One of the most influential books I have read on information security is The New School of Information Security by Adam Shostack and Andrew Stewart. There’s a lot to it and I highly recommend reading it, but the basic premise revolves around using more data to make informed decisions. Think of it a bit as a Moneyball for information security.
The security industry desperately needs more new school practices. We are an industry largely driven by Fear, Uncertainty, and Doubt (FUD), along with demagoguery and secrecy. This has not been serving us well. We have been handed a list of controls labeled “best practices” with little to no data to back them up. On top of this, we as practitioners have been highly resistant to sharing the kind of information that has allowed other, similar industries to learn from experience.
Prior to founding HoneyApps, I was the CISO for a large ecommerce company. In my six-year tenure I became envious of the fraud team and the information they were able to glean from, and share with, other anti-fraud practitioners across the industry (even competitors!). Through large groups such as the Merchant Risk Council, fraud professionals were openly sharing tactics and learning from each other about what’s effective and what’s not. They would share not only anti-fraud controls that ultimately better the industry, but could even openly discuss specifics around fraud rings, tactics, and failed controls, and as a result could effectively block and react to them. But in information security, the situation is much worse. Not only are we not sharing this information, but those on the other side are! In a recent post on VentureBeat covering the O’Reilly Strata Conference, they discussed how online criminals are sharing information and resources to make the most of their opportunities. To quote:
“They are probably ahead of the curve on cooperating with their competition. I think it will be a long time before Pepsi has a serious conversation with Coke, but surprisingly Japanese Yakuza will talk to Chinese triads, one cartel may talk to another if it has a specific area of expertise.”
Combine this with the lack of information sharing in our industry, and the situation is unacceptable. From a recent blog post by Adam Shostack:
“But in information security, we keep our activities and our outcomes secret. We could tell you, but first we’d have to spout cliches. We can’t possibly tell you what brand of firewall we have, it might help attackers who don’t know how to use netcat. And we certainly can’t tell you how attackers got in, we have to wait for them to tell you on Pastebin.”
Our lack of sharing is preventing us from learning what works and what doesn’t. While most of us tout that “security by obscurity” doesn’t work, we still practice it daily. My long-term vision of what we deliver at HoneyApps is one that changes this. While we fully understand that security vulnerabilities and remediation are only one piece of a larger risk management program, there are still significant learnings to be had. We are working towards building out additional services that allow practitioners not only to make sense of their own vulnerability management and remediation program but also to learn from other practitioners. Many of these services will be free and open.
We are firm believers in “The New School” and will look to apply meaningful data to help make better security decisions. I recommend checking out the blog based on the book. I hope it provides you with a new school way of thinking, allowing for more informed decisions based on evidence over myth and legend.