We Need More “New School”

Ed Bellis    September 26, 2011

One of the most influential books I have read on information security is The New School of Information Security by Adam Shostack and Andrew Stewart. There’s a lot to it and I highly recommend reading it, but the basic premise revolves around using more data to make informed decisions. Think of it a bit as a Moneyball for information security.

The security industry desperately needs more new school practices. We are an industry largely driven by Fear, Uncertainty, and Doubt (FUD) along with demagoguery and secrecy. This has not been serving us well. We have been pushed a list of controls labeled as “best practices” with little or no data to support them. On top of this, we as practitioners have been highly resistant to sharing the information that could lead to the kind of learning other, similar industries have achieved.

Before founding HoneyApps, I was the CISO for a large ecommerce company. In my six-year tenure I became envious of the fraud team and the information they were able to glean from and share with other anti-fraud practitioners across the industry (even competitors!). Through large groups such as the Merchant Risk Council, fraud professionals were openly sharing tactics and learning from each other about what’s effective and what’s not. They would share not only anti-fraud controls that ultimately better the industry, but could even openly discuss specifics around fraud rings, tactics and failed controls, and effectively block and react to them as a result. In information security, the situation is much worse. Not only are we not sharing this information, but those on the other side are! A recent post on VentureBeat covering the O’Reilly Strata Conference discussed how online criminals are sharing information and resources to make the most of their opportunities. To quote:

“They are probably ahead of the curve on cooperating with their competition. I think it will be a long time before Pepsi has a serious conversation with Coke, but surprisingly Japanese Yakuza will talk to Chinese triads, one cartel may talk to another if it has a specific area of expertise.”

Combine this with the lack of information sharing in our industry, and the situation is unacceptable. From a recent blog post by Adam Shostack:

“But in information security, we keep our activities and our outcomes secret. We could tell you, but first we’d have to spout cliches. We can’t possibly tell you what brand of firewall we have, it might help attackers who don’t know how to use netcat. And we certainly can’t tell you how attackers got in, we have to wait for them to tell you on Pastebin.”

Our lack of sharing is preventing us from learning what works and what doesn’t. While most of us tout that “security by obscurity” doesn’t work, we still practice it daily. My long-term vision of what we deliver at HoneyApps is one that changes this. While we fully understand that security vulnerabilities and remediation are only one piece of a larger risk management program, there is still significant learning to be had. We are working towards building out additional services to allow practitioners not only to make sense of their own vulnerability management and remediation program but also to learn from other practitioners. Many of these services will be free and open.

We are firm believers in “The New School” and will look to apply meaningful data to help make better security decisions. I recommend checking out the blog based on the book. I hope it provides you with a new school way of thinking, allowing for more informed decisions based on evidence rather than myth and legend.

8 thoughts on “We Need More ‘New School’”

  1. Pingback: Thanks, Risk I/O « The New School of Information Security

  2. Christoffer Strömblad

    I agree, but isn’t it about time we stop reiterating what has already been said a million times before? How do you suggest we do this? What are your ideas for actually gathering more data and sharing it?

    One initiative that is attempting to address the issue of “no-data” is VERIS (Verizon Enterprise Risk and Incident Sharing). I think it’s a brilliant idea that we (information security community) should support. Even if it’s not ideal (what is?), it’s a start and it could surely only get better, right?

  3. Ed Bellis (Post author)

    @christoffer I agree with your assessment of VERIS. Having worked with it and contributed feedback, I think it’s a step in the right direction. I disagree that there is “no-data” out there today. Security practitioners are sitting on a mountain of data that often goes unused or overlooked. I recently gave a presentation on building a security data warehouse using both internal and public data, including advocating the use of VERIS. While the data out there is far from perfect, there’s a lot more that we could be using.

    We are working on additional tools to publish here at HoneyApps in hopes of getting additional information sharing and learnings out there. There’s still a lot we can learn from other industries including Fraud Management.

    That said, given what I still run into on a daily basis, reiterating these ideas is absolutely necessary. While many of us in the echo chamber can say “yeah, yeah, I get it”, the vast majority have yet to come to this conclusion.

  4. Christoffer Strömblad

    Not sure I said anything about no-data? I too believe that there is an abundance of data out there, only in a fairly unintelligent state.

    The problem I keep running into is organizations’ reluctance to part with said data, even though there is a below-zero chance of anyone identifying it as specific to that particular organization.

    There seems to be a certain, what shall we say, hesitation about anonymized sets of data. Even though this data would be incredibly useful, there is a certain attitude towards contributing. It’s almost as if it’s … bad, to be part of such a data set, almost as if it’s a sort of acknowledgement of their failure to protect data (assuming incidents).

    Then you’ve got the type of organization with no incident management whatsoever, and those that have it but have not established a corporate culture to reward or “stimulate” reporting incidents. Again, there is an incredible tendency to assume that once the technology is in place, the problem has been solved.

    ISMS anyone? You know… the software to manage information security? System… application and stuff. I digress…

  5. Alex

    Christoffer,

    As both a developer of VERIS and a NewSchool blogger, you’ve put me in a weird place. Thanks (I think)!

  6. Pingback: A Quick SecTor Recap — HoneyApps - The Blog

  7. Pingback: Are The Feds Going New School? — HoneyApps - The Blog
