THE DEFENDER’S DILEMMA: CISOs and Execs to the right of me… APTs and Hackers to the left… Here I am stuck in the middle with you.
The Defender’s Dilemma:
This week I came across a tweet from @violetblue about an article she wrote for ZDNet on a RAND study that had recently been published: “The Defender’s Dilemma: Charting A Course Toward Cyber Security.” The report ostensibly showed that the end game for information security is as predicted by 99.9999 percent of the information security workers in the world today. Simply put, there is no winning the game, and you should really just listen to the WOPR and not play at all. How about a nice game of chess?
All kidding aside though, many in the game know that there is no winning the cyber war. All you can do is perhaps win battles. Endless battles. The war will never end unless by some miracle someone uses the Nash Equilibrium Theorem to bring all the game players to the table and stop the game with wins all around. I somehow doubt that this will happen, just as much as I doubt that the same model can be used against Da’esh, but that is a story for another day.
What this report is telling us, though, is pretty much common knowledge within the community, and I have to wonder just how many execs (who come out of this report looking none too good as to their cognizance of the issues) will actually, you know, read the report in the first place. It would seem that this report’s 169 pages are another echo within the INFOSEC echo chamber that once again the executives will not see, hear, or understand because there are too many words to read. Honestly RAND, after you say all these things, do you really even expect them to read the executive summary and understand it all?
Sampling Problems and Conclusions:
Eh… Still, even if someone like me were to try to synthesize this report into something comestible for the exec set, I would still have to deal with the fact that I dislike your sampling data and some of your conclusions, up to and including your heuristic model ten years into the cyber future. Honestly, what the ever living fuck, RAND? Let me start with your sampling of CISOs out there in the wide, wide cyber world.
As a result of interviewing 18 CISOs, we drew three sets of conclusions: those we expected, those that confirmed our suppositions, and those that came as surprises.
Eighteen CISOs? EIGHTEEN? Holy bad statistics, Batman! How do you even think you can conclude much of anything from such a small sample of the pool out there, RAND? I read that and I literally felt like I had just re-heard one of those old ads where “Nine out of ten dentists approve!” What bullshit is this? Ok, let’s forget the whole thing about sampling and statistics, ya know, math, and just go with the logic here of talking to only 18 guys. How do you know that these guys aren’t idiots? How engaged are these people? How efficacious is their leadership? I mean, all of these things matter when you are asking people for their considered opinions for some kind of study! This number reminded me of a quote from “Back To School” with the late Rodney Dangerfield.
Thornton Melon: [in college bookstore] Hey, you guys get everything you need?
Jason Melon: Oh, yeah, we got it.
Thornton Melon: Good… Hey! What’s with the used books?
Jason Melon: Well, what’s wrong with used books?
Thornton Melon: They’ve already been read!
Jason Melon: Yeah, and they already been UNDER-LINED, too. Get it?
Thornton Melon: That’s the problem. The last guy who under-lined them, he could have been a maniac! Hey, get these guys some new books. Huh? Get some new books, will ya?
The sample is important, kids, and RAND just screwed the pooch on that one. Which brings me to another interlude they had in the report that shows you just how important this is.
Oh… Wait… What am I thinking? I mean, how many CISOs are or were actual practitioners with real-world technical experience out there, huh? Now that would be a statistic that is rather important to the comprehension of the issue in the first place, right? Evidently RAND doesn’t think that this is an important data point in this study though. So yeah, we have “CISO’s GONE WILD” here as well as some seemingly tuned-in responses from the whopping sample of 18 respondents that finished an average of 15 out of 20 questions on their questionnaire. With these stats, these guys may as well be Ponemon, for fuck’s sake!
In the executive summary they lay out their conclusions from this study and, surprisingly, I agree with many of them, but from long experience in the field, not from 18 CISOs answering nearly twenty questions. Most of these are just common sense, really, and logical conclusions, and there was no need for a survey, however poorly constructed, to get to the answers. However, there are some gems in there.
