Schneier on incident response
Bruce Schneier is a cryptographer and security specialist who is well-known in computer circles, even though he has often branched into more general security areas in recent years. His blog is a great source of security news (and of "quotes of the week" for this page, as readers know). Beyond all that, he travels to many security conferences to give talks, which is just what he did at AppSec USA in Denver on September 18. The keynote topic was "incident response" (IR), which is an area that is finally getting more attention in the security-product space, he said.
Interestingly, Schneier's talk didn't really dwell all that much on IR. Instead, he looked at some trends that are changing the industry, along with some economic principles that are relevant to the computer security market. Along the way, he also described a feedback loop that is used by the US Air Force (USAF) and how it relates to network attacks and the response to them.
Three trends
There are three trends that are currently important to the security industry, he said. The first is that we are "losing control of our infrastructure", which is the result of two separate things. The rise of cloud computing "means we no longer have control of our data". Schneier uses Eudora for his email, "but I am a freak". His company (he is the CTO at Co3 Systems, which makes IR tools, as he disclosed near the end of the talk), however, outsources its email to Google.
Moving data to the cloud means that we cannot affect the security of the system any longer, he said. You can't ask Google for more security on your email storage, you just get what they provide. You also have no idea where the actual physical bits of your data reside; they could be anywhere in the world.
We are also accessing our data with devices that we have less control over, which is also a loss of infrastructure control. Mobile devices are often locked down, such that we can't even wipe their memory and storage because there is no access at that level. There are lots of good reasons for locking down devices in that manner, but it does affect security. The business case for companies like Apple and Microsoft to control these devices is quite strong, to the point that Schneier expects to see phone and desktop operating systems converge—to somewhere that is much closer to the "less user control" phone side of that continuum.
The second major trend is that attacks are getting more sophisticated, as we have seen over the last few years. There is a lot of "cyberwar" rhetoric and there is clearly an increase in the capabilities of attackers. He doesn't really like the term "cyberwar", since we are not actually fighting a war in cyberspace, but there are parallels between actual warfare and the internet-based attacks occurring today.
In real wars, you can generally determine who the attacker is by the weaponry used—a tank means a government, since no one else can afford them. In computer attacks, that is not true: everyone is using the same weapons.
You can place attackers on a two-axis graph, where the axes are "skill" and "focus", Schneier said. Script kiddies are clearly low skill, low focus, while the attack against Target came from high-skill, low-focus attackers: they didn't want Target's customers' credit card information in particular, they just wanted credit card data. Against that kind of attacker, relative security is what matters; Target was attacked because it was less well-secured than its "neighbors", so your security only has to be better than that of the next potential victim.
But high-skill, high-focus attacks, like advanced persistent threats (APTs), make for a completely different threat model. APTs are personal for some reason; the attacker wants to get at a particular target. Protecting against that kind of attack comes down to absolute security: is the attacker better than the defender?
As it turns out, we know the answer to that question: yes. When penetration testers attempt to get into a system or network, they essentially always do, he said. We do not know how to defend against targeted attacks. In the history of warfare, as weapons and defenses have evolved, sometimes the attacker has had the advantage and sometimes it has been the defender. On the internet right now, the attacker has the advantage and will for the foreseeable future, Schneier said.
The final trend that he noted was the increasing government involvement in cyberspace. It goes beyond the NSA and other secret services spying on internet activity. There is a "complicated regulatory environment", which means that there is a lot of "legal stuff that organizations have to know and follow". Businesses and other organizations tend to be collateral damage when governments act on the internet—to censor it, conduct espionage on it, or attack adversaries using it. All of that is only going to get worse, he said.
Economics
Schneier then moved into some economic principles that are important to consider when looking at the market of computer-security products. First, network effects are crucial to the success of a product. He cited Metcalfe's law (the value of a network is proportional to the square of the number of connected users) to explain how network effects work for things like SMS, Skype, and Facebook. It is also important to the battle between iOS and Android, or between Mac OS X and Windows. The "big get bigger" due to network effects; Facebook gets bigger because you are going to join the network where your friends are, not the network that is better.
Another important economic concept is fixed vs. marginal costs. For physical products, much of the cost is in marginal costs, whereas in software it is almost all in fixed costs. Creating the first copy of a program costs a lot, but each copy after that costs little to produce. Books are similar, he said. Some printing company could (illegally) start producing copies of his books and sell them for a few dollars, since they would not have to recover the fixed cost by paying him royalties. He could retaliate by temporarily dropping the cost of his book below that of the "competitor", to drive them out of business—which is the tactic that Walmart employs against its local competition, he said.
"Switching costs" is yet another principle that comes into play. It is much more expensive to switch cell phone providers than it is to switch cola brands. He cited Shapiro and Varian's "fundamental theorem" that the total value of a software company is the cumulative cost for its customers to switch to a competitor. In effect, "the higher the switching costs, the more the company can piss you off", he said. AT&T just has to "not suck", while a cola has to be better in some measure.
Another example of high switching costs is trying to move from iTunes to something else: "good luck taking your music" with you. The same goes for trying to move from a Kindle to a Nook (or vice versa). Cell-phone-number portability is an effort to lower switching costs, since a user can switch without having to update all of their contacts, print new business cards, and so on.
The "lemons market" is an idea by George Akerlof that won him the Nobel Prize in Economics. It concerns markets where sellers know a lot more than buyers (i.e. asymmetric markets). In those markets, "bad products drive good products out of the market". If the buyer cannot tell the difference between a good and a bad product, they will buy the bad because it is cheaper, he said. If there are two encryption products on the market, both with the same algorithms, but one is implemented well and the other not, buyers will buy the cheaper one.
This is why "signals" are important. Things like certifications and "those really dumb awards at conferences" are useful. Those are signals that allow the buyers to convince themselves they are buying a "not bad" product. The old adage that "no one ever got fired for buying IBM" is another kind of signal.
The final economic principle Schneier mentioned is "prospect theory", which came from two psychologists, Daniel Kahneman and Amos Tversky. They are the only non-economists to win the Nobel Prize in Economics and they did so by "telling economists that everything they believe is wrong", Schneier said with a chuckle. Unlike the earlier rational-actor models, prospect theory shows that humans are risk-averse when it comes to gains and risk-seeking when it comes to losses: offered a sure gain or a gamble of equal expected value, people take the sure thing, but offered a sure loss or a gamble that might avoid it, they gamble.
This behavior is also observed in other primates, Schneier said. The best explanation he has heard comes from evolutionary biology. For a species living on the edge of survival, a sure small gain is worth taking because it improves the chances of living to see another day, so gambling for a larger one is not worth the risk. A loss, on the other hand, may mean death either way, so gambling on avoiding it costs little and sometimes pays off.
That theory explains why it is difficult to sell cybersecurity, just as it is difficult to sell insurance or burglar alarms, he said. Buying security is accepting a sure, small loss now (the cost of the product) to avoid an uncertain, larger loss later, and prospect theory predicts that people will take the gamble instead. If you go to your boss to say you need something to secure the network, he is likely to point out that you didn't have it last month and the network ran just fine. It is not impossible to sell cybersecurity, but it does require fighting against this basic psychological principle.
Response
In computer security, there is a need for response, because both prevention and detection are imperfect. He used to say that security is a process, not a product, but that was a "strategic idea". If you look at it more tactically, security is both a process and a product. He now talks about "people, process, and technology".
But there is a general idea that people can't help with security. There is a focus on automation for tasks like threat detection and system updates. However, response cannot be fully automated because it requires people to understand and react to what is happening. All attacks are different, the networks are different, the regulatory environments are different, and on and on. Those things are not necessarily different in technical ways, either; they are different in "people ways".
All of that means the people-to-technology ratio goes up for response. If you look at real-world emergency response (e.g. police and firefighters), it is similar. And, like with those organizations, security response needs technology that supports people, rather than replacing them.
That's where the USAF's feedback loop comes into play. An observe-orient-decide-act (OODA) loop, a concept formulated by USAF Colonel John Boyd, is what pilots repeatedly run during a dogfight. If you can perform that loop faster than your opponent, you will win the fight. The USAF uses the OODA loop to evaluate technology: it wants technology that supports the pilot in handling one of those four functions.
The same OODA loop is present in incident response, Schneier said. The speed of handling that loop is crucial. Being faster than the attacker means getting them out of your system. So the security industry needs tools to facilitate the OODA loop.
That means better tools to observe what is happening (observe) and to fill in the context from the outside world (orient), which would provide information like the presence of new malware observed in the wild, an upheaval in some country, or that the company is going through a merger. Tools to help with the decision-making process are needed as well (decide), which is an area that needs a lot more work, he said. Who gets to decide, and how those decisions are audited after the fact, are two important pieces of the puzzle. Finally, there is a need for tools to help take the decision and make it happen (act). All those areas are ripe for new tools and we are starting to see them, he said.
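The following is an added example, written for this page and not taken from Schneier's talk or from any Co3 Systems product, of what an OODA loop looks like when it is run over log data: observe parses raw events, orient attaches outside context (threat intelligence and asset criticality), decide applies a playbook and writes an audit record of who decided and why, and act turns the decision into a concrete command while the loop's elapsed time is measured. Every log line, IP address, hostname, the threat-intel entry, the asset list and the `ir-playbook-v1` decider name are constructed for illustration, and the `iptables` command is returned as a string rather than executed.

```python
"""Added example (not from the talk or the article): an observe-orient-decide-act
loop over constructed SSH log lines with an auditable decision record and a
per-run loop-time measurement. All hosts, addresses and feeds are constructed."""
import re
import time
from dataclasses import dataclass, field

# Constructed SSH authentication log lines: the raw input to "observe".
SAMPLE_LOG = """\
Sep 18 09:00:01 web01 sshd[4011]: Failed password for root from 198.51.100.23 port 51022 ssh2
Sep 18 09:00:02 web01 sshd[4011]: Failed password for root from 198.51.100.23 port 51023 ssh2
Sep 18 09:00:03 web01 sshd[4011]: Failed password for root from 198.51.100.23 port 51024 ssh2
Sep 18 09:00:09 web01 sshd[4011]: Accepted password for deploy from 198.51.100.23 port 51030 ssh2
Sep 18 09:01:00 db01 sshd[2200]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""

# Constructed orientation context: an external threat-intel feed and internal asset data.
THREAT_INTEL = {"198.51.100.23": "scanner seen brute-forcing SSH (constructed feed)"}
ASSET_CRITICALITY = {"web01": "medium", "db01": "high"}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


@dataclass
class Observation:
    host: str
    ip: str
    users: set = field(default_factory=set)
    failed: int = 0
    accepted: int = 0


@dataclass
class Decision:
    ip: str
    action: str          # "block", "watch" or "none"
    rationale: str       # the audit trail: why this was decided
    decided_by: str      # the audit trail: who (or which playbook) decided
    needs_approval: bool  # a human must sign off before "act" for critical assets


def observe(log_text):
    """Observe: parse raw log lines into per-(host, source IP) login statistics."""
    obs = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped, not guessed at
        o = obs.setdefault((m["host"], m["ip"]), Observation(m["host"], m["ip"]))
        o.users.add(m["user"])
        if m["result"] == "Failed":
            o.failed += 1
        else:
            o.accepted += 1
    return list(obs.values())


def orient(observations, intel=THREAT_INTEL, assets=ASSET_CRITICALITY):
    """Orient: attach outside-world context (threat intel, asset criticality)."""
    return [(o, intel.get(o.ip), assets.get(o.host, "unknown")) for o in observations]


def decide(oriented, decider="ir-playbook-v1"):
    """Decide: apply a playbook and record who decided and why."""
    decisions = []
    for o, intel_hit, criticality in oriented:
        if o.failed >= 3 and o.accepted > 0:
            # Repeated failures followed by a success: treat as a compromise in progress.
            who = ",".join(sorted(o.users))
            decisions.append(Decision(
                o.ip, "block",
                f"{o.failed} failures then success for {who} on {o.host}; intel: {intel_hit}",
                decider, needs_approval=(criticality == "high")))
        elif intel_hit:
            decisions.append(Decision(o.ip, "watch", f"intel match: {intel_hit}", decider, False))
        else:
            decisions.append(Decision(o.ip, "none", "no indicators", decider, False))
    return decisions


def act(decisions):
    """Act: turn approved decisions into concrete commands (returned, not executed)."""
    return [f"iptables -I INPUT -s {d.ip} -j DROP"   # hypothetical target command
            for d in decisions if d.action == "block" and not d.needs_approval]


def run_ooda(log_text):
    """Run the loop once and report how long observe -> act took."""
    start = time.monotonic()
    decisions = decide(orient(observe(log_text)))
    commands = act(decisions)
    return decisions, commands, time.monotonic() - start


if __name__ == "__main__":
    for d in run_ooda(SAMPLE_LOG)[0]:
        print(d)
```

The decision record is the part Schneier singled out as needing the most work: it captures who decided (here a named playbook version) and the rationale, so the decision can be audited afterwards, and it holds the action back for human approval on high-criticality assets instead of letting the loop act on its own.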
For the security industry, the 1990s were the decade of protection, while the 2000s were the decade of detection. This decade will be the decade of response. But, unlike protection and detection tools, response tools will not suffer the same fate—bad products pushing out the good. Because response tools will be people-oriented, the good products will beat out the bad. Incident response tools and products will change the industry, Schneier concluded.
| Index entries for this article | |
|---|---|
| Security | Incident response |
| Security | Keynotes |
| Conference | AppSec USA/2014 |
