Cybersecurity First Principles.
Rick Howard: [00:00:00] Hey all - Rick Howard here. The episode you are about to listen to is the first in a planned multishow series regarding how to think about cybersecurity strategy. And after saying that, I can hear all of you groaning out loud and feel you reaching for your phones to swipe right because the last thing that you want to hear as you walk your dog in the neighborhood catching up on podcasts is another talking head pontificating about cybersecurity strategy. But hang with me. I think you might be surprised. I've had this notion for a while now that the way the network defender community goes about building our infosec programs - it's all wrong. It feels like that scene from "Jurassic Park" and one of my favorite actors Jeff Goldblum.
0:00:48:(SOUNDBITE OF FILM, "JURASSIC PARK")
Jeff Goldblum: [00:00:48] (As Ian Malcolm) I'll tell you the problem with the scientific power that you're using here. It didn't require any discipline to attain it. You know, you read what others had done, and you took the next step. You didn't earn the knowledge for yourselves, so you don't take any responsibility for it.
Rick Howard: [00:01:05] In terms of cybersecurity, it just feels incremental. We progressively take the next steps without wondering if the previous steps that we took have taken us down the right path. We don't challenge the initial direction we set upon. We just keep taking another step. It's like we're walking in the woods with no landmarks to speak of, wondering if we will reach our destination. What we really need to do is stop for a second, take a look at the road map and maybe take a bearing with a compass. We want to see if we are still going in the right direction and maybe challenge some of those early decisions we made in our trip that got us lost in the woods in the first place.
Rick Howard: [00:01:56] My name is Rick Howard. You are listening to CSO Perspectives, my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. This episode, we're going to take a hard look at some of our basic cybersecurity assumptions, essentially tear down our current infosec program and rebuild it from the ground up using a basic set of security practices. What we're talking about here in this first episode of the series is first-principle thinking.
Rick Howard: [00:02:35] A CISO's world can be daunting. There always seems to be way too many things that we must do in order to protect our organizations from a cyberattack. In my early days, I really struggled with this. The projects that me and my teams pursued became an endless collection of things in the to-do pile with no priorities. This day-to-day grind eventually devolved into fixing the crisis of the day. Whatever fire popped up that day was the thing that we would throw all of our resources toward. The crisis became the priority, and because that is all we did, we never put into practice anything that would prevent the fires from popping up in the first place.
Rick Howard: [00:03:15] All of those fires are known in the industry today as technical debt. You can never move forward to innovate for your company because you spend your time every day fixing and updating the things that you have already built. There is no time to add things because you are constantly trying to keep the old things up and running. Doing the job in that old-fashioned way is exhausting. I would get overwhelmed with a number of things on the to-do list that seem to grow faster than I could address them. And forget about measuring any kind of forward progress other than counting the things in the done pile. I needed another way.
Rick Howard: [00:03:52] Just a side issue here - this situation is exactly the subject of the Cybersecurity Canon Hall of Fame book called "The Phoenix Project." That book was my introduction to the world of DevOps and DevSecOps and how automation and the management of that automation can help you reduce that technical debt and move forward with your security program. But at the time, DevOps hadn't become a thing yet, and I was struggling. And then I listened to an NPR story about two British mathematicians, Alfred Whitehead and Bertrand Russell. They published a book called "Principia Mathematica" in 1910 that attempted to rebuild the language of math from the ground up using a small set of first principles. They recognized some inconsistencies in the current set of rules used by the math community.
Rick Howard: [00:04:43] You could use the same rules to get to different and absolutely correct results - something called the Russell paradox. In a precision engineering world, that was a recipe for disaster. So they went back to the drawing board, threw everything out and started from scratch. It took them 80 pages to mathematically prove that one plus one equals two. In a footnote, Whitehead and Russell famously wrote this line. And I quote, "the above proposition is occasionally useful," end quote. And you all thought that math nerds were not funny.
Rick Howard: [00:05:18] The idea of first principles has been around since the Greek age of sophistry. Aristotle spoke about the concept some 300 years B.C.E. I'm quoting here. "In every systematic inquiry where there are first principles or causes or elements, science results from acquiring knowledge of these," end quote. Two thousand years later, Rene Descartes talked about the concept in his book "Principles of Philosophy" published in 1644, quote, "In order to study the acquisition of knowledge, we must commence with the investigation of those first causes, which are called principles," end quote. In our modern day, when asked about how he approached the concepts of electrical autonomous cars, affordable solar energy and economic spaceflights, Elon Musk didn't say that he looked at what NASA had done during the Apollo and spatial emissions and took the next step. Instead, he threw all of that out and started over with first principles - a gutsy move, for sure, but that is probably why he is a gazillionaire and I am not.
