Making Security Suck Less

Wednesday, December 15, 2010

Pete Herzog

And so it begins. Some important changes to the current security model, changes necessary to actually improve security, have now been made available to the public in the form of OSSTMM 3. Maybe this isn't "the" answer, but it's a new road to take us off this rugged path and bring us much farther with much less trouble. If you've read it you'll know that taking on this new model will require big changes in how we think about security and how we act.

Unfortunately, changes don't just implement themselves. At least not in a good way, and not in a way that generally improves security, seeing how some smart people already made a rule that entropy favors disorder and chaos. Think of a metal lock wearing away over time and use until it crumbles. Then again, it's really a matter of perspective, isn't it? If you're a sock hiding from your pre-arranged pairing then a chaotic bedroom is much more favorable and safer for you than an orderly one. Still, the security changes that need to be made to the currently accepted security model won't make themselves on purpose. They require effort. Which means it's up to you. Yes, change sucks sometimes. But, and here's a little secret, doing security the way we've been told to sucks worse.

The news is full of security failure stories, many of them about organizations that did exactly what they were told was right. Many passed compliance requirements. The model is indeed broken. However, too many would rather keep sailing a sinking ship than go through the trouble of moving to a better one. Seriously. So who here thinks that the security model they have will always keep them safe? Raise your hand if you do. Really? Wait, let me ask this another way.

How many of you have ever had something break when you ran an update or security patch? Raise your hand if you have. How many of you have ever had a virus, scareware, cracks, hacks, or spontaneous reboots even though your software was updated and your patches were installed? Many of you are keeping your hands up. Ever wonder why this happens? I mean really why, and not just parroting the justifications companies use as excuses for why this happens? It's because the security model we've been fed, and keep getting served, is one designed with justification as a major component. If you've ever had to make an excuse for your security controls like "We can't patch 0-days fast enough" or "If only we could afford XYZ brand security this wouldn't have happened," then you're using justification as a security control.

You should understand that any time you add to or change code it becomes different code, so things that worked before may now break. Any time you add or change anything, even a small patch, the attack surface can change for a particular vector: a new listening service, a changed default, a different parser. Even if it's a security change meant to make things safer and better (or maybe especially then) you have changed your attack surface. This puts you in a never-ending cycle of patching and scanning in search of security, in much the way that taking one step forward and then changing direction will never get you where you want to go. At least not on purpose.
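A concrete check for the point above, added here as an illustration and not part of OSSTMM 3 or any ISECOM code: snapshot the listening sockets before a change and diff them afterwards, flagging anything newly reachable from off the host. It assumes Linux `ss -Hlntu` output as input; the before/after lines embedded below are constructed samples (a patch that rebinds a database from loopback to all interfaces, plus a new agent listening on 8443), not captured from a real host.

```python
"""Attack-surface drift check: diff listening sockets before and after a change.

Added illustration for this post; not OSSTMM 3 material and not ISECOM code.
Assumed input format: `ss -Hlntu` (Netid State Recv-Q Send-Q Local Peer).
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


# Constructed sample: host before the change.
BEFORE = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
"""

# Constructed sample: same host after a patch and a "security" agent install.
AFTER = """\
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5432      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8443      0.0.0.0:*
tcp   LISTEN 0      128    [::]:8443         [::]:*
udp   UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
"""

# proto, state, recv-q, send-q, local address, peer address
LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")

LOOPBACK = {"127.0.0.1", "::1"}


def split_addr_port(local: str) -> Tuple[str, int]:
    """Split '0.0.0.0:22' or '[::]:8443' into (address, port)."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def parse_listeners(text: str) -> Set[Listener]:
    """Parse ss output into a set of (proto, addr, port) listeners."""
    found: Set[Listener] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unrecognised line
        addr, port = split_addr_port(m.group("local"))
        found.add(Listener(m.group("proto"), addr, port))
    return found


def is_externally_reachable(listener: Listener) -> bool:
    """Anything not bound to loopback is reachable from the network."""
    return listener.addr not in LOOPBACK


def diff_surface(before_text: str, after_text: str) -> Tuple[Set[Listener], Set[Listener]]:
    """Return (added, removed) listeners between two snapshots."""
    before = parse_listeners(before_text)
    after = parse_listeners(after_text)
    return after - before, before - after


def report(before_text: str, after_text: str) -> Dict[str, List[Listener]]:
    """Summarise drift; 'new_external' is what a patch or product just exposed."""
    added, removed = diff_surface(before_text, after_text)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "new_external": sorted(l for l in added if is_externally_reachable(l)),
    }


if __name__ == "__main__":
    # In practice: save `ss -Hlntu` output before the change, run it again after.
    for key, items in report(BEFORE, AFTER).items():
        print(key)
        for l in items:
            print(f"  {l.proto} {l.addr}:{l.port}")
```

Run it against two saved `ss -Hlntu` snapshots and every entry under `new_external` is a question to answer before the change is called finished: in the sample, the database that used to listen only on loopback is now on every interface, which is exactly the kind of silent attack-surface change the paragraph above is talking about.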

Next, you must take into account that the failures in the model don't come only from outside attacks but from the model itself: it doesn't scale, doesn't offer enough bang for the buck, and isn't operations friendly. A security model so expensive to initiate that it outweighs the benefits to operations is also a failed one. A security model that doesn't let you understand when you have too much security, too many controls, or too little regard for how operations need to happen is also a failed one.

"Oh, but what about the 0-days?!" I hear some of you say. "Patches and updates are our defense to that threat!" But 0-days are really just a device to prove that you are unready for the unknown. Achieve balance between operations and controls and you are ready for the unknown. That's what OSSTMM 3 teaches you to do. You should read it.

Now not everything about the old security model is bad. Personally, I really like the Zen feel of it. It's like raking the fine, white beach sand into those concentric lines and around rocks and dead fish and stuff. It's very Zen. Then as the tide rises, the wind blows, and Frisbees get badly thrown, you have to do it all over again in a very Zen way like this: Install. Harden. Configure. Patch. Scan. Patch again. Update. Re-configure. Scan. Patch again. Uninstall. Re-install. Configure. And then you do it all over again! With so much Zen practice it's hard not to become a Master of the security repeat cycle. But you know what else is Zen? NOT doing that. It's less stressful to maintain an existing balance between operations, limitations, and controls than to run around putting out fires.

Years ago we realized that the process of maintaining security was outweighing the process of maintaining the business. So we tried to measure how much security one needs based on one's business operations. It couldn't be done. Not with the old model. It made us estimate the risk of something happening and how much that loss would cost us, but that only gave us an "informed" opinion of what was enough. Generally, it was more about how much security we could afford than about specifically which controls were needed where. So we couldn't measure security even though we could test it every which way possible. This was strange, because in the physical world, to measure something without bias, you test it. The old security model didn't let us get factual, unbiased measurements from our tests. And it wasn't because it's tough to measure something moving. Hell, we can measure how big a comet is as it speeds by much faster than technology changes. No, we couldn't do it because we couldn't say what security is. So even though we were knee deep in updating OSSTMM 2, we knew we had to change what we were doing.

Just to get it out of the way, let me say that I don't particularly recommend working on anything for seven years. It's really hard. I especially don't recommend starting something and then, three years into it, realizing it's broken and starting over, only to lose most of your contributors. If we had been commercially backed I'm sure we would have had to publish it anyway, broken and all, and use some good marketing spin and whitewash scrub to sell it. Probably. But we're not. We just couldn't release something that parroted the concepts of the old model. We couldn't do something that perpetuated the problem, even if it didn't exacerbate it, because doing so would be very wrong. And lazy.

I learned early never to underestimate the laziness of people. And the security industry has many of them. Except for, mostly, the vulnerability researchers and hackers (not script kidz), nobody's really improving anything. The vuln researchers are making the net safer by finding new means of attack and the hackers are making the net sing in ways nobody thought possible. They both do it by not being lazy. You need to hack and research to improve the things that aren't working. After all, security is a science to be turned inside-out, tested, and improved. That all requires work. So why did so many people who noticed that the present security model isn't working keep doing it anyway? Why did so many buy into the crap about "There's no such thing as perfect security" and "Security is a process"? Why? Because it justified them not changing things and accepting things just the way they are. Of course, if you don't believe it's true in security, maybe you're too close to it. Take a look at the many other things in life outside the security industry where people keep doing the wrong things because society has given them justifications to do so. I won't mention any here because it's clear flame bait. But I'm sure you'll have no problem thinking of some on your own. Most human beings have the proclivity to live with that which sucks in perpetuity if they think it sucks equally for everyone else too. They do this by making excuses for it.

So we know why we do things that don't work. Because everyone else does too, and it's easy to justify it that way. Don't need to learn much then, do you? "Not fair," some of you cry? Yes, you've studied hard. I can see that it's not your fault, because the text books, magazines, and trainings all focus on the same things: firewall, IDS, anti-virus, patching, updating, and putting all employees on tight leashes. When something gets compromised we scream how they didn't have the right firewall, IDS, anti-virus, patches, updates, or security awareness training. Or enough of it. But it is your fault if you've committed to this method without challenging it and, furthermore, resist change. Because science is not a place where you have to play by the existing rules and make changes from within. No. The only thing you have to do is show where the facts come from so others can repeat it. That's science. So we don't need to keep working within the present security model to introduce improvements. We can hijack this security boat and take it in a new direction. Enough repeating the same justifications! The security industry needs more pirates and fewer parrots!

So at what point do YOU say "Enough already!"? At what point do you say, "Stop telling us that more security products will be our salvation! Stop telling us that it's okay that the security products fail because the bad guys are more persistent and so we all have the same problem! Stop telling us to justify ourselves and then telling us that the fault is really in our inability to make good risk decisions so you can sell us a risk decision product! Stop doing that! More is not the answer!" But some of you still think it is, because the security product hawks have convinced you of that. Society tells us more is good. So it makes sense, right?

They tell you that on a battlefield you'd want MORE tanks and soldiers, wouldn't you? Of course you would. They've turned this from security into a war. Cyberwar. Digital Pearl Harbor. So you'll see bigger stakes. They want you to see it as a big problem because little problems sell fewer products. But think for a minute. It's not like a war. Imagine if those tanks and soldiers didn't act offensively and just stood guard as gatekeepers. What do you think they'd be? More targets. Sitting ducks. That's what happens when you add more security products. You increase the attack surface. You have now introduced more things the bad guys can attack and damage (don't forget those security products are costly assets you've now got sitting there like ducks) and more things that the good guys can screw up.

No, data network security cannot be fought like a war and cannot be defended like physical space. In data networks, more is bad. It's not at all like physical defense. Physical defense is hard and requires offense to work. It's limited severely by physics and the mental capabilities of man. Network security much less so. For example, packets can't take chips off a wall like bullets can. A divider in network security can last indefinitely (as resources allow), but in the physical world dividers are subject to entropy and therefore disorder. Physical things fall apart over time because physics tells us so. It's a fact. So physical security is really limited by the technological inventions that can stretch the physical and mental capabilities of man. It requires many studies and multi-disciplinary sciences to advance. Network security, on the other hand, needs a creative problem-solver with the discipline to write error-free code. BIG difference.

Now it's okay for you to feel uncomfortable and disagree with me on who knows how many levels. But that discomfort you feel is something you've felt before. And I don't mean it in a woke-up-in-the-wrong-place-and-who-is-that-person-next-to-me kind of way. It's the feeling of dependency on the next better product and the hope for the next better solution. It's the feeling of helplessness and exhaustion from the endless cycle of patch, rinse, repeat. I was there too once. It's why we wrote the OSSTMM in the first place. It's why we started ISECOM. And now the last seven years of our work is available to guide you into making a change for the better, if you're not lazy.

The late Jack Louis once told me that ISECOM is like a refuge for the lost and disillusioned security professional. People come here to get peace because they see that they're not crazy: the model we're told to use really is broken. And as we present OSSTMM 3 we are making a bold statement on how to fix the problems. We aren't setting our own bed on fire with it. Just the contrary, we are doing this to make peace. Maybe a type of Zen. And what we couldn't prove through a double-blind study, we proved through mathematics and logic. Although we do hope many students will try to prove this new model with actual studies. And it's okay if they prove us wrong in places, because this isn't politics for us. If we're proven wrong somewhere by you, we'll learn how to fix it in the next version. We can do this because we are not devoted to these ideas and we're not lazy. It is a science. And we change with the validity of the proof. Our commitment is only to improving the state of security. I recommend you try that. Stop being committed to a broken model and try out the new one. So grab the new version and start. When things suck, it's important to embrace change. Especially if you do it on purpose.
Tags: Enterprise Security, Security Awareness, Security Training
Robb Reck Okay, so I read your post, and feel you made some good points about the weaknesses of our current security model. But what you did not do is explain what a better model looks like. I assume that this is an attempt to drive people to read OSSTMM 3, but I believe a summary of what your new model looks like would be a worthwhile addition to this.
Danny Lieberman Mike

How do you monetize a 280+ page methodology?

I downloaded the paper and read through the first 90 pages or so out of 280 and skimmed through the rest. It is a magnificent work in its scope and thought.

Since selling security is already difficult, I just don't see how a complex methodology that customers won't take the time to read let alone understand will bring consultants in this community more billable hours.

Reducing security costs in a practical way for your customer or outsourcing the entire issue into the cloud are the only answers I know to the question of selling security and frankly, I feel that OSSTMM, in all its truth, has a high barrier to entry.

You may say - yes, well this will help show the customer how to save money. But stop for a second and consider this: We all know that more security products generally increase risk but installing, configuring and maintaining product is the lifeline for the entire industry so there is a conflict of interests of sorts between vendors, integrators and their customers, that would rather install a product than sit down and think using a complex methodology.

Danny Lieberman Mike

I like being able to offer something new. The question in my mind is how to use something like Trust Metrics to pull in new business.

We've been using business threat modeling for about 5 years and it seems to be very effective for both us and clients, and I'm always looking for new angles and new pitches to sell.

Pete Herzog The article is not just to complain. I am offering a solution. The new model is within the OSSTMM 3. The manual covers many concepts which add up to make a new model which does not have the same problems as the old model.

As far as its application, to monetize it, there's many, many concepts and practices within that will improve quality, efficiency, and operations which indeed saves money for those building secure infrastructures. This is true whether you're a business owner or a consultant. So it's not about the customer understanding a "complex" methodology but rather the customer getting something better from the consultant; something that has more meaning, specificity, and consistency because they are based on the facts from their specific operations.

However, for anyone to think that it has a high barrier to entry is like saying that MRI machines have little value for medicine because they are a high barrier to entry. At one point they were also new. Yet now they are getting more and more use in solving more and more problems. Please, nobody give up on it and dismiss it before you've read it and tried to understand it.
Robb Reck Asking us to read a 213 page document (at least, that's the size of the PDF I downloaded) is a pretty big hurdle. That's why I requested that you include a summary of what your solution is to all of the problems you outlined. I simply can't spend the kind of time that's required to read this document on the hope that maybe it's the magic elixir to fix all of IT's security problems. But if you had explained what you are replacing the old security model WITH, and if I agree that what you're saying has value, working through this kind of document is worth my time. But in a work environment where resources are scarce and problems are many, spending hours reading every new theory is simply not wise.

Pete Herzog Robb, there are many articles on this site that answer your question. Search for OSSTMM and read the ones with titles like OSSTMM 3 Review and such. Now, you don't need to read the whole document to get your answers. You can start by reading the foreword or the introduction and see how that works for you. That should only take a few minutes. Then look at the ToC and see where you want to zero in based on what you think your biggest problems with security are. Because you know that there are problems. Everyone does. So just pick it up and read it in pieces that interest you. It's a manual, not a report.
Robb Reck Thanks, I'll take a poke through those resources.
Danny Lieberman I like to drive to the bottom line. How is this going to get a security consultant new business?

Danny Lieberman Mike

Unfortunately, the best security countermeasures are not determined by being right.

Let's look at OSSTMM 3 like a VC would:

VCs have 5 gating questions at the first meeting:
1. What are the barriers to entry?
2. What is the TAM (total available market)?
3. How big a business will the product generate and what will be the return on my investment?
4. Is there unique, defensible IP?
5. Is it game-changing?

1. What are the barriers to entry?
a. It's a 200 page document, that most customers and consultants won't read let alone adopt.
b. It introduces new concepts, new terms, and begs questions like why is it better than existing vendor-neutral standards like the ISO 2700x series, government driven standards like HIPAA or industry driven PCI DSS 2.
c. Methodologies are notoriously difficult to monetize and we don't invest in methodologies

2. What is the TAM (total available market)?
The market consists of external and internal security consultants. Let's estimate the global market for security consultants at about 50,000 people for the sake of argument.

a. One segment is internal consultants with captive customers who trust them. Let's see - have KPMG and PwC Global Security signed up for this methodology? Oh - not yet. Well - call me when you have them signed up

b. A second segment is in house security staffers with the bandwidth and management support to adopt a new methodology. Let's assume that 5% of all in house security staffers fall into this category - say 2,000 people that don't have signature authority over $500.

3. How big a business will the product generate and what will be the return on my investment?
In a best case scenario - 2,000 people x $500 a year for licensing the methodology. That's a nice business for a couple of guys but we don't invest in nice businesses. We invest in game-changing technology that will give us a 20x return on investment - and exit for $250M.

4. Is there unique, defensible IP?
No. It's provided under a Creative Commons license

5. Is it game-changing?
Hard to say. The document has some interesting ideas but it's difficult to see how this would reduce global security budgets or make existing head count more effective.
Pete Herzog Hey Danny,
Thanks for the VC walk-through but I already went through that 10 years ago. So I can tell you that you're spot-on. I didn't want funding from one but I had a friend who set up the meeting because he thought it would help. Anyway, thanks for that. I think you kinda missed the point over-all so I hope you get a chance to read through and take some time to think about it. Maybe you'll find some useful things in there after all. Oh, and we don't license the methodology for your consulting/services business-- it's completely free for you to apply in that respect. So you don't really have much to lose there.
Rod MacPherson Pete,
I find it amusing that on the one hand you have people complaining that they have to pay if they want a peek at unfinished drafts, but then when you release it to the public for free you get complaints that it's free.

What a strange world we live in.
Danny Lieberman Mike,

I will indeed finish reading the entire document; even half-way through, I see a lot of value in what I've read.

Quality and goodness are not the question - rather the question is whether or not, the security industry will accept the methodology in significant numbers like it has accepted ISO27001.

My VC walk-through is a thought-experiment for possible acceptance of the methodology; not for me personally, but for the security market as a whole. For the record - KPMG is not my yardstick for excellence but they certainly bill out a lot more hours than I do. Granted, there are a small number of Open Source projects that bloomed into commercial success from the grass roots (MySQL and Ubuntu are two exceptional examples) but note that OSSTMM 3 is not Open Source Software, it is a methodology with big barriers to entry, no game-changing capabilities and no defensible IP.

You say: The status quo is "how does security make money for me"

But of course, money is what you use to drive your car and buy milk. No individual, no business, policy maker, vendor, consultant nor end user customer makes decisions that are not economically related.

With all its merits - OSSTMM 3/4 will never mainstream, simply because it doesn't have a business model.
Pete Herzog Sorry Danny, I need to disagree with you on the business model. Many have found or improved their business model with the OSSTMM. We deal with all sizes of companies, militaries, and governments all the time who need security over compliance or have technologies and environments that are so different, with threats so far removed from what you have worked with, that the OSSTMM is the only thing flexible and thorough enough to secure them. We deal with security consultancies (even the huge yard-stick worthy types) who know hiring OSSTMM certified people gets them employees who are resourceful, so they can do the job and do it well from day 1 without extra hand-holding or "landing". They also know that it's easier to keep a client than get a new one, and the OSSTMM trust and security metrics let them get meaningful, unbiased numbers to their clients, help keep their security in perfect balance with operations, and extend projects and contracts by being exactly what their client needs: Security. Your mythical 50,000 may be right, as I'm sure we don't/can't reach all the security decision makers and not all will know what to do with it, but that doesn't mean many others haven't built a security business model around it already. But we had nearly 200,000 downloads of the manual in the first 48 hours. And it's still going. So somebody must be getting something out of it. Maybe that's not mainstream, but if watered-down, ineffective, and biased is mainstream then, being all interconnected, I know we could all use a lot less mainstream security even if it sells well.

We just extended the ability of those who want to find business models using the OSSTMM. In addition to training and business partners, we added the ISECOM Licensed Auditor (ILA) program for companies. We also do independent certification of security audits. Now this area is just starting but it's already growing quickly because customers love having their exact security numbers which makes operations and procurement much easier and sensible.
Pete Herzog Rod, what you find amusing I find so frustrating! I'm open for suggestions ;)
Glenn Norman Pete's openness to suggestions, edits and improvements to the OSSTMM is one of the greatest things about it.
I personally have no problem monetizing the OSSTMM. My clients take to it immediately. I don't charge them for the methodology; I charge them for my time. Most are eager to sign ongoing contracts. All of them are entities eager to save money, time and effort, which is exactly what the OSSTMM is about.
So: while the OSSTMM may not have a business model, I have one that incorporates it. And that model has significantly improved my security practice.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
