It is the privilege of the young to have a belief that all questions will have answers, and the grace granted those with experience to not laugh so hard at the young that a muscle is pulled.
No matter how ridiculous the buzzword, advanced the data set and well-designed the powerpoint slide, the fact remains that security work is largely the art of making an educated guess sound like less of a guess and more of a certainty, taking action upon that guess, and hoping that you’ve guessed correctly.
We all fear the dark and things we do not understand, it’s human nature to try and add layers of control and understanding regardless of how correct these may be. Thousands of years ago a rustle in the grass may indeed have held an animal viewing us as dinner, and so a jump and flee may have been what saved us from being a tasty snack, but safe in the suburbs we can be relatively certain that the bush in our lawn does not hold a lingering terror, but, short of checking every bush every time, we can’t actually know.
But to prevent a total mental breakdown we all lie to ourselves, that lessons of the past can be future prologue and that with enough information gathered, the future holds no dangers in its shadows. So while a hasty embarrassed glance at a bush after a particularly scary movie may be performed, the actual need to establish presence or absence of lions found in the bushes in our yards goes largely un-addressed.
But within the tech space we learn of new far more dangerous lions daily, and depending on where and how we live and the state of our lawn, the sheer magnitude of the work required may find even brave souls scuttling for new careers.
The security space has been created to handle the most human of fears, fear of the future dangers but is also both governed by, while at the mercy of, this uncertainty. This drives saturation, fragmentation and irrational behavior among buyers and sellers, and the larger the organization, the more moving parts, and the more dangerous in both number and style of attack, its lions.
Because the challenge is so dynamic, committing technological, organizational and financial resources to a specific tactic is counterproductive — and bound to fail. It’ll only be a matter of time before the next major breach renders an approach ineffective.
Regardless of the varying motives and approaches pursued, both those charged with defending and attacking systems, can only operate within the constraints dictated by human tendencies and behavior. The security of any organization is only as good as its implementation and use over time, and that effectiveness can only be measured in the context of their interaction with the people they were built to protect.
Security risks do not simply appear but are born out of how people choose to share information with one another, the implementation of this desire being expressed in coding errors, implementation errors, configuration errors (just a few examples), the digital manifestation of that most human of desires, to connect.
The security space has been created to handle the most human of fears, fear of the future dangers but is also both governed by, while at the mercy of, this uncertainty.
“The lions are coming!” scream the highly visible marketing campaigns. “They will eat you you up!” shout people selling lion hunting weapons. The fact that no one will survive the furious lion onslaught is made clear over and over in security dashboard after security dashboard, and yet the parent company remains somehow mystifyingly calm. In fact seeming far more interested in attracting and retaining customers, successfully competing in an evolving market, operational BAU and downtime.
The natural question being why, is the powerpoint not working? Is the demo not communicating the personal danger? Are the tooling dashboards not driving action? Is there perhaps a 3 letter acronym that should be used more often? Perhaps yet another dashboard claiming to have KPIs to drive action?
The truth is that what may have started as a reasonable fear, may over time have morphed, and what once had been prioritization and pragmatism begins to falter under the weight of time and feelings of rejection. From this place of isolation and desperation is born a desperate attempt to escape the feeling of inadequacy, and regain a sense of control, often irrespective of the outcome or impacts on technology or staff.
The confusion brought on by misunderstanding the job of security to foster robustness rather than resilience. Patching systems, often starting with those legacy or with internet exposure, where it is assumed that attacks or exposures are most likely to occur. But this effort can lead to further development on these same systems under the flawed assumption that the system being patched, solving the security challenge and resulting in systems that should have long ago been removed from an environment becoming ever more enmeshed. Solving security bugs as a singular, binary state, input validated to stop an XSS attack, may cause further splinters within the database schema adding layers of complexity, a WAF configuration updated, may in fact be adding hours of maintenance cost to an already overburdened operational team.
This behavior is born of the misleading presentation of the problem as one based on reduction of risk. Rather than seeing the risk as a certainty, with the goal being to change the circumstances in which it manifests itself enough so that the least amount of damage is eventually done.
Security hubris has placed an emphasis on the ability to predict where an attack may come, the isolation of the security practitioner becoming the perceived need to trying to look under every bush, in every yard, at every moment, eventually leading to viewing devs and operational teams as hopelessly unaware gardeners. The only thing that truly matters is outcome, the system will either survive the attack, or it won’t. And while it may be comfortable to say ‘we told you so’ and that ‘we saw it coming’ both are the responses of an attempt to regain a sense of control, but offer no actual solutions to a system brought down, and data exposed.
We must recast our focus as we build security within our systems, embracing risks as a natural part of every environment.
Where it is less important to be able to name each individual lion and it’s unique impact, but rather to create a systems built on the understanding that attack and change is inevitable, and thus systems and structures must grow around this fact rather than attempt to grow more robust when faced with this reality.
One could define that a civilization begins when its members begins to care for those within their group who through injury or circumstance can not care for themselves. When a member of this group is injured, the larger group will be measured by its ability to heal around a wound sustained by the individual, adapting to new circumstances quickly. Success is then re-defined not in terms of an individual being either eaten or not eaten by potential lions, but by the larger group’s capacity to endure.
About Siren Hofvander
Siren Hofvander is a Secure Development Consultant, working remotely in Europe focused on building person centered security into platforms and processes. She has a love of security process design, automation, infrastructure, and goals of ridding the world of security dogma and ‘because I said so’ism. When not at work Siren spends a great deal of time trying to figure out what her dogs are doing or have in their mouths, mentoring security juniors, playing board games, reading, and trying to find her keys/wallet/phone.