CSO Perspectives 6.29.20
Ep 13 | 6.29.20
Cybersecurity first principles: end of season summary.

Rick Howard: Rick Howard here. You're about to listen to the final episode of Season 1 of the "CSO Perspectives" podcast. Not to worry. We are building Season 2 as we speak, and you should start seeing those episodes appear in your podcast feed in a couple of weeks. Admittedly, when we started this thing back in April, we weren't quite sure what form it would take. We knew that each podcast would have a supporting written essay to go along with it, but that was about it. The first shows covered cybersecurity subjects that piqued my interest, like metrics and cyber novels and the dark web and artificial intelligence and SASE. I just love saying SASE, anyway. And by the way, if you haven't listened to that one, you should definitely go back and do so. I believe it is a better way for deploying our security stacks in the near future. But I digress. All of that was kind of a hodgepodge of things - interesting, but no through line.

Rick Howard: In May, I started talking about my own personal, unified theory of cybersecurity based on first principles. That had some legs, some sort of coherence. And at this point, eight essays and podcasts in on cybersecurity first principles, you might be asking yourself, why? Why did I go to the trouble? Why is first principle thinking so important to the network defender community? Why is this a better way to build an infosec program than, say, the NIST cybersecurity framework, or another one called COBIT, which stands for Control Objectives for Information and Related Technologies Framework for IT systems? Man, that's a mouthful. Or even the ISO standards, like 27002, which is the International Standard Organization Specifications for an Information Security Management System, or ISMS, or even a handful of others that you might be familiar with. Well, I'm glad you asked.

Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This is show number eight in a series that discusses the development of a general purpose cybersecurity strategy using the concept of first principles. We are wrapping up the season, and I wanted to highlight some of the more important points. Let's start with why a first principle approach is better than just adopting, let's say, the NIST cybersecurity framework.

Rick Howard: And let me just say upfront that the NIST cybersecurity framework document is a remarkable piece of research and statement of best practices. It is probably one of the finest examples of a coordinated public-private partnership that the network defender community has ever manifested. One of its keys to success is the collaboration between the U.S. government and other thought leaders and stakeholders from the commercial sector and the academic community. 

Rick Howard: With Executive Order 13636, President Obama tasked NIST - and that stands for the U.S. government's National Institute of Standards and Technology - to build a cybersecurity framework for the country's critical infrastructure that focused on information sharing and risk management. NIST's approach to building that framework was to be inclusive with the network defender community. Within a very short year, the NIST team organized a travelling roadshow that went around the country to conduct five in-person workshops and online webinars designed to collect pertinent information about the subject and later to comment on the draft work product. 

Rick Howard: In February 2014, NIST published version 1.0 of the document and updated it to version 1.1 in April 2018. But in 2016, a survey conducted by Tenable of over 300 IT and security professionals found that over 40% of respondents had adopted the framework as a best practice. And in my wanderings around the world, I have found that most network defenders believe it represents the industry's current best practice, even if they haven't adopted it. In every measure, that is a success. And the thing that makes the NIST framework unique compared to laws like GDPR and HIPAA and PCI, and other standards work like COBIT and the ISO standard, is the cultivated public-private partnership. In the first podcast of this first principles series, I said that the network defender community has been incrementally improving itself since its inception back in the 1990s. We saw what others were doing, tried to emulate them, and then we took the next step. And this gives me the opportunity to play my favorite Jeff Goldblum clip from Jurassic Park.


Jeff Goldblum: (As Ian Malcolm) I'll tell you the problem with the scientific power that you're using here. It didn't require any discipline to attain it. You know, you read what others had done, and you took the next step. You didn't earn the knowledge for yourselves, so you don't take any responsibility for it. 

Rick Howard: I love that movie and especially Jeff Goldblum’s performance as Dr. Ian Malcolm. When he tells John Hammond that if The Pirates of the Caribbean breaks down at Disneyland, the pirates don't eat the tourists. How great is that?

Rick Howard: But the NIST Cybersecurity Framework is similar to that incremental thinking. The NIST researchers polled a bunch of us and crafted a consensus document regarding the best ideas around what everybody was doing. That is fabulous. It represents the network defender community's current best guess as to what an infosec program should look like. My only issue with it is that it doesn't pause long enough to contrast what everybody is doing to what everybody should be doing. 

Rick Howard: Don't get me wrong. If you pursue nothing but the NIST cybersecurity framework to enhance the security posture of your organization, your program will be strong and better than most others. But what I'm trying to avoid is the cybersecurity equivalent of Russell's paradox in mathematics. 

Rick Howard: Back in the early 1900s, the math community could legitimately calculate two different but absolutely correct answers to a math problem using the same set of math rules. That’s the Russell Paradox. Clearly, that is not a great situation. In 1910, two British mathematicians, Alfred Whitehead and Bertrand Russell, published a book called Principia Mathematica that attempted to fix that situation by rebuilding the math rules from the ground up using a small set of first principles.

