Systems Engineering and the Security Imperative - PowerPoint PPT Presentation

About This Presentation
Title:

Systems Engineering and the Security Imperative

Description:

Solution Fitness. Knowledge Frameworks. Vulnerability. Anticipation. Prudence. Transfor ... Foreign equipment of contractors and employees needs network access. ... – PowerPoint PPT presentation

Number of Views:44
Avg rating:3.0/5.0
Slides: 15
Provided by: Rick8
Category:

less

Transcript and Presenter's Notes

Title: Systems Engineering and the Security Imperative


1
Systems Engineering and the Security Imperative
  • INCOSELas VegasSeptember 15-18
  • Rick Dove
  • Chairman, Agile Security Forum
  • (an open participation initiative in formative
    stage)
  • www/parshift.com/AgileSecurityForum
  • SecurityForum_at_parshift.com

2
Security Strategy Elements
  • Policy Goals, and principles governing how
    goals may be attained.
  • Procedure Proscribed method for satisfying
    policy.
  • Practice Implementation that carries out
    procedure.

Security Strategy Is... a business
system, not a collection of vendor technologies.
3
Examples
4
Information Security - Today
  • The Facts
  • Vulnerability Increasing points and modes of
    attack
  • Threat Increasing attackers and incidents
  • Risk Increasing value available for compromise
  • The Result
  • Time stolen by security measures is increasing
  • Money invested in security measures is increasing
  • Effectiveness and life-cycle of security measures
    are decreasing
  • ROI is Declining!

5
Security's Seven Ignorances of Reality
  • Human Behavior Human error, whimsy, expediency,
    arrogance, ...
  • Organizational Behavior Survival rules rule,
    nobody's in control, ...
  • Technology Pace Accelerating vulnerability-intro
    ductions, ...
  • System Complexity Incomprehensible, unintended
    consequences, ...
  • Globalization Partners with different ethics,
    values, infrastructures, ...
  • Agile Enterprise Outsourcing, on-demand,
    webservices, transparancy, ...
  • Agile Attackers Distributed, collaborative,
    self organizing, proactive, ...

For 50 years of IT-progress, management
policy/procedure/practice has followed behind ...
patching potholes.
6
Maintaining Systems in Unstable StatesTakes
Constant Energy Input
Security Process
Human Behavior
Security Process
Laws Litigation
Penalties Regulation
Rules Threats
Org Behavior
Reality Landscape
Expecting or enforcing ideal and repetitive
behavior ignores reality... and is not a
substitute for Strategy
7
A Rational Strategy Requires New Knowledge
  • A rational view of the problem
  • Reality bites what is its nature?
  • The problem is bigger than technology what is
    its nature?
  • The situation is in constant flux what is its
    nature?
  • A rational view of the solution
  • You are compromised now what?
  • Situation in constant flux what is proactive
    response-ability?
  • Excellence what is its nature?

8
Problem AnalysisKnowledge Frameworks
Problem Analysis Frwks
Agile Security Forum Pathfinder
Initiative www/parshift.com/AgileSecurityForum
include
Focus
Reality Issues
Situation Agility
dealing with
with reactive domains of
with proactive domains of
arising from
Policy
Technology Pace
Systems Complexity
Correction
Creation
Procedure
Agile Enterprise
Globalization
Variation
Improvement
Practice
Human Behavior
Otg Behavior
Expansion
Migraation
Agile Attack Community
(Perhaps More)
Reconfig- uration
Modification
The Bite
Problem Breadth
Situation Flux
9
Solution FitnessKnowledge Frameworks
Solution Fitness Frwks
Agile Security Forum Pathfinder
Initiative www/parshift.com/AgileSecurityForum
include
Excellence Principles
Agile Principles
Reality Objectives
of
with proactive domains of
with reactive domains of
of
Requisite Variety
Self Contained Units
Evolvable Framework
Vulnerability Anticipation
Detection
Parsimony
Plug Compatibility
Elastic Capacity
Prudence
Containment
Delight
Facilitated Reuse
Self Organization
Transfor- mation
Mitigation
Deferred Commitment
Distributed Ctrl Info
Threat/Risk Anticipation
Assessment
Redundancy Diversity
Peer-Peer Interaction
Migration
Recovery
Rick Dove, Response Ability, Wiley 2001
Accountability
Accountability
(proactive)
(reactive)
Situation Flux
Excellence Nature
Assume Compromise
10
Excellence Principles Strawman Framework
  • Requisite Variety
  • Ashby's Law "The larger the variety of actions
    available to a control system, the larger the
    variety of perturbations it is able to
    compensate....variety must match variety."
  • Any effective system must be as agile as its
    environmental forces.
  • Reality-compatible (rational) policy, procedure,
    and practice.
  • Functional Quality.
  • Parsimony
  • Occam's Razor Given a choice between two ...
    choose the simplest.
  • Unintended consequences are the result of
    complexity.
  • Humans can only deal with 5-9 items
    simultaneously.
  • Bounded rationality (Herb Simon).
  • Reduces perceived Risk.
  • Delight
  • Engenders feelings of Trust and Respect.
  • Aesthetic Quality.