The conclusions we expected were as follows:
•Security postures are highly specific to company type, size, etc., and there often are not good solutions for smaller businesses.
•The importance of intellectual property varies with the individual
•Cybersecurity is a hard sell, especially to chief executives.
….Yes, yes it is.
•Although CISOs generally lack a way to know whether they are spending enough on cybersecurity, they split between those who think spending is sufficient and those who feel more is needed.
….. So 50/50? Uhhh, clue please?
•Air-gapping, wherein networks are electronically isolated from the Internet, can be a useful option. (In a softer form, it is compatible with tunneling through the Internet but otherwise not interacting with it).
……. NO. WAY. How long have we been saying this?
•Responding to the desire of employees to bring their own devices (BYOD) and connect them to the network creates growing
…… WORST fucking idea EVER.
•CISOs feel that attackers have the upper hand, and will continue to have it.
…… Well, duh, they do. It’s asymmetric warfare, you idiots!
The conclusions that confirmed our suspicions were these:
•Customers look to extant tools for solutions even though they do not necessarily know what they need and are certain no magic
……..But Mandiant and others are more than willing to sell you a “wand.”
•When given more money for cybersecurity, a majority of CISOs choose human-centric solutions.
……..What? Where? WHO?!?! FO FUCK SAKES SHOW ME! Oh yeah… 18 CISOs. DERP.
•CISOs want information on the motives and methods of specific attackers, but there is no consensus on how such information could be used.
….What have I been saying? They want it, but really it’s USELESS. Hear that, TI firms?
•Current cyberinsurance offerings are often seen as more hassle than benefit, useful in only specific scenarios, and providing little
…..But they are all the rage in making sure your ass is covered.
•The concept of active defense has multiple meanings, no standard definition, and evokes little enthusiasm.
….Yes, well, they have not met Dave Aitel or any of the other boys who cry CYBER PEARL HARBOR!
•CISOs lack a clear vision on incentives
… Um, not being fired?
•Information-sharing tends to live within a web of trust.
….And next to the land of the unicorns with gumdrop kids.
•CISOs tend to be optimistic about the cloud, but, apart from those who sell cloud services, most are willing to be only cautious
…CLOUD IS THE NEW CYBER VIAGRA! But it isn’t the CISO’s choice; remember that CEO guy?
•CISOs are likely to assign lower priority to security-as-a-service
…Well, yeah, I mean, you wanna outsource everything and have nothing to control?
•CISOs, in general, are not ready to concentrate their purchases from a single vendor (but also are not sure that heterogeneity is the best solution, either).
…Meh, I have seen a lot of eggs in one place lately.
The conclusions that came as surprises were the following:
•A cyberattack’s effect on reputation (rather than more-direct costs) is the biggest cause of concern for CISOs. The actual intellectual property or data that might be affected matters less than the fact that any intellectual property or data are at risk.
…Ummm, yeah, if you have no CUSTOMERS then you don’t have REVENUE, right? WTF.
•In general, loss estimation processes are not particularly compre-
… Loss estimation of future events… Say, heard of the cat-in-the-box paradox?
•The ability to understand and articulate an organization’s risk arising from network penetrations in a standard and consistent manner does not exist and will not exist for a long time.
…Uhh, what? WTF? If you are pwn3d and your shit is stolen, you are fucked. Simple.
God… What a wankery waste of time having to read all that drivel. It gets worse though, as they philosophize on future events with heuristics. WOOOOOO! Now that’s a read! I had to extra coffee up for that nonsense. Look, if you want to study this shit, great, but unless you have a solution to the problem, why waste my time? Oh, and yeah, I will be the only one reading it all, because I have taken a poll of my own that shows EXECS DON’T FUCKING READ THIS SHIT NOR MUCH ELSE THAT SECURITY PUTS OUT!
I have linked the document above, so go ahead, if you like pain, and read the whole 169 pages. I did, and look how well adjusted I am!