Rick Howard: The equivalent of the Russell paradox in cybersecurity is deploying strategies that are accepted best practices but give you inconsistent results. It all comes down to - what exactly are we trying to achieve with our infosec program? 

Rick Howard: Buried in the executive summary of version 1.0 of the NIST Cybersecurity Framework, I found this line as a statement of purpose. Quote, "through the Cybersecurity Enhancement Act of 2014, NIST must identify a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls that may be voluntarily adopted by owners and operators of critical infrastructure to help them" - and here's the important part - "identify, assess and manage cyber risks." Is that what we're trying to do? Help critical infrastructure operators identify, assess and manage cyber risks? Perhaps. But is that the most important thing? It's crucial, for sure, but is it the most essential thing to do? I don't think so.

Rick Howard: In the first podcast in this first principles series, I walked the reader through my thinking about the concept of first principles as it applies to cybersecurity. The idea is that if you want to build something grand, like the Cybersecurity Framework, you have to first reduce it down to its essence and then build it up from there. The essence becomes the foundation of the entire thing, the expression of purpose, the aspiration.

Rick Howard: And yet they are so fundamental as to be self-evident; so elementary that no expert in the field can argue against them. It is not that the NIST Cybersecurity Framework and the others don't have the proper ingredients for a good infosec program; they do. They have many of them. But they are not atomic and interlocking. They don't represent a strategy because they don't build on each other to accomplish something. They don't place a stake in the ground to guide us on our infosec journey. They are, essentially, an endless to-do list that many security professionals have trouble finishing. Collectively, they provide the network defender community with little insight to describe what we are trying to accomplish, and that is the reason to think about frameworks through a first principle lens.

Rick Howard: In the first podcast, I proposed that the essence of what every cybersecurity professional is trying to do with their infosec program, the foundation, the reason for it to exist, is this - reduce the probability of material impact to my organization due to a cyber event. In every essay and podcast in the series, I have reiterated that simple statement. That's it. Nothing else matters. It is the pillar on which we can build an entire infosec program. 

Rick Howard: The next essays and podcasts in the series continued with the infosec wall metaphor. If reducing the probability of material impact is the absolute first principle of our program, what are the interlocking and essential capabilities required to build that strong infosec wall? We talked about six to start. The first brick was zero trust. Zero trust is a network design philosophy about where we store our data and who should have access to it. 

Rick Howard: In the last five years, the number of places organizations store their data outside of their traditional perimeter has exploded. We have data center space. We have mobile users. We have SaaS applications - a lot of them. We have cloud environments, both IaaS and PaaS. In many cases, we have hybrid cloud environments with multiple cloud providers like Google, Microsoft and Amazon. And we still have data behind the perimeter. I call these storage areas data islands. And remember - the zero-trust brick is passive. In other words, everything we do to implement our zero-trust program has nothing to do with how adversaries actually attack our systems.

Rick Howard: Any zero trust control we install is general purpose, designed to defeat a generic adversary. But the idea of zero trust is that the act of employees logging into the network in the morning should not willy-nilly grant them access to all of our data islands. There should be some notion of need-to-know. Network architects design employee access with the assumption that the network is already compromised and limit employee access in order to reduce the probability of data destruction or data theft. In other words, if hackers compromised the credentials of an employee, they can't use those credentials to cause material damage.

Rick Howard: The next brick on the infosec wall is intrusion kill chains. It is the mastery to deploy prevention controls at each phase of the attack sequence for all known adversary campaigns. When you realize that there are less than 100 adversary groups running something smaller than 500 adversary campaigns on the internet on any given day, you begin to understand that it's possible to build defensive campaigns designed specifically to defeat every one of them. 

Rick Howard: Contrast that to the passive zero trust approach. This strategy is active. We know that cyber adversaries have to string a series of actions across the intrusion kill chain - recon, delivery, exploitation, command and control, lateral movement and exfiltration - in order to accomplish their mission. It is conceivable that you could deploy prevention and detection controls at every stage, instead of simply deploying a prevention control for some technical weakness, with no relation to how the adversary operates. We deploy prevention and detection controls designed to specifically defeat all known adversaries. This will exponentially decrease the probability of material impact due to a cyber event because, even if the adversary gets around one of your controls, they'll run into the very next one in the intrusion kill chain defensive campaign. 

Rick Howard: Resilience is the next brick on our wall. It is the dexterity to continuously deliver the intended outcome, despite adverse cyber events. Having the capability to continue supporting internal and external customers in the middle of a withering cyberattack demonstrates to the world that, even though the attack is damaging, it is not material to the business. In other words, even if a ransomware attack encrypts our financial information stored in some Amazon S3 bucket, we can still operate the business because we have a hot copy of that data stored somewhere else. We designed the network so that there is no material impact to this kind of threat because the business runs on a system of systems that is redundant and consistent. 

Rick Howard: Risk assessment is the next brick. It is a precise forecast regarding the current probability of material impact due to a cyber event to our organization. Since our atomic first principle involves reducing probability, it becomes imperative that we have the means to calculate what the existing probability is. In order to do that, network defenders must expand their understanding of probability. It is more than counting marbles of a specific color falling out of urns that we all learned in our probabilities and stats class back in college.

