How Can We Build an Agile Robust Resilient (Cyber)Security Defense System?

first published on LinkedIn on September 5, 2018

There is NO way to accomplish this - we cannot do it in principle (i.e. one cannot build a system that possesses all three properties at the same time - added to clarify as per prof Ganna Pogrebna's comment). This is because these properties are mutually exclusive (*see a caveat).

Indeed, by definition, Agility (=Flexibility) is "the inherent capability to modify a current direction to accommodate and successfully adapt to changes in the environment", whereas Robustness refers to "the ability to endure such changes without adapting", with Resilience being "the ability to survive these changes despite severe impact".

So, what can we do?

First, there will be always a trade-off. Second, different problems would call for different solutions.

Now, how can we identify those problems where the best solution (robust / flexible / resilient, in the right combination of the properties) would fit the purpose? And what are those solutions / capabilities, actually?

What if we use that beloved “risk-based” approach as our selection process, but not in the way we know it?

What if, by considering different statistical distributions (ones that better describe the different problems we face), we then identify solutions that better fit the purpose?

I will not give you a crash course on statistics here, but rather recommend that you listen to a great short talk by Dave Snowden that explains the above better than I could.

And now let’s apply this knowledge to our field:

- where the Gaussian curve works (e.g. opportunistic actors) we shall use robustness (i.e. a compliance regime to control frameworks, the Top 5/10/20 approach, best practice, cyber hygiene, CISSP BoK, etc.) – based on the empirical evidence I do see, it works here relatively well;

- in the Pareto world (e.g. targeted attacks by motivated actors a.k.a. APT, catastrophic incidents caused by the inconsiderate user, etc.) the previous approach just does not work (i.e. even compliant environments fall victim to successful targeted cyber-attacks or gross negligence) – so, what would work here then?
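The two bullets above can be made concrete with a small toy model. The code below is an added illustration, not part of the original post and not the author's own method: it draws deterministic quantile samples from a Gaussian and a Pareto impact distribution (constructed, with assumed parameters), measures how much of the total loss sits in the top 1% of events, and then applies two assumed controls: a "robust" preventive baseline that blocks a fixed share of events regardless of their size, and a "resilient" detect-and-recover capability that prevents nothing but caps what any single event can cost. The prevention rate, the containment cap and the distribution parameters are all assumptions chosen for illustration.

```python
"""Constructed toy model (added example): robust vs resilient controls
under a Gaussian and a Pareto-distributed impact. All parameters are
illustrative assumptions, not measurements."""
from statistics import NormalDist

N_EVENTS = 10_000


def gaussian_impacts(n=N_EVENTS, mean=100.0, sd=20.0):
    """Deterministic quantile sample of a 'Gaussian world': impacts cluster
    around a typical value and extreme events are vanishingly rare."""
    dist = NormalDist(mean, sd)
    return [max(0.0, dist.inv_cdf((i + 0.5) / n)) for i in range(n)]


def pareto_impacts(n=N_EVENTS, scale=100.0, alpha=1.2):
    """Deterministic quantile sample of a 'Pareto world': most events are
    small, but a few are orders of magnitude larger (heavy tail).
    Inverse CDF of a Pareto(scale, alpha): scale * (1 - u) ** (-1 / alpha)."""
    return [scale * (1.0 - (i + 0.5) / n) ** (-1.0 / alpha) for i in range(n)]


def tail_share(impacts, top_fraction=0.01):
    """Fraction of total impact caused by the largest `top_fraction` of events."""
    ranked = sorted(impacts, reverse=True)
    k = max(1, int(len(ranked) * top_fraction))
    return sum(ranked[:k]) / sum(ranked)


def robust_control(impacts, prevention_rate=0.95):
    """Assumed preventive baseline: blocks a fixed share of events, blind to
    their size. Returns (expected_loss, worst_single_event_that_gets_through)."""
    survived = 1.0 - prevention_rate
    return survived * sum(impacts), max(impacts)


def resilient_control(impacts, containment_cap=200.0):
    """Assumed detect-and-recover capability: prevents nothing, but early
    detection and fast recovery bound what any single event can cost."""
    capped = [min(x, containment_cap) for x in impacts]
    return sum(capped), max(capped)


def combined_control(impacts, prevention_rate=0.95, containment_cap=200.0):
    """Both capabilities together: the cap bounds the tail, prevention
    removes the bulk of what remains."""
    capped_total, capped_worst = resilient_control(impacts, containment_cap)
    return (1.0 - prevention_rate) * capped_total, capped_worst


def compare(impacts):
    """Expected loss as a fraction of the uncontrolled loss, and the worst
    single event, for each control option."""
    base = sum(impacts)
    options = {
        "none": (base, max(impacts)),
        "robust": robust_control(impacts),
        "resilient": resilient_control(impacts),
        "combined": combined_control(impacts),
    }
    return {name: (round(exp / base, 3), round(worst, 1))
            for name, (exp, worst) in options.items()}


if __name__ == "__main__":
    for world, impacts in (("gaussian", gaussian_impacts()),
                           ("pareto", pareto_impacts())):
        print(f"{world}: top 1% of events carry {tail_share(impacts):.1%} of loss")
        for name, (ratio, worst) in compare(impacts).items():
            print(f"  {name:9s} expected={ratio:6.3f} of baseline, worst event={worst}")
```

Run as a script, the Gaussian world shows the containment cap never binding (the resilient option costs effort and changes nothing) while the preventive baseline removes almost all expected loss. The Pareto world shows the opposite failure mode: the preventive baseline still lets an unbounded worst-case event through, only the cap bounds it, and the combination beats either alone on both expected and worst-case loss. That is the trade-off the two bullets describe, reduced to arithmetic on assumed numbers.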

Some time ago, with the support of my management and the encouragement and contributions of my colleagues and friends, I publicly shared the Enterprise Cyber Security Reference Architecture, where I defined and recommended considering the capabilities that form resilient (i.e. early detection and fast recovery) defenses. Together with robustness (i.e. preventative measures), those shall work across both statistical distributions (or, in other words, across different problem domains).

How do I know? I do not! Or, better said, I do not have data to prove it; however, we do see some empirical evidence in favor (e.g. those who, despite being unable to fully prevent the compromise, detected and responded to the APT compromises in a timely manner successfully minimized the impact of the events). And I formulate the statements in such a way that you can prove me wrong, should that be the case.

What I do know, however, is that what I suggest was specifically designed for early detection and fast recovery (i.e. resilience) and is different from the conventional approach, which was not designed for the environment we now live in. And where you use something outside of its designed purpose, it will usually fail, as we have already witnessed for millennia.

And finally, you shall ask: “Where will the Agility come from?” In my view, the Active Cyber Defense part of the Reference Architecture shall provide the agility that you are looking for.

* Notably, it does appear that Agile and Resilient can coexist, depending on the desired end state of the system (added to clarify as per prof Ganna Pogrebna's comment). But why? Perhaps it is deeply rooted in the nature of the Pareto-defined problem space, as both of these properties work better there. Also, whilst Robust solutions will fail in the Pareto world, Agile and Resilient ones can work in the Gauss-defined problem space. However, it will be too exhausting (i.e. expensive) to constantly respond to the large volume of insignificant events in the Gauss world; and yet it is possible, and will offer an advantage when Robust fails.

To conclude with a take-away: “The future belongs to those who recognize the need for strategic agility and with that comes the approach based on resilience rather than robustness.” – Dave Snowden, founder and chief scientific officer of Cognitive Edge.

NB: I do not pretend this to be the final version of the truth. However, I do see it as an evolution of the traditional conventional approach designed to address the challenges we face, and encourage us all to take a critical look at it, and collectively improve.

#think #analyze #cyberrisks #cyberthreats #cyberattack #risk #infosec #security #APT #informationsecurity