Saturday, March 20, 2010


Archive for the ‘Buzzwords’ Category

Send in the Clouds

eSecurity Planet asked us to cover the announcements at RSA this year. Here’s the first part of our coverage:

If 2009 was a lackluster year for security product sales, you certainly wouldn’t know it from some of the vendors on the floor this year at the RSA® Conference in San Francisco. In contrast to last year’s show, attendance appears up – both from delegates and vendors alike. However, things aren’t all rosy. A number of vendors opted not to rent space on the show floor citing economic concerns. Though RSA is not quite back to “heyday” levels from a few years ago, if this year’s show is any indication, the security industry is showing signs of life despite global economic setbacks.

So what is everyone here to learn about? Surprisingly, much of the attention of show attendees is not on completely new themes, but on re-examination of an existing topic that has been with us for some time now. Cloud computing, a logical conclusion of the increasing move to both off-premises and virtualized environments, is of primary interest to both vendors and delegates here at the show. RSA President Art Coviello set the direction and tone of the official program with his well-attended cloud-focused keynote, and it’s clear that interest in these topics has not waned – in fact, if anything, it’s increased. And vendors are pushing this agenda pointedly as the cloud meme dominates the show floor.

For the rest of our write-up, please click over to eSecurity Planet.


The only way to win is not to play

My dad is a man of few words. However, one of the things that I remember him saying when I was in high school that has stayed with me the rest of my life happened when I was struggling to learn Calc from a teaching-challenged educator. In a completely uncharacteristic move, he (a statistician at the time) said “Son, whenever somebody needs Calculus to prove their argument they’re trying to pull one over on you.” Now whether or not you agree with this, you have to admit it’s funny. I thought it was hilarious at the time (probably because it was so out of character for my dad) and I think it’s equally hilarious now.

So where am I going with this, right? Well, I’ve noticed that there has been quite a bit of interest in the security community about how to use game theory to approach the topic of security. For example, I’ve noticed that folks are using game theory to understand terrorism, it’s being used to understand network security, and so on. Now, when I first started hearing about folks doing this, I was excited and interested. But the more I’ve looked at what’s coming out, the more disappointed and cynical I’ve become. In fact, I’m tempted to start applying my Dad’s dismissive attitude toward Calculus to game theory (i.e. “whenever a security person starts quoting game theory, they’re trying to pull one over on you.”) Now, I haven’t quite reached that level of cynicism just yet, but I’m close. I understand that given the popularity of using game theory in this context, it’s possible that I could get flamed hardcore about this post; however, I feel like I need to say what I need to say. Here’s why I think it’s difficult to use game theory to understand security:

Security is non-zero-sum: Game theorists classify games as being either zero-sum or non-zero-sum. This is a fancy way of differentiating games where winning by one player comes at the total detriment of another player (zero-sum: the gain of one player comes at the loss of another player) vs. games where achievement by one player does not proportionately impact other players (non-zero-sum: it is possible for one player to gain without another player losing). Despite what might seem intuitive on the surface, the typical security scenario is non-zero-sum. Really, it is. OK, ok – you’re going to say that if someone is trying to defend a machine and somebody else hacks it, that their victory means your defeat (hence it’s zero-sum), right? Well, that’s true. Or you might say that if someone is trying to steal your money and you’re trying to keep it, that that’s zero-sum too. And you’d be right. But these are all discrete parts of a bigger game – these things are all individual competitive *strategies* that are part of a larger picture. Ask a typical security professional, for example, whether the goal of their job is to “defend all the servers at any expense” – the answer you’d get would be “no” – that’s not the job; the job is, “help our business to understand their risk and operate accordingly,” right? Meaning, an attacker could “win” (cause damage, steal money, etc.) at the same time that we’re still doing our jobs (i.e. we win too – they get whatever it is they want – money, resources, data, etc. – and we get what we want – our business keeps operating despite the loss). See, non-zero-sum. So what does that mean for the game-theory approach? Well, based on what we know about non-zero-sum games, we know that “Non-zero-sum games differ from zero-sum games in that there is no universally accepted solution. That is, there is no single optimal strategy that is preferable to all others, nor is there a predictable outcome. Non-zero-sum games are also non-strictly competitive, as opposed to the completely competitive zero-sum games, because such games generally have both competitive and cooperative elements. Players engaged in a non-zero sum conflict have some complementary interests and some interests that are completely opposed.” Interesting; “no universal solution” and “no predictable outcome”? That certainly jibes with anecdotal experience. In short, non-zero-sum games are the most difficult to analyze.

Security is asymmetric: meaning, there is a different strategy for each player. A game like chess is symmetric because the goal/strategy of black is identical to the goal of white – checkmate the king using the same rules for movement of pieces. A game like “Deal or No Deal,” however, is asymmetric because the strategy of the banker is different from the strategy of the contestant. Now apply this to security; is the strategy of the hacker the same as the strategy of the firewall admin? Obviously not. So what does that mean to the broader question? It means that the goals and strategies of individual players have to be taken into account when formulating a strategy – which in turn means that approaches to using game theory for security will need to examine the different strategies used by “offense” and “defense” as well as consider their (as we stated above, not always contradictory) goals. Again, asymmetric games are the hardest to analyze.

Security is infinitely long: when are you “done” defending your firm’s assets? 2007? After hackers try to break in 20 times? How about never? The hardest games to understand are those that do not have a finite set of moves, as is the case in security. And guess what, infinitely long games are the hardest to analyze.

Imperfect and incomplete information: no player knows the strategies and/or the moves of the other players; as you probably guessed, imperfect-information games are the hardest to analyze.

Security is a Simultaneous Game: all players can move at any time. Additionally, players are not required to move in response to other players. The simultaneous game is the hardest to analyze.

So, that’s it. Now, I’m not saying that you can’t ever use game theory to understand subsets of the security problem. However, I am saying that understanding the broad security picture is hard using game theory and that certain aspects of security make it harder to analyze than a more controlled situation like chess. Now, maybe we don’t need to understand the whole picture in order for this technique to be useful; however, I would argue that it’s important to keep in mind where game theory helps and where it doesn’t the next time you come across somebody pitching it as a security tool.
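To make the non-zero-sum and asymmetric points above concrete, here is a small added example (not from the original post) that scores the same four attacker/defender move pairs two ways: per-server, where one side’s gain is exactly the other’s loss, and business-level, where the defender’s payoff is revenue minus loss minus control cost. Every move name and number in it is constructed for illustration.

```python
"""Attacker/defender payoffs scored two ways: per-server (zero-sum) and
business-level (non-zero-sum). All numbers are constructed for illustration."""
from itertools import product

# Asymmetric strategy sets: the two sides do not choose from the same moves.
ATTACKER_MOVES = ("exploit", "walk_away")
DEFENDER_MOVES = ("harden", "accept_risk")

# Constructed outcome of each move pair: did the box fall, what was lost, and
# what the defensive posture cost the business to maintain this period.
OUTCOMES = {
    ("exploit", "harden"):        {"compromised": False, "loss": 0,  "control_cost": 40},
    ("exploit", "accept_risk"):   {"compromised": True,  "loss": 60, "control_cost": 0},
    ("walk_away", "harden"):      {"compromised": False, "loss": 0,  "control_cost": 40},
    ("walk_away", "accept_risk"): {"compromised": False, "loss": 0,  "control_cost": 0},
}
BUSINESS_VALUE = 100  # revenue kept if the business keeps operating (constructed)

def server_payoffs(outcome):
    """'Defend the box at any expense' framing: one point to whoever holds the box."""
    attacker = 1 if outcome["compromised"] else -1
    return attacker, -attacker

def business_payoffs(outcome):
    """'Keep the business running' framing: the attacker gets the loot, the
    defender keeps revenue minus the loss and minus what the controls cost."""
    attacker = outcome["loss"]
    return attacker, BUSINESS_VALUE - outcome["loss"] - outcome["control_cost"]

def payoff_matrix(score):
    """Map every (attacker move, defender move) pair to (attacker, defender) payoffs."""
    return {pair: score(OUTCOMES[pair]) for pair in product(ATTACKER_MOVES, DEFENDER_MOVES)}

def is_constant_sum(matrix):
    """Zero-sum is the constant-sum case: every cell's payoffs add to one total."""
    return len({a + d for a, d in matrix.values()}) == 1

def both_sides_win(matrix):
    """Cells where the attacker got something AND the defender still came out ahead."""
    return [pair for pair, (a, d) in matrix.items() if a > 0 and d > 0]

def dominant_defender_move(matrix):
    """A defender move at least as good against every attacker move, or None."""
    for d in DEFENDER_MOVES:
        if all(matrix[(a, d)][1] >= matrix[(a, other)][1]
               for a in ATTACKER_MOVES for other in DEFENDER_MOVES):
            return d
    return None
```

Under the server framing the matrix is constant-sum and "harden" dominates; under the business framing the sums differ between cells, the attacker and defender both come out positive in one cell, and no defender move dominates, which is the "no single optimal strategy" property the post quotes.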