Rick Howard: We take our lead here from Dr. Ron Howard and his theory of decision-making. His concept of probability is that it is a precise definition of what we know about a problem domain. From my perspective, I know that the risk question we answer must have three components. It must first have a precise quantitative probability estimate, not some imprecise qualitative assessment like high, medium or low. It then must focus on things that will be material to the business. Anything else is not necessary and a waste of resources. Finally, it must be time-bound. As we expand our notion of probability, we must remember what George Box, the famous British statistician, has said, quote, "All models are wrong. Some are useful," end quote. Choose a simple model first, and then continue to enhance it and make it even more useful.

Rick Howard: OK. So we laid the foundation, and then we put four bricks on top - zero trust, intrusion kill chains, resilience and risk assessment. This next brick is the beginning of the second course of the wall because it supports all the other bricks underneath it. It's called cyberthreat intelligence operations, and it is the methodology of turning raw information into intelligence products that leaders use for decision-making. The process itself is simple - get leadership's guidance on what information they need to help them with their decisions, break this guidance down into smaller and more manageable questions, seek information to answer those questions, develop products to answer those questions with the information at hand, deliver those products to leadership and, finally, get guidance from leadership about whether the products were useful or not. 

Rick Howard: Like I said, cyberthreat intelligence operations can and should be used to inform all of the other essential security bricks on the infosec wall. But the most likely use is to inform the intrusion kill chain brick. If we’re going to build and deploy intrusion kill chain obstacles for all the known adversary attack campaigns, then we need a way to collect the latest campaign changes for all of the adversary groups. And I know they have some crazy sounding names that most times include ferocious animals in the title like bears, and dragons, and longhorns, and kittens. OK - maybe not ferocious but you get the idea. For the sake of this discussion, let’s just call the lot of them Panda Kittens. We need to craft prevention controls to defeat all of the Panda Kitten groups, somewhere in the neighborhood of 100 in total on any given day, and coordinate the deployment of those controls to the security stack across all of our data islands.

Rick Howard: The last brick on our infosec wall, tucked up tight against the cyberthreat intelligence brick, is DevSecOps. It is the competence to run your digital business with code. Manual processes are brittle, and they break on a regular basis. They accumulate technical debt. They require humans to stop what they are doing enhancing the business in order to spend time fixing a broken or degraded existing system. The key is deploying infrastructure as code. This paradigm shift from managing the network by manual processes to relying on an engine of an autonomous system of systems enables the organization to deploy layers of consistency and security across the entire enterprise. Those layers provide the mechanism - the lever, so to speak - to reduce the probability of material impact across the other pillars in the first principle infosec wall. 

Rick Howard: For zero trust, it is one thing to manually install your policy in one of your key SaaS applications. It is quite another to be able to do it across all SaaS applications at the push of a button. For intrusion kill chains, it is one thing to deploy newly handcrafted firewall rules designed to defeat a single adversary group across the intrusion kill chain. It is quite another to track all 500 Panda Kitten campaigns quickly and efficiently and install prevention controls designed to defeat them for every phase of the attack sequence, on the security stack across all data islands.

Rick Howard: For risk assessment, it is one thing to spend weeks manually calculating our risk forecast. It is quite another to have a daily recalculation based on the current state of the network and new evidence about the changes to all of the Panda Kitten attack campaigns. For resiliency, it is one thing to manually swing your systems away from a compromised data set to an uncorrupted data set. It is quite another to have a DevSecOps system discover the situation and automatically pivot to the clean data set before anybody notices.

Rick Howard: For cyberthreat intelligence, it’s one thing to have your intelligence team track a single attack campaign and make recommendations to the network operations team about what prevention controls to deploy. It’s quite another to build a system that collects the latest intelligence about all 500 Panda Kittens, builds the correct prevention controls for the current security stack across all data islands, and then deploys them automatically.

Rick Howard: In this first season of podcasts and essays, I've made an argument that the way the network defender community has incrementally improved itself might need a reboot. Every year, cyber-adversaries improve their craft. And every year, the network defender community responds to the new methods. In the 25 years I've been doing this, we've never seemed to gain the advantage, though. It's almost like our method is not working. But it is the only thing we know, so we keep doing it over and over and over again. This kind of thinking has led us to focus on the tactical prevention of malicious technical things from penetrating our networks instead of concentrating our efforts on more strategic goals like protecting the business. Rethinking our strategies through a first principle lens will help us do that. It allows us to decide what the most important thing is for our organization and build the supporting infrastructure from there. 

Rick Howard: And that's a wrap, not only for this episode but for the entire first season. We are busy working on Season 2 right now, but we would love your feedback. Hit me up on LinkedIn if there are things you would like us to do in Season 2. And tell your friends - we always have room for one more listener. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Mix, sound design and original music by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening, and we'll see you at Season 2.