The State of Incident Response: Black Hat USA 2014 Keynote Recap from Bruce Schneier

In my continuing series of keynote recaps, I will be covering Bruce Schneier’s keynote at Black Hat USA 2014 — yes, it can be called a keynote even though it is more of a briefing. By the way, Black Hat: Next time, please give him appropriate space; people were lining up outside the room waiting to get in because of the lack of space.

I will be sharing what I learned from his speech in my own words with selected graphics. Schneier’s “The State of Incident Response” talk is available online, but if you don’t have an hour to watch that, read this as a recap. Hopefully, it will help you take some action or remind you of your New Year’s resolution to improve security. Finally, I hope this serves as a good resource for those starting in the field who are too focused on their day-to-day cyberdefense role to step back and look at the bigger picture.

Schneier started by talking about three trends in cybersecurity, followed by information technology (IT) economics, a piece of human psychology and how they all affect the security industry. He used that to argue how we need more and better incident response tools and services and how the IT economics change when it comes to these services and tools. He then shared a systems theory from the Air Force and how it can be used to arrive at the proper response.

But first, let’s talk about the trends.

Everything Anywhere via Anything: The Cloud Era

The first trend he mentions is that we are in a cloud era in which individuals and organizations alike are putting more and more data into the cloud. We have different cloud providers for all sorts of information: Who we meet, when we meet, what we eat, where we’ve been, where we’re going, who we’re with, what we’re wearing, what we like, what we don’t like, who we like, what we’re in the market for, what we’re worried about — you get the idea.

Similar things apply from an organizational perspective. Add analytics (big data/metadata), and a lot can be predicted. How many of us — not just us security practitioners — know or care to know the security posture of these services providers in the cloud? We usually don’t even know which OS or hardware they are using. Similarly, how much understanding do we have of the variety of devices we use to access information, or that our children or employees use to access information? The point is, we are losing control over our data.

Attacks Are Getting More Sophisticated

As defenses get stronger, so do the attacks. It is not only the nation-state attackers that are getting more skilled and focused; this is happening all around. The cybercrime market is maturing pretty well, with the supply chain in place, so this provides significant incentives for financially motivated attackers to invest in sophisticated attacks.

In “The State of Incident Response,” Schneier gave an analogy of identifying attackers based on their weaponry. If you were to see a tank on the street, you would not think it belongs to street thugs. However, in the cyberworld, anyone can have any sort of weaponry. I would say that this is true to an extent, but we can still tell a lot about the attacker based on the sophistication level and targets of the attack.

Another important trend is discovering that being relatively secure does not mean you are safe.

To illustrate this, I would like to use the joke about two hikers and an attacking bear. One hiker says to the other, “I don’t have to outrun the bear; I only have to outrun you!” So, for relative security, as long as you are a harder target than those around you, typical criminals would keep stealing from those who are relatively easier to go for.

On the other hand, you may have an advanced persistent threat (APT) or a highly skilled and highly focused adversary (I have no intention of taking sides in the debate about whether an APT is a who or a what) who just wants you or your data. This could be because they hate you or because you have something that they want. These attacks are very persistent, so if you think of it this way, your defense planning may change, too. You need to start thinking about what you would do if these types of attackers get in.

Government Now More Involved in Cyberspace With Policies, Defense and Offense

The third and last trend Schneier talks about is the immense involvement of the government in cyberspace, whether through regulations and policies, the defense of critical infrastructure, the creation of cybercommands, hoarding vulnerabilities or the cyber arms race.

IT Economics

Schneier then shared four principles of IT economics that will help us understand why we are seeing some strange behaviors in the security industry.

He reminded the audience of the often forgotten Metcalfe’s law, which states that “the value of a network is proportional to the square of the number of connected users of the system.” This is true for both real and virtual networks. The more users on a social media site, the more engaging and attractive it becomes. The same is true for the use of a particular brand, OS, instant messenger, etc. This means a single dominant player emerges in the market as it grows. For instance, most people use Facebook because most of the people they know use Facebook.

As is the case in IT, various behaviors emerge when the fixed cost (the cost to develop the first unit) is significantly higher (as it includes design, research and development costs, etc.) than the marginal cost (the cost to produce an additional unit thereafter). Artificial barriers are then put up to increase the marginal cost so competitors can’t compete, and the original designer recovers the cost. Higher fixed costs also make stealing designs very attractive to criminals because they can take on just the marginal costs and sell cheap copies.

