Cybersecurity the Agile Architecture Way
Identity theft, password breaches, viruses and worms, phishing attacks, Stuxnet—the more we rely upon technology in our increasingly connected world, the greater the risk that we’ll be hacked. Even worse, it seems that the rate at which hacking stories come across the wire is actually increasing, in spite of all the hard work at all the various security organizations, both commercial and governmental. The frightening truth is, perhaps the hackers are actually winning.
The root cause of our vulnerability, of course, is the Internet itself. When the essential elements of the Internet first rolled out—TCP/IP, HTTP, and DNS, to name the most flagrant offenders—no one had any idea how important security would become or just how flawed these enabling technologies were when it came to protecting ourselves from increasingly dedicated and persistent malefactors. Today, that horse has long since left the barn. Maybe we can close the door, sure, but it might not matter anymore.
But let’s not lose perspective: we’ve been using the Internet commercially for less than twenty years. An eternity in what we innocently called Internet Time back in the day, but nevertheless, a mere eye blink in the course of human history. Better to take the long view. Extrapolating today’s trends, can we gain any insight into what the future will hold?
Our crystal ball reveals three possible scenarios. The first: Cyberpunk—hackers continue to gain the upper hand, outstripping any efforts to combat them. By 2100 hackers run the world, which has devolved into feudal tribes of hacker communities battling each other for the remaining scraps of civilization.
The second scenario: Star Trek. The forces of order and rationality overcome those of anarchy and evil, and as a result, we have no qualms about trusting our computers with our lives. Computer viruses may still appear, but we can take care of them routinely in less than 52 minutes.
Finally, scenario number three: more of the same. Hackers continue to become increasingly sophisticated in their attacks, but the forces fighting them do so as well. The advantage shifts back and forth as new attack vectors rapidly appear and are dealt with equally rapidly.
More of the same may appear to be the most likely scenario, as it lacks the science fiction overtones of the other two. In reality, however, it’s the least stable of the three, because it assumes an ongoing balance between hackers and their nemeses—an unlikely situation. The pessimists among us point to Cyberpunk as the inevitable course of events. But what we really want, of course, is to steer from more of the same toward Star Trek. After all, who wouldn’t want our grandchildren to live in the Star Trek universe?
Today’s Software Security Assurance: Heading toward Cyberpunk
Software Security Assurance (SSA) is the process of ensuring that the software we build has adequate security. SSA involves analysis, review, and testing steps that seek to identify potential weaknesses so that the software development teams can lower the risk of potential security breaches to acceptable levels. Fundamentally, SSA describes the best ways we know how to build unhackable systems.
The problem is, it’s not good enough. And furthermore, it’s dropping further and further behind. After all, if SSA actually worked, we wouldn’t have to worry about worms and breaches and the rest. Hello Cyberpunk!
The problem with traditional SSA is that it fundamentally follows a traditional systems approach. In other words, divide and conquer: break up an arbitrarily complicated system into its component elements, analyze the security risks inherent in each component, and take steps to insure that those risks are very low—where we define “very low” in terms of our acceptable risk profile.
There are two core problems with the divide and conquer approach to SSA. The first is what we call the lottery fallacy. If you want to run a lottery with a large jackpot, you want to make sure the chance of any ticket winning is very small. And sure enough, the chance of your lottery ticket being a jackpot winner is smaller than the change of you being hit by lightning—twice. But the chance we’ll have to give away the jackpot is still quite high—and the larger the jackpot, the greater the chance we’ll have to give it away.
Dividing up a complicated system into pieces and lowering the chance of hacking each piece is tantamount to selling lottery tickets—except that hackers are smart enough to figure out how to buy millions of them at a discount. In other words, there’s a really good chance that any valuable target will be hacked no matter how good your SSA is. Yes, the recipe for our Cyberpunk scenario.
