On the Approachability of Problems

"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man."
George Bernard Shaw

The response to my most recent post has been intriguing insomuch as it was completely predictable and expected (though nonetheless disheartening). The few people who've commented have generally said things like "unrealistic" and "unimplementable" and "already been done, failed." Ironically, none of these criticisms are true, nor are they even necessarily knowable. Sure, there have been other attempts at strict compartmentalization (see Qubes OS), but those attempts aren't a true analog for what I suggested. I digress...

The purpose behind my post here is twofold. First, framing problems is imperative to solving them. Frame a problem in the wrong way and you'll either find no answer, or worse, you'll find a woefully inadequate (or even regressive) answer. Second, we as an industry need to stop being total a**holes when presented with new ideas and open our minds to future possibilities. There's nothing worse than hearing about a new approach, idea, technology, whatever, and immediately responding negatively. What's up with that? Rude, to say the least. Again, I digress...

Framing problems is really what I want to talk about today. The ability to shift our thinking to alternative viewpoints is incredibly critical when thinking about how to solve various problem states. In the example of my endpoint security post, the shift in thinking is to realize once and for all that the current framing of the problem makes it unsolvable. We have ample history now to clearly demonstrate that how we're attacking (traditional OS) endpoint security simply isn't reasonable, rational, or pragmatic. As such, time to pivot.

Solving Endpoint Security

"Insanity: doing the same thing over and over again and expecting different results."

As a security architect, I've come to truly loathe the endpoint security space. The "answer" seems to be an unending stream of "yet another agent" to layer onto an endpoint, usually just to supplement another tool that's insufficient. Rarely, if ever, can I remove one of these tools (like AV! I still have AV after all this time?!), which means I get to encounter all sorts of conflicts and problems, and for what benefit? Why am I investing hundreds of thousands for incredibly small incremental gains? Insanity...

Part of the challenge with endpoint security is the problem state. As it stands today, we're typically stuck in a traditional general purpose OS environment with very little useful segregation. We deploy tools that live inside this general environment and then hope that a) they keep functioning, b) don't introduce more problems, and c) are somehow able to get enough visibility to assert reasonable control. Sheer folly. It's like trying to estimate the size of an infinite universe from an ant's perspective.

Putting aside specialized solutions deployed to endpoints for solving non-endpoint problems (like monitoring or controlling data movement)... the core focus of endpoint security /should/ be focused on monitoring for state changes. Unfortunately, in a general OS environment, this is very difficult because there are rarely clean, clear boundaries that can be watched for these state changes. In the mobile world we see this problem moving to a slightly more tenable position wherein wrappers and containers can be deployed to better define boundaries, which then enables watching for state changes. We're also starting to see this in production applications that leverage a container-based micro-services architecture. All of which leads me to an interesting thought:

unikernel+containers+sidecars=secure endpoint!
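To make the "watch for state changes across a clean boundary" idea concrete, here is an added example (mine, not code from the post). It assumes a hypothetical immutable image whose expected contents are captured as a baseline manifest of file hashes, plus a declared set of mutable paths (the only places a container is expected to write). Everything outside those paths that differs from the baseline is reported as drift. The file contents and paths are constructed sample data, not taken from any real image.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: the contents of a small immutable image at build
# time (the baseline) and the same filesystem as observed later at runtime.
BASELINE_FILES = {
    "/app/server": b"ELF-placeholder-binary",
    "/app/config.yaml": b"listen: 8443\n",
    "/etc/ssl/ca.pem": b"-----BEGIN CERTIFICATE-----\nconstructed\n",
    "/var/log/app.log": b"",
}

OBSERVED_FILES = {
    "/app/server": b"ELF-placeholder-binary",          # unchanged
    "/app/config.yaml": b"listen: 8443\ndebug: true\n", # modified
    "/tmp/.cache/run.sh": b"#!/bin/sh\n",               # added
    "/var/log/app.log": b"started\n",                   # expected churn
    # /etc/ssl/ca.pem is missing: removed
}

# Paths the workload is allowed to mutate (hypothetical mutable volume).
EXPECTED_MUTABLE_PREFIXES = ("/var/log/",)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file content; the unit of comparison in the manifest."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each path to the hash of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class Drift:
    added: list
    removed: list
    modified: list

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def _is_expected_mutable(path: str, prefixes: tuple) -> bool:
    return path.startswith(prefixes)


def diff_manifests(baseline: dict, observed: dict,
                   mutable_prefixes: tuple = ()) -> Drift:
    """Report state changes outside the declared mutable boundary.

    Because the baseline is a complete description of the image, every
    difference is attributable: a new path, a missing path, or a changed hash.
    Paths under a declared mutable prefix are ignored, since change there is
    the workload doing its job rather than a deviation from the image.
    """
    base_paths = {p for p in baseline if not _is_expected_mutable(p, mutable_prefixes)}
    obs_paths = {p for p in observed if not _is_expected_mutable(p, mutable_prefixes)}

    added = sorted(obs_paths - base_paths)
    removed = sorted(base_paths - obs_paths)
    modified = sorted(
        p for p in base_paths & obs_paths if baseline[p] != observed[p]
    )
    return Drift(added=added, removed=removed, modified=modified)


def check_sample() -> Drift:
    """Run the comparison over the constructed sample filesystem."""
    baseline = build_manifest(BASELINE_FILES)
    observed = build_manifest(OBSERVED_FILES)
    return diff_manifests(baseline, observed, EXPECTED_MUTABLE_PREFIXES)


if __name__ == "__main__":
    drift = check_sample()
    for label, paths in (("added", drift.added),
                         ("removed", drift.removed),
                         ("modified", drift.modified)):
        for path in paths:
            print(f"{label}: {path}")
```

The point of the design is that the detection logic is trivial once the boundary is well defined: the image is the baseline, the mutable volumes are declared up front, and anything else is a state change worth an alert. On a general-purpose OS the same logic drowns in legitimate churn because there is no equivalent declaration of what is allowed to move.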

Ten Feet Tall and Covered in Mud

Those who know me know that I'm not overly concerned with being liked, per se, so long as I'm not often wrong and not generally thought an idiot. However, by the same token, it's sometimes nice to be wanted, and maybe even appreciated, from time to time. Now more so than in the past, heading into RSA 2016 in a few short weeks, I'm starting to realize that the temporary career boost from my time at Gartner has faded and my dance card for the event is remarkably empty.

This phenomenon of transitioning from "leading analyst firm" to "mere mortal" has been interesting. While I'm now enjoying my new environs, it certainly did not start out that way with the first post-analyst experience. If nothing else, it has certainly confirmed my concerns over the state of the industry, instilled throughout my time as an analyst.

Specifically, it seems that no matter how far we'd like to think we've come as an industry, we're still generally losing ground and - more importantly - losing the battle and the war. A friend and I were just discussing earlier today the abysmal state of things and just how bleeding common it has become to encounter teams and organizations where everyone is running around with their hair on fire, trying to "do something to help," but as often as not simply making things worse.

How did we come to such a point in the industry wherein we're able to stand on the shoulders of giants and still be mired in mud? Paradoxical, to say the least, but also greatly distressing. Are we so far behind in our maturity and technological advancement? Alas, I think it may be true that for every step we take forward as the security industry, we're continually leapfrogged by our adversaries, who neither think linearly, nor have to worry about dealing with an asymmetric environment wherein we must succeed all the time and they must only be lucky once. It hardly seems fair.

Fortunately, I think there's an out, if we're only savvy and brave enough to entreat it. Alas, pricing on various automation tools still seems to be relatively high, and continually targeted at the F250 companies. However, less expensive options, such as Ansible, Puppet, Chef, and even Jenkins (to name a few), increasingly provide a reasonable starting point for security automation and orchestration, not to mention the FOSS tool FIDO from Netflix, as well as the potential for greater market accessibility for Invotas Security Orchestrator, which has been acquired by FireEye.

We'll have to see how things pan out, but I'm cautiously optimistic that we may eventually get our collective heads above water... but only by shifting away from human-dependent paradigms to ones underpinned by creative, proactive automation that scales.

Interviewed by Balabit

I was interviewed in December 2015 by Balabit for their monthly eXPRTLK column, which was published in January 2016. I hope you'll find my responses interesting and, dare I say, insightful. The full story is here:
http://csiblog.balabit.com/blog-posts/exprtlk-benjamin-tomhave

Back to Blogging, Changed Jobs Again

Well, hi there! It's been a while. Sorry about that. It seems my personal site blogging has curtailed the past *mumble mumble* months. ;)

So, here's the deal: I changed jobs in March. It sucked. Badly. I knew by the 2nd day that I'd made a horrible error. But... going back wasn't an option... and so, I looked for a forward step. Which took a while.

Over the Summer I thought it'd be fun to, ya know, once again suffer a depressive episode that included drinking myself into oblivion one night, expressing rather dark thoughts to my wife (while blacked out) that led to my relinquishing my booze for a few months and going dry. But I digress...

The good news is: I'm feeling much better! I've changed jobs, heading over to Ellucian to play security architect for my manager from AOL days (the only person who's managed me successfully for more than 12mos).

The other good news is that I'm finally getting the writing bug back and hope to start contributing here again on a regular basis. I've done some writing over the past couple months, but all for clients, not for myself. Time to change that up a little bit.

Given my security architecture focus, spanning traditional data centers to hosted/colo to cloud/AWS, my hope here is to be equally broad in focus. As such, don't be surprised if I touch a lot of topics going forward.

And, best of all, if there are specific topics you'd like to see addressed, please hit me on twitter and I'll do my best to produce a post on the topic!

Must Read: The Lafayette Campaign

Given the ongoing primary races for the two "major" parties, the timing of Andy Updegrove's The Lafayette Campaign couldn't be much better. It's a sequel to his most excellent first Adversego thriller, the Alexandria Project.

In The Lafayette Campaign, our intrepid computer security hero Frank Adversego is asked by a super-secret intelligence agency to investigate electronic voting fraud. The farther down the rabbit hole he goes, the crazier things get. The cast of characters seems straight out of the GOP slate. The story will leave you wondering if, as voters, we really do have an actual choice.

By the end you'll be eager for Updegrove's next story in the series. I highly recommend getting your copy now!

I contributed a piece to the Norse Security Dark Matters blog a few weeks back.

It's Time to Kill the General Purpose Browser

Another week, another critical Adobe Flash vulnerability (CVE-2015-3113), complete with active exploit in the wild. Adobe encourages everyone to patch right away, but is there more you should do?

In fact, here in 2015, with a constant stream of broken apps, broken browsers, broken plugins, and breach after breach after breach, I'm left to wonder: Why are we still using general purpose browsers at all anymore? Are they, and their associated plugins, doing more harm than good?

Continue reading here...

I'm pleased to announce the formation of Falcon's View Consulting! This new business will initially be available on a part-time basis to provide security architecture advisory, "consulting CISO," and cybersecurity product marketing and strategy services.

More details will be provided in the near future, but until then I wanted to get the official word out there. Feel free to ping me on Twitter (@falconsview) or email me (tomhave-at-secureconsulting-dot-net) for more information. I look forward to hearing from you!

The Policy Trap

It's that time of year again: time to update the policies! This annual exercise is always a source of great enjoyment for me (no, not really). After all, there's nothing like having the non-technical flailing about as they try to force-feed technical requirements down the throats of IT without explaining, justifying, or providing any factual basis for asking. If there's something most techies love, it's an over-the-top policy recommended by external auditors.

Quite frankly, policies are the precursor to, and embodiment of, the checkbox-compliance mindset. We all know how well that's worked out for us thus far. I mean, looking at all the data breaches we're not having thanks to compliance and policies, right? Hahaha... oh.

RSA 2015: Security Mega-Con!

It was another record year for the RSA Conference USA, with a reported 33,000 attendees (an increase, I believe, of 8-10k year-over-year). This year also saw the first truly full-scale double-expo event with both Moscone North and South sporting packed expo spaces with more vendors than seemed possible or reasonable. Impressive growth for our industry, to be sure, though as always it in many ways raised more questions than it provided answers.

Due to limited personal funding, my trip was short (Tu-Th) this year, so I missed out on the DevOps Connect event Monday, which I heard was phenomenal. I also didn't get a chance to look at Innovation Sandbox, though given prior year experiences I wasn't too disappointed. I did wish I could have caught Amit Yoran's first opening keynote as RSA big chief, but alas it wasn't to be...

Creative Commons License
This blog is licensed under a Creative Commons License.