Schneier on Security
A blog covering security and security technology.
« Who Does Skype Let Spy? |
| Power and the Internet »
January 30, 2013
"People, Process, and Technology"
Back in 1999 when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. Back then, it was an important notion; security back then was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system.
This blog post argues that the IT security world has become so complicated that we need less in the way of people and process, and more technology:
Such a landscape can no longer be policed by humans and procedures. Technology is needed to leverage security controls. The Golden Triangle of people, process and technology needs to be rebalanced in favour of automation. And I'm speaking as a pioneer and highly experienced expert in process and human factors.
Today I'd ditch the Triangle. It's become an argument against excessive focus on technology. Yet that's what we now need. There's nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.
He's right. People and process work on human timescales, not computer timescales. They're important at the strategic level, and sometimes at the tactical level -- but the more we can capture and automate that, the better we're going to do.
The problem is, though, that sometimes human intelligence is required to make sense of an attack, and to formulate an appropriate response. And as long as that's the case, there are going to be instances where an automated attack is going to have the advantage.
Posted on January 30, 2013 at 12:20 PM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I fairly disagree.
People are the key factor expecially if you consider social engineering: there is no IDS/firewall strong enough to block a phone call a' la Kevin Mitnick.
Giving to users the impression that, whatever they do, there always will be a technology strong enough to protect them is IMHO extremely dangerous because it encourages unsecure and bad habits.
IT works with people and for people, I don't think that people should not be included in the equation of security.
I agree with Bruce. One of the challenges with security is both the threats and vulnerabilities are constantly evolving. Todays technology is good at protecting yesterdays threats and vulnerabilities - it is less good at protecting against unknown attack methods. Technology may well give early warning of an issue, but human power will always be needed in the analysis and mitigation.
Whilst "ditching the triangle" might seem a good idea it's not going to happen for the simple reason our legislature won't alow it.
The law does not deal with people but property and it does this thhrough documentation it calls evidence and law.
Law is a set of ruless that people are supposed to follow or suffer (appropriate?) penalties.
Policy is a form of law break policy and you can expect to suffer penalties such as losing your job etc.
As such policy is considered part of civil (not criminal) law via the laws of contract etc.
Unfortunatly in some parts of the world in particular certain parts of the US Federal prossecuters are trying and in some cases succeding in turning Policy breaches into criminal activities.
Unfortunatly it is currently a one way street in that if an organisation has a policy any person breaching it is at risk of criminal prosecution. However if an organisation breaches it's own policy then that's alright, in many cases it won't even get resolved in civil court if you have the resources to get it there and not stop the organisations lawyers pretending that the contract has no legal binding on them.
Thus like it or hate it aslong as policy is addressed by criminal sanctions where people can be jailed for extensive periods and fined into bankruptcy etc for what in equivalent non technology terms would not even qualify as a misdemeanor then policy is going to be the most important aspect, then the people effected with any technological solutions comming a very very distant third.
Opps forgot to mention in my above,
Processes are defined by policy, and processes are what drives the people and the technology usage behaviour.
Technology is always going to be on the back foot. It has to be built by people (who are working a process), and those people will typically-to-always have a lesser degree of focus and motivation than the attackers.
Security technology is regarded by its purchasers as a trophy or a talisman; the smarter among them understand that people and process are the huge majority of the attack surface, both as to probability and as to potential consequences.
The human component is unreliable but you can't get rid off it. So is he proposing a "re-balancing" or "ditching"? There may be a case for the former but the latter is fantasy.
For a more extreme "technical controls are the solution and the whole solution" fantasy see: "Why you shouldn't train employees for security awareness" (http://www.csoonline.com/article/711412/why-you-shouldn-t-train-employees-for-security-awareness). It's not that the argument isn't without some merit. It just doesn't support his conclusion.
I think it's a false dilemma. Technology, especially of the "soft" variety, is only as good as the analyst / programmer.
Compare the difference between the security that (say) a new kind of material provides to a bank for its vault to that provided by AI (Artificial Intelligence) for a large network. A new material is something physical, something that can't be overcome by a "hack". No one finds a clever way to defeat a new material. They have to do it the hard way, by finding something harder, or whatever.
By contrast, with an APT (Lacey brought up this example...), it's by no means written on the face of things that there *must* be an algorithm capable of sorting through all the millions of syslog entries in a sufficiently intelligent way. Lacking the knowledge that such a thing does exist, we can only do the best we can -- and sometimes that's not enough. And to the degree that it isn't enough, it's because a human being failed to provide a sufficiently good analysis of the problem and therefore come up with an algorithm capable of defending against the range of failure modes of the security system.
Lastly, mixing in the term "artificial intelligence" does nothing. I put it to you - science has yet to distinguish successfully between "artificial intelligence" and "clever algorithms". And since algorithms admit to degrees of effectiveness and completeness, *depending on who designed them* and *for what situation*, it follows that we are stuck with people, for the long run.
. . . the Triangle. It's become an argument against excessive focus on technology. Yet that's what we now need.
Yes, we now need an excessive focus on technology!
Or maybe better writers and editors.
Yeah...but you can't automate life.
We still need checks and balances, and if the timescale of the technology does not match up with the people or processes that are in place to establish security, then that technology is wrong. The argument should be against increasing reliance on technology to handle security. If you don't want a mistaken nanosecond trade to wipe out billions of dollars, technology itself is more the cause of that problem than the solution.
