LAS VEGAS — The old-fashioned, piecemeal way of securing the digital realm isn’t cutting it anymore, especially as technologies evolve rapidly; rather, today’s interconnected world calls for a more strategic, collaborative plan that extends beyond corporate walls.
That’s according to Parisa Tabriz, Google’s director of engineering who's also known as the company's security princess. During her Aug. 8 keynote at Black Hat, she described an increasingly complex cyberlandscape where current tactics are insufficient. To successfully defend data holistically, Tabriz outlined three must-dos, pulling from her experience as head of Google’s Project Zero.
Because, believe it or not, even with the range and scale of Google’s resources, Tabriz said her team faces the same problems as the rest of the security community.
Identify and Tackle the Root Cause of Problems that are Uncovered
And don’t just be satisfied with isolated fixes.
One way of approaching this is the “five whys” method adopted from the automotive industry, which explores cause and effect.
“You just ask yourself ‘why’ to really understand the underlying issues that cause something,” Tabriz said, and oftentimes the answer to one question forms the next one. She used the example of someone disclosing a remote code execution vulnerability in a product. You may ask why this single bug led to remote code execution, which can lead to asking why it wasn’t disclosed earlier, then why the right tests weren’t in place, then why it took so long to update users, and so on.
This approach can highlight some of the structural and organizational root causes of bad security.
Google is taking this root-cause approach with Project Zero, a team established in 2014 to reduce the harm caused by targeted attacks. Its work spans the tech industry, covering software and hardware vendors alike, not just Google.
It also “aims to advance the understanding of offensive security to inform and improve defensive strategies,” Tabriz said, as the team tries to achieve the most defensive impact it can from any single discovery, “so doing more than just one-off fixes.”
Essentially, the team is building a broad understanding of exploitation among defenders — the root of the problem — which can lead to structural improvements in security worldwide. And this is about end-user security in general, not Google products in particular.
And Project Zero is doing so by leveraging two tactics Tabriz hopes to see more of across industry: transparency and collaboration.
Be More Intentional in How Long Defense Projects are Pursued
Identify milestones, work toward those milestones and celebrate progress along the way.
One project where Tabriz said Google is succeeding in changing the status quo is shifting the world from http to https, which protects data in transit between a user’s computer and the site through the Transport Layer Security (TLS) protocol. Google started driving these efforts for the entire world wide web in 2014, in hopes of seeing a web platform that is secure by default rather than opt-in secure.
The change had to be gradual and intentional, so Tabriz and her team strategically picked milestones, communicated those to everyone, and maintained energy by celebrating progress along the way.
For example, Tabriz and her team had homemade https cakes and pies after a phase was complete, and held a poetry slam where team members had to write an information security haiku.
“Find your own ways to celebrate,” Tabriz said. “Gluten free? You don’t have to have cake.” Wise words.
And it all starts with purpose, and remembering that purpose throughout the project.
“I can think of a few greater missions than keeping people safe as the world increasingly depends on technology,” Tabriz said.
Invest in Bold, Proactive Defensive Projects
Build a coalition of experts, champions and supporters from outside security who are invested in the success of the project; that backing is what allows such efforts to succeed.
It’s important to understand the threats associated with the project and the ways it could fail, so you can properly defend against them along the way. Working with a larger community of collaborators makes this easier.
“We all need to continue investing in ambitious, proactive defensive projects,” Tabriz said, because even with Google’s internal expertise, it still requires everyone working in technology to “clear the path to a safer future.”
So, ultimately, in the words of the security princess, “be a good team player, don’t be a jerk.”