A Look Back at ‘The State of Incident Response’ by Bruce Schneier
In my continuing series of keynote recaps, I will be covering Bruce Schneier’s keynote at Black Hat USA 2014—yes, it can be called a keynote even though it is more of a briefing. By the way, Black Hat: Next time, please give him appropriate space; people were lining up outside the room waiting to get in because of the lack of space.
I will be sharing what I learned from his speech in my own words with selected graphics. Schneier’s “The State of Incident Response” talk is available online, but if you don’t have an hour to watch that, read this as a recap. Hopefully, it will help you take some action or remind you of your New Year’s resolution to improve security. Finally, I hope this serves as a good resource for those starting in the field who are too focused on their day-to-day cyberdefense role to step back and look at the bigger picture.
Schneier started by talking about three trends in cybersecurity, followed by information technology (IT) economics, a piece of human psychology and how they all affect the security industry. He used that to argue how we need more and better incident response tools and services and how the IT economics change when it comes to these services and tools. He then shared a systems theory from the Air Force and how it can be used to arrive at the proper response.
But first, let’s talk about the trends.
Everything Anywhere via Anything: The Cloud Era
The first trend he mentions is that we are in a cloud era in which individuals and organizations alike are putting more and more data into the cloud. We have different cloud providers for all sorts of information: Who we meet, when we meet, what we eat, where we’ve been, where we’re going, who we’re with, what we’re wearing, what we like, what we don’t like, who we like, what we’re in the market for, what we’re worried about—you get the idea.
Similar things apply from an organizational perspective. Add analytics (big data/metadata), and a lot can be predicted. How many of us—not just us security practitioners—know or care to know the security posture of these services providers in the cloud? We usually don’t even know which OS or hardware they are using. Similarly, how much understanding do we have of the variety of devices we use to access information, or that our children or employees use to access information? The point is, we are losing control over our data.
Attacks Are Getting More Sophisticated
As defenses get stronger, so do the attacks. It is not only the nation-state attackers that are getting more skilled and focused; this is happening all around. The cybercrime market is maturing pretty well, with the supply chain in place, so this provides significant incentives for financially motivated attackers to invest in sophisticated attacks.
In “The State of Incident Response,” Schneier gave an analogy of identifying attackers based on their weaponry. If you were to see a tank on the street, you would not think it belongs to street thugs. However, in the cyberworld, anyone can have any sort of weaponry. I would say that this is true to an extent, but we can still tell a lot about the attacker based on the sophistication level and targets of the attack.
Another important trend is discovering that being relatively secure does not mean you are safe.
To illustrate this, I would like to use the joke about two hikers and an attacking bear. One hiker says to the other, “I don’t have to outrun the bear; I only have to outrun you!” So, for relative security, as long as you are a harder target than those around you, typical criminals would keep stealing from those who are relatively easier to go for.
On the other hand, you may have an advanced persistent threat (APT) or a highly skilled and highly focused adversary (I have no intention of taking sides in the debate about whether an APT is a who or a what) who just wants you or your data. This could be because they hate you or because you have something that they want. These attacks are very persistent, so if you think of it this way, your defense planning may change, too. You need to start thinking about what you would do if these types of attackers get in.
Government Now More Involved in Cyberspace With Policies, Defense and Offense
The third and last trend Schneier talks about is the immense involvement of the government in cyberspace, whether through regulations and policies, the defense of critical infrastructure, the creation of cybercommands, hoarding vulnerabilities or the cyber arms race.
Schneier then shared four principles of IT economics that will help us understand why we are seeing some strange behaviors in the security industry.
He reminded the audience of the often forgotten Metcalfe’s law, which states that “the value of a network is proportional to the square of the number of connected users of the system.” This is true for both real and virtual networks. The more users on a social media site, the more engaging and attractive it becomes. The same is true for the use of a particular brand, OS, instant messenger, etc. This means a single dominant player emerges in the market as it grows. For instance, most people use Facebook because most of the people they know use Facebook.
As is the case in IT, various behaviors emerge when the fixed cost (the cost to develop the first unit) is significantly higher (as it includes design, research and development costs, etc.) than the marginal cost (the cost to produce an additional unit thereafter). Artificial barriers are then put up to increase the marginal cost so competitors can’t compete, and the original designer recovers the cost. Higher fixed costs also make stealing designs very attractive to criminals because they can take on just the marginal costs and sell cheap copies.