On the other hand, if someone has already invested in the high design cost and can protect the product from being replicated, then it can discourage competition, too. For example, since Google has pretty much already driven all around the world, it is hard for someone to duplicate Google Maps and take on the cost. Finally, those vendors who have already recovered their fixed cost can start selling cheaper products, and new vendors will have a hard time selling at a higher price that will help them recover their fixed cost. This is especially true because buyers lack the ability to distinguish between good and mediocre products, as we will see in the last principle of the lemon market theory.

This also drives the trend of market giants continuing to grow. The higher the cost of switching, the more likely customers are to stay with a vendor, even when there is poor customer service. This is what we see around noncompatible formats — making it hard to take your data with you when you leave, paying for data transfers and paying to train new staff on a new product, for example.

Finally, the last economics principle Schneier mentioned is based on the work “The Market for Lemons,” which is essentially the principle that when the buyer knows very little about a product and cannot distinguish between good (cherries) and mediocre (lemons), he or she will buy the one being offered at an average price. Therefore, this practice drives the good products from the market. Schneier added that, in the security industry, this is especially true because the requirements are nonfunctional — how does the average buyer determine which product is a good encryption product? To balance this, the economic concept of signaling comes into play, so you see warranties from the seller, certifications, best practices, references and testimonials.

This is why it is important to be aware of your psychological biases so that you can make more informed decisions.

Prospect Theory and the Security Industry

According to this concept, if we are given a choice between taking $1,000 cash or flipping a coin and getting $2,000, most people will avoid the risk and take the cash. On the other hand, if we are given the option to lose $1,000 right now or go for a coin flip and lose $2,000, most will take the risk and go for the flip. This is known as prospect theory: when it comes to gains, humans are mostly risk averse, but when it comes to losses, we are risk seeking. Consequently, it is hard to sell security because most people avoid investing in security or underinvest and take the risk of a bigger financial hit if something goes wrong.

Security is a combination of protection, detection and response. We need more response capabilities as we lose control of data with the cloud trend, attacks become more sophisticated and we continue our natural tendency to underinvest in protection and detection. As we are not generally able to distinguish between good and mediocre products, we are more prone to having mediocre-quality defenses. Therefore, response becomes more and more essential.

The State of Incident Response

Now comes the crux of the talk: In reality, security is about people, process and technology. What we’ve been doing is keeping people out of the loop as much as possible because they are considered a liability. We’ve been doing pretty well with respect to having automatic and semiautomatic systems when it comes to prevention and detection.

With incident response, what is changing is the ratio of the importance and involvement of these three factors. The problem with response is that you can’t take people entirely out of the loop, and the ratio of people to technology goes up when it comes to response. This is primarily due to differences in environments, regulations, attacks, economic and political situations, etc., which vary from organization to organization. These differences are more important than the technical considerations.

Moreover, the economics discussed earlier are very different for response than for protection and detection. With response, there is less of a network effect, although it will still matter because organizations will usually go after big names. There will also be a much higher marginal cost, lower switching costs, less of a lemon market as requirements are functional, less of a first-mover advantage and far fewer national monopolies. So, unlike the area of prevention and detection, better companies, products and services will do better, which is a good thing.

The key here is making response scale in a way that doesn’t remove people, but rather builds technology to support people as they complete their critical tasks. The goal is to build resilient systems; we cannot build impenetrable systems, yet they should not be fragile, either.

Since response happens in real time, Schneier then switched over and explained an applicable system theory from the Air Force. The decision cycle to observe, orient, decide and act is called the OODA loop and is widely applicable in any real-time adversarial situation. The key here is speed: If you can make your OODA loop faster than an adversary’s or get inside the adversary’s OODA loop, your response is faster than the adversary’s reaction to your response.

Let’s talk about what OODA means for response. Observing is knowing all that is happening in your network in real time and getting all the data in a place where it can be monitored in real time.

Orienting is understanding what this information means in context — what is happening in the company, what is happening in the greater community, new malware, new zero-day vulnerabilities, what geopolitical situations are happening or what is happening within your organization, such as the release of new software, a merger, layoffs, etc.

Deciding is landing on which action to take, what sort of input is required from different stakeholders (lawyers, executives, public relations, etc.), having the authority to make changes quickly and deciding who will have this authority, who can grant this authority and which process there should be to get it. Acting is implementing all of these decisions. We need powerful, flexible and intuitive tools to take care of the whole ecosystem and help people perform a proper response.

The neat thing about this is that the requirements here are functional, as opposed to the nonfunctional ones in prevention and detection. So, the good will beat out the mediocre. We need to build good things and bring people and technology together to mirror less of IT and more of generic risk management. We can learn a lot from other domains that have been doing this for decades.
