LAS VEGAS – The complexity of the cybersecurity landscape is at an all-time high, with security researchers, vendors, third-party ecosystems and even governments all trying to come to a consensus for making the cyber-world a safer place.
For security experts, navigating these choppy and crowded waters means embracing partnerships across these stakeholders, according to Parisa Tabriz, director of engineering at Google.
During her keynote today at Black Hat, she advocated taking a proactive approach to locking down security, with solid, long-term plans and a policy of reaching out to other participants in the fight to make things more secure — she cited Google’s march to make the web 100 percent HTTPS and its Project Zero vulnerability disclosure team as good examples. Identifying an issue and then implementing a well-thought-out approach to tackling it, rather than randomly swatting at threats as they come up, should be an imperative, she noted.
“To be successful, we have to stop playing a game of Whack-a-Mole and we have to do three things,” she said during her Black Hat talk. “First, we need to identify and tackle the root cause of problems; second, we have to be more intentional in how we pursue long-term defensive projects; and finally, we have to invest in full, proactive defensive projects.”
When it comes to identifying and tackling the root causes of security issues, Tabriz said that vendors and the security community alike need to look at the cause and effect behind the threats themselves, including how they arise and how they are disclosed.
For instance, Tabriz said, for a remote code execution (RCE) bug, the vendor would need to identify why the vulnerability led to RCE, why it hasn’t been discovered earlier and how long it might take to update end users (and why).
Google Project Zero has taken important steps to proactively address software flaws, including the introduction of a 90-day disclosure policy for vulnerabilities. Tabriz said that this has had the effect of putting pressure on vendors who would otherwise lack an incentive to prioritize security. Project Zero, founded in 2014, has since then has reported over 1,400 vulnerabilities, she said.
“Project Zero aims to advance the understanding of offensive security to inform and improve defensive strategies,” she said. “Speaking to those short deadlines over the years has helped with better strategy, innovating, and investing in institutional and structural change — both technical and organizational.”
This ultimately has led to more transparency and collaboration, Tabriz said – and more results, including, according to Google’s research, one large unnamed vendor doubling its security updates, and another improving patch response time by as much as 40 percent.
She noted that another way to tackle the sometimes seemingly-impossible task of promoting secure measures in a complex landscape is to become more structured and methodical when it comes to how projects are pursued, by identifying milestones and working toward them – and celebrating along the way.
On this front, she highlighted Google’s initiatives to encourage the web community to switch from HTTP to HTTPS protocol for web pages, so that site traffic is encrypted and protected against malware injection and eavesdropping. Google recently updated Chrome so that users visiting an HTTP website will see an easily noticeable warning label that the site is “not secure.” This is the latest in a series of steps that have methodically rolled out Google announced in 2016 that it would be encouraging encryption on the web by slowly and steadily moving in on HTTP sites with warning notifications.
“A change like this had to be gradual and intentional,” Tabriz said, adding that team worked to achieve goals like floating the UI proposal publicly, publishing a user experience research paper and publishing an HTTPS transparency report.
Finally, investing and committing to bold projects will help solidify security measures across the board, she noted; as seen in Google’s efforts with Chrome site isolation. Google recently introduced new security mitigations for its Chrome browser to defend against recently discovered Spectre variants. But the efforts that ultimately ended up mitigating these attacks were in development long before Spectre and Meltdown side-channel flaws first came to light in January, Tabriz said.
Above all, looking for active engagement with other types of stakeholders should be a directive, she said.
“Even when the benefits aren’t immediately clear, we need to communicate upwards and outwards, and get people involved in security,” she explained. “We need to build out coalitions of champions and supports beyond security experts. The world’s reliance on safe technology is increasing, [and] we have to be more ambitious and strategic.”
Jeff Moss, the founder of Black Hat, agreed, noting that how this works in practice is still being uncovered. He cited third-party partner agreements, and even Facebook’s Cambridge Analytica scandal, has gone to show how business models are “running smack into political models.”
“Business models connect the worlds’ users, but are now dealing with governments who may want to control content for the stability of society,” he said from the stage at Black Hat. “There will be some conflict there… we’re seeing that play out on a global scale.”