Agile Architecture: The Secret to the Star Trek Scenario
When we say Agile Architecture, we’re talking about moving away from the traditional systems approach of “business wants X so build a system that does X” to the complex systems approach of “the business wants to be more agile, so build a system that responds to change and enables the business to leverage change for competitive advantage.” In the cybersecurity context, we want to move away from traditional SSA to building systems that can deal with future attacks (even though we don’t know what they are yet), and furthermore, enable us to take the initiative to prevent future attacks from occurring in the first place. A tall order to be sure, but not quite the science fiction scenario it might sound like.
There are signs that we’ve been making progress in both areas. (I say “there are signs” because I suspect much of the work in this area is secret, so even if I knew about it I couldn’t tell you.) The first area—dealing with unknown future attacks—is essentially the zero day problem. How do we protect our systems from previously unknown attacks, during the window of vulnerability that doesn’t close until we develop a traditional countermeasure? Many approaches to zero day protection already exist, but they tend to address known types of attacks like buffer overflows and the like. In other words, such protection techniques will only work until a hacker comes up with a new type of attack—an example of the back and forth we call the more of the same scenario.
The second area—preventing future attacks—is more challenging, but also more interesting. One example is the HoneyMonkey project out of Microsoft Research. Where a Honeypot is a passive approach—essentially setting a trap for hackers—a HoneyMonkey essentially surfs the Web looking for trouble. The idea is to identify Web sites that install malware before a user happens across them with their browser.
It’s not clear whether the HoneyMonkey project led to commercially available security tools, but in any case, it was only a simplistic example of a tool that could actively seek out and prevent potential attacks. But let’s put our sci-fi hats back on and extrapolate. How would we ever get to the Star Trek scenario unless we take the active prevention approach?
The Biological Analogue
Targeting Star Trek is all well and good, but we need to separate fiction from reality if we’re ever going to beat the hackers (Heisenberg Compensator, anyone?) So, let’s move away from science fiction into the realm of biology. After all, biological systems are well-known complex systems in their own right. How then do biological systems like you and me fight off infections?
At the risk of oversimplifying what are admittedly extraordinarily complicated processes, our bodies have three primary mechanisms for preventing infections. The first is our skin. Simply having a tough barrier keeps out many attack vectors. You might think of skin as analogous to traditional SSA: necessary but not sufficient.
The second mechanism, of course, is our immune system. It’s what differentiates a healthy body from a few hundred pounds of rotting meat. What we need to beat the hackers at their own game is an immune system for our software.
But even immune systems aren’t perfect. And this biological metaphor begs the question: how do we architect and build an immune system for our software anyway? Again with the biological analogue: how did we develop our immune systems? Through millennia of natural selection. Individuals who succumb more easily to infection tend to die off, while those with better ways of fighting off the attackers survive to propagate. Rinse and repeat for, oh, hundreds of millions of years, and presto! The human immune system is the result.
The cybersecurity challenge, therefore, boils down to bringing natural selection principles into our security software development processes. The hackers are diverse, persistent, and imaginative. To fight them, our software must be agile, self-innovating, and able to evolve. The devil, of course, is in the details.
The ZapThink Take
A 1,500 word ZapFlash is hardly sufficient to lay out a revolutionary approach to architecting better security software, even if we had all the answers, which we obviously do not. But the point of this ZapFlash isn’t to solve all our cybersecurity challenges. Rather, we’re trying to make the case that traditional architectural approaches, including those of Software Security Assurance, are doomed to fail eventually—if not today, than at some point in the all-to-near future. If there’s any hope of moving any closer to the Star Trek scenario, it’s absolutely essential that we take an Agile Architecture approach to cybersecurity.
It won’t be easy. And the path from where we are today to where we need to be tomorrow isn’t smooth or continuous—that’s why we consider the move to Agile Architecture a true paradigm shift. But on the positive side, many elements of this revolution are already in place. The first step is thinking about the problem properly. We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over. Or welcome to your worst Cyberpunk nightmare.
Image source: JD Hancock