The Red Pill of Resilience (Keynote)

A presentation at Countermeasure in November 2017 in Ottawa, ON, Canada by Kelly Shortridge

Slide 1

The Red Pill of Resilience
Kelly Shortridge (@swagitda_)
COUNTERMEASURE 2017

Slide 2

Hi, I’m Kelly

Slide 3

“The oak fought the wind and was broken, the willow bent when it must and survived.”

Slide 4

“The more you sweat in peace, the less you bleed in war.”

Slide 5

Resilience is about accepting reality, and building a defensive strategy around reality

Slide 6

Stages of Grief in InfoSec
Etymology of Resilience
The Resilience Triad:
▪ Robustness
▪ Adaptability
▪ Transformability

Slide 7

Stages of Grief

Slide 8

InfoSec is grieving that companies will never be invulnerable to attack

Slide 9

Denial – clinging to a false reality
“We aren’t really at risk”

Slide 10

Anger – frustration that denial can’t go on
“It’s your fault that I need security”

Slide 11

Bargaining – hope that the cause is avoidable
“Maybe we can stop attacks from happening”

Slide 12

Depression – despair over the reality
“We’re going to be hacked, why bother?”

Slide 13

Acceptance – embracing inevitability
“Attacks will happen, but I can be prepared”

Slide 14

Lack of acceptance feeds solution fragmentation, FUD, and snake oil

Slide 15

Security nihilism isn’t the answer. Resilience is.

Slide 16

Etymology of Resilience

Slide 17

1858: Engineering – strength & ductility
20th century: Psychology, ecology, social sciences, climate change, disaster recovery

Slide 18

Resilience in Complex Systems

Slide 19

Non-linear activity in the aggregate
Intertwined components, unpredictability

Slide 20

Infosec is a complex system: defenders, attackers, users, governments, software vendors, service providers, …

Slide 21

Ecological resilience: continually adapt; high degree of instability

Slide 22

Chestnut trees in eastern North America’s forests were wiped out by chestnut blight. Oak and hickory trees grew in their stead.

Slide 23

Evolutionary resilience assumes socioecological systems are co-evolutionary

Slide 24

Communities can diversify agricultural landscapes and production systems

Slide 25

Three central characteristics of resilience: Robustness, Adaptability, Transformability

Slide 26

Hurricane Harvey – primary damage was flooding from ongoing rain, not storm surges

Slide 27

Resilience is about the journey, not the destination

Slide 28

Accept that the risk will exist
Reduce potential damage & restructure around the risk

Slide 29

“A building doesn’t care if an earthquake or shaking was predicted or not; it will withstand the shaking, or it won’t.” – Susan Elizabeth Hough

Slide 30

Survival rests on embracing the unknown and accepting that change is inevitable

Slide 31

Robustness

Slide 32

Robustness: withstanding and resisting, a.k.a. “engineering resilience”

Slide 33

Safe development paradox: stability allows risk to accumulate, compromising resilience

Slide 34

Focus on just engineering resilience leads to a maladaptive feedback loop

Slide 35

Suppressing fires in fire-adapted forests leads to a build-up of fuel over time

Slide 36

Patching & retroactive hardening of vuln-prone systems accumulates risk

Slide 37

Levees support further human development in at-risk floodplains

Slide 38

“Don’t treat the symptoms of bad planning with structures”

Slide 39

Technical controls shouldn’t allow exemption from cyber insurance requirements

Slide 40

Artificially creating a stable environment makes the system less adaptive to disruption

Slide 41

Coral in marine preserves is less resilient to climate disturbance than “stressed” coral

Slide 42

Design & test internal systems with the same threat model as externally-exposed ones

Slide 43

Problem: infosec is exclusively focused on robustness – how to stop / thwart / block

Slide 44

Infosec’s current goal is to return to “business as usual” post-breach. There is no such thing.

Slide 45

Other domains tried defying nature – it doesn’t work

Slide 46

Your systems must survive even if users click on phishing links and download pdf.zip.exe’s

Slide 47

Robustness is effective when you have diverse and layered controls

Slide 48

NYC’s excess heat guidelines: backup hybrid power generators, heat-tolerant systems, window shades, high-performance glazing

Slide 49

Diversity helps provide redundancy in uncertain conditions

Slide 50

APT BlinkyBox™ doesn’t help when legit creds are used to access a cloud service

Slide 51

Don’t ignore correlated risk. Fragmentation can inject a healthy level of instability to foster resilience.

Slide 52

Pitfall of efficiency: more limited space in which your operations can survive

Slide 53

Up for debate: manageability via uniformity vs. minimized impact via diversity?

Slide 54

Decision trees are useful to map out necessary redundancies

Slide 55

Raising attacker cost is the bridge from robustness to adaptability

Slide 56

“Attackers will take the least cost path through an attack graph from their start node to their goal node.” – Dino Dai Zovi
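An added example to make the least-cost-path idea concrete (my code, not the talk’s and not Dino Dai Zovi’s): a small constructed attack graph with assumed edge costs, Dijkstra to find the attacker’s cheapest route from the internet to a customer database, and a helper that raises the cost of a single edge to stand in for a new control. Every node name and cost is an illustrative assumption.

```python
"""Least-cost path through an attack graph, and how one control shifts it.

Added example, not from the talk. The graph, its node names and the edge
costs are constructed assumptions; cost stands for relative attacker effort
(time, tooling, detection risk), not a measurement.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]

ATTACK_GRAPH: Graph = {
    "internet":     {"phish_user": 2, "exploit_vpn": 6, "exposed_api": 5},
    "phish_user":   {"workstation": 1},
    "exploit_vpn":  {"internal_net": 2},
    "exposed_api":  {"app_server": 2},
    "workstation":  {"internal_net": 1, "cached_creds": 2},
    "cached_creds": {"domain_admin": 2},
    "internal_net": {"app_server": 2, "domain_admin": 5},
    "app_server":   {"customer_db": 3},
    "domain_admin": {"customer_db": 1},
    "customer_db":  {},
}


def least_cost_path(graph: Graph, start: str, goal: str) -> Tuple[Optional[int], List[str]]:
    """Dijkstra over the attack graph: (total cost, node list), or (None, []) if unreachable."""
    dist: Dict[str, int] = {start: 0}
    prev: Dict[str, str] = {}
    frontier: List[Tuple[int, str]] = [(0, start)]
    while frontier:
        cost, node = heapq.heappop(frontier)
        if cost > dist.get(node, float("inf")):
            continue  # stale queue entry, a cheaper route was already found
        if node == goal:
            break
        for nxt, edge_cost in graph.get(node, {}).items():
            new_cost = cost + edge_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(frontier, (new_cost, nxt))
    if goal not in dist:
        return None, []
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], list(reversed(path))


def with_control(graph: Graph, src: str, dst: str, added_cost: int) -> Graph:
    """Copy of the graph with one edge made more expensive, standing in for a new control."""
    hardened = {node: dict(edges) for node, edges in graph.items()}
    hardened[src][dst] = hardened[src][dst] + added_cost
    return hardened


if __name__ == "__main__":
    cost, path = least_cost_path(ATTACK_GRAPH, "internet", "customer_db")
    print(f"cheapest path (cost {cost}): {' -> '.join(path)}")
    # Assumed control: remove cached credentials / require hardware MFA for domain admin.
    hardened = with_control(ATTACK_GRAPH, "cached_creds", "domain_admin", 10)
    cost, path = least_cost_path(hardened, "internet", "customer_db")
    print(f"after control  (cost {cost}): {' -> '.join(path)}")
```

Running it prints the cheapest route through a phished workstation and cached credentials (cost 8); once the cached-credential edge is made expensive the attacker is not stopped but rerouted through the internal network and app server at cost 9. That is the bridge the slide describes: each control is judged by how it changes the cheapest path, and the next-cheapest path is where the next layered control belongs.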

Slide 57

Adaptability

Slide 58

Adaptability: reduce costs and damage incurred, while keeping your options open

Slide 59

Intergovernmental Panel on Climate Change (IPCC): incremental change creates a false sense of security – the goal is managed transformation

Slide 60

Preserving habitats is unnatural & counterproductive. Wildlife naturally “tracks” ideal conditions.

Slide 61

Legacy systems are like preserved habitats. We need to be able to migrate to better conditions.

Slide 62

Example: patching inline PHP code
Instead: a single class for DB queries

Slide 63

Static indicators like high coral cover or fish abundance reflect favorable past conditions. Erosion of coral reef resilience is dynamic.

Slide 64

Ensure your threat models aren’t based on favorable past conditions

Slide 65

Survival strategy: commingle warm-adapted species with cold-adapted cohorts

Slide 66

Apps built with legacy systems and libs will not survive in an increasingly open API world

Slide 67

Uncertainty and surprise must be baked into your approach

Slide 68

Test adaptability to attacker methods with attack simulation or automated playbook testing

Slide 69

Chaos Monkey

Slide 70

Randomly kills instances to test their ability to withstand failure. It also makes persistence really hard.
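An added simulation (not Chaos Monkey’s code and not from the talk) of why random termination hurts persistence: one instance per cycle is terminated and rebuilt from a clean image, so a foothold dies with its instance. Two assumed policy knobs are modelled because a chaos experiment has to be safe to run: an availability floor the monkey must not breach, and a maximum age after which an instance is rotated ahead of any random victim. Instance names, the warm-up time, the implant marker and all parameters are constructed.

```python
"""Chaos-style rotation as a bound on attacker persistence.

Added example: this is not Chaos Monkey's code and not from the talk. A
"monkey" terminates one instance per cycle; the replacement is provisioned
from a clean image, so a foothold dies with its instance. Names, the implant
marker, the warm-up time and the policy knobs are constructed assumptions.
"""
import random
from dataclasses import dataclass, field
from typing import List, Optional

WARMUP = 2  # assumed cycles before a fresh instance can serve traffic


@dataclass
class Instance:
    name: str
    age: int = 0             # cycles since provisioned from the clean image
    implanted: bool = False  # constructed marker: attacker foothold on this instance

    @property
    def ready(self) -> bool:
        return self.age >= WARMUP


@dataclass
class Fleet:
    instances: List[Instance]
    min_ready: int  # availability floor the experiment must never breach
    max_age: int    # instances this old are rotated before any random victim
    kills: List[str] = field(default_factory=list)
    implant_lifetimes: List[int] = field(default_factory=list)
    provisioned: int = 0

    def ready_count(self) -> int:
        return sum(1 for i in self.instances if i.ready)

    def implanted(self) -> List[str]:
        return [i.name for i in self.instances if i.implanted]

    def oldest_age(self) -> int:
        return max(i.age for i in self.instances)

    def pick_victim(self, rng: random.Random) -> Instance:
        # Rotation policy: overdue instances first (oldest first), otherwise random.
        overdue = [i for i in self.instances if i.age >= self.max_age]
        if overdue:
            return max(overdue, key=lambda i: i.age)
        return rng.choice(self.instances)

    def cycle(self, rng: random.Random) -> Optional[str]:
        """Advance one cycle; return the terminated instance's name, or None if skipped."""
        for i in self.instances:
            i.age += 1
        victim = self.pick_victim(rng)
        ready_after = self.ready_count() - (1 if victim.ready else 0)
        if ready_after < self.min_ready:
            return None  # safety rail: the experiment must not be the outage
        if victim.implanted:
            self.implant_lifetimes.append(victim.age)
        self.instances.remove(victim)
        self.kills.append(victim.name)
        self.provisioned += 1
        # Replacement from the clean image: age 0, no implant, not ready until warmed up.
        self.instances.append(Instance(name=f"i-new-{self.provisioned:03d}"))
        return victim.name


def build_fleet(size: int, implanted: int, min_ready: int, max_age: int) -> Fleet:
    """Constructed fleet of already-serving instances; the first `implanted` carry a foothold."""
    instances = [Instance(name=f"i-{n:03d}", age=WARMUP, implanted=n < implanted) for n in range(size)]
    return Fleet(instances=instances, min_ready=min_ready, max_age=max_age)


def run(fleet: Fleet, cycles: int, seed: int = 0) -> Fleet:
    """Run the monkey for `cycles` cycles with a seeded RNG and return the fleet."""
    rng = random.Random(seed)
    for _ in range(cycles):
        fleet.cycle(rng)
    return fleet


if __name__ == "__main__":
    f = run(build_fleet(size=5, implanted=2, min_ready=3, max_age=10), cycles=20)
    print("terminated:", f.kills)
    print("foothold lifetimes (cycles):", f.implant_lifetimes)
    print("footholds left:", f.implanted(), "| oldest instance age:", f.oldest_age())
```

With the rotation rule an instance that reaches max_age is terminated within fleet-size cycles, so a foothold cannot outlive max_age + size − 1 cycles no matter what the random draws do. The trade-off to watch is the availability floor: a three-instance fleet with a floor of three never rotates at all, and the persistence bound silently disappears with it.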

Slide 71

Design your security architecture for survival even if individual controls fail

Slide 72

Rethinking security architecture is hard. The industry offers too much complexity.

Slide 73

Containers

Slide 74

Containers promote adaptability and support transformability
@jessfraz | blog.jessfraz.com/post/talks

Slide 75

Containers = “isolated, resource-controlled, and portable runtime environments”

Slide 76

Easier to determine root cause
Easier to transport to better infrastructure
Easier to kill the infection & stop spread

Slide 77

Ongoing stress like ocean warming or overfishing makes coral less resilient in the face of cyclones or coral bleaching events

Slide 78

Complexity will erode your resilience in the face of new vulns or data breaches

Slide 79

Transformability

Slide 80

Transformability = challenge existing assumptions & reorganize your system

Slide 81

Prior example: inline code makes it difficult to reorganize your system vs. a single class
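The inline-code-versus-single-class example from slides 62 and 81, worked through as added code that is not from the talk. The talk names PHP; the same idea is shown in Python with the standard-library sqlite3 module so it runs offline. The table, its rows and the attacker input are constructed. The two inline functions build SQL by string concatenation at each call site; the repository class routes every statement through one method with bound parameters.

```python
"""Inline, hand-built SQL versus a single data-access class.

Added example, not code from the talk. The talk's example is inline PHP; the
same idea is shown in Python with sqlite3 so it runs offline. The table,
its rows and the attacker input are constructed for the demonstration.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a few sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# --- Before: queries built inline wherever they are needed -------------------
# Each call site concatenates untrusted input into SQL. Patching one site does
# nothing for the others, and there is no single place to change the datastore,
# add logging, or enforce a policy.

def find_user_inline(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def users_with_role_inline(conn: sqlite3.Connection, role: str) -> List[Tuple]:
    sql = f"SELECT id, name, role FROM users WHERE role = '{role}'"
    return conn.execute(sql).fetchall()


# --- After: one class owns every query ----------------------------------------
# Parameters are bound, never concatenated, and the class is the one place to
# swap the backend, add audit logging, or restrict which tables are reachable.

class UserRepository:
    def __init__(self, conn: sqlite3.Connection) -> None:
        self._conn = conn

    def _query(self, sql: str, params: Tuple = ()) -> List[Tuple]:
        # Single choke point: every statement in the application passes through here.
        return self._conn.execute(sql, params).fetchall()

    def find_user(self, name: str) -> List[Tuple]:
        return self._query("SELECT id, name, role FROM users WHERE name = ?", (name,))

    def users_with_role(self, role: str) -> List[Tuple]:
        return self._query("SELECT id, name, role FROM users WHERE role = ?", (role,))


# Constructed attacker input: closes the string literal and ORs in a true predicate.
INJECTION = "nobody' OR '1'='1"


def demo() -> Tuple[int, int]:
    """Return (rows leaked by the inline query, rows returned by the repository)."""
    conn = make_db()
    leaked = len(find_user_inline(conn, INJECTION))
    contained = len(UserRepository(conn).find_user(INJECTION))
    return leaked, contained


if __name__ == "__main__":
    print("inline leaked rows, repository rows:", demo())
```

demo() returns (3, 0): the inline query hands the whole table to the `' OR '1'='1` input, the repository returns nothing. The injection fix is the obvious part; the transformability gain is that the repository is the single place to change the backend, add audit logging or restrict reachable tables, whereas the inline version has to be found and patched at every call site.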

Slide 82

In disaster recovery policy, the ideal is to change location & remove urbanization

Slide 83

2011: magnitude 6.3 earthquake hit Christchurch
Cost to rebuild: $40bn+

Slide 84

NZ designated a “red zone” where land is too vulnerable & where rebuilding is uneconomic

Slide 85

Identify the red zones within your IT systems

Slide 86

Choose your own infosec red zone criteria: publicly exposed, legacy systems, critical data, privileged access, overly verbose, single point of failure, difficult to update, …

Slide 87

Example: an API consuming critical data should be in the “red zone” whether it has vulns or not

Slide 88

Identify assets that fall under your red zone criteria & migrate them to a safer system
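One way to operationalise the red zone criteria from slides 86 and 87, as an added example that is not from the talk: each asset is scored on how many of the listed criteria it meets, with the slide 87 rule encoded explicitly so that an internet-reachable asset holding critical data is red zone regardless of its vulnerability count. The threshold, the field names and the inventory rows are constructed assumptions.

```python
"""Red-zone triage over an asset inventory (added example, not from the talk).

The criteria follow the slide; the threshold, the hard rule's encoding and
the inventory rows are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    public: bool            # reachable from the internet
    legacy: bool            # end-of-life platform or unsupported stack
    critical_data: bool     # stores or serves regulated / business-critical data
    privileged: bool        # holds or issues privileged credentials
    verbose: bool           # overly verbose: leaks stack traces, banners, debug detail
    spof: bool              # single point of failure
    hard_to_update: bool    # no automated rebuild or patch path
    open_vulns: int         # known unpatched vulns; deliberately NOT a criterion


# Assumed threshold: meeting this many criteria puts an asset in the red zone.
RED_ZONE_THRESHOLD = 3


def red_zone_score(asset: Asset) -> int:
    """Number of red-zone criteria the asset meets. Vulnerability count is ignored."""
    criteria = (
        asset.public,
        asset.legacy,
        asset.critical_data,
        asset.privileged,
        asset.verbose,
        asset.spof,
        asset.hard_to_update,
    )
    return sum(1 for met in criteria if met)


def in_red_zone(asset: Asset) -> bool:
    """Slide 87's rule first: exposed + critical data is red zone, vulns or not."""
    if asset.public and asset.critical_data:
        return True
    return red_zone_score(asset) >= RED_ZONE_THRESHOLD


def triage(assets: List[Asset]) -> List[Asset]:
    """Red-zone assets ordered for migration: most criteria first, then by name."""
    flagged = [a for a in assets if in_red_zone(a)]
    return sorted(flagged, key=lambda a: (-red_zone_score(a), a.name))


# Constructed inventory.
INVENTORY = [
    Asset("payments-api", public=True, legacy=False, critical_data=True, privileged=False,
          verbose=False, spof=False, hard_to_update=False, open_vulns=0),
    Asset("hr-legacy-app", public=False, legacy=True, critical_data=True, privileged=False,
          verbose=True, spof=True, hard_to_update=True, open_vulns=2),
    Asset("ad-domain-controller", public=False, legacy=False, critical_data=False, privileged=True,
          verbose=False, spof=True, hard_to_update=True, open_vulns=1),
    Asset("dev-sandbox", public=False, legacy=False, critical_data=False, privileged=False,
          verbose=False, spof=False, hard_to_update=False, open_vulns=12),
    Asset("marketing-site", public=True, legacy=False, critical_data=False, privileged=False,
          verbose=True, spof=False, hard_to_update=False, open_vulns=3),
]

if __name__ == "__main__":
    for a in triage(INVENTORY):
        print(f"{a.name:22s} criteria={red_zone_score(a)} open_vulns={a.open_vulns}")
```

The zero-vuln payments API lands in the red zone while the twelve-vuln dev sandbox does not, which is the slide’s point: red zone criteria describe exposure and consequence, not the current patch backlog.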

Slide 89

Example: planned decommission of levees to assist migration
Prohibits becoming a permanent “fix”

Slide 90

Continually consider how you can prepare in advance for migration

Slide 91

Complex systems require collaborative planning across stakeholders

Slide 92

Open sharing of protections in place, what risk remains, uncertainties in the approach

Slide 93

Partner with engineering – they benefit from flexibility and transformability as well

Slide 94

Your role is to manage state transitions. Consider how a resilience approach fits into engineering workflows.

Slide 95

2FAC @ Facebook: integrated 2FA into dev workflows without creating friction

Slide 96

“You can actually implement security controls that affect every single thing people are doing and still make them love it in the process”

Slide 97

Find someone with whom to collaborate & how security can fit into their workflows

Slide 98

Ensure your org is learning from prior experiences – foster a security culture

Slide 99

Conclusion

Slide 100

Infosec resilience means a flexible system that can absorb an attack and reorganize around the threat.

Slide 101

Robustness is optimized through diversity of controls

Slide 102

Adaptability minimizes the impact of an attack and keeps your options open

Slide 103

Transformability demands you challenge assumptions & reorganize around reality

Slide 104

“The history of evolution is that life escapes all barriers. Life breaks free. Life expands to new territories. Painfully, perhaps even dangerously. But life finds a way.”

Slide 105

Attacks will evolve. We can evolve, too.

Slide 106

Let’s strive for acceptance of our grief, and architect effective and realistic defense

Slide 107

The blue pill relegates us to the role of a firefighting cat who’s drunk on snake oil

Slide 108

Instead of accepting snake oil, take the red pill of resilience

Slide 109

“Good enough is good enough. Good enough always beats perfect.” – Dan Geer

Slide 110

@swagitda_ /in/kellyshortridge kelly@greywire.net

Slide 111

Suggested Reading
▪ Engineering resilience versus ecological resilience
▪ Resilience and disaster risk reduction: an etymological journey
▪ A strategy-based framework for assessing the flood resilience of cities – A Hamburg case study
▪ Vulnerability, Resilience, and the Collapse of Society
▪ Are some forms of resilience more sustainable than others?
▪ Flood Resilience: a Co-Evolutionary Approach
▪ The oak or the reed: how resilience theories are translated into disaster management policies
▪ Rethinking Ecosystem Resilience in the Face of Climate Change
▪ Building evolutionary resilience for conserving biodiversity under climate change
▪ Complexity and Planning: Systems, Assemblages and Simulations
▪ “Windows Containers” by Microsoft
▪ “The Netflix Simian Army” by Netflix