TechRepublic: Four ways CISOs can move enterprise security into the new normal

Archive for September, 2020

TechRepublic: Four ways CISOs can move enterprise security into the new normal

Posted by

Security is changing rapidly, and the COVID-19 pandemic hasn’t helped. A Cisco roundtable of chief information security officer advisers plotted the course for a secure future.

Excerpt from: Four ways CISOs can move enterprise security into the new normal

It’s time for collaboration, not control. CISOs can’t simply dictate security policy and expect users to fall in line. Not only will workers not fall in line with top-down security directives, they’re also likely to intentionally subvert them to get what they want out of the tech they use at work. “The more constraints placed on users, the more creative they become,” Goerlich said. Savvy users, Goerlich said, can be an asset to a cybersecurity team, helping to secure networks by collaborating with CISOs instead of working against them.

AI and machine learning: CISOs are right to be skeptical. “Training an AI model can take months,” Goerlich said, adding that a rapid change like the kind encountered with stay-at-home orders can throw machine learning models out the window. There were countless alerts and false positives thrown by AI-powered security software at the start of the pandemic, Goerlich said. 

It’s time to embrace a passwordless future. “Passwords have had their time. Nowadays attackers don’t break in, they log in,” Archdeacon said. Goerlich said the transition will be driven by two things: What users expect from consumer devices (e.g., FaceID, Microsoft Hello, etc.), and new security standards like FIDO2 that make passwordless security practical.

Read the full article: https://www.techrepublic.com/article/four-ways-cisos-can-move-enterprise-security-into-the-new-normal/

Wolf’s Additional Thoughts

I’ve taken to calling what happened in March and April as “the Spring when the AIs went insane.” Everyone shifted from working from the office to working from home, and then some shifted back when many were returning to the office. This occurred in three months. Typical general purpose UEBA takes 6-months or more to train. The result was a significant increase in false positives as the human response to the pandemic outstripped the UEBA AI/ML ability to learn. Everything was unusual. Everything was a threat. Everything generated an alert. In other words, the AIs went insane.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

Security is not the control, it is the context – Design Monday

Posted by

Seeing is Forgetting the Name of the Thing One Sees. A fantastic title, right? I was having a coffee meeting with a new product designer a few months back. As can happen, I was pretty wound up, going on about the need for usability and human-centric design in cybersecurity. She told me, “you need to read Seeing is Forgetting the Name of the Thing One Sees.”

The book covers conversations Lawrence Weschler, the author, had over three time periods with Robert Irwin. It gets to the heard of Irwin’s philosophy and approach. Irwin began abstract in the 1960s. He painted lines. He painted dots. But when displaying his work, Irwin noticed the way the art was experienced was influenced by factors outside of his paintings. Any of us who have seen optical illusions with colors and lines understand this instinctively and likely think nothing of it. But to Irwin, who was obsessed with the experience to the point of banning photography, this simply wouldn’t do. Irwin took to replastering and repainting walls, sometimes whole studios, where his art was displayed.

Robert Irwin insisted on controlling the entire experience and this led to the realization that the surroundings were just as important as the artwork itself.

We’ve been slow at coming to a similar realization in cybersecurity. Consider the Web application. A thousand things have to go right for it to work, and a thousand things can go wrong from a security perspective. OWASP framed these issues up into a top 10 list. This simplified the work of developing a secure Web app. However, OWASP initially focused solely on the app itself.  Of the six releases since 2003, only the last two releases included the walls and studios, the vulnerable server components, on the OWASP top 10. We’re slow to recognize the importance of the surroundings.

Robert Irwin’s obsession with the surroundings transformed the artist from painter to landscaper. He has gone on to produce more than fifty large scale projects since 1975.

From the perspective of a designer, we must consider how the new capability fits into the existing cybersecurity portfolio and, more broadly, into the organization. We have to replaster the walls. We must make sure it fits in the studio. From the defensive perspective, this makes a lot of sense. A criminal faced with a strong control will look at the environment for other weaknesses and take advantage of gaps. From the usability perspective, Robert Irwin reminds us that how something is seen is as much about the thing as it is about the overall experience.

Security is not the control itself. Security is the surroundings.

