Full disclosure: I wasn’t physically at BlackHat 2017. But my colleagues who attended told me about the keynote by Alex Stamos, CSO at Facebook.
When I did a Google search to find the slides, I found that the full talk was recorded and available online. Unfortunately, for such an important video, it had received surprisingly few views. So I thought it would be worth discussing the parts of his talk that I found the most interesting and inspiring.
First, this talk wasn’t about the practicality of a new attack, a demo of an ATM spitting bills into the air, or some other flashy eye-catching event. Instead, he asked the more fundamental question of how we, the people in the information security field, can help make the future safer. The answer to such a complicated question is probably simpler than you might think.
I believe that, like many things in life, we as security practitioners sometimes forget the basic 80/20 rule (or, at the extreme, 99/1). I repeatedly hear from prospects and customers that they plan for disaster, which is certainly a good practice. But if this focus on the worst-case scenario dominates their decision-making process, it can actually have a negative effect on their security. If you acted this way in day-to-day life, there is a good chance you would avoid flying, driving, and other daily acts that look risky when viewed through the lens of the extreme, uncertain case.
Don’t get me wrong, I am not suggesting that we should avoid preparing for the worst. But, we should not let this voice sit alone in the driver’s seat. I believe that alongside measuring risk, it is important to measure the impact. Adding this to the equation adds depth to the picture.
Alex Stamos returned to this concept throughout his talk, for example when he mentioned that we as humans tend to focus on complexity rather than on harm. He noted that we have perfected the way of finding problems without solving the root issues. For me, this is the essence of the talk, because as he correctly noted, adversaries will do the simplest thing to achieve their goal. They aren’t making a living out of complexity.
I’ve seen this over and over in my career. Whenever yet another CVE is published, I get questions from all around asking how to protect against it. But rarely do people stop for a second to think: is this a realistic attack, or is it just a theoretical attack that will take huge effort to execute, such as tapping the CPU on machines to learn about cryptographic keys?
Certainly, there are organizations that are worth the effort of attacking using these vectors, but we have to deal with the simpler issues first. Adversaries aren’t going to do a bunch of intricate, custom work if there are far easier ways to attack.
Preempt’s publicly available stats prove that there is more exposure than you might think. This data was gathered anonymously from organizations using Preempt Inspector, our free assessment app (a new version with even more capabilities is on the way).
I have repeatedly seen organizations whose executives use weak passwords, but security personnel are afraid to tell them. I have seen employees with excessive rights, or who abuse their privileges, but politically it is inconvenient to make a change. I have seen companies with unused servers and unpatched systems, along with many other risk KPIs that affect the overall security posture of the organization much more than the threat of a 0-day or even a targeted attack.
It boils down to two very important slides in the talk. The first describes the way risk vs. harm looks from a high level:
Then in more detail:
To paraphrase: the industry is overly focused on the top of the pyramid. While the top of the pyramid is important and should not be neglected, most of the real-world harm is caused by the standard issues. In most cases we prevent real harm in our networks not based on how we deal with the rare 1%, but rather on how we address the 99% every day.
Real change will only come if we focus on the real issues that cause most of the impact.
These are things such as abuse of accounts; has anyone heard of users taking shortcuts and (ab)using privileged service accounts to elevate rights and get their work done?
What about users using weak passwords that are easy to break because they are in publicly available password dictionaries? Or unpatched systems that can be exploited? You get the point.
These are not complicated problems, but we see them repeatedly in most networks. I believe that in order to be better we should balance our efforts based on risk and impact, to make sure we address the common real issues, even if they are simpler and less sexy to deal with than complex attack vectors.
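As an added illustration of the weak-password point above (this is example code written for this post, not Preempt Inspector’s code or anything from the talk), the check below folds the usual user tricks (capitalisation, leet substitutions, a trailing year or "!") back to the underlying word and tests it against a password dictionary. The dictionary and the account list are constructed samples; a real audit would load a public wordlist from a file and compare password hashes rather than plaintext, which is used here only to keep the example self-contained.

```python
import re

# Constructed stand-in for a publicly available password list.
# In practice this would be loaded from a file with hundreds of thousands of entries.
PUBLIC_DICTIONARY = {
    "password", "welcome", "summer", "letmein", "qwerty", "123456", "companyname",
}

# Common single-character "leet" substitutions, mapped back to the letter they replace.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Digits and punctuation users typically bolt onto the front or end of a word.
DECORATION = r"[\d!@#$%^&*._-]+"


def normalize(candidate: str) -> str:
    """Collapse 'Summer2017!' to 'summer' and 'P@ssw0rd' to 'password'.

    Decorations are stripped before leet folding so that a trailing '2017!'
    is removed as a unit rather than being turned into letters.
    """
    base = candidate.lower()
    base = re.sub(DECORATION + "$", "", base)   # trailing year / digits / symbols
    base = re.sub("^" + DECORATION, "", base)   # leading digits / symbols
    return base.translate(LEET_MAP)


def weakness_reasons(candidate: str, dictionary=PUBLIC_DICTIONARY, min_length: int = 12) -> list:
    """Return the reasons a password fails the check; an empty list means it passes."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = normalize(candidate)
    if candidate.lower() in dictionary:
        reasons.append("exact dictionary match")
    elif base and base in dictionary:
        reasons.append(f"derived from dictionary word '{base}'")
    return reasons


# Constructed sample accounts (username, plaintext password) for the audit below.
SAMPLE_ACCOUNTS = [
    ("ceo", "Summer2017!"),
    ("svc_backup", "P@ssw0rd"),
    ("alice", "correct horse battery staple"),
    ("bob", "Qwerty!23"),
    ("carol", "Tr0ub4dor&3"),
]


def audit(accounts, dictionary=PUBLIC_DICTIONARY) -> dict:
    """Map each failing username to the list of reasons its password is weak."""
    findings = {}
    for user, password in accounts:
        reasons = weakness_reasons(password, dictionary)
        if reasons:
            findings[user] = reasons
    return findings


def weak_fraction(accounts, dictionary=PUBLIC_DICTIONARY) -> float:
    """Share of accounts with a weak password: the kind of exposure stat discussed above."""
    if not accounts:
        return 0.0
    return len(audit(accounts, dictionary)) / len(accounts)


if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(reasons)}")
    print(f"weak accounts: {weak_fraction(SAMPLE_ACCOUNTS):.0%}")
```

The normalisation is deliberately simple; its value is that it catches the dictionary word behind the decorations a password-complexity policy pushes users toward, which is exactly the "simple issue" category this post argues should be fixed first.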
I believe that an identity-centric platform can be a key part of this change. By empowering people and organizations with security that engages with users, adapts to the situation, and automatically responds, we can make them part of the everyday security fabric. Done right, we can remove the inconvenience to users while vastly improving the security posture of the organization. If the goal is to reduce harm, this has to be job one.