I love history. Studying the past constantly reminds me that we are not any smarter than our predecessors, although we have more knowledge available. The challenge of history is to apply its lessons to modern problems in time to positively impact those problems.
I offer this post in response to some of the reporting from the Gartner Security Summit 2008, where pearls of wisdom like the following appear:
What if your network could proactively adapt to threats and the needs of the business? That’s the vision of the adaptive security infrastructure unveiled by Gartner here today.
Neil MacDonald, vice president and fellow at Gartner, says this is the security model necessary to accommodate the emergence of multiple perimeters and moving parts on the network, and increasingly advanced threats targeting enterprises. “We can’t control everything [in the network] anymore,” MacDonald says. That’s why a policy-based security model that is contextual makes sense, he says.
“The next generation data center is adaptive – it will do workloads on the fly,” he says. “It will be service-oriented, virtualized, model-driven and contextual. So security has to be, too.”
Translation? Buzzword, buzzword, how about another buzzword? People are paying to attend this conference and hear this sort of "advice"?
I humbly offer the following free of charge in the hopes it makes a slight impact on your approach to security. I am confident these ideas are not new to those who study history (like my Three Wise Men and those who follow their lead).
Let's go back in time. It's the early 17th century. For literally hundreds of years, European "expertise" with the physical world has been judged by one's ability to recite and rehash Aristotelian views of the universe. In other words, one was considered an "expert" not because his (or her) views could be validated by outcomes and real life results, but because he or she could most accurately adhere to statements considered to be authoritative by a philosopher who lived in the fourth century BC. Disagreements were won by the party who best defended the Aristotelian worldview, regardless of its actual relation to ground truth.
Enter Galileo, his telescope, and his invention of science. Suddenly a man is defending the heliocentric model proposed by Copernicus using measurements and data, not eloquent speech and debating tactics. If you disagree with Galileo (and people tried), you have to debate his experimental results, not his rhetoric. It doesn't matter what you think; it matters what you can demonstrate. Amazing. The world has been different ever since, and for the better.
Let's return to the early 21st century. For the last several years, "expertise" with the cyber world has been judged by one's ability to recite and rehash audit and regulatory views of cyber security. In other words, one was considered an "expert" not because his (or her) views could be validated by outcomes and real life results, but because he or she could most accurately adhere to rules considered to be authoritative by regulators and others creating "standards." Disagreements were won by the party who best defended the regulatory worldview, regardless of its actual relation to ground truth.
Does this sound familiar? How many of you have attended meetings where participants debated password complexity policies for at least one hour? How many of you have wondered whether you need to deploy an IPS -- in 2008? How many of you buy new security products without having any idea if deploying said product will make any difference at all?
What would Galileo think?
Perhaps he might do the following. Galileo would first take measurements to identify the nature of the "cybersecurity universe," such as it is. (One method is described in my post How Many Burning Homes.) Galileo would then propose a statement that changes some condition, like "remove local Administrator access on Windows systems", and devise an experiment to identify the effect of that change. One could select a control group within the population and contrast its state with a group that loses local Administrator access, assessing the security posture of each group after a period (like a month or two). If the change resulted in measurable security improvement, like fewer compromised systems, the result is used to justify further work in that direction. If not, abandon that argument.
This approach sounds absurdly simple, yet we do not do it. We constantly implement new defensive security measures and have little or no idea if the benefit, if any (who is measuring anyway?), outweighs the cost (never mind just money -- what about inconvenience, etc.). Instead of saying "I can show that removing local Administrator access will drive our compromised host ratio down 10%," we say "Regulation X says we need anti-virus on all servers" or "Guideline Y says we should have password complexity policy Z."
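The control-versus-treatment comparison described above, as an added example that is not part of the original post: it computes the compromised-host ratio of each group from a constructed host inventory and incident list, then applies a two-proportion z-test so that a drop observed on a handful of hosts is not mistaken for a real effect. The group labels, host names and compromise counts are assumptions made up for the example.

```python
import math

# Constructed sample data (hypothetical, not from the original post): 400 hosts
# split into a control group and a group whose local Administrator rights were
# removed, plus the hosts found compromised during the trial period.
HOSTS = {f"ctl-{i:03d}": "control" for i in range(200)}
HOSTS.update({f"nla-{i:03d}": "no_local_admin" for i in range(200)})
COMPROMISED = [f"ctl-{i:03d}" for i in range(24)] + [f"nla-{i:03d}" for i in range(12)]
COMPROMISED.append("ctl-000")  # a host hit twice still counts once


def compromise_ratio(hosts, compromised, group):
    """Return (compromised, total, ratio) for one experimental group."""
    members = {h for h, g in hosts.items() if g == group}
    hit = members & set(compromised)  # set() de-duplicates repeat incidents
    return len(hit), len(members), len(hit) / len(members)


def two_proportion_test(c1, n1, c2, n2):
    """Two-sided z-test on compromised/total for two groups.
    Returns (z, p_value) using the pooled proportion under the null
    hypothesis that the change made no difference."""
    p_pool = (c1 + c2) / (n1 + n2)
    se = math.sqrt(p_pool * (1 - p_pool) * (1 / n1 + 1 / n2))
    if se == 0:  # every host or no host compromised: nothing to test
        return 0.0, 1.0
    z = (c1 / n1 - c2 / n2) / se
    return z, math.erfc(abs(z) / math.sqrt(2))


def evaluate(hosts, compromised, control="control",
             treatment="no_local_admin", alpha=0.05):
    """Compare the two groups; 'significant' means the observed drop is
    unlikely (p < alpha) to be sampling noise at these group sizes."""
    c1, n1, r1 = compromise_ratio(hosts, compromised, control)
    c2, n2, r2 = compromise_ratio(hosts, compromised, treatment)
    z, p = two_proportion_test(c1, n1, c2, n2)
    return {
        "control_ratio": r1,
        "treatment_ratio": r2,
        "relative_reduction": (r1 - r2) / r1 if r1 else 0.0,
        "z": z,
        "p_value": p,
        "significant": p < alpha,
    }


if __name__ == "__main__":
    for k, v in evaluate(HOSTS, COMPROMISED).items():
        print(f"{k:>20}: {v:.4f}" if isinstance(v, float) else f"{k:>20}: {v}")
```

With 200 hosts per group the same 50% relative drop is distinguishable from noise, but with 10 hosts per group it is not, which is why the size of the groups and the length of the period matter as much as the headline percentage.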
Please, let's consider changing the way we make security decisions. We have an excellent model to follow, even if it is four hundred years old.