Archive for August, 2020

Make Security an Inside Job – Design Monday

We landed a man on the moon before we had wheeled suitcases. Wait. I’ll do one better. We were orbiting space shuttles before we had wheeled suitcases. I heard this fact years ago and it blew me away. I asked, why?

It took an inside guy solving his problem his way. Picture modern travel luggage. Wheels on the bottom, telescoping handle on the top, right? Robert Plath invented this in 1987, outside of his day job as a Northwest Airlines pilot. (United States patent 4,995,487, if you’re interested.) It was a classic garage inventor success story. Plath developed and tested the prototypes, the idea took off, and he founded Travelpro and began selling the suitcases under the label Rollaboard.

The first design lesson: the person doing the job is the right person to ask about how to improve the job. Good security is usable security.

A while back, I was consulting on a privileged access management (PAM) security capability. The security objective was that all administration be performed from a dedicated laptop, using separate credentials, through sessions that were monitored and recorded. Try selling that level of control, that level of friction, and that level of change to the administrators. Yeah. Good luck with that approach.

Instead, we found the Robert Plath of systems administration. Instead of pitching security, we asked him how heavy his bags were to carry. The team approached PAM as an admin productivity project. Wheels on bottom. Telescoping handle on top. The resulting privileged access workstations (PAWs) reduced access time and simplified systems administration tasks. While the PAM controls added friction, due to the insights and efforts of Plath the systems admin, these were offset by time savings. This is the inside edge that collaboration can bring.

Returning to the actual Robert Plath, there’s one more lesson in designing capabilities. Surely, you must be thinking, other people thought to add wheels to suitcases in the first six decades of commercial air travel. You’re right. Bernard Sadow came up with a design decades before Plath. (United States patent 3,653,474, again, if you’re interested.) It’s effectively a traditional suitcase with castors on one side. I have one. Let’s just say it isn’t the easiest luggage to use. But that wasn’t the main problem. Adoption and culture were.

Bernard Sadow made luggage. Robert Plath flew planes. Sadow had to sell into the market. This ran into cultural issues because, back then, one sure way to show your strength as a man was to carry luggage. Plath just handed his prototypes to flight crews. Not only was Plath’s luggage better, suddenly, it was the cool kids’ luggage. In other words, Sadow pitched safety glasses and Plath offered Ray-Bans.

The final design lesson: planning for adoption is planning for success. Good security takes flight when widely adopted.


This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

CSO: Threat Hunting Explained

With attackers lurking undetected in systems for months at a time, threat hunting is becoming an essential element of security.

Excerpt from: Threat hunting explained: Taking an active approach to defense

The goal of the security team has, of course, always been to stop bad things from happening as early as possible, whether that has meant shutting down an attempted hack from the outside or thwarting risky employee behavior.

Enterprise security teams often struggle to keep up, says Wolfgang Goerlich, advisory CISO for Duo Security, a Cisco business unit, which has offered workshops on threat hunting. SOCs are inundated with alerts about possible problems — so much so that they can’t possibly investigate each and every one. Cisco’s 2020 CISO Benchmark Report, in fact, found that 41% of organizations get more than 10,000 alerts a day.

Alert fatigue sets in and can keep security teams from being as effective as they could be. “If you’re constantly getting pinged, you can never think deeply and you can never think broadly,” Goerlich says.

He also points out that alerts generally indicate active attempts to attack and are not necessarily effective in finding threats that are either waiting for an opportune time to attack or are new and thus unknown to the monitoring systems.

Goerlich says he has seen how an overload of alerts coupled with a strictly reactive approach can leave an organization exposed. He led a red team simulating attacks on a company to test its security posture, using various tactics to try to get into the company’s systems. The security team did indeed identify the individual pieces of the attack, with monitoring systems alerting the SOC to phishing emails and malware. But while the security team successfully stopped individual attempts from exploding into full-blown events, they failed to see the big picture that there was an ongoing, multi-pronged coordinated attack.

“When you’re closing tickets in a fast manner — as you should be doing — you miss the full scale of what’s happening,” Goerlich explains.

But threat hunting, with its proactive approach and its focus across the IT stack versus alerts, helps security teams spot such activity.

Read the full article: https://www.csoonline.com/article/3570725/threat-hunting-explained-taking-an-active-approach-to-defense.html
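The failure mode the excerpt describes, individually closed tickets hiding one coordinated campaign, is easy to show in code. This is an added example, not code from the CSO article or from Duo; the alert fields, stage mapping, window and thresholds are all assumptions, and the alerts are constructed.

```python
"""Campaign correlation over alerts that were each closed on their own.

Added example (not from the CSO article or any Duo tooling). Every
constructed alert below was "resolved" as a single ticket; correlating
them per target over a time window exposes the multi-pronged attack the
ticket-by-ticket view misses. Field names and values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: each one was closed individually by the SOC.
SAMPLE_ALERTS = [
    {"ts": "2020-08-03T09:12:00", "target": "alice", "type": "phishing_email", "status": "closed"},
    {"ts": "2020-08-03T09:40:00", "target": "alice", "type": "malware_blocked", "status": "closed"},
    {"ts": "2020-08-04T22:05:00", "target": "alice", "type": "vpn_login_new_country", "status": "closed"},
    {"ts": "2020-08-05T01:17:00", "target": "alice", "type": "privilege_escalation_attempt", "status": "closed"},
    {"ts": "2020-08-10T14:00:00", "target": "bob", "type": "phishing_email", "status": "closed"},
    {"ts": "2020-08-02T08:00:00", "target": "carol", "type": "malware_blocked", "status": "closed"},
    {"ts": "2020-08-20T08:00:00", "target": "carol", "type": "phishing_email", "status": "closed"},
]

# Assumed mapping from alert type to a coarse attack stage.
STAGE_OF = {
    "phishing_email": "initial_access",
    "malware_blocked": "execution",
    "vpn_login_new_country": "credential_use",
    "privilege_escalation_attempt": "privilege_escalation",
}


def correlate_campaigns(alerts, window_days=7, min_stages=3):
    """Group alerts per target and flag the target when alerts covering at
    least `min_stages` distinct stages fall inside any `window_days` window.

    Ticket status is deliberately ignored: a closed alert still counts,
    because closing it said nothing about the campaign it belonged to.
    Returns {target: sorted list of stages seen in the flagged window}.
    """
    by_target = defaultdict(list)
    for alert in alerts:
        stamp = datetime.fromisoformat(alert["ts"])
        stage = STAGE_OF.get(alert["type"], "other")
        by_target[alert["target"]].append((stamp, stage))

    window = timedelta(days=window_days)
    campaigns = {}
    for target, events in by_target.items():
        events.sort()  # chronological, so each event can open a window
        for i, (start, _) in enumerate(events):
            stages = {stage for stamp, stage in events[i:] if stamp - start <= window}
            if len(stages) >= min_stages:
                campaigns[target] = sorted(stages)
                break  # one hit per target is enough to raise it
    return campaigns


if __name__ == "__main__":
    for target, stages in correlate_campaigns(SAMPLE_ALERTS).items():
        print(f"{target}: coordinated activity across stages {stages}")
```

Widening the window and lowering the stage threshold trades precision for recall; the defaults here are illustrative, not a recommendation.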


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Play with the spaces between the words – Design Monday

Federal Express rebranded as FedEx in the early nineteen-nineties. Shorter name. Modern slogan. But what to do about the logo? FedEx brought in Lindon Leader. Leader’s career began with Saul Bass and he had picked up Bass’s uncanny ability to say much using little. In the case of FedEx’s logo, Leader would make a statement without using anything at all. The blank space, the white space, the hole, that’s the genius of the logo that Leader produced for FedEx. When Leader’s team pitched the logo to FedEx in 1994, only the CEO Fred Smith saw it.

What was it? There’s an arrow in the E and the X. Many people know this now. But most of us have had to have the arrow pointed out. Why?

Functional fixedness, that’s the psychological term. The letter E is an E. The letter X is an X. People fix an object in their mind. This prevents people from considering other functions for the object. The example Wikipedia gives is a hammer. People can easily imagine hammering and nailing, but might overlook the hammer’s use as a paperweight. Another example is an IT team seeing the service desk tool as only a way to do ticket management, overlooking the tool’s use for workflow automation. It is a problem designers face when specifying tooling for security controls.

One example of functional fixedness happened last year when I was consulting with a team on implementing Role-based access control (RBAC). As often occurs, the team wanted to jump right into tooling. Who were the RBAC vendors? What RBAC products did they need to buy? By talking about RBAC without using the specific term RBAC, we were able to break down the requirements. The team saw the human resources system (HRMS), identity provider (IdP), and lifecycle management in a new light, and were able to use them to deliver the security capability. The E and the X made an arrow.

Another example is in the Zero Trust architecture (ZTA) workshops I run. ZTA is all Es and Xs as vendors push hard to fix their implementation as the only way to do ZTA. I’ve structured the workshop to focus on actions organizations take to achieve ZTA. We spend most of the time on the verbs. Combined with framing the conversation with principles, it becomes much easier to see the functional components and brainstorm tooling to meet those components. Sure, E and X can make an arrow, but how else can we make an arrow?

These are the two ways to unlock creativity. Discuss the thing without naming the thing. Discuss what the thing does rather than what the thing is. Both these lenses enable our minds to find similar things or combine existing things in new ways.

If you want a fun way to remember these creative techniques for breaking out of functional fixedness, check out Captain Sideways. That’s right: a superhero who helps people solve problems by seeing new perspectives. See Captain Sideways save passengers on a ship by describing a lifeboat without using its name. Then join Captain Sideways again, where he saves the skies by naming verbs of other solutions. (I’m rather disappointed this comic series didn’t go on for more adventures.) Quite fun.

Back to the FedEx logo. In 1994, only the CEO saw the arrow. Even today, most people don’t immediately see it. So why keep this as a logo? Because when we do, it’s like finding a little surprise, and the little surprise brings joy. There’s pleasure in seeing things in a new way, and when those things click into place. Today, the logo is legendary with dozens of design awards and the logo is ranked one of the best of the last four decades.

Play with the spaces between the words to design tooling. By focusing on the descriptions and the actions, we can find new ways to accomplish security controls. We can find the arrow in our own work.

Federal Express (1973-1994) and FedEx (1994-) Logos

BizTech: Securing Remote Work in a Transformed World

“Now that everyone has shifted to work from home, it’s as if we’ve got 10,000 branches,” Goerlich said. “So the techniques we use aren’t scaling, the approaches we use aren’t scaling, we don’t have the manpower, the technology to possibly secure 10,000 branches.”

Excerpt from: Securing Remote Work in a Transformed World

That added complexity means security approaches that once defined work styles for decades now have to be reconsidered or retired — which means the moat needs a rethink.

“We start to talk about traditional IT as being this environment that had a hard-candy shell around it, or a castle with a moat,” said Kevin Swanson, a Microsoft Surface Specialist. “And you protected all of these outside threats from the things that were important to your business on the inside.

“That dynamic is changing.”

Read the full article: https://biztechmagazine.com/article/2020/08/cdw-tech-talk-securing-remote-work-transformed-world


Let Go of the Past to Design the Future – Design Monday

Music originally filled our homes both physically and metaphorically. Radios and phonographs were of polished wood and polished brass. I have a Brunswick Phonograph from this period. It’s larger than my desk. In the 1920s, music was furniture.

A hundred years has completely transformed how we play music. The revolution sparked off in 1934, when Ekco released a radio that shook off the dead wood. Within that spark, there’s a lesson for cybersecurity.

Ekco, or E.K. Cole Ltd. in England, held a design competition. Scores of designers entered, and Ekco received scores of designs. At worst, the designs were plastic copies of the furniture. At best, these designs had ornamentation which looked like the radios of the day. Wells Coates’s entry was a radical departure. But before we get to Coates, let’s talk a bit about the human need to copy what has come before.

Skeuomorph. That’s the design term. Skeuomorphism is one way to take a design one metaphor at a time, by keeping cues that remind people of what came before. A good example today is the Tesla and other electric cars having front grilles, a callback to when air cooled the gasoline engine. Skeuomorphism makes the new feel familiar, but it can also be a trap. Consider that most cars blow air in three directions: feet, face, or defrost. It is a holdover from when a physical tube controlled airflow and the tube only pointed in one direction at a time. Just as there’s no need for a grille, there’s no need for this climate control limitation.

Wells Coates put it this way: “We must not forget that the past all too often obstructs our view of the future.”

Coates looked beyond the past to come up with a round radio, a plastic radio, a radio that came in colors, a radio that was free from skeuomorphism. I wonder how Coates did it. Was it because he was an architect and not a product designer? Was it because, though Canadian, Coates was born in Japan and had traveled the world before he turned 18? Whether being an outsider or having range contributed, or something else, Wells Coates and Ekco redefined the product category. “They started to get a character and identity of their own, a radio-ness about them if you will, that was separate and different from furniture,” designer Dick Powell explained in The Genius of Design. With the Ekco AD-65, “their new identity was forged and off radios went.”

Research into user interface design finds skeuomorphism softens the adoption curve for those familiar with the past products. (See: Affordances and Metaphors Revisited.) But skeuomorph designs don’t do anything for people who are completely new to both the interface and the metaphor.

When protecting the organization, the first question is whether the security capability will be new to the organization or an extension of what’s in place now. If it is an improvement, giving a nod to the past by carrying certain things forward will ease adoption. If it’s completely new, best to throw away the furniture and start fresh.

Let go of the past to design the future.

Ekco AD-65, Designed by Wells Coates

Reuse and Reduce – Design Monday

Expos and tradeshows never end well. When the show’s over, many become ghost towns. Many more end up in the trash. Annually, the estimate is 600,000 tons of waste. So, it’s no surprise the recyclable People’s Pavilion at Dutch Design Week caught my attention.

The People’s Pavilion also gave me insights into a question people frequently ask: how can security programs get the most out of what they have? The answer is complicated because much of security comes from outside of the security program.

Take the CIS Critical Security Controls, for example. At the time of this article, the current version is 7.1, published in April 2019. As you read through the controls, it becomes obvious most are not owned by the security function. More than half the controls are well-configured IT: IT inventory and configuration, IT monitoring, IT backup and recovery. Add a well-configured perimeter, wired, and wireless network. In fact, it isn’t until the last few controls that security takes a front seat: awareness training, incident response, and penetration testing. IT is the majority and the priority in the CSC.

In the beginning of my career, security was another word for doing IT right. Well-configured IT. This thinking may make a comeback as misconfigurations rise as a cause of security breaches. In the Verizon Data Breach Investigations Report (DBIR), they write: “Errors definitely win the award for best supporting action this year. They are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries. Since 2017, Misconfiguration errors have been increasing” and account for more than 40% of errors in the 2020 report.

Back to the People’s Pavilion at Dutch Design Week 2017. “The building is a design of bureau SLA & Overtreders W. The designers have given a radical new impulse to the notion of a circular economy: the pavilion is made with 100% borrowed materials. Materials from suppliers and producers, but also from Eindhoven residents. Concrete and wooden beams, facade elements, glass roof, recycled plastic cladding: everything is borrowed for 9 days and will be returned to the owners after the DDW.” To demonstrate nothing went to waste, they photographed all the materials when received and when returned. The images were identical, documenting the full process.

When building and implementing a security capability, consider it like the People’s Pavilion, with a majority of the components coming from the IT team. Determine what those parts are. Determine how they’re supplied (with, for example, SIPOC diagrams). Determine who will be responsible (with, for example, RASCI charts). Reduce any waste in building the security capability. And finally, to prepare for future projects, design for disassembly.

To get the most out of a security program, begin with the configuration and operation of secured IT. Then reduce any wasted effort and smooth out the hand-off between security and IT.

People’s Pavilion, Dutch Design Week 2017, Photography by Filip Dujardin

SDxCentral: Why Cisco Duo’s on a Quest to Kill the Password

Things to know about passwordless security: no, criminals will not cut off your thumb or peel the skin off your face to steal your biometrics and hack your network. And yes, C-suite executives always ask Wolfgang Goerlich, advisory CISO at Cisco Duo, this question.

Excerpt from: Why Cisco Duo’s on a Quest to Kill the Password.

“Everybody does,” he said. “We’ve seen so many ‘Mission Impossible’ movies — we know the risk. But here’s the thing: if a criminal is able to clone my biometrics, get ahold of my phone, get ahold of my computer, and bring those both into my home office, and then authenticate as me, and then only open up the applications that I normally open up during business hours, at that point I may just hire him as a contractor.”

He encourages CISOs to “bundle” passwordless with other zero-trust security tools such as identity and access management. “Partnering identity with passwordless is very appealing because we can establish that strong user identity with strong authentication factors without requiring more user effort. So this is a rare opportunity where it can actually reduce the amount of work that they need to do to establish that strong authentication.”

Read the full article: https://www.sdxcentral.com/articles/news/why-cisco-duos-on-a-quest-to-kill-the-password/2020/08/

Wolf’s Additional Thoughts

As part of the design series, I have put forth the idea that being ahead of the curve is being ahead of the criminal. The early adoption of a control — doing something right but rare — has surprising stopping power against common attacks. I expect organizations who are early adopters of single strong factor authentication, passwordless, will have this sort of surprisingly strong defense.

Well, for a while. When adoption reaches critical mass, the criminals will be highly motivated to work around passwordless authentication. We have seen this with strong second-factor authentication and criminals adopting phishing and proxying to bypass this control.

Therefore, my strong recommendation is pairing passwordless with additional anti-fraud measures. Include the device identification in the authentication. Include behavior analytics (where, when, how) to further bolster trust in the authentication. We can predict criminals will work around these authentication methods, so let’s move now to put in place compensating controls to detect and prevent their next move.
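One way to express the pairing recommended above, a passwordless factor backed by device identification and where/when/how behavior signals, as a policy decision. This is an added example, not Duo’s product logic or code from the post; the profile fields, weights and thresholds are assumptions chosen for illustration.

```python
"""Risk-based policy around a passwordless login.

Added example (not Duo's implementation). The passwordless assertion is
assumed to have already verified; this layer adds the compensating
controls from the post: device identification plus behaviour analytics
(where, when, how). Weights, thresholds and profile fields are assumptions.
"""
from dataclasses import dataclass


@dataclass
class UserProfile:
    known_devices: set      # device ids previously bound to this user
    usual_countries: set    # countries seen in recent successful logins
    usual_hours: range      # local hours of habitual activity
    usual_methods: set      # how assertions are normally produced


@dataclass
class AuthEvent:
    user: str
    device_id: str
    device_trusted: bool    # device health/posture check passed
    country: str
    hour: int
    method: str             # e.g. "platform_authenticator", "roaming_key"


# Constructed baseline, as a team might derive from its own login history.
PROFILES = {
    "alice": UserProfile(
        known_devices={"laptop-7f3a"},
        usual_countries={"US"},
        usual_hours=range(7, 20),
        usual_methods={"platform_authenticator"},
    ),
}


def score_event(profile, ev):
    """Return (risk score, reasons). Each anomaly adds its assumed weight."""
    risk, reasons = 0, []
    if ev.device_id not in profile.known_devices:
        risk += 40
        reasons.append("unknown device")
    if not ev.device_trusted:
        risk += 20
        reasons.append("device not trusted")
    if ev.country not in profile.usual_countries:
        risk += 25
        reasons.append("unusual country")
    if ev.hour not in profile.usual_hours:
        risk += 10
        reasons.append("unusual hour")
    if ev.method not in profile.usual_methods:
        risk += 15
        reasons.append("unusual method")
    return risk, reasons


def decide(ev, profiles=PROFILES):
    """Map the risk score to an action: allow, step_up or deny.

    step_up means the passwordless factor alone is not enough and extra
    verification (or a helpdesk path) is required before access.
    """
    profile = profiles.get(ev.user)
    if profile is None:
        return "deny", ["no baseline for user"]
    risk, reasons = score_event(profile, ev)
    if risk >= 60:
        return "deny", reasons
    if risk >= 25:
        return "step_up", reasons
    return "allow", reasons


if __name__ == "__main__":
    ev = AuthEvent("alice", "phone-0001", True, "US", 10, "platform_authenticator")
    print(decide(ev))
```

A new device alone triggers step-up rather than denial, so legitimate device enrollment still has a path; the deny branch is reserved for stacked anomalies.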


CyberScoop: Security professionals lose central watering hole with demise of Peerlyst

For years, the Peerlyst social network has been a resource for software developers looking for a job or cybersecurity enthusiasts wanting to host meetups across the world. But on Aug. 27, the website will shut down, Peerlyst founder Limor Elbaz said Monday, citing financial pressure.

Excerpt from: Security professionals lose central watering hole with demise of Peerlyst

Cybersecurity professionals lamented the end of the platform. “I took the news hard,” said J. Wolfgang Goerlich, an advisory CISO at Duo Security who has posted nearly 700 times on Peerlyst. “With the Peerlyst going away, we’re losing a central watering hole. The conversations may continue over LinkedIn and Facebook groups. But the loss of a dedicated security social media site will be felt for some time.”

The site also let users plan their own offline meetups in various cities in Asia, Australia, Europe, and North America.

Read the full article here: https://www.cyberscoop.com/peerlyst-shut-down-infosec-professionals/

Wolf’s Additional Thoughts

I was an early adopter of Peerlyst and a regular contributor. I ended up the 22nd most popular user on the site, which boasts of serving “70% of security professionals around the world and the site ranks higher than the majority of security companies.” Also? Peerlyst once put my face on the side of a bus during the RSA Conference. So I’m a little biased.

There is tremendous value in community. Apple itself got its start at the Homebrew Computer Club. I spent many years and cut my teeth as a top poster in the Citrix online community, back in the early 2000s. And in the last decade, more people than I can count had their careers launched through my local security community, MiSec.

I’m sad to see Peerlyst go and am grateful to Limor Elbaz, Evgeny Belenky, and the entire Peerlyst team. My thanks to them for the memories and connections.

To you the reader, I ask this: what community will you build?


Start projects like movies – Design Monday

Saul Bass forever changed cinema.

Saul Bass designed corporate identities. He created movie posters. In both, his signature style was minimalism and clarity. Consider the iconic AT&T bell logo (1969), or the Magnificent Seven poster below (1960). Clean. Concise. But he is best remembered for his reimagining of the movie title sequence. Originally, the titles were how the film provided credits. And because of this, people naturally ignored them, using the time for a concession run.

Saul Bass saw it differently: “The audience involvement with the film should begin with the first frame. Use titles in a new way to create a climate for the story that was about to unfold.” Take my favorite of his title sequences: Grand Prix (1966). The engine revs. The cars come into view. The engineers’ and mechanics’ movements are isolated, amplified, repeated, glorified. Everything about those first few minutes pumps me up. I frankly can’t recall anything else about the film. But I never forgot that intro.

Of course, my reaction was a bit of a problem for studios. “There was a backlash against inventiveness in credit design, first from the industry and then from at least one well-known critic,” Jan-Christopher Horak writes in Saul Bass: Anatomy of Film Design. Quoting Variety in 1957, “An offbeat credit runoff, while pleasing to the patrons, does an injustice to the talent since the audience’s attention is diverted from the names.”

Let’s put Saul Bass’s story aside for a moment and turn towards designing and architecting cyber security capabilities. In the final phase, when planning the implementation, how are we treating the critical beginning of the project?

Most kick-off with the equivalent of running credits while stakeholders are getting popcorn. A 2018 study by the Project Management Institute (PMI) into project failures reflects this status quo. Projects failed due to vision (29%), poor communication (29%), and unsurprisingly, inadequate support from stakeholders and sponsors (26%). We read off the checklist and they check out.

“In a sense,” says Art of the Title, “all modern opening title sequences that introduce the mood or theme of a film are a legacy of the Basses’ work.” It’s short form storytelling. It’s an entire theme of a movie boiled down to simple ideas well visualized. An opening title sequence frames the movie and creates excitement for what’s to come. If we want our implementation to be successful, this is what our kick-off meeting must deliver.

Start strong. Start with style. Plan the kick-off meetings like Saul Bass planning a title sequence. The project will be our blockbuster. Start it like one.

The Magnificent Seven, Poster by Saul Bass
