There is a small trend these days in cybersecurity circles: small-group get-togethers where thinkers and ideas get worked over by small groups of deep-thinking professionals. I have very much been enjoying Metastore’s and Bart van Dongen’s community. We’ve spent time digging into some topics that may not be so well explored, with less of the large-scale conference chatter: a day, a room in an interesting location, some good food and extremely good company.
Last time Bart challenged me to work with Simon Sinek’s ‘Better Together’; it was a good challenge, with a good result to be had at a small event in Antwerp. This time we took on another challenge: the ever-present ‘Innovation’ conundrum. I had been trying to wrap my tongue around a problem I have been working on for the past year or more. Innovation is everywhere. And although it is full of its own esoteric ‘language’, it is not so far off things we know well (the Deming Cycle and Design indeed share startling similarities, and this is well before we get to Boyd’s OODA, which bears even more similarities with loops inside of loops).
And indeed I am pleased to be able to set the ‘ask’ of the day. Making our cyber approaches business friendly and responsive to the challenges our clients face today. How can we prove ourselves fluent in the conversations and ‘buzz’ happening from the Board Rooms to the Lego Rooms? And if we are not in the Lego rooms, we miss the strategy shift before it gets to the Board. Not OK. It’s a double ended stick as well. Securing our innovative and ‘new’ process from as-yet-unforeseen attacks (unforeseen by us perhaps, not by the opponent in many cases sadly enough). But also, we are a young industry, cyber security, too young to be tradition-bound and hide-bound by structure and mistakenly held beliefs. Yet we far too commonly are, and spend countless resources on ‘best practices’ that may be less than optimal.
We have our favorite small team from the Nordics, Mnemonic. They have been looking at Managed Security Services for a while now, from a deeply European perspective delivering a global solution. Everything from the way they manage their staff (same absolute bonus, from CEO to administrative functions) through their technical operations shows thoughtfulness. It’s a pleasure. We’ve been chatting up a storm with Tommy about micro-services and cloud-based managed security (using it). They have some interesting ideas and although the topic du jour was Incident Management, we were trying to look at Incidents a bit differently as well.
But this one had to make me smile. I am a huge proponent of Clifford Stoll’s book . It has sent so many of us ‘young timers’ on our tour to security as a profession and avocation. It was a pleasure to have the impact validated by new-readers operating deeply in today’s advanced threat landscape who find the words of wisdom just as valid today as when they were first inked in 1989! Here we are, 30 years later, still dealing with some of the same issues.
Well, maybe not exactly the same issues. The issues are getting worse. As someone who often had to deal with earthquakes, well, it is not so wrong to have to place incidents and the cyber situation of today on a logarithmic scale instead of a linear one. It is the only way to capture the scope and size of the challenges of today in a meaningful way. Yes, automation, data analytics and much more are needed at the granular level, and Mnemonic shows this well, as their data is tracing this on a moment-by-moment basis at scale for their clients. Doing the same as we have been doing all along is not just falling behind. It is falling behind, exponentially, at scale.
But I have a small issue with logs and incidents, monitoring and alerting. They are past-tense. We need to spend time with them, yes. But the story of the driver who falls half-asleep after long hours of boring driving strikes a chord for our weary cyber professionals with overloads of log and incident data to process. So much of what we do may seem humdrum analytics and indeed sometimes we can only ask for a quiet day. But how to see ourselves in front of these challenges, what ‘design’ lessons to bring from the corporate innovation mantras? And how can we bring our cyber teams along? This is the heart of the Cyber Book Clubs Cyberwayfinder is supporting. Find a small team of like-minded professionals. Look to the thinkers and doers and look forward to where we are going. Explore and try stuff and radically collaborate our way forward.
And Lara Schreuer is here to share another way forward. A different look at attribution while we may have been ignoring an important data point in our commercial space. Indeed, my ‘conventional’ wisdom is that attribution is for nation states and those who are in policing. For the rest of us, (try and) boot them out and get things stabilized and get back to work. Lara presents a cogent argument why this is no longer an option, where and how agencies are coming on line and the legislation is supporting this. She also dives a bit into what the future may look like where this becomes more and more something we can and must ask our logs and incident handling to support. Interestingly, this is a way forward looking in the front-view mirror, ahem.
