Proactive defense vs. offense. Strategy vs. tactics. These themes resonated loud and clear in the high-level talks at Black Hat USA 2018 in Las Vegas.
Dig Deep for Real Change
"We need to be more ambitious, strategic and collaborative in our approach to defense," said Google's Engineering Director Parisa Tabriz in the opening keynote.
As the world's dependence on increasingly interconnected and complex technology grows, we need to dig deeper to identify the structural and organizational security issues that need to change.
Get to the Root Cause
One approach to being more strategic moves beyond isolated fixes to identify and tackle the root cause of a problem by asking "why" five times, with each answer informing the next question.
For example, someone discloses a remote code execution (RCE) bug in your product. Your first question might be: why did this bug lead to RCE? That might lead to: why didn't we discover it earlier?
Then: why don't we have tests and fuzzers? Why did it take so long to ship the update, and why does it take five weeks to test a security fix? Repeatedly asking why in this way can uncover the real root cause and help prevent similar problems in the future.
Google's Project Zero security team aims to enhance the understanding of offensive security to inform and improve defensive strategies, with a focus on usability for end users.
In an overview of the move to HTTPS in Chrome, Parisa detailed how the team kept the migration alive with quick wins for developers on smaller projects, and how celebrating those successes kept morale and motivation high over the six-year effort. The team did everything from internal TLS poetry slams to public UI change proposals to collaborating on UX research papers on security indicators and modern browser accessibility.
The results: the share of pages loaded over HTTPS on Chrome OS rose from 45 percent in 2014 to 87 percent in mid-2018, and on Android from 29 percent to 77 percent over the same period.
Simplify Code for Better Security
One example of a key proactive defense project was site isolation, which refactored Chrome's code and changed its architecture.
This architectural change, and the years of investment behind it, meant Chrome could quickly protect against CPU-related bugs like Spectre. But site isolation ended up taking six years instead of the estimated one. Clear communication and demonstrating positive security impact and benefits were key to keeping the project alive and getting executive buy-in.
Some of the most impactful security projects simplify existing code or systems rather than adding more complexity, and that simplification in turn leads to better security.
Politics of Defense
Black Hat founder Jeff Moss, a member of the Global Commission on the Stability of Cyberspace, echoed the need for a more strategic approach.
Our adversaries have strategies and we have tactics, and that's not very good.
If your strategy is to buy good products, you're totally dependent on vendors. Buying good products is a tactic, and offense is likewise very tactic-oriented.
Most of the technology we're currently developing favors offense, including machine learning and reinforcing algorithms. The momentum is on offense, but we're stuck on internal politics when it comes to defense.
Defense is largely political within an organization, because the questions to be answered include: how much money do you spend? What is your cross-departmental risk strategy? What corporate gems are you trying to protect?
Despite the politics, there has been great progress over the last decade within the information security industry. As Parisa put it, infosec is a rather cynical crowd, but she's optimistic that we can be cynical for positive change.