0:06:23:(SOUNDBITE OF ARCHIVED RECORDING)
Elon Musk: [00:06:24] First principles is kind of a physics way of looking at the world. And what that really means is you kind of boil things down to the most fundamental truths and say, OK, what are we sure is true or as sure as possible is true? And then reason up from there.
Rick Howard: [00:06:40] First principles in a designated problem space are so fundamental as to be self-evident, so elementary that no expert in the field can argue against them, so crucial to our understanding that without them, the infrastructure that holds our accepted best practice disintegrates like sand castles against the watery tide. In other words, you get the Russell paradox. They are atomic. Experts use them like building blocks to derive everything else that is known in the problem domain, like Bertrand Russell needing 80 pages block by block to prove a simple math concept. And that's the key. Each building block depends on the previous.
Rick Howard: [00:07:20] If this way of thinking seems as appealing to you as it does to me, the logical next question then is what is the network defender's ultimate first principle? Where do we begin? What is the absolute first principle building block for the security professional? What is the foundation that we are going to install in order to build our entire infosec program wall on? As you can imagine, I have some thoughts about this.
Rick Howard: [00:07:46] Back in the dinosaur days, before Apple invented the iPhone and we all used dial-up modems to access the internet and thought we were pretty cool doing it, my peers and I used to think that every security issue was a potential catastrophe. We would run around the hallways like our hair was on fire, screaming at anybody who would listen that the wolf was at the door and if we didn't do something right now, the world might possibly end.
0:08:08:(SOUNDBITE OF SCREAMING)
Rick Howard: [00:08:11] Now that I'm older and wiser - my wife would just say that I'm fatter and lazier - I don't have the energy to do that anymore. If I'm honest with myself, too, that wasn't the right approach anyway. Many network defenders might be thinking that preventing all breaches is the ultimate first principle. But that is a fool's errand.
0:08:30:(SOUNDBITE OF FILM, "FERRIS BUELLER'S DAY OFF")
Jeffrey Jones: [00:08:30] (As Ed Rooney) Wake up and smell the coffee, Mrs. Bueller. It's a fool's paradise. He is just leading you down the primrose path.
Rick Howard: [00:08:38] By pursuing that strategy, it leaves no flexibility to respond after discovery, and it doesn't account for how you have protected your important data with your zero-trust program. It leaves the defender no maneuver room. But if you want to go down that road, it should at least be to prevent all successful adversary campaigns and not just breaches. We know that cyber adversary groups have to complete a sequence of actions along the intrusion kill chain in order to be successful. If they negotiate 99 out of the 100 actions but fail the 100th, then who cares? They didn't succeed. They breached a victim zero's laptop but failed to negotiate across the rest of the intrusion kill chain to find the information they have come to destroy or steal. Preventing breaches is important, but it is probably not the most important thing.
Rick Howard: [00:09:29] If a cybercriminal gang compromised Kevin's laptop but failed to steal anything from the company before we kicked them out of the network, is that a success story or failure? By using the prevent-all-breaches metric, the Kevin situation means that I failed. In my mind, the truth is 180 degrees in the opposite direction. In my mind, the infosec team succeeded.
Rick Howard: [00:09:52] So let's not use prevent all breaches as our very first principle. But even using prevents successful adversary campaigns as a first principle does not quite feel atomic enough, either. It still feels too black and white, too binary. It needs more nuance. What I mean by nuance is that we don't want a strategy that is similar to the husband points system that my wife tracks at the Howard house. Whenever I do something positive for the family or for my kids or for her, she updates the ledger in her head in a positive way.
Rick Howard: [00:10:26] Think of it as similar to the Facebook like mechanism for running the Howard family. If I do something positive, I get another like. Where it diverges from the Facebook system is when I do something stupid. If I screw up, which is often - and, by the way, with great effect - my wife immediately reduces the positive entries in my ledger all the way down to zero, regardless of how many positive likes were in there before the incident. Hey, don't judge. It works for us. After 35 five years, let's not argue with success. It is just that a zero-tolerance system like that might be good for my marriage, but it is not a good model for our infosec program.
