1 / 30

Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts

Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts. Rockie Brockway Security Practice Director Black Box Network Services @ rockiebrockway. Credentials. Disclaimer A. Nothing I say represents past, current or future employers. Disclaimer B.

vicky
Download Presentation

Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Business Adaptation: Or how I learned to love the Internet’s Unclean Conflicts • Rockie Brockway • Security Practice Director • Black Box Network Services • @rockiebrockway

  2. Credentials

  3. Disclaimer A Nothing I say represents past, current or future employers

  4. Disclaimer B Not a box popper talk Not a cool tool talk Focused on natural security systems Dabbles in generic politics Arguments are expected

  5. June 5, 1942 Bulgaria, Romania, Hungary

  6. Yemen Pakistan Iraq II Afghanistan Sudan Dominican Republic Vietnam Lebanon Haiti Beruit Korea Serbia Unclean Conflicts Iran Somalia Grenada Lybia Bosnia/Herzegovina Panama Sierra Leone Iraq I

  7. December 25, 1991

  8. Post-Cold War Mindset - No nation was a credible threat to the U.S. anymore What country in their right mind would actively engage in any formal “clean conflict” with the US when you can potentially surpass your goals through small scale unofficial conflicts, espionage and/or terrorism? Our adversaries, both corporate and nation state, have become specialists at executing "Unclean Conflicts" against our business, innovation and defense infrastructure What Happened?

  9. Theory A This mindset of the post Cold War environment naturally filtered into the DNA of our own industrial and corporate business culture – our business leaders, and perhaps to a certain extent, our innovators began thinking the same way Our corporations have been trying to define how the rest of the world conducts business in the same way we as a country try to tell the rest of the world how to act and run themselves

  10. The Rest of the World: Why spend billions of dollars developing technology when you can purchase stolen technology (or steal it) for a few millions dollars?* *Corman/Etue RSA talk < inspired

  11. Organizational Entropy (the natural result of assuming you are smarter than your adversaries)

  12. Reaction? Buy more blinky lights (apologies to our sponsors) Hackback Legislation (SOPA (thank you reddit), CISPA) Irony – Big Business arrogance and the natural reaction to their Organizational Entropy has fueled a larger Big Business of product “solutions”

  13. InfoSec’s Role Prevent the loss of both replaceable and irreplaceable data* Promote Innovation Protect the Brand What are the business initiatives and goals? What is the organization’s business critical data? Where does that data actually live? Who else might find value in that data? * More Corman/Cognitive Dissidents blog

  14. Information Problems Everything we deal with in #infosec and #businessrisk is a subset of a bigger set of information problems, and inherently naturally part of larger issues

  15. The Unnatural State We have defined an environment right now where greed and policy is dictating business and society The longer we accept these unnatural systems that our reactive policies have dictated, the larger the window exists for our adversaries to catch up and surpass us.

  16. “Organizations must learn to live in a world where less and less information CAN be kept secret, and where secret information will remain secret for less and less time” -Joel Brenner America the Vulnerable

  17. Adaptability 2012 DBIR states that 92% of breaches went undetected (estimates, unclear of sources). Better detection may not be the right answer Firewalls? AV? Adding more or improving existing systems is not adapting Adaptation arises from leaving (or being forced from) your comfort zone. Learning from the Octopus, RafeSagarin

  18. Adaptability (Sagarin) The benefits of Decentralized and Distributed organizational systems Multiple sensors No preconceived notions Specialized tasks Adaptable #Success requires A challenge Available resources Information filtering and prioritization

  19. Symbiosis A working relationship between organisms Mutualistic - both parties benefit Commensalism - one party benefits, one is not affected Parasitic - one party benefits, one suffers Symbiosis creates reactions that are more than just the sum of two organisms working together - emergent properties that both transform the organism and transforms the environment around the organism

  20. Natural Security Strategies 1) An organism needs to learn within its own lifetime and across generations 2) An organism needs a decentralized organizational system 3) It needs redundant features 4) It needs to keep running just to keep up 5) It needs to reduce uncertainty for itself and create uncertainty for its adversaries 6) If human, it needs to understand human behavior

  21. The Problem with Walls So given the previous slide’s data, what is commonplace throughout most organizations? < cheap “fixes” Dikes, levees, firewalls - all examples static security incident reactions intended to protect against naturally dynamic threats. That eventually fail.

  22. The Only Options? But either leaving things in their natural state or building artificial barriers can’t be our only options. How can we build more natural and living security systems? But aren’t we humans exceptionally adaptable?

  23. The Big Contradiction How can we as amazingly adaptable individual organisms have created systems and institutions sononadaptable? Businesses, like all other systems, are built on synergistic cooperative arrangements that tend to be self regulating, not static Yet we rarely leave our comfort zones unless we find ourselves in an emergency situation and then we once again show our amazing adaptability

  24. The Challenge How do we design systems that can deal with security problems and respond to them organically and automatically?

  25. Information Usage  Information use and sharing can be as essential to survival as any other adaptation Both a key goal and a resultant outcome of using information in survival situations is to create or reduce uncertainty The way receivers of information, both friends and enemies, perceive the signals you are sending is vitally important to your survival. Organisms seek to reduce uncertainty for themselves and increase uncertainty for their adversaries.

  26. Competition and Cooperation  Competition between organisms can lead to group cooperation Group cooperation then increases the effectiveness of the group against other social groups This group competition can then lead to group cooperation

  27. Adaptable Cascades Creates decentralized organization of multiple semi independent problem solvers Accelerates learning by selecting for success Creates redundancy naturally Helps facilitate symbiotic partnerships

  28. The Basics Introduce challenges, not directives (wisdom of crowds). Without challenges, organizations don't learn. Amplify, reward and replicate your successes. Innovation comes first and learning accrues from successful innovations. Take advantage of localized problem solvers within a centralized organization Promote learning, competition/cooperation and symbiosis

  29. Business Adaptation Business, and therefore Security strategies, must switch from designing solutions to adapting solutions Move away from giving orders and towards providing challenges. (Aka Wisdom of Crowds). Orders assume there is only one solution to a problem A challenge assumes there are many potential solutions, the more people involved, the more likely we are to find a really outstanding solution

  30. Feedback Rockie Brockway Security Practice Director Black Box Network Services securants.blogspot.com @rockiebrockway

More Related