Robert Irwin’s Double Blind exhibit at the Vienna Secession, Austria.
Photography: Philipp Scholz Ritterman

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

The Work of Luck – Design Monday

Posted by

It is the final task of an implementation. The stakes are high. One of your people hits a wrong button. The entire system comes crashing down. My question: Is this good luck, or bad?

For an answer and inspiration, I look to Massimo Bottura. Bottura is a chef and restauranter. At his Michelin 3-star restaurant, Osteria Francescana, a similar situation played out. The pastry chef, Taka Kondo, was platting the final course. One tart slipped. Smash! And to Kondo’s surprise and relief, Massimo Bottura burst out laughing. Good luck! The Oops! I dropped the lemon tart was born. The dessert has become legend.

You can hear Bottura tell the story himself at the video below. For now, I want to turn to the question of how to get lucky. So many things must go right when deploying technology, we can use all the luck we can get.

One factor in seeing the opportunity in accidents is associative barriers. High associative barriers lead to functional fixedness. By contrast, people with low associative barriers tend to find connections and opportunities others don’t. I’ve previously covered techniques to get beyond functional fixedness: discuss an item without naming it, and discussing what an item does rather than it is. (See Play with the spaces between the words.) Here, let’s cover building new associations.

New associations can prime us to turn accidents into good luck. It provides a larger net for catching ideas. The exercise is simple. List the assumptions. Imagine what would happen if the opposite were true. We can (and probably should) do this at multiple stages in designing security capabilities; from the vision to our assumptions about the organization, the security function, the security controls, the tools, and our assumptions about implementation. For example:

  • A tart from a Michelin 3-star restaurants is carefully plated and perfectly constructed.
    • It is messily deconstructed. Innovation: Oops! I dropped the lemon tart.
  • The authenticating security credential is a person’s ID and password.
    • A person can authenticate without a password. Innovation: passwordless.
  • A security perimeter is enforced by the network, that is, by a firewall.
    • A perimeter is enforced regardless of network. Innovation: Zero Trust.
  • Defense-in-depth necessarily means having deep control coverage.
    • Defense can be achieved with only a few controls. Innovation: attack path.

The other factor in finding the opportunity in accidents is time. Rushed people don’t get lucky. Stressed people don’t get opportunities. The psychology of stress and time shows people develop tunnel vision and repeat well-known and practiced techniques. The same is equally true for rushed and stressed projects and initiatives. The same goes for rushed and stressed teams and operations. This is an anathema to getting lucky, of course. We’re highly unlikely to see possibilities and to take them on when in this state. Buffer time and down time create the space for getting lucky.

“Leave a free space for poetry. Leave a free space from obligation. You have to be ready to see what others don’t even imagine,” Massimo Bottura says in the video below. He could be speaking directly to us about designing security capabilities. “Make visible the invisible.”

Massimo Bottura tells the story behind Oops! I dropped the tart.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Mies and IBM Plaza: Knowing When More is More – Design Monday

Posted by

The building came into view. My vantage point was on the Chicago River. It was Valentine’s Day. Now Chicago natives had warned us about the cold February winds. But there my wife and I were, on a river tour of Chicago’s architecture. Frozen to the ship’s deck, we looked up as the IBM Plaza came into view.

Ludwig Mies van der Rohe designed the building in the 1960s. Mies came from the famed Bauhaus school, another of my favorite sources of inspiration. In fact, Mies was the last director of Bauhaus. He moved from Berlin to Chicago in 1937 to head the architecture department of Illinois Institute of Technology. There’s a direct line from Bauhaus to Second Chicago School of architecture. Specifically, in minimizing ornamentation in favor of emphasizing building materials themselves.

It was this modernism which drew IBM to Mies van der Rohe. But there was a problem. Many, in fact, with the building IBM wanted. Computing technology of that age was notoriously hot and power-hungry. Moreover, computer engineers were at a premium, which meant a large workforce with little patience for waiting on elevators. Every minute counted. Moving to the ground, the lot was an oddly shaped. Triangular. It sat partially atop of a train line which restricts the foundation needed for a skyscraper. And to top it off, the site had an agreement to provide storage for the Sun-Times. That’s a lot.

