Parisa Fabriz, Director of Engineer at Google, ascended a round stage at Black Hat 2018 that had been covered until moments earlier with a projection of the moon’s surface. The whole celestially themed warm up to the speech, with copious smoke effects and spinning spotlights, seemed a tad overproduced. The moon like stage sat against a backdrop of shooting stars and floating galaxies.
The presentation, though, was definitely rooted in earthly reality. This included a moment when I had to wonder what kind of industry we have where a woman, who is highly impressive person, a talented engineer and a capable manager, is expected to deliver her keynote wearing high heels. I’d like to see Satya Nadella keynote the Inspire show in six-inch stilettos. Just sayin’. But, I digress.
Seriously, though, this conference is taking place in an atmosphere of heightened alarm in cyber security circles. We have election hacking coming up in the Fall. Russian hackers are inside American nuclear power plants. Indeed, as Fabriz shared, “The security of computers is now the security of the world.” Despite all of these ominous signs, though, the tone of the keynote as well as the introduction by Jeff Moss, the founder of the Black Hat Conference, was optimistic.
Her talk focused on how and why companies in the tech industry need to come together and do the hard work of attacking root causes of security vulnerability. In her view, with the right approach, it will be possible to make computers more secure.
Fabriz led off by confessing that, as a child, she had cheated at the arcade game of Whack-a-Mole by enlisting her brothers to whack moles on either side of her – all the better to amass prize tickets. (She explained she didn’t feel the need to apologize for this transgression in front of 5,000 hackers.) Also, although she didn’t realize it at the time, cheating at Whack-a-mole was a great preparation for a career in cyber security.
For the uninitiated, Whack-a-Mole involves hitting plastic moles (sort of like mice) that pop out of holes in a board. The more you can whack back down into their holes, the more points you get. Playing the game is a lot like chasing down the latest malware. You’re never really finished. A new one is popping up before you’ve bashed the last one on the head.
“We have to stop playing Whack-a-Mole with threats,” Fabriz said. “We need to be more collaborate and strategic,” adding, “We have to make things better. It is up to us.”
To this end, she suggested three steps that vendors in the tech industry should take:
- Identify and tackle root causes. Don’t be satisfied with isolated fixes.
- Be more intentional in long arc defenses. Identify milestones and celebrate progress to stay motivated.
- Invest in bold, proactive projects. Build a coalition of champions and builders outside of security.
On this last point, Fabriz stressed that all tech vendors, not just those in security, ought to step up and at least try to address the root causes of security problems. Indeed, as she has seen what looks like a vulnerability may actually be an architectural or coding error much deeper down the stack.
Fabriz discussed how she has borrowed the root cause analysis concept from the auto industry, where it was first pioneered by Japanese car makers. Thus, in the same way that it’s possible to determine that a crankshaft tends to crack more when it’s made of steel from a defective smelter, tech vendors can ask “why” repeatedly until they uncover the true cause of a security problem.
For example, if there’s a remote code execution vulnerability, she suggested asking the “Five Whys” – Why did this bug lead to remote code execution? Why didn’t we discover this bug earlier? Why didn’t anyone write tests that cover this? Why does it take so long to update? This approach can highlight structural and organization drivers of problems.
Google’s Project Zero, which she oversees, has the mandate of reducing the harmful impact of Zero Day attacks. Her team is not aligned with any specific product or service at Google. They have reported over 1400 vulnerabilities since 2014, found in operating systems, browsers, apps, firmware and hardware.
Their goal is to have an offensive strategy, to do more than one-offs. They want to build a pipeline of vulnerabilities. This sounds good, but as she has learned, it can be difficult to get other vendors to go along. There are power imbalances between security researchers and large companies, for example. Just because some discovers a vulnerability does not mean that a giant company will act on it. The solution has been to impose a 90-day disclosure policy. The vendor has 90 days to fix the problem before it is disclosed publicly by the Project Zero team.
This works. One vendor has improved patch response times by 40%. Another doubled security updates annually. Yet another now sees 98% of issues reported by Project Zero fixed within the 90-day period.
Still, change is hard. Root causes, by their essence, tend to emerge from culture and organizational structures, neither of which is easy to change. Success requires commitment to collaboration and change management. Transparency helps, as does celebrating success.
According to Fabriz, this is the moment to embrace this change. Systems are growing complex and vulnerabilities are getting more serious. Collaboration for root cause analysis is essential for strong security going forward.