11
Reality Objectives - Strawman Framework
Proactive Principles Vulnerability Anticipation
Identify/fix vulnerabilities before
exploitation, sense indirect indicators of
exploitation Prudence Correct vulnerabilities
before exploitation Transformation Change
randomly the elements/nature of security system
Threat/Risk Anticipation Identify and counter
threats and risks before exploitation Migration
Continuous upgrade of security strategy and
components Accountability (Proactive) Identify
perpetrators with traps, glass houses,
disinformation, etc, before damage
Reactive Principles Detection Detect
intrusion and damage quickly Containment
Minimize potential damage scope Mitigation
Minimize potential damage magnitude Assessment
Understand what has been damaged and how
Recovery Repair damage quickly
Accountability (Reactive) Identify the
perpetrators forensically, after damage
12
Early Rational-Security Examples
  • Buffer overflows coders will create them, QA
    will miss them. AMD Solution New processors
    will stop them (shift point of focus).
  • Access-rights to critical resources will be
    abused. Military Solution Two-person access
    required on critical elements.
  • Credit Card Theft eSites will make it easy to
    re-order. SWA Solution Retain the trivial info,
    don't retain the number.
  • MA interconnect will occur quickly. Cisco(?)
    Solution Strategic fast/phased/buffered
    integration process.
  • Known vulnerabilities will exist in systems. HP
    Solution "Active Countermeasures" probe and
    remediate. Sygate Solution Magellan product
    shows real-time network node states.
  • New virus/worm versions defy advance signature
    filtering. HP Solution "Virus Throttle" detects
    infection-speed and stops it. Symantic Solution
    "Generic Exploit Blocking" filters for
    vulnerability exploit-pattern.
  • Foreign equipment of contractors and employees
    needs network access. Sygate solution
    End-point, acceptable-equipment-condition access
    monitor. Anonymous solution AV vendor sends
    updates to employee-equipment.
  • Many/complex/changing passwords users will
    write them down. Dove Solution write all into
    one strongly-encrypted user file.
  • Rogue employees will be bought or go
    postal. Mitigation Assume penetration is a
    natural state and act accordingly.
  • Outsource Centers will become major opportunity
    targets. Mitigation Security-level agreements,
    Compartmentalized hard/soft/wet-ware.

13
Agile Security Forum
Pathfinder Initiative Concept of Operations
This is a map summarizing concept
relationships. It is not a flow chart or
organizational structure. Relationships are read
downward along connecting lines.
Pathfinder Initiative
provides
has
provides
Participant Value
Operating Modes
Market Value
Deliverables
Mission
cause
documented as
create
of
of
Solution Profile
Situation Profile
Broad Pursuit of Strategy
Rational Strategy Profile
Deep Effective Insight
Roadmap for Action
Wake Up Call
of
augmented with
with immediate guidance for
Knowledge Discovery
Community Preparation
developed by
Pathfinder Group
Preliminary Community Agenda
Refined Knowledge Frameworks
conducted by
of
assisted by
Forum Staff
Users and Developers
Media and Research Firms
with
Community Involvement Plan
Rational Practices
Rational Procedures
Real People
assisting
coordinating
providing
representing
Rational Policy
CFO/HR/ CIO/CSO CTO/Mkt
affecting
affecting
working on
Methods Controls
Technology Activities
Real Problems
Logistics, Planning and Facilitation
Community Awareness
Deliverable Construction
developing
Solution Fitness Profile
Situation Reality Analysis
affecting
in
with
Expectations Objectives
Real Time
Management
Initial Knowledge Frameworks
Structured Workshop Procedures
Mission Accountability
of
on
Current Personal Issues
9 Months
see detail maps
14
Rational Security Strategy
  • A strategy that ignores reality
  • is a loosing proposition.
  • Humans and organizations swim in reality,
  • and naturally fight incompatibilities.
  • "Unintended consequences are inevitable.
    Nevertheless, we are responsible both for what
    we do and what we fail to dowith technology and
    strategy."

Pathfinder Initiative Participation
Inquiries AgilityForum_at_parshift.com
Quote from "Frankenstein Today" by Scott
Yoder http//www.msu.edu/marianaj/frank2.ppt
Write a Comment
User Comments (0)
About PowerShow.com