Friday, October 7, 2011

Agile Security Manifesto #1 - Be More Adaptive than Our Adversaries

The first principle of the Agile Security Manifesto is perhaps the most challenging. We state, “The pursuit of security requires that we be more innovative and adaptive than our adversaries.” I’ve been searching for a simple illustration of this principle and here is my attempt at representing it, as well as challenging you to start thinking about the problem in these terms.

We as practitioners must somehow find a way to outsmart the "bad guys." The rub is that we have to do it in such a way that things appear normal to our users: they must feel unencumbered, free to do what they feel is right for them, for us, for the business.

This is the problem and, I think, the fundamental reason we are at this point in our evolution. Collectively we have come to depend on technology and process to make our world what it is. These technologies and processes have become so important to the functioning of our world that we have wrapped them in more process and validated those processes with more technology. We have gone to extraordinary lengths to actively prevent change to these technologies in the misguided pursuit of stability.

So there we have it. Our misguided pursuit of stability has created our dependence on technology, and the failures of that technology ultimately result in catastrophic ripples in our view of the world. We respond by becoming more regimented: we introduce more processes, add another layer of monitoring, and say "that will never happen again." We do not implement processes that allow us to operate in the presence of failure. We no longer have the ability to respond outside our processes and parameters because stability has prevented us from exploring the possibilities. Our prior successes in implementing this stability, achieved wholly outside the presence of an adversary, have suppressed the need to be innovative and adaptive, and even the awareness that there is an adversary at all.

If you think about it in terms of real world analogues you might come up with this:

Users are the birds, attackers are the squirrels, and we are in the middle.
Squirrels are incredibly motivated to compromise bird feeders. Not because they are lazy, but because the payoff is far greater than foraging around for nuts all day. If they get into that feeder they have weeks' worth of food available, and a consistent and reliable source to return to for more. The birds have food, too, just not as much.

In many ways this is the challenge we face: stopping the squirrels while allowing the birds to feed. We have to be more adaptive than the squirrels and more innovative in approaching the problem: think outside the box, or perhaps rethink how we design and protect the bird feeders in the first place.

Back to the principle: "The pursuit of security requires that we be more innovative and adaptive than our adversaries." We are encumbered as practitioners by the need for stability and comfort. We must find ways to overcome these challenges before we can be more innovative and adaptive than our adversaries. We have to find the opportunities to innovate our defenses in ways that do not significantly impact our businesses and users. We have to take the time now to prepare for when the attack comes, be it an opportunistic drive-by looking only for users' financial information, or a targeted attack on your intellectual property that uses you as a stepping stone to the next target. We have to think of ways to know that a compromise is there, ways to force attackers into revealing themselves, without impacting our users.

To be more innovative and adaptive than our adversaries requires that we know a lot more about our networks, users, applications, and weaknesses. As practitioners we have to test them, confirm that they are what they were designed to be, and then find creative ways to mitigate the risks we uncover, and we need to do it in such a way that our users are minimally affected. Only you can do this; outsiders cannot do it for you. Only you are in a position to know these local weaknesses, unless of course the adversary is already there. We have to be able to mitigate these risks while others evaluate making appropriate changes, and collectively we have to protect stability in the process.

In the end we must be more innovative and adaptive than our adversaries, and the process of getting there will be a challenging one. While I think our technologies are a good step towards enabling adaptive defenses, I also think that it is nearly impossible to implement truly adaptive defenses in any measure of time that approximates "rapid." The bottom line is that if you don't start now, you will surely discover that it is too late at the moment you need it to already be in place.

Photo credit: http://www.gardenvisit.com/blog/2008/09/30/squirrel-proof-bird-feeder-cage/
