A global pandemic. An unprecedented cyberattack. Unrelenting challenges. Despite it all, cybersecurity endured: 2020 tested us – it didn’t break us. We’re an industry built on resilience, a sector that adapts, innovates and evolves. But the next test is coming. So let’s celebrate our strengths, share what we’ve learned and expand our community to continue protecting what matters most.
- It is indeed quite a hill we must climb, and our recent times have certainly felt dark. To the security teams, analysts, engineers, investors, and media tuning in from around the world, welcome. I hope you and your families are safe and healthy. It's been 15 months since we met, right before the pandemic stopped the world in its tracks. And in that time, countless doctors, nurses, and other first responders have been brave enough to be the light for all of us. They've worked tirelessly to save lives, and we owe them our gratitude. I also want to express my deepest thanks to each of you, our digital first responders. When everything was upended, you made sure that kids could still log into their classrooms, researchers could collaborate on vaccines, and governments could serve their citizens. Though I'd prefer to thank you all in person, virtual formats like this symbolize the year we've had, the adaptations we've had to make, and the theme of RSA Conference 2021, resilience.

So how has that theme played out over the last year? In 2020, we experienced the first death attributable to a cyber attack; a global software supply chain attack with a blast radius affecting at least 18,000 organizations; social media accounts belonging to former presidents, CEOs, and celebrities compromised by, no less, a 17-year-old. These stumbles might suggest that we are not very resilient. A counter-argument, though, is we fended off the largest distributed denial-of-service attack ever recorded, at 2.3 terabits per second, and protected the safety of our water supply. While we have certainly fallen down, every time we have fallen, we have gotten back up. So aren't we pretty resilient after all?

Ultimately, being resilient is not good enough; we must be good at resilience. But are we? Let's start by defining resilience. Resilience isn't just about getting up when you fall. To be good at it, we must fall less often, withstand the fall better, and rise up stronger every time.
So over the next few minutes, I will walk through three ideas for us to consider in order to get better in our resilience journey. So what on earth do tigers, airplanes, and sewing machines have to do with cyber resilience? Let's find out.

March 2020 was unforgettable. It brought the start of the lockdown and the premiere of "Tiger King". 34 million people watched "Tiger King" in its first 10 days. Eventually, 64 million households would tune in. That's an incredible surge, and it got me thinking: how does Netflix ensure that its 203 million subscribers can stream whatever they want whenever they want it? Netflix does not fall down often: less than 30 seconds a week. In 2011, Netflix was preparing to move its content from the data center to the cloud. The new availability and performance were critical to user experience, and they had to design a fault-tolerant architecture within an environment they didn't fully control. So they invented something called Chaos Monkey. Imagine a monkey shutting down production instances and chewing through cables in your data center. By bringing in and building in chaos, this tool accounted for a common type of failure and ensured graceful degradation and survival without any customer impact. In fact, simulating chaos worked so well, it inspired the creation of the Netflix Simian Army, a collection of tools to help prepare for chaos: the latency monkey, conformity monkey, and, yes, for sure, security monkey. It's that kind of engineering that has helped Netflix build a resilient and successful business, and ensured we could all binge "Tiger King".

Chaos is a pretty good way to describe our context in cybersecurity: boundless, complex, hyper-connected and dynamic tech stacks sitting on multiple clouds; workloads that move about everywhere; machine and human actors working, playing, learning from anywhere; and the added randomness of malicious actors trying to disrupt, steal, subvert, and instill fear. How can you secure chaos?
You can't, you don't. You focus on resilience by embracing chaos. How? One, expect the unexpected; two, trust no one; and three, compartmentalize failure zones.

In cybersecurity, to practice chaos and reliability engineering, teams should constantly assess and test their responses. Attack your own network and see if you recorded that attack, because if you don't have visibility, then you don't know what to defend. And once you do have visibility, use threat intelligence to understand your vertical's likeliest antagonists, including their methods. And then in addition to modeling the likeliest attack, make sure to throw in a few unlikely ones in your red and blue team exercise.

Zero trust was always important, but in the post-COVID work-from-anywhere-always world, it is an imperative. It is a mindset, not just an architecture. Micro-segmentation, providing layer seven threat prevention, and risk-based continuous multifactor authentication are critical components, but most important of all is to limit trust to what is absolutely required and never elevate trust based on unreliable factors.

The Global System for Mobile Communications predicts that IoT connections will reach almost 25 billion globally by 2025, and that might be an underestimation based on the traction of 5G. By some estimates, we are connecting 127 devices to the internet every second. And it's not just connected devices, it's connected organizations and the private data flowing through this value chain. Companies increasingly rely on third parties and on average share confidential and sensitive information with approximately 583 third parties. Yet only a third keep a comprehensive inventory of these third parties. Too many dominoes stacked too tightly together. Look, we can't ensure that each domino remains upright. Instead, we have to space them farther apart. What does that mean? Implement third-party risk assessments to map your organizational business graph to get a vectorized view of risk.
Implement network segmentation and least privilege not just in east-west scenarios or southbound traffic, but northbound as well. It's like wearing a mask. We should wear one not just to protect ourselves, but to protect others. What if the SolarWinds servers were only allowed to talk to the known good, rather than being disallowed to connect to the known bad? Could the Twitter hack have been avoided if the employees had not been trusted to change the email addresses of accounts? By being prepared for chaos, we will fall less often.

But despite our best efforts, at some point along our journey, the terrain will shift, the ground will catch our feet, and we will stumble. This next section is about withstanding the fall. In World War Two, the Allies faced a version of this problem. They needed to minimize damage to their aircraft in order to keep them flying. They worked with a statistician named Abraham Wald from Columbia University who examined damaged aircraft that had returned from missions. He saw where the bullets had hit, and used those patterns to recommend where engineers should place additional armor. Before Wald, the military assumed that they should reinforce the areas drawing the most fire. But after looking at the damage, Wald made a counterintuitive recommendation: place the extra armor in the areas that showed the least damage. Why? The aircraft that Wald examined may have been damaged, but had returned safely to base. The unscarred areas had been enough to carry the plane back home.

Wald's remarkable insight bears an important lesson for us. Today, we are confronted with a modern version of Wald's problem: there's only so much armor to go around, and too much armor can slow us down. We are all working with limited resources, so we have to prioritize intelligently. We have to protect the areas that represent the greatest risks, not where we see the most holes.
The NIST Cybersecurity Framework does an excellent job of proposing a risk-based approach to cyber. Here is what DHS Secretary Mayorkas had to say about resilience.
- Pursuing cyber resilience requires a third principle, namely a focus on a risk-based approach. Determining what risks to prioritize and how to allocate limited resources is crucial to maximizing the government's impact.
- The US government faces many cyber missions, and in 2020, CISA ascertained that the US presidential election was foundational to our democracy and we needed to put more armor there. By prioritizing it, CISA protected the cyber aspects of the election. Every organization, not just the federal government, needs to deploy an integrated risk management solution, and implement methods to quantify all risk, including cyber risk.

Since the cyber onslaught is unrelenting, we cannot review all that happens. We simply don't have enough human cycles to prioritize cyber incidents. We need to leverage the superpower of the cloud, and apply machine learning and AI to implement artificial prioritization, AI to analyze incidents and prioritize them for response. Extended detection and response, or XDR, solutions that bring all the data from the entire attack surface, network, endpoint, cloud, IoT, et cetera, into one place and leverage cloud-based analytics are a recipe for artificial prioritization. By prioritizing based on risk and protecting what matters most, we will ensure that when we fall, we will withstand it.

The third aspect of resilience is rising up stronger when we inevitably fall. So let's review a story about sewing machines to understand this. The Self Employed Women's Association, or SEWA, supports nearly 2 million low-income women, their families, and their communities in India. The pandemic and India's lockdown have been particularly hard for SEWA. But after 49 years of helping its members persevere, SEWA knows the powerful role a community plays in responding to a crisis. When the lockdown forced everyone indoors, women from across SEWA turned to their sewing machines to make masks for government officials, hospitals, and their families. As India braves the second wave of the pandemic, SEWA and other organizations around the world continue to play a critical role in provisioning oxygen, plasma, money, and other supplies.
If you have the means, I ask that you consider supporting their efforts. The SEWA story shows that those that belong to a community rise up stronger because they rise up together. In cyber security, I have often stated we must be inclusive to nurture and grow our community. We need to bring not just the security professionals but IT and business as well into our community. We need to find a way to attract diverse and neurodiverse talent. For 30 years, RSA Conference has helped us do just that. Today, we have broader participation, deeper sharing, and wider representation than ever before. We seek your continued engagement as we reimagine the conference for the post-COVID world with hybrid events and a year-round model.

Today, I also implore us to consider another idea to grow our community. This is Marcus Hutchins. When he was nine, Marcus took apart his family's computer and the code that operated it. At 14, he created a password stealer. At 15, he ran a botnet of more than 8,000 hacked computers. And then in 2017, he was the individual that found the kill switch for the WannaCry worm, saving the internet. It wasn't a straight and narrow path for Marcus, though he eventually worked his way into a legitimate cybersecurity career. He was on the dark side, but became a gray hatter. In 2017, he was arrested and faced a trial for his past misdeeds. The judge's lenient sentence acknowledged his remarkable contribution. This was an act of inclusion and profound wisdom that shows us that we need to find a way to never give up on bright minds and attract them into our community. We need to recruit better than the adversary.

Our community has shown remarkable solidarity when one of us falls. We may have competition within the community, but we have each other's back. We are getting better at sharing and learning, so when one of us falls, all of us learn. We all rise up stronger. In 2020, we saw cyber incidents of unprecedented scale and scope.
But let's note that we have not yet encountered a global cyber pandemic. Hard as our journey may seem, we have not been fully tested yet, and must remain vigilant. The next leg of a long journey is just beginning. There will certainly be challenges, stumbles, and failures. But I hope that these three examples and the stories behind them will inspire us to go the distance. We can do so by preparing for chaos, prioritizing smartly, and leveraging the power of our community. Tigers, airplanes, sewing machines. And if we do so, we will fall less often, withstand the fall when we do, and rise up stronger. We will get better at resilience.

So let me leave you with one last image to carry on your journey. Kintsugi is Japanese for golden seams or golden repair. It is the art of using gold lacquers and resins to restore broken pottery and ceramics. But kintsugi does more than restore, it transforms. It doesn't hide falls and breaks, it highlights them. The golden wound becomes a celebration of the hands that put things back together, a celebration of the purposefulness and learning from the process, a celebration of resilience. So friends, take some time this week to celebrate our resilient journey. Continue to believe in the light even if we can't see it sometimes. Continue to be the light. Thank you.
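The keynote's SolarWinds question, allowing a server to talk only to the known good rather than blocking the known bad, is the difference between an egress allow-list and a deny-list. The following is an added example, not code from the keynote or from RSA; the workload names, addresses, ports and both policy tables are constructed for illustration. It evaluates the same four outbound connection attempts under each policy and shows where they diverge: a destination nobody has seen before is not on any deny-list, but it is also not on the allow-list, so default-deny stops it.

```python
"""Allow-list ("only the known good") versus deny-list ("block the known bad")
egress policy. Added example for this page; everything below is constructed."""

from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str    # workload initiating the connection (constructed name)
    dst: str    # destination IP address
    port: int   # destination port
    note: str   # constructed label, only for readability


# Constructed outbound flows from a monitoring server. The first three are its
# legitimate business; the fourth is a never-before-seen host that plays the
# role of a fresh command-and-control address. Because it is new, it appears
# on no deny-list.
FLOWS = [
    Flow("monitoring-server", "203.0.113.10", 443, "vendor update service"),
    Flow("monitoring-server", "10.20.0.5", 514, "internal syslog collector"),
    Flow("monitoring-server", "10.20.0.53", 53, "internal DNS resolver"),
    Flow("monitoring-server", "198.51.100.77", 443, "never-before-seen host"),
]

# Deny-list policy (assumed table): block only destinations already known bad.
KNOWN_BAD = {ipaddress.ip_network("192.0.2.0/24")}

# Allow-list policy (assumed table): per workload, the (network, port) pairs it
# is permitted to reach. Anything not listed, including any workload with no
# entry at all, is dropped by default.
ALLOWED = {
    "monitoring-server": {
        (ipaddress.ip_network("203.0.113.10/32"), 443),
        (ipaddress.ip_network("10.20.0.0/16"), 514),
        (ipaddress.ip_network("10.20.0.0/16"), 53),
    },
}


def deny_list_permits(flow: Flow) -> bool:
    """Deny-list semantics: permitted unless the destination is known bad."""
    dst = ipaddress.ip_address(flow.dst)
    return not any(dst in net for net in KNOWN_BAD)


def allow_list_permits(flow: Flow) -> bool:
    """Allow-list semantics: permitted only if an explicit rule matches both
    the destination network and the port for this source workload."""
    dst = ipaddress.ip_address(flow.dst)
    rules = ALLOWED.get(flow.src, set())  # unknown workload -> no rules -> deny
    return any(dst in net and flow.port == port for net, port in rules)


def evaluate(flows):
    """Map (dst, port) -> (deny_list_verdict, allow_list_verdict)."""
    return {(f.dst, f.port): (deny_list_permits(f), allow_list_permits(f))
            for f in flows}


def blocked_by_allow_list_only(flows):
    """Flows the deny-list lets through but the allow-list stops: the gap
    between 'not known to be bad' and 'known to be good'."""
    return [f for f in flows
            if deny_list_permits(f) and not allow_list_permits(f)]


if __name__ == "__main__":
    for f in FLOWS:
        d = "ALLOW" if deny_list_permits(f) else "BLOCK"
        a = "ALLOW" if allow_list_permits(f) else "BLOCK"
        print(f"{f.dst}:{f.port:<4} {f.note:<26} deny-list={d:<5} allow-list={a}")
```

The deny-list passes all four flows, including the unknown host, because a deny-list can only name what has already been seen; the allow-list passes the three legitimate flows and blocks the fourth. The same shape applies to east-west traffic: a workload that is absent from the allow-list table gets no rules and therefore no connections, which is the least-privilege default the keynote argues for.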
Security Strategy & Architecture Business Perspectives
cloud security risk management security awareness threat management zero trust