Thursday, March 6, 2014

Contrarian in Depth

It was announced this week that the CIO of Target resigned following the well publicized breach of credit card data. Target was just one victim of many, but at the center of the story due to their scale.  Scale should be an advantage as it means defenses are well funded, but this was obviously not enough.  I assert that it is because they were far too predictable and conventional.

To understand the predictability of decisions made in the defense of corporations, I must first describe the climate of these corporations and how they are organized.  (Bear with me.)

As with community, township, county, state and nation; what comprises a company is a collection of individuals. How a company behaves is a collection of decisions made by these individuals.  What propels a company is the actions taken, again, by these individuals.

Companies themselves break down into groupings that have distinct accountability and govern themselves, as much as permitted, according to best practices for handling this accountability and all of the responsibilities therein. The leaders of these groupings are the middle management.

The accountability assigned to them allows their leaders to minimize the accountability directly placed upon them.  This is especially important in very large companies.

When the accountability of a particular group is large and unwieldy, these groupings are further pared down into additional groups.

Thus layers and layers of middle management are born.  Those who aspire to move upward in these layers of groups are driven to demonstrate their ability to manage individuals and then groups beneath them.  When you cannot move upward, you build beneath.  Now we have the empire builders.  Each middle manager is permitted to grow groups beneath them by their superiors because their superiors are also driven to demonstrate their ability to manage complex groups.  The ambitions of the managers beneath them are harvested for their benefit.

The experienced empire builder signs up for the right amount of responsibility within their org.  These responsibilities must be important enough to raise attention but not so important as to be dangerous to the survival of the empire.

This is the climate in which IT security lives just as any other IT function.

I joined an IT security group just as security was being recognized as a distinct and essential function within a large corporation.  I've seen it grow from a small collection of practitioners and thinkers to a complex organization with its own breakdown of distinct functions.

It's predictable and what's predictable is easier to understand from the outside.  An attacker can make assumptions that are likely to be correct.  The attacker can assume that the target has chosen tools that are common.  The careful middle manager does not take many leaps from what is perceived as common best practices.  If he is asked to choose an anti-behavioral-malware solution, for example, he will choose what's perceived as the best by the industry.

The attacker can assume a well-funded company has FireEye or perhaps Palo Alto Wildfire.  Of course assumptions aren't necessary when the tool chosen is apparent from LinkedIn or can be easily pried from a boastful salesperson.

There are many actions that could be taken to address this.  LinkedIn can be monitored.  The company can subscribe to services that watch for activity that targets the corporation.  Additional solutions can be employed that fill in gaps or otherwise augment the limitations of the primary solutions.  Hell, if the budget permits it, double up the top-of-the-line solutions employed: don't choose the one best solution, choose the two best.

However, could it be a good move to go the other way and choose the less-than-obvious solutions?  A cautious practice of this might be to employ a solution perceived as the best but also one that is perceived as emerging. More radical, and perhaps contrarian, would be to choose a couple that are emerging.

Of course this approach would have the added benefit of embracing innovation in the industry.  Customers with complex requirements are fertilizer for companies with emerging ideas.

One could go further and decide to build solutions from scratch or from collections of available open source tools.  However, this is something that most companies would have a hard time handling because they do not have core competencies in software (unless they are in the security industry).  What's worse is that it's much more challenging to build confidence upward, with senior leaders.  It's hard enough to simply get their attention, much less convince them that a home-grown idea is the best choice.  It's wiser, it appears, to instead go with the short-hand of sales brochures from large security firms whose top executives give speeches at conferences.  It's wiser to check the Gartner magic quadrant... the senior leaders will do this after all.

What if Target had taken an unconventional approach while rolling out their point-of-sale (POS) systems?  The Target POS systems that were attacked were actually new implementations very recently rolled out to the stores.  What if they had chosen something not just slightly customized, as was the reported case, but radically different?  What if instead of a Windows variant, they were rolled out on OpenBSD or some obscure embedded operating system?  (The common wisdom is that they should have had MFA for the leaked credentials, or even should have segmented their systems better and used privileged access management, but this is the walled garden approach, which is essentially wishing that the perimeter/firewall convention could live on in perpetuity.)

The answer is that had they made a more contrarian move they would not have been compromised (not this time).  The attacker could make broad assumptions about the retail industry and these assumptions paid off.

Target very likely could not have even conceived of this kind of approach because of the friction across organizations. Who would manage the OS if it was unfamiliar?  How would we harden it?  How would we deploy it?  Who would integrate common card readers with this system?  Would our compliance and vulnerability monitoring tools even provide coverage for such an uncommon system for corporations?  How would we patch it?  For that matter, who would design this?  The security org?  That's not what they do.  Who would champion it?  The CISO?  That would seem too assertive for an org that is essentially a cross-cutting concern.  The empire builders and their empires make the unconventional very difficult.

I had a conversation with a security SME from a local medical device manufacturer.  I had briefly spoken to a group about the *Internet of Things (IoT)*.  This had him thinking about his company.  So far the IoT has mostly been about what seems like silly nonsense, such as smart fridges and smart light switches.  In his industry, however, their IoT involves important tools that save lives or improve them greatly.  Increasingly these devices have an address and, with that, complex integration challenges.  Of course they also have major security challenges.

He bounced an idea off me that involved employing encryption in such a way that it's more difficult to unwind for attackers.  I embraced it for the same reasons I describe above.  I think they should invent to solve their problems.  Further, they should not settle on just one approach, but evolve it and perhaps employ different approaches to different devices (to control their attack surface should one security invention be unwound).  I would normally advise people NOT to invent in the complex area of encryption because this specialized area requires rare talent. However firms like Cryptography Research could aid in the design and vet the solutions prior to deployment.

I assume that even within this device manufacturing company, the same organizational barriers exist.  This will very likely destroy any chance for this idea to be realized.  Security folks aren't easily embraced as visionaries in industries that aren't focused on security.  It would take a rare talent to push this forward.  Unfortunately, the first step this person must take is to understand these barriers and call attention to them as he presents ideas.

Listening for and understanding this organizational friction is in the best interest of those who are ultimately accountable for security.  As the resignation of the Target CIO demonstrates, common best practices are not enough.  Contrarian and even radical ideas must come to the forefront to defend against the increasingly effective adversary.  Not doing what everyone else is doing is key to defense.  Of course, this cannot simply be security-by-obscurity, but well thought out defenses.

Simply building out a bigger security empire is not enough and will probably only make matters worse.  This is what's likely to happen now that Target has a CISO.

Contrarian in depth means that much more thoughtful and innovative remedies must be prescribed and expected from the security org.