“Less is more” was popularized by Mies van der Rohe. Boil down architectural requirements to the essentials. In cybersecurity, we’ve embraced less is more. You see it in concepts like least privilege, least trust (aka Zero Trust), economy of mechanism, and limited security blast radius. You see it in my security principles; like when I discuss building Roombas not Rosies. Less is more is a reminder to take a minimalist approach.

Even from the Chicago River, you can feel the minimalism of the IBM Plaza. The exposed vertical beams, the glass and steel materials on full display. Less is more. But it’s more than it seems. The building has more than double the elevators of a comparable building. The cooling system is similarly over-powered. Designed by C.F. Murphy, the HVAC is tuned for 1970s era computing. Mies also made several floors to be taller to support raised flooring, and reinforced to support the weight. The building is subtly shifted back to make use of the lot, with weight shifted back onto a strong foundation. This feature explains the open pillars in front and allowed Meis to neatly avoid the question of the railway. Less is more? If anything, much of the IBM building is overdone.

Less is more is not a call for doing less. It is a reminder to save our energies to do more where it counts. It is a reminder to pour the savings into solutions for the problem at hand. When we save resources for priorities, less isn’t loss.

IBM moved into IBM Plaza in 1971. For more than three decades, the building was the Chicago office of the tech giant. “The building was declared a Chicago Landmark on February 6, 2008 and added to the National Register of Historic Places on March 26, 2010.” Today, the building at 330 North Wabash is known as the AMA Plaza. It stands as a testament to Ludwig Mies van der Rohe’s ability to balance less and more.

The design lesson: More of what matters is more.

The floating foundation of 330 North Wabash, Chicago. Photography by Ryan Cramer.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Build Roombas not Rosies – Design Mondays

Posted by

The Jetsons debuted this month in 1962. The cartoon depicted a family living a hundred years in the future, 2062. The swooping architectural style, with the quite fun name Googie, serves as the visual language of the future in shows from The Incredibles to Futurama. The everyday gadgetry in the Jetsons foreshadows today’s drones, holograms, moving walkways and stationary treadmills, flat screen televisions, tablet computers, and smart watches.

Remember color television was on the very cutting edge of technology when The Jetsons debuted. This list is impressive. But that smart watch? That last one wasn’t by accident.

The dominant smart watch in 2020 is the Apple Watch, designed by Marc Newson and Jony Ive. In an interview with the New York Times, Marc Newson explained his fascination with the Jetsons lead him into the world of design. “Modernism and the idea of the future were synonymous with the romance of space travel and the exotic materials and processes of space technology. Newson’s streamlined aesthetic was influenced by his Jetsonian vision of the future.” I imagine the first time Newson FaceTimed Jony Ive on an Apple Watch, they felt the future had finally arrived.

Designing the future has constraints that imagining the future lacks.

For starters, people and culture constrain innovation. Consider George and his flying car, Elroy and his jetpack, and space tourism. All these are technically feasible in 2020. But I wouldn’t trust a young boy with a jetpack, nor would most of us have money for a trip to the moon. Another constraint is technical complexity. Sure, we have talking dogs. But the reality is much different from the Jetson’s Astro. And yes, we have AI and robotics. But Siri is no R.U.D.I.

When designing future security capabilities and controls, we need to identify and quantify the constrains. One technique for this is the Business Transformation Readiness Assessment. Evaluate factors such as:

  • Desire, willingness, and resolve 
  • IT capacity to execute
  • IT ability to implement and operate
  • Organizational capacity to execute
  • Organizational ability to implement and operate
  • More factors here: https://pubs.opengroup.org/…/chap26.html

With this evaluation, we can rank what’s feasible against what’s needed. We can act on areas with momentum (desire, willingness, resolve) and build capabilities that can be maintained. But! There’s one additional step.

We don’t need a robot to push around a vacuum when we have a robot vacuum. We don’t need a full AI/ML deep learning platform when we can have a well-tuned SIEM. Implement security in a minimum viable way.

Identify the constraints. Select the security capability the organization is most ready for. Then build Roombas, not Rosies.

Rosie the Robot, The Jetsons, Photography by Brilux.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.