Lara is working in interesting areas at the intersection of people innovation (she participates in the Cyberwayfinder program) as well as government, legal and political discussion going on surrounding this topic. I have been hearing more and more about another book we must consider reading … Dr Mary Aiken’s The Cyber Effect. We need to understand, those of us who are spending far too much time in the heating pool, what is happening to the minds of the people around us and how cyber-psychology is becoming very relevant. What people do, how they respond online, needs effective models.
This gives a small pause: in my own deck I had been speaking about the intersection of online and traditional frauds. A lunch invitation with Satoshi Nakamoto from Financial Sector colleagues, intrigued by the ‘get’ to meet the man behind the myth, was an obvious setup. But to spring the trap was a worthwhile exercise. And tracing this forward to my own ‘rant’ after one too many lunches with fintech CEOs who do not know Stewart Brand from Patrick Stewart: the impact of Pace Layers on innovation and adoption, why it was not gaining traction at our infrastructure level, and why Governance was such a hassle. It’s a very useful model, whether it is blockchain at the Financial Infra level, or a smart-and-hip-super-laser-customer-UX/UI app, but sharing with my colleagues the impact of the online rant (enjoyable for ‘us’ colleagues and utterly ignored by the target audience) was an exercise in catharsis and, ahem, vulnerability management of a different sort. And entirely predictable if you are following Mary Aiken.
Lara walks us through the deeper thinking behind the social matters related to how we have been handling, and a deep-dive is a refreshing reminder that as bad as it is in our cyber domains, at least my office politics seem simple when compared to the geopolitics in attribution at the moment. We have some challenges in our future and it is a welcome discourse to imagine the impacts we can have from a commercial layer on how we approach this moving forward. Also Lara is most eloquent in her ‘pitch’ to have us be better corporate citizens around this.
And this is indeed a welcome exhortation from Lara. As young as we are, there are more than a few bad-best-practices that we are guilty of, and a strong argument is to be made that our answers of yesterday, based upon a fortress/citadel model, do not at all work in today’s interconnected environment. Especially if we consider the interconnectedness as deriving from everything from Facebook-election-hacking to smart-phone bullying to the retreat from rule-of-law and a distrust of institutions.
We, as security practitioners, are to do better to bolster our ‘democratic’ processes and to support necessary attribution such that we can usher in a new digital future, securely. We have recently lived through a Black Swan moment. That we did not necessarily recognize this as an Incident across our industry and drive concretely reactive changes in our own approach to our security layers is a failure. A failure to learn and to react.
But this room is not an easy sell. The Q&A on attribution, with all of its inherent problems, is a given. Why we do not wish to engage and spend the resources is also a given. With the real challenges of our distributed reporting and judicial system it is no small matter. But in this discussion regarding Incident Response and thinking differently, radically collaborating
We are experimenting with some things. The Hostage Negotiation effort with Interventis and Calvin, and Timo is exciting. Their reception in Central Europe and into the UK is strong. Yes, this is a hot topic of the moment. But it is critical when working with ex-Police to respect where they come from. Ultimately protecting and serving, and not just the one-offs. At Geopolitical level. Also our Masterclass series. Working with our leaders and executives to bring them along on this journey so they can lead to that secure interesting innovative future-state. The one where we all wish to live.
Yet one can never get too far away from the quiet dragon that is Kali – a real-time real-world experience. It is almost a pleasure to retreat to the comfort of trying to be quieter, to hear more loudly, gather more data. I’m reminded of the images scattered throughout Europe of the great lizard being stepped on by figures with gleaming swords, spears, etc.: an apt metaphor.
When next you are growing frustrated at the hectic pace and non-stop frenzy that is your ‘usual’ cyber conference event <ahem, we know who we mean>, perhaps it’s time to consider a smaller and more thoughtful venue. Invite some interesting minds to share some interesting forward-looking ideas. Look beyond that IOT hack of 10 seconds ago. Look to what we are building. Find some people whose forward view you wish to share. And if in doubt how, ask Bart; I am sure he has some suggestions.