Google does it, so can you. Stop dealing with IT security problems when they happen; start addressing the root cause.

As security threats become more prevalent across organizations, solutions must have buy-in across the enterprise, not just within the IT department. Equally importantly, organizations must stop addressing problems as they emerge and start being more proactive about undermining those problems before they cause damage.

Those were the key takeaways in a presentation by Parisa Tabriz, a director of engineering at Google. Tabriz spoke at the August Black Hat USA 2018 conference in Las Vegas. The underlying theme of the session was that security professionals must do whatever they can to incentivize firms to make better and more secure products.

It's surprising, but a mere 20 or so companies are in a position to influence us globally, because they make the operating systems, mobile devices and so on that we all use and rely on. Those companies, therefore, are truly the only ones in a position to influence the direction of security for billions of people.

To that end, Tabriz explained what Google is doing to improve security. She used the analogy of security experts playing the carnival game "Whack-a-Mole," responding to threats only after they've emerged. Real progress comes from a more collaborative and strategic approach to defense. She recommended three ways forward:

- Tackle the root cause
- Pick milestones and celebrate to stay motivated
- Build out your coalition of supporters outside of security

Tackle the root cause

The automotive industry has historically used the so-called "5 Whys" method to understand the cause and effect behind problems encountered in its processes. That same method should be applied to the security space, Tabriz said. For example, if someone discloses a code vulnerability, certain questions should be asked about the incident:

- Why did this bug lead to remote code execution, or some other exploitation?
- Why didn't we discover it earlier?
- Why don't we have tests for these kinds of problems?
- Why does it take so long to create updates?
- Why does it take five weeks to test a security fix?

This methodology will help organizations get to the root cause of problems, Tabriz said. She also gave practical examples of what Google is doing to determine root causes.

Among Google's initiatives is what it terms "Project Zero," which is aimed at making zero-day attacks harder, that is, attacks that exploit a vulnerability as soon as it is discovered, before a fix is available. Google is increasing its understanding of offensive security to inform defensive strategies and get past one-off "Whack-a-Mole" defenses. This increased understanding will lead to structural improvements in security for the world, Tabriz noted.

Vendor response to fixing security issues has varied widely, she said, and responses have not always favored end-user security. Regardless, because of Project Zero, Tabriz said that vendors handle 98% of fixes within 90 days of being notified.

Tabriz maintained that greater cooperation is needed for better defense. With many more security experts tackling the root causes of security problems, the cost for bad actors to build exploits against high-value targets is increasing. Despite this progress, real change can result in pushback and commotion, Tabriz said. Root causes can be hard to solve, so the heavy collaboration required also demands adept management skills and a thick skin.

Pick milestones and celebrate

Tabriz noted that Google is moving Chrome away from HTTP to HTTPS (HTTP Secure). Without HTTPS, she said, no one can have confidence in the security or privacy of anything sent over the web. Making the transition to HTTPS will lead to a web that is secure by default.

Understandably, a change of this magnitude must be both gradual and intentional, Tabriz said. The HTTPS migration has therefore involved strategically picking milestones and celebrating progress along the way, to give the implementation a sense of momentum. Today, 87% of pages loaded in Chrome are served over HTTPS, and 77% of traffic on Android is loaded over HTTPS.

By breaking down the project into more manageable milestones and finding ways to celebrate those milestones, a company can develop the kind of support required for a large-scale implementation, Tabriz said.

Build coalitions

Tabriz also recommended that organizations build out their coalitions when creating security processes. Threats and solutions are often clear, she said. You can't anticipate the exact form of the threat, but you have to be proactive in how you isolate and contain future threats, which demands working together to reach the appropriate levels of containment.

Despite good-faith efforts to improve security, Tabriz noted that there are potential challenges in implementing solutions, including management killing the project. Delays and holdups will happen at the management level, she said, and to overcome objections you have to become skilled at voicing the value proposition behind the initiative. To see real progress in your security protections, you need to create champions outside of the IT department.

Similarly, a project may end up lacking peer support, which means that to get to the finish line you must learn to be a good team player. Tabriz recommended open communication about changes you plan to make; this will increase buy-in and decrease surprises along the way.

In short, an organization needs to know it can rely on everyone to clear the path toward a safer future, and to stop playing "Whack-a-Mole" with its security.