetected (estimates, sources unclear). Better detection may not be the right answer

Adding more or improving existing systems is not adapting

Learning from the Octopus, Rafe Sagarin

Adaptation arises from leaving (or being forced from) your comfort zone.

Firewalls? AV?

Page 18

Adaptability (Sagarin)

The benefits of Decentralized and Distributed organizational systems

Multiple sensors

No preconceived notions

Specialized tasks

Adaptable #Success requires

A challenge

Available resources

Information filtering and prioritization

Page 19

Symbiosis

A working relationship between organisms

Mutualistic - both parties benefit

Commensalism - one party benefits, one is not affected

Parasitic - one party benefits, one suffers

Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that transform both the organism and the environment around the organism

Page 20

Natural Security Strategies

1) An organism needs to learn within its own lifetime and across generations

2) An organism needs a decentralized organizational system

3) It needs redundant features

4) It needs to keep running just to keep up

5) It needs to reduce uncertainty for itself and create uncertainty for its adversaries

6) If human, it needs to understand human behavior

Page 21

The Problem with Walls

So given the previous slide’s data, what is commonplace throughout most organizations? < cheap “fixes”

Dikes, levees, firewalls - all examples of static security incident reactions intended to protect against naturally dynamic threats, and all of which eventually fail.

Page 22

The Only Options?

But either leaving things in their natural state or building artificial barriers can’t be our only options.

How can we build more natural and living security systems?

But aren’t we humans exceptionally adaptable?

Page 23

The Big Contradiction

How can we as amazingly adaptable individual organisms have created systems and institutions so nonadaptable?

Businesses, like all other systems, are built on synergistic cooperative arrangements that tend to be self regulating, not static

Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation and then we once again show our amazing adaptability

Page 24

The Challenge

How do we design systems that can deal with security problems and respond to them organically and automatically?

Page 25

Information Usage

Information use and sharing can be as essential to survival as any other adaptation

Both a key goal and a resultant outcome of using information in survival situations is to create or reduce uncertainty

The way receivers of information, both friends and enemies, perceive the signals you are sending is vitally important to your survival.

Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries.

Page 26

Competition and Cooperation

Competition between organisms can lead to group cooperation

Group cooperation then increases the effectiveness of the group against other social groups

This group competition can then lead to group cooperation

Page 27

Adaptable Cascades

Creates decentralized organization of multiple semi-independent problem solvers

Accelerates learning by selecting for success

Creates redundancy naturally

Helps facilitate symbiotic partnerships

Page 28

The Basics

Introduce challenges, not directives (wisdom of crowds). Without challenges, organizations don't learn.

Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations.

Take advantage of localized problem solvers within a centralized organization

Promote learning, competition/cooperation and symbiosis

Page 29

Business Adaptation

Business, and therefore Security strategies, must switch from designing solutions to adapting solutions

A challenge assumes there are many potential solutions; the more people involved, the more likely we are to find a really outstanding solution

Move away from giving orders and towards providing challenges. (Aka Wisdom of Crowds). Orders assume there is only one solution to a problem

Page 30

Feedback

Rockie Brockway

Security Practice Director

Black Box Network Services

securants.blogspot.com

@rockiebrockway