On the other hand, if someone has already invested in the high design cost and can protect the product from being replicated, then it can discourage competition, too. For example, since Google has pretty much already driven all around the world, it is hard for someone to duplicate Google Maps and take on the cost. Finally, those vendors who have already recovered their fixed cost can start selling cheaper products, and new vendors will have a hard time selling at a higher price that will help them recover their fixed cost. This is especially true because buyers lack the ability to distinguish between good and mediocre products, as we will see in the last principle of the lemon market theory.
This also drives the trend of market giants continuing to grow. The higher the cost of switching, the more likely customers are to stay with a vendor, even when there is poor customer service. This is what we see around noncompatible formats—making it hard to take your data with you when you leave, paying for data transfers and paying to train new staff on a new product, for example.
Finally, the last economics principle Schneier mentioned is based on the work “The Market for Lemons,” which is essentially the principle that when the buyer knows very little about a product and cannot distinguish between good (cherries) and mediocre (lemons), he or she will buy the one being offered at an average price. Therefore, this practice drives the good products from the market. Schneier added that, in the security industry, this is especially true because the requirements are nonfunctional—how does the average buyer determine which product is a good encryption product? To balance this, the economic concept of signaling comes into play, so you see warranties from the seller, certifications, best practices, references and testimonials.
This is why it is important to be aware of your psychological biases so that you can make more informed decisions.
Prospect Theory and the Security Industry
According to this concept, if we are given a choice between taking $1,000 cash or flipping a coin and getting $2,000, most people will avoid the risk and take the cash. On the other hand, if we are given the option to lose $1,000 right now or go for a coin flip and lose $2,000, most will take the risk and go for the flip. This is what is known as the prospect theory; when it comes to gain, humans are mostly risk adverse, but when it comes to losses, we are risk seekers. Consequently, it is hard to sell security because most people avoid investing in security or underinvest and take the risk of a bigger financial hit if something goes wrong.
Security is a combination of protection, detection and response. We need more response capabilities as we lose control of data with the cloud trend, attacks become more sophisticated and we continue our natural tendency to underinvest in protection and detection. As we are not generally able to distinguish between good and mediocre products, we are more prone to having mediocre-quality defenses. Therefore, response becomes more and more essential.
The State of Incident Response
Now comes the crux of the talk: In reality, security is about people, process and technology. What we’ve been doing is keeping people out of the loop as much as possible because they are considered a liability. We’ve been doing pretty well with respect to having automatic and semiautomatic systems when it comes to prevention and detection.
With incident response, what is changing is the ratio of the importance and involvement of these three factors. The problem with response is that you can’t take people entirely out of the loop, and the ratio of people to technology goes up when it comes to response. This is primarily due to differences in environments, regulations, attacks, economical and political situations, etc., which vary from organization to organization. These differences are more important than the technical considerations.
Moreover, the economics discussed earlier are very different when they concern response as opposed to protection and detection, where there is less of an effect on the network. This is still going to be important because organizations will usually go after big names. There will also be a much higher marginal cost, lower switching costs, less of a lemon market as requirements are functional, less of a first-mover advantage and far fewer national monopolies. So, unlike the area of prevention and detection, better companies, products and services will do better, which is a good thing.
The key here is making a response scale that doesn’t remove people, but rather builds technology to help support people when they complete their critical tasks. The goal is to build resilient systems; we cannot build impenetrable systems, yet they should not be fragile, either.
Since response happens in real time, Schneier then switched over and explained an applicable system theory from the Air Force. The decision cycle to observe, orient, decide and act is called the OODA loop and is widely applicable in any real-time adversarial situation. The key here is speed: If you can make your OODA loop faster than an adversary’s or get inside the adversary’s OODA loop, your response is faster than the adversary’s reaction to your response.
Let’s talk about what OODA means for response. Observing is knowing all that is happening in your network in real time and getting all the data in a place where it can be monitored in real time.
Orienting is understanding what this information means in context—what is happening in the company, what is happening in the greater community, new malware, new zero-day vulnerabilities, what geopolitical situations are happening or what is happening within your organization, such as the release of new software, a merger, layoffs, etc.
Deciding is landing on which action to take, what sort of input is required from different stakeholders (lawyers, executives, public relations, etc.), having the authority to make changes quickly and deciding who will have this authority, who can grant this authority and which process there should be to get it. Acting is implementing all of these decisions. We need powerful, flexible and intuitive tools to take care of the whole ecosystem and help people perform a proper response.
The neat thing about this is that the requirements here are functional, as opposed to the nonfunctional ones in prevention and detection. So, the good will beat out the mediocre. We need to build good things and bring people and technology together to mirror less of IT and more of generic risk management. We can learn a lot from other domains that have been doing this for decades.