This year, being 2020 and all, it’s not surprising that security expert Sounil Yu has dubbed the coming decade the Age of Recovery.
In his talk at KubeCon + CloudNativeCon EU Cloud Native Security Day last month, Yu examined how the security technology landscape has evolved, and how it has adapted to the new cloud native world. He offers up this inherently distributed, immutable and ephemeral infrastructure as the way IT teams, on both the CIO and CISO sides, can avoid irreparable damage from the barrage of attacks we are all facing.
How Do You Begin to Organize All the Cybersecurity Tech?
In his previous role as chief security scientist at Bank of America, Yu was tasked with making sense of the security technology landscape — literally thousands of security technologies and vendors and how they fit into a portfolio of capabilities.
With this challenge in mind, Yu created what he’s dubbed the Cyber Defense Matrix — also the name of his upcoming book.
In this matrix, the y-axis features five things you care about. In this case, thinking about the banking giant’s systems, he chose:
The x-axis highlights the five functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
This two-dimensional visualization allowed him to compare products and to identify gaps in enterprise security infrastructure and practice.
As you can see above (brands were blurred intentionally), there’s quite a strong pattern: crowded on the left, with tools to identify, protect and detect, and almost nothing on the right under respond and recover. If you look at the bottom of the matrix, you also see that the identify side is dominated by technology products, while toward the respond and, especially, recover side the offerings shift to service-oriented companies that rely on people rather than tools.
It left Yu wondering: Is the cybersecurity industry really solving the right problems?
Looking Back to Learn How Cybersecurity Got Where It Is Today
In order to answer that question, Yu took a trip down memory lane to reflect on the evolution of the chief information security officer (CISO) and team. The reflections are below, alongside the realization that each decade, so far, maps to his Cyber Defense Matrix categories — and perhaps explains the gaps to be filled in the near future.
1980s: Identify Our Assets — IT products got way cheaper, so enterprises started gobbling them up. Then these businesses started asking themselves: Why did we buy this? How is it supporting the business? How critical is it to our business? The solution was IT asset management systems. Yu pointed out there was no tension between CIO and CISO teams because, well, there was no dedicated IT security team at all.
1990s: Protect Our Assets — Systems were under attack by hackers, who were rather easily gaining footholds in IT environments. That led to security configuration guides, antivirus software and network firewalls. The security team was formed, and spent most of its time telling IT to turn off at-risk parts. And so the tension began. Yu referred to the security team at this point as “just a hobby shop focused on vulnerability management.”
2000s: Detect Intrusions Against Our Assets — This decade was filled with too many logs, alerts and client-side attacks that needed investigation. Out of this rose security information and event management (SIEM) and intrusion detection systems (IDS), which helped define alerts for unusual activity, like hackers getting past firewalls. CISOs gained more C-level buy-in and were officially put in charge of security management.
2010s: Respond to the Breaches on Our Assets — This decade brought the realization that many of the protections laid out in the 90s were easily evaded, and that the detection tooling of the 2000s was overwhelming analysts with false positives. The tension between the CIO and CISO roles hardened into a seemingly permanent schism.
“There’s too much conflict of interest between the CIO and the CISO. So in many organizations, the CISO function, the security function splits off as a dedicated business unit,” Yu said.
He said all this led to the 2020s emerging as either the Age of Recovery or the Age of Resiliency, or both.
Is This Decade the Age of Recovery?
Yu continued his talk asking: What kind of challenges will we face that will affect our ability to recover? What problems will cause irreversible, irrecoverable harm?
He argues that these irrecoverable harms map onto the three traditional security properties known as the CIA triad:
- Confidentiality — like Wikileaks and doxxing
- Integrity — like ransomware and #FakeNews
- Availability — like PDoS (permanent denial of service), MBR wipers and bricked firmware
Yu says that when the industry looks for new security vendors, all it gets is more protect, detect and respond.
“In each of the eras, we faced new challenges that directly undermined our ability to identify, protect, detect or respond. And so we had to develop new solutions to help us overcome each of these challenges. The prior era solutions did not solve the current era’s problems.” — Sounil Yu, Cyber Defense Matrix
The tools that he has found that are fit for recovery and resiliency are:
- Content delivery networks.
- Design principles, such as copy on write, where Yu says you never erase or overwrite anything in place, but instead write a new copy alongside the old one.
- Docker containers.
- Cloud infrastructure.
- Serverless functions.
He continued that even “buzzwords like blockchain” fit into this resilient future.
Yu pointed out that each of these techniques share in three core design principles that fight the new attack mechanisms:
- Highly distributed solutions mean you no longer have to worry about the availability of a single system.
- If your services are immutable, you no longer have to work at maintaining system integrity; a changed system is simply replaced.
- Ephemeral means assets live so briefly that there is little left to keep confidential and nothing for an attacker to persist on.
Taken to its conclusion, Yu argues, the DIE triad removes the need to apply CIA controls to assets built this way.
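The copy-on-write item in the list above and the immutability principle both come down to the same mechanism: writes never destroy what was there before. The following is an added example, not code from Yu’s talk or slides, showing a tiny append-only store in which a ransomware-style overwrite becomes just one more version and the prior content stays addressable. The XOR scramble standing in for encryption and the object name ledger.csv are constructed for the example.

```python
"""Copy-on-write storage as a recovery primitive.

Added example, not code from Yu's talk or slides. A tiny append-only store:
every write creates a new immutable version and nothing is erased, so a
ransomware-style overwrite is just one more version and the prior content stays
addressable. The 'attack' below is a constructed XOR scramble standing in for
encryption; the object name 'ledger.csv' is hypothetical.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Version:
    """One immutable version; frozen so nothing can mutate it after the write."""
    content: bytes
    digest: str      # sha256 of content, checked on read


@dataclass
class CowStore:
    """Append-only, copy-on-write object store keyed by name."""
    _versions: Dict[str, List[Version]] = field(default_factory=dict)

    def write(self, name: str, content: bytes) -> int:
        """Append a new version and return its index. Never overwrites in place."""
        v = Version(content, hashlib.sha256(content).hexdigest())
        chain = self._versions.setdefault(name, [])
        chain.append(v)
        return len(chain) - 1

    def read(self, name: str, version: int = -1) -> bytes:
        """Read a version (latest by default), verifying its digest first."""
        v = self._versions[name][version]
        if hashlib.sha256(v.content).hexdigest() != v.digest:
            raise ValueError(f"integrity check failed for {name}@{version}")
        return v.content

    def version_count(self, name: str) -> int:
        return len(self._versions.get(name, []))

    def rollback(self, name: str, to_version: int) -> int:
        """Recovery is itself a write: re-append an older version as the new head."""
        return self.write(name, self.read(name, to_version))


def ransomware_drill(store: CowStore, name: str) -> Dict[str, object]:
    """Constructed scenario: attacker scrambles the latest content, then we recover."""
    good_head = store.version_count(name) - 1       # index of last known-good version
    before = store.read(name, good_head)
    scrambled = bytes(b ^ 0x5A for b in before)     # stand-in for encryption
    store.write(name, scrambled)                    # the 'attack' can only append
    head_was_unreadable = store.read(name) != before
    store.rollback(name, good_head)                 # prior content is still addressable
    return {
        "head_was_scrambled": head_was_unreadable,
        "recovered": store.read(name) == before,
        "versions_kept": store.version_count(name),  # nothing erased along the way
    }


if __name__ == "__main__":
    s = CowStore()
    s.write("ledger.csv", b"alice,100\nbob,250\n")
    print(ransomware_drill(s, "ledger.csv"))
```

Note that the scrambled version is kept too: in a real system that is what forensics wants to look at, and retention policy rather than the attacker decides when anything is finally dropped.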
“If we design towards the new paradigms represented by the DIE triad, we need not worry about the CIA triad. In other words, if we can have our assets DIE, why do we need to CIA them?” Yu asked.
He argues we should then revisit our risk analysis. Traditionally risk is measured as Risk = Likelihood x Impact. But with a never-ending stream of vulnerabilities, exploited by ever more capable attackers, the likelihood term only grows, and faster than defenders can shrink it.
“Vulnerabilities age like milk and attacker skills age like wine. And the combination of the two means that likelihood is going to increase over time, and, unfortunately, this is out of our control. However what is in our control is impact.” — Sounil Yu, Cyber Defense Matrix
That means focusing not on likelihood reduction — because it’s going to happen — but focusing on impact reduction.
Cloud Native Inherently Reduces Attack Impact, Increases Resiliency
Yu references the notion of pets and cattle — you name, love and care for your pets, but you shouldn’t get long-term attached to your cattle. He says that, before the cloud, just about everything built was a pet.
“We liked hugging our machines, and things like our personal laptops or national ID numbers were pets,” he said.
But constantly replaced containers, reissuable credit card numbers and Lambda functions are more like cattle.
So you still CIA your pets, but you treat your cattle like it’s ready to DIE.
So if everything is moving toward the cloud native DIE triad, it’s important to build data and measurements around that. For example, if you want things to be ephemeral or temporary, you’d want to measure how long-lived something is — namely, uptime. Then, as illustrated below, you can set an uptime threshold above which an asset counts as a pet and count how many assets exceed it. The fewer that do, the fewer pets you have.
From there you are able to set targets to lower both the number of pets and the lifetime of your cattle. This in turn makes your organization more resilient.
Ultimately, pets are unavoidable, but Yu says you just have to be aware of when new pets are created, to intentionally protect those pets with CIA, and to strategically build cloud-first to be cattle-first and ready to DIE.
New Cultural and Technical Capabilities
This of course is a culture change as much as a technical change. Create alerts that remind colleagues they are on the verge of creating a pet and give them the option of decommissioning the asset instead. Then uncover the pet-like and cattle-like design patterns within your organization.
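The uptime threshold described above and the “you are about to create a pet” alert can be computed from nothing more than first-seen and last-seen timestamps. The following is an added example, not Yu’s tooling or anything from the talk; the fleet inventory, the seven-day pet threshold and the 80% warning point are all constructed assumptions for illustration.

```python
"""Pets vs cattle, measured: classify assets by lifetime against an uptime threshold.

Added example; not Yu's or The New Stack's code. The inventory below is a
constructed, hypothetical fleet snapshot: Unix timestamps for when each asset
was first and last seen. Anything that has lived at or beyond PET_THRESHOLD is
counted as a pet; cattle nearing the threshold get a 'you are about to create a
pet' warning, as the article suggests.
"""
import math
from dataclasses import dataclass
from typing import Dict, List

DAY = 86400.0
NOW = 1_600_000_000.0            # constructed snapshot time (Sept 2020)
PET_THRESHOLD = 7 * DAY          # assumed policy: anything alive >= 7 days is a pet
WARN_FRACTION = 0.8              # assumed: warn at 80% of the threshold


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str          # container | vm | function
    first_seen: float  # Unix seconds
    last_seen: float   # Unix seconds

    @property
    def lifetime(self) -> float:
        return self.last_seen - self.first_seen


# Constructed inventory, not real data.
INVENTORY: List[Asset] = [
    Asset("web-7f3a",     "container", NOW - 2 * 3600,  NOW),
    Asset("web-9c1d",     "container", NOW - 6 * DAY,   NOW),
    Asset("batch-2",      "container", NOW - 1 * DAY,   NOW),
    Asset("img-resize",   "function",  NOW - 30,        NOW),
    Asset("db-legacy-01", "vm",        NOW - 400 * DAY, NOW),
    Asset("bastion",      "vm",        NOW - 900 * DAY, NOW),
]


def classify(assets: List[Asset], threshold: float = PET_THRESHOLD,
             warn_fraction: float = WARN_FRACTION) -> Dict[str, List[Asset]]:
    """Split assets into pets (lifetime >= threshold), cattle, and cattle near the threshold."""
    out: Dict[str, List[Asset]] = {"pets": [], "cattle": [], "warn": []}
    for a in assets:
        if a.lifetime >= threshold:
            out["pets"].append(a)
        else:
            out["cattle"].append(a)
            if a.lifetime >= warn_fraction * threshold:
                out["warn"].append(a)
    return out


def nearest_rank_percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile; no interpolation, so small samples stay honest."""
    if not values:
        return 0.0
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered)))
    return ordered[rank - 1]


def fleet_metrics(assets: List[Asset], threshold: float = PET_THRESHOLD) -> Dict[str, float]:
    """The two numbers the article says to drive down: how many pets, how long cattle live."""
    c = classify(assets, threshold)
    cattle_lifetimes = [a.lifetime for a in c["cattle"]]
    return {
        "pet_count": len(c["pets"]),
        "pet_ratio": len(c["pets"]) / len(assets) if assets else 0.0,
        "cattle_max_lifetime_days": max(cattle_lifetimes, default=0.0) / DAY,
        "cattle_p95_lifetime_days": nearest_rank_percentile(cattle_lifetimes, 0.95) / DAY,
    }


def pet_warnings(assets: List[Asset], threshold: float = PET_THRESHOLD) -> List[str]:
    """Alert text for cattle about to cross into pet territory: recycle or register it."""
    c = classify(assets, threshold)
    return [
        f"{a.kind} {a.asset_id} has lived {a.lifetime / DAY:.1f} days "
        f"(pet threshold {threshold / DAY:.0f}): recycle it or register it as a pet"
        for a in c["warn"]
    ]


if __name__ == "__main__":
    for k, v in fleet_metrics(INVENTORY).items():
        print(f"{k}: {v:.2f}")
    for line in pet_warnings(INVENTORY):
        print("WARN", line)
```

Lowering the threshold is how you tighten the target over time: with the constructed fleet, moving it from seven days to one reclassifies two more containers as pets, which is exactly the kind of finding that should trigger a conversation about why they are still running.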
He points out that it’s hard to get rid of pets once you have them, which is why you want to make sure you aren’t turning cattle into pets. This means avoiding actions like:
- SSH-ing into a container.
- Allowing an asset to live longer than needed.
- Patching in place.
In the end, Yu believes this move toward DIE will finally ease the tension that has built up over the last 40 years between the fragility-fighting CIO and the resilience-striving CISO.
What will truly make systems resilient or even antifragile in 2020? Yu says the creative application of chaos engineering to make systems even more “DIE-like,” pinpointing the vulnerable pets and turning them into cattle. And then just make sure your hopefully fewer and fewer pets still get that special care for high confidentiality, integrity and availability.
Amazon Web Services and the Cloud Native Computing Foundation are sponsors of The New Stack.