Image for post
Image for post

The next 50 years of cyber security.

Making our risks as quantifiable and predictable as the weather.

There’s a massive need for the world to get better at cyber security. Let’s explore specific hurdles that are holding us back… not from the standpoint of the individual or team, but as an industry as a whole.

  1. A lack of transparency into the root causes of data breaches.
  2. A lack of probabilistic methods for those who practice cyber security.

Risk measurement limitations are holding us back.

Only a collective drive from this industry and its communities toward quantifiable methods and goals will allow us to build a future we’re proud of.

Can we “solve” cyber security with a focus on efficiency?

We can look into various industrial histories to understand their rapid acceleration, and our industry’s gaps become clear. I will describe this pattern briefly, and discuss specific goals for the information security industry over the long term.

  • Henry Ford’s obsession with production line efficiency ushered us into a modern age of manufacturing.
  • Meteorology’s big gains began around 1950 when quantitative forecasting met increasingly robust and organized measurement capabilities.

What does it take to start a similar “50 year” effort?

It will require massive collaboration, activism, regulation, and agreeable forecasting methods to take advantage of it.

How would this change a security strategy?

Probabilistic security infrastructure should make our efforts as an industry, disparate security teams, and community, far more efficient and rational.

We’re missing something. It is a beast with many names.

It is roughly described as “quantitative decision making” and it’s a foundation for nearly every industry that has found a way to mature and scale.

Why aren’t we measuring ourselves like other industries?

The root cause of this issue is quite ironic. We do not invest in prolific tracking of data breach root causes.

Security teams operate far too differently from one another.

In my working with many security teams over several years, nearly all exhibit substantial bias and irrational intuitions towards risk by few influential people. The teams I have run have suffered the same, by my own doing. This is especially evidenced by how drastically one company, or team, will approach risk from the next, even within the same competitive sector.

  • “Customer first”. Prioritizing / satisfying customer checklists.
  • “Standards based”. Embraces an industry maturity model or standard.
  • “Threat driven”. Practicing threat intel and prioritizing adversary goals.
  • “Reference organizations”. Be exceptional upon comparison to others.
  • “Detection first”. First class detection allows more lenient security.
  • “One of everything”. Never be accused of negligence.
  • “Metric Driven”. Picking metrics as proxies for “risk” and reducing them.
  • “Chaos” or “Iterative”. Constantly breaking, observing, and fixing.

There are 3 things we need to move ourselves forward.

Our guidance lives in other fields. I pay special attention to the aerospace, nuclear, and especially the industry of weather prediction. I spend most of my open time these days bothering professionals in these spaces. I want to be as full of knowledge on this subject as I am with incident response.

1. Classification language for root causes of a breach.

We are currently too satisfied with the typical availability and quality of breach data. It is unstructured, not timely, not accessible, and rare.

I took a stab at root cause classification: The Blockchain Graveyard.

I have personally tried to take a crack at this classification problem with a focus on cryptocurrency (“c12y”). C12y companies see frequent breaches.

Image for post
Image for post
Blockchain Graveyard Estimations

Other industries demand proper incident classification.

With my attempt at this with the Blockchain Graveyard, it confirmed my beliefs about the difficulties of classifying breaches, but didn’t convince me it wasn’t possible. Part of this reason is that meteorologists are fantastic at classification. In some ways, their problem is easier than ours, in some ways, harder. Most weather is very tightly defined to be compatible with probabilistic forecasting infrastructure.

There’s plenty of optimism around classification.

Our industry is pretty good at classifying nuanced, narrow aspects of security.

2. A root cause must appear in data breach notifications.

Breach notification law is fragmented across the world with varying standards. Even when compulsory, many of these notifications are not publicly available. Today, the opportunity for a proper feedback loop is too often wasted.

Incidents and the circumstances that caused them are going into a black hole every single day.

There’s plenty of reasons why a company would not want to disclose a breach, and plenty more why they wouldn’t want to disclose how it happened. I don’t need to discuss those. What matters is somehow getting this data to be prolific, common, and accessible, and overcoming these barriers.

“Given that we’re in the tax preparation industry, our baseline probability of a W2 related breach is 18% annually.

Our forecast, given our preparations, reduces that to 9%”

This sort of statement shouldn’t feel difficult to obtain and many security people are uncomfortable with such statements.

Nuclear regulation provides centrally accessible root cause data.

The NRC’s Event Notification Reports are a pretty interesting read, coming from an incident response perspective. They are extremely detailed compared to the breach data we are used to. They will cite specific model numbers involved with failures, detailed impacts, and explicit root causes. Example:

Image for post
Image for post
Root cause information for a minor nuclear incident… yesterday.

3. Security efforts must require a probabilistic result.

Just about every concept in the profession of information security can be wielded as a probabilistic tool. Even if you believe uncertainty is extremely high (for instance, the area of APT, and whether you’re compromised), we still have extensive tooling available to measurably reduce our uncertainties about a scenario.

Conclusion

I’d like to be part of an industry that can revolutionize itself.

Written by

Writing about risk, security, and startups.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store