Rick Howard: [00:11:07] Besides being impossible to accomplish, that zero-tolerance mentality doesn't help us build a strong first principle wall. Everything we build on top of that first principle wall would come crashing down as soon as a cyber adversary group successfully completed its campaign. And then what do you tell your boss? Sorry, boss, we failed; all that money we spent on the wall didn't do what I promised. I don't know about you, but I don't want to be in that situation.
Rick Howard: [00:11:37] Instead of a binary metric that we either did something or did not do something, we should be thinking in terms of a sliding scale, something like a probability range, how our first principle Wall should drive us closer to reducing the probability of a cyber adversary running a successful attack campaign against us. That gives us some planning room. We can tell a boss that we spent, oh, X amount of dollars on a new security tool or a new security function, that we reduced the probability of an adversary group running a successful cyber campaign against us from 5% down to 4%. When we present it in that manner, the leadership can evaluate whether or not the spend for the project was worth the effort. And if it does happen, our first principle building block wall doesn't crumble. We didn't tell the board that we would stop all adversary campaigns; we told them that we would reduce the probability of a successful one.
Rick Howard: [00:12:32] That is getting closer to our absolute first principle. It is no longer a binary question because we have provided a range of probabilities for the leadership to consider. But it's still missing something. It is still too broad and will cause us to spend resources on things that are not important. Face it, not everything in our network is essential. If the bad guys compromise Luigi's laptop and steal the menu from the lunch special in the company cafeteria, maybe we don't need to call the FBI in for that one. He might be a little embarrassed, but the exfiltration of the lunch menu to the APT's command and control server in Tajikistan will not cause the company that much heartburn. So why then would you spend a lot of resources trying to protect it?
Rick Howard: [00:13:19] I don't know about you, but the volume of resources that I typically get to spend on cybersecurity has never been infinite. If you tried to spread that volume thinly over everything, you run out of resources before you run out of things to do anyway, and the projects that you did spend on are not funded completely enough to solve the entire problem. That is like trying to feed a platoon of neighborhood teenagers with one spoonful of Jif peanut butter and a loaf of bread. Nobody is going to be satisfied at the conclusion of that exercise. In other words, focus only on what is material to the business; everything else is nice to have.
Rick Howard: [00:13:58] The risk management team over at Datamaran define materiality this way - quote, "a material issue can have a major impact on the financial, economic, reputational and legal aspects of a company as well as on the system of internal and external stakeholders of that company," end quote. Now, that is the best, precise and most compact definition of materiality that I have come across. I want to spend my finite resources on protecting material things, not protecting Luigi's lunch menu.
Rick Howard: [00:14:32] After walking through that analysis, it is clear to me that our foundational first principle block, our cybersecurity cornerstone, must address three elements in order to make it stable for the rest of the first principle building blocks to sit upon. First, it must focus on preventing successful cyber adversary campaigns, not just preventing breaches. Second, it must concentrate on reducing the probability that those successful cyber adversary campaigns could happen, not try to stop them altogether. And finally, it must emphasize attack campaigns that would have a material impact on the company and not the ones that are just embarrassing.
Rick Howard: [00:15:17] With all of that, here is my proposed first principle building block for all networked defenders, regardless if they are in academia, government service or commercial entrepreneurship. Here it is. You ready? Reduce the probability of material impact to my organization due to a cyber event. That's it. Nothing else matters. This simple statement is the pillar we can build an entire infosec program on, which begs the question - what's next? If reducing the probability of material impact to my organization due to a cyber event is the thing that we are trying to do, what are the follow-on first principle building blocks that we will install that will help us do that? Just like Whitehead and Russell, what are the essential concepts that will allow us to prove the equivalent of one plus one equals two in our network defender world?
Rick Howard: [00:16:16] In future episodes, I will be talking in more detail about strategies that I touched on today like zero trust, intrusion kill chains and DevSecOps. I will also be talking about ideas that I haven't addressed yet, like resilience, orchestration, intelligence operations, incident response and others, as we build the first principle wall of cybersecurity. Stay tuned.
Rick Howard: [00:16:42] That's a wrap. If you agree or disagree with anything I have said, hit me up on LinkedIn or Twitter, and we can continue the conversation there. The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Engineering and music design by the insanely talented Elliott Peltzman. And I am Rick Howard. Thanks for listening.