If anything, the main failure I see is that of process. There are all sorts of best practices that just don't get implemented because the proper security procedures are not deemed worth the effort. Even there, maybe the people in charge are at fault, seeing as how the main reason shortcuts are imposed are because someone in management wants to shave off a few dollars and/or ship a product at some arbitrary schedule. Either way, technology is not going to be your savior when it is the tip of the triangle rather than the base.
Goven that the technology that os vi;lnerable to security threats was designed and implemented by people, I think this article has completely missed the point. Security is about people and process - technology is merely a tool for implementing them. The problem goes back to the original people and process that implemented the technology that is vulnerable to other technology.
In reality, the vast majority of companies have turned to technology, and have always banked on technology over people and process. Process takes time to develop, implement, and enforce. People will always find ways around the process, because processes are imperfect, especially when you consider the compromises you must make to meet "the needs of the business". Mind you, I have always been an advocate of clear, documented process, and hiring and educating people, but business simply gets a bigger bang for the buck with technology. They will use technology to create security theater, and give leadership the 'warm-fuzzy' that things are being watched. Technology provides a measure of a paper trail for forensics, or at minimum a CYA. But technology without process for handling issues found, and well trained people to work those processes serves no more of a purpose than another expensive heat generator.
Bruce is spot on, indeed people, process and technologies are important ingredients but the center of gravity of this triad today need to shift toward technology such as automated response to attacks. Incident response procedures today can only respond to incidents and limit the damage. The first layer of proactive defense ought to be automated, adaptive and respond to attacks in real time. Humans can make informed proactive risk mitigation decisions based upon intelligence of threats and put measures in place but are too slow to respond in the case of an attack. A good example are DDoS attacks, without automated detection and systems that can respond to new attacks by deploying new filtering rules in real time automatically it will be too late before new measures are put in place and prevent negative impacts.
A good example are DDoS attacks, without automated detection and systems that can respond . . .
Like it or not, you need people to first characterize what traffic patterns define a DDoS, an then you need a process that defines the response(s) which are appropriate for any given type of attack. The technology is only the very last consideration, and yet we still have people putting that cart before the horse.
Technology is about scaling a solution (for size, for speed, for cost, for whatever), it is not the solution itself. Doing the wrong thing quickly/cheaply/massively is not a technological victory. I can't tell you how many times I've professionally beat my head on that wall . . .
I agree to the article's goal on how unreliable human resources and processes that underline their steps could be, but hold on technology just adapts to what human minds drool into it.
Why worry about the Triangle then?
Even the most formidable fortress is worthless if not manned well.
Often, installing the right incentives and simple measures (I love air gaps) outperform the most elaborate technology.
Remember that the Maginot Line was very advanced technology and proved utterly useless.
The triangle may need rebalancing but it's still basically valid, I see as many situations where the "people" element is the weak spot as I see tech weaknesses.
Technology is the only way to to stop technology centric attacks like DDoS but not that great to stop a good black hat. Security is "managing the unexpexted" not just countering the expected, and technologiy, even AI based technology, is not good at that. To make things worse once defence is "frozen" into technology it often adds vulnerability, ex: the "trivial DoS" that locks accounts by voluntarily exceeding the max password attempts.
Human intelligence is required to make sense of an attack. At this stage, that is, 2012 and where we are, it is still required for even attack discovery. This is true whether the attack is malware, whether it is a network incoming attack, or a network outgoing breach. This is true on security code quality.
Heuristics still are just not that good. Systems today give us many warnings and we humans follow those warnings to discern false positives.
The author has a very strong point, in security as well as other fields: we are not utilizing "big data" tools. These tools could be used in code review systems, in network detection of attacks, in malware heuristics but as yet are not.
We can use those systems to discover undiscovered vulnerabilities in code, not a few of which may be intentional vulnerabilities. Backdoors by individuals, corporate crime, and nation states. We can use those systems to detect undiscovered breaches. And we can use those systems to detect undiscovered malware, sleeper trojans.
But we are not. We are using these systems for the likely impossible task of data mining to find terrorists in crowds where they tend not to be, to try and ascertain emotion from speech... and we are not using them for our big computer security problems. Information security problems.
Information is what we run on. Information is our true food. Religions and politics are made up of information. Science and art. Praise and condemnation, the social fuels are just words.
The internet is the wiring for our societal bloodstream, nervous system, skeletal system being wired down into place. It is important to make it solid, firm. It is not just ecommerce. But ecommerce and government needs can be used to drive that.
Security Operations PPT can be assessed by the maturity models we use for everything else. Regular rebalancing is part of the job. The more mature your operation, the more automated are your processes, controls and oversight. When looking at the portfolio of all of these, I've found this 4-Level model to be useful.
Level 0: Automate everything you can. Use technology for all the benefits described in the comments above.
Level 1: Define and document repeatable tasks. This work gets done the same way every time. Nobody is figuring things out at this level. Look for ways to automate it.
Level 2: Smart people are figuring things out. Rely on documentation and produce more. Turn this work into repeatable tasks that can be managed at Level 1 or automated at Level 0.
Level 3: Break glass, pull alarm. This is the escalation for incident management.
This is a very simple conceptual model and this note is just an overview. Lots of work spans more than one level. Maturity is measured by moving more of the work to lower levels. A good inventory of the processes, controls and oversight helps to track progress towards more effective automation.
People will always maintain an advantage over any process that is in the environment controlled by a computer.
They will lose that advantage when computers gain knowledge as well as data.
You're correct in your assumption, if computers have not yet gained the ability to do "knowledge" as well as data.
So far, I have not seen it.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.