To defend networks, we should be able to measure their security performance. I’m going to show you the exact techniques to measure the security of portions of your internal networks, such as anti-virus, malware and anomalous event detection. Then we will apply the same techniques to compare the security of classes of protective security products even though vendors don’t supply such specifications.
Main points covered:
• How to measure security and compare the effectiveness of protective devices as a function of time
• The internal process mechanism is immaterial to system measurement; signature-based A/V, rule-based binary decision making, heuristics, deep learning or any possible hybrid
• Attendees will be introduced to, and receive, the math, tools, charts and schematics needed to measure their own security
Presenter:
Winn has lived Security since 1983, and now says, “I think, maybe, I’m just starting to understand it.” His predictions about the internet & security have been scarily spot on. He coined the term “Electronic Pearl Harbor” while testifying before Congress in 1991 and showed the world how and why massive identity theft, cyber-espionage, nation-state hacking and cyber-terrorism would be an integral part of our future. He was named the “Civilian Architect of Information Warfare,” by Admiral Tyrrell of the British MoD.
Recorded webinar link: https://youtu.be/F8Fs4yE_CUU
How to Measure the Security of your Network Defenses
2. The Premise(s)
• Current Security Models are 45 Years Old. (Anderson, 1972)
• Next Gen Ain’t Working and the next next-Gen won’t either.
• Digital is not binary.
• The key to network survival is the ability to adapt to change.
• We are stuck. In. Stasis.
• Infinity is why traditional network security has failed.
• Infinity is Our Single Biggest Enemy
14. June 27, 1991
Our computer systems are so poorly protected, they are “An electronic Pearl Harbor waiting to happen.”
“The Civilian Architect of Information Warfare.”
Admiral Tyrrell, UK MoD
16. I Wanted to Prove Security Impossible.
Of Course It Is.
Hold On.
Wait.
(crass commercial plug coming later…)
17. Security can be measured.
We’ve just been thinking the problem wrong.
• Digital is not binary. Binary conditions rarely exist. There is fuzz everywhere.
• Security is never 100%. No, never.
• Firewalls, Passwords et al. are the Maginot Lines of network security.
• Infinity is the Enemy. Feedback is a Must!
• Think recursive. Get loopy.
• “At the same time” (simultaneity) only means something at the quantum level. It’s otherwise meaningless. You really mean “in sync” or “soon”.
• One can never be 100% positive about trust; it is an analogue function. Therefore, neither 100% nor 0% trust is achievable or meaningful.
18. A Philosophical Approach to Cyber-Security
• Kill Absolutism: Min-Max Only. No ‘0’s and no ‘1’s. That’s called ‘Analogue’.
• Security is Dynamic. Not Static. Trust is Fuzzy.
• Employ Detection in Depth.
• Integrate Analogue Functions to Measure Security
• Insert Feedback. (Pos/Neg/OODA)
• OOB Comm is Required.
• Introduce Negative Time.
Time is the common metric between security, privacy and risk.
Above All: Do Not Change Current Internet (TCP/IP) Protocols or Network Architecture.
19. START HERE: Time Based Security (1998)
• Protection (Fortress Mentality Does Not Work)
• P(t) > D(t) + R(t), & P(t) = indeterminate
• D(t) + R(t) = E(t)
• The goal is: [D(t) + R(t)] >> 0
• If P(t) < D(t) + R(t), then E(t) = [D(t) + R(t)] - P(t)
• BW / IDBI = 1/E(t)
• Data Loss Risk
20. The Premises of Feedback in Networks
• Static Security is a Fail. Dynamism is Required.
• Without Feedback, Network Chaos is Ensured.
• Apply Min-Max instead of 1s and 0s.
• Think recursive. Get loopy. Squeeze the Loop.
• “At the same time” (simultaneity) only means something at the quantum level. It’s otherwise meaningless. You really mean “in sync”.
22. SCADA-like Negative Feedback In Our Personal Lives
• Thermostats: Auto-adjust cooling and heating systems to dynamically adapt as dictated by the chosen temperature.
• A toilet ballcock rises with the water level and closes a valve that turns off the water.
• Motion detection for room lighting, which also happens to be time-based.
• Home automation systems.
• Driverless cars.
23. Synaptic Weighting in Neural Networks
The Brain is Analogue, and Processes Neurally.
Why are we letting the tech (them!) tell us humans to think like them?
Constant weighting, feedback/feedforward, and updates.
24. Where is Network Security Feedback?
• We are only moving data… not dynamic control information.
• SCADA/ICS does both.
25. Network Security Is A Bear
• This is the basis of Analogue Network Security.
26. OODA Loop Feedback
• Apply to Kinetic Conflict
• Apply to Marketing
• Apply to Business Processes
• It’s a Decision Cycle!
Developed by USAF Col. John B for Aerial Dog-Fighting
30. My Wife’s Car Does This – Out of Band
• Natural Human Feedback
• OOB (Head Turn)
• Adapted to Collision Avoidance
31. I Have Trust Issues
• Trust is NOT Binary!
• It changes over time!
• Dynamic Trust Degradation
• Periodic Trust Re-Evaluation
32. The Analogue Two (Or More!) Man (Person) Rule
• Alice makes a choice
• Bob must approve (Feedback)
• Time is the Metric
2 People or Processes MUST agree.
33. Replace Defense in Depth (Epic Fail) with Detection in Depth
“Sensors on GE (et al) jet engines can produce 10 terabytes of operational information for every 30 minutes they turn. A four engine jumbo jet can create 640 terabytes of data on just one Atlantic crossing. Now, multiply that by the more than 25,000 flights flown each day…”
COMMON DETECTION SENSOR TECHNIQUES:
Optical spectrum. Electromagnetic - DC to 300+ PetaHertz (gamma rays, 3 X 10^21 Hz). Sonic: from almost 0 Hz to ~250KHz at sea level air. Pressure. Viscosity. Phase relationships (time). Vibration (intensity/time). Velocity (time). Acceleration (time^2). Tuned to specific Chemical Signatures. Echoing & Doppler. Temperature (time & time^2). Proximity. Weight/Mass. Flow (time).
50. What Can You Do Now?
• Measure Your Detection Process. You can do this!
• Measure Your Reaction Process. You can do this!
• Measure Vendor Performance: You can do this!
• Compare Products in Test Bed
• Demand Hard Data From Your Vendor!
• Examine Security Process for Intrinsic Feedback
• Where else can Feedback be applied? Code? Human/Cyber/Physical Processes?
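The Time Based Security arithmetic from slide 19 applied to the test-bed product comparison slide 50 asks for, as an added example that is not part of the original deck or the presenter's material. It assumes constructed detection/reaction measurements for two hypothetical products, treats P(t) as 0 when it is indeterminate, and estimates data at risk as link bandwidth multiplied by E(t).

```python
from statistics import mean

# Constructed measurements (not vendor data): for each observed event,
# seconds from compromise to alert (D) and from alert to containment (R).
SAMPLES = {
    "Product-A": [(40, 300), (55, 280), (35, 320), (600, 900)],
    "Product-B": [(120, 60), (110, 70), (130, 65), (125, 80)],
}


def exposure_time(d_t, r_t, p_t=0.0):
    """E(t) = [D(t) + R(t)] - P(t), floored at zero.

    P(t) defaults to 0: the deck treats protection time as indeterminate,
    so the conservative measurement is E(t) = D(t) + R(t)."""
    return max(0.0, d_t + r_t - p_t)


def protection_holds(p_t, d_t, r_t):
    """True only when P(t) > D(t) + R(t), the condition slide 19 demands."""
    return p_t > d_t + r_t


def data_at_risk_bytes(exposure_s, bandwidth_bps):
    # Assumption: an attacker can move at most bandwidth * E(t) bits while
    # the window is open, so bytes at risk = bits / 8.
    return exposure_s * bandwidth_bps / 8


def summarize(samples, bandwidth_bps):
    """Per-product exposure statistics from raw (D, R) measurements."""
    report = {}
    for name, events in samples.items():
        e = sorted(exposure_time(d, r) for d, r in events)
        report[name] = {
            "mean_e_s": mean(e),
            "worst_e_s": e[-1],
            "worst_bytes": data_at_risk_bytes(e[-1], bandwidth_bps),
        }
    return report


def rank_by_worst_case(report):
    """Order products by worst observed exposure, shortest first."""
    return sorted(report, key=lambda n: report[n]["worst_e_s"])


if __name__ == "__main__":
    rep = summarize(SAMPLES, bandwidth_bps=100_000_000)  # 100 Mb/s uplink
    for name in rank_by_worst_case(rep):
        r = rep[name]
        print(f"{name}: mean E={r['mean_e_s']:.0f}s worst E={r['worst_e_s']:.0f}s "
              f"worst data at risk={r['worst_bytes'] / 1e9:.2f} GB")
```

Note that Product-A detects faster than Product-B on most events yet ranks worse, because its reaction time and one slow outlier dominate E(t); detection speed alone is not the metric.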
51. ISO/IEC 27032 Training Courses
• ISO/IEC 27001 Introduction: 1 Day Course
• ISO/IEC 27001 Foundation: 2 Days Course
• ISO/IEC 27001 Lead Implementer: 5 Days Course
• ISO/IEC 27001 Lead Auditor: 5 Days Course
Exam and certification fees are included in the training price.
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27001
www.pecb.com/events