RSAC 2021 Keynote: Bathtubs, Snakes and WannaCry, Oh My! Risk in the Physical and Cyber World

Hi, I'm Steve Grobman, CTO of McAfee, and I'm afraid of snakes. I'm not the only one. About half of Americans are afraid of snakes. I'm also a believer in data, and the data tells us this is an irrational fear, at least in the United States, where only around five people a year die of snake bites. The number of deaths from stinging insects is 20 times that amount, and the number of people who die in auto accidents, a thousand times. So why don't we think twice about getting in a car and driving at 70 miles an hour on the highway, but are petrified when a snake crosses the hiking trail? The answer in this case is evolution. Studies have shown that humans, even small children, are instinctively able to quickly identify snakes. Researchers believe this evolutionary ability allowed humans to survive by avoiding threats in the wild. Our perception of other risks in the physical world is also miscalibrated, not due to biology or evolution, but rather the way that they're portrayed in media and culture.

In Texas, where I live, we have a great example of this: tornadoes. We have tornado sirens and tornado shelters, and when a destructive tornado does occur, it makes a top story on the news with graphic images of catastrophic destruction. In reality, very few people die from tornadoes. In 2020, 24 tornadoes killed 76 people in the United States. Seven times that number, 529, died falling off ladders. If only there was a scientific approach we could use to measure risk, to help counteract our biased perceptions. There is. I'd like to introduce you to the micromort. The micromort, or micro-probability of death, is a unit of risk that represents a one-in-a-million chance of sudden death. This concept was first introduced by Stanford professor Ronald Howard in 1980. Everything we do has some level of risk. Take driving. Statistically, there's a one-in-a-million chance of dying in an accident when you travel 230 miles by car.

Therefore, driving 230 miles exposes you to one micromort. Driving 460 miles exposes you to two, and so on. We can use the micromort to challenge our intuition on what is actually risky and what is not. For example, scuba diving is surprisingly safe, at only three micromorts per dive, and skydiving exposes you to only 10 micromorts. I'm talking about parachuting from a plane, not base jumping, which exposes you to way more: 430. This also allows us to much better understand how risky some very dangerous activities are. A single attempt to summit Mount Everest, for example, exposes the climber to 38,000 micromorts. Or think of that as the same risk as performing almost 4,000 parachute jumps. What does this have to do with cyber? Many of our perceptions about risk in the cyber world are also miscalibrated, and we need to use the moral equivalent of the micromort in the way we think about cyber risk.

Just as we do in the physical world, we need to use science based on data to counteract the influence of social and traditional media and our raw emotions. Organizations worry about all sorts of threats: mass malware, which we see every hour; spear phishing attacks on critical employees, which we see every day; and the rare nation-state directed attacks that have the potential to be devastating. One observation is that the frequency of an event is inversely proportional to its impact. We see the exact same thing in nature, whether we're talking about tornadoes, earthquakes, or asteroid impacts. For example, with tornadoes, the Enhanced Fujita Scale goes from zero to five, with five being the most severe, yet 89% are EF1 or lower, and only 11% are two, three, four, or five. The impact of a cyber event has multiple levels of nuance. We need to consider the lethality to impacted organizations independently from the global impact.

For example, we see some events that are high impact, even devastating to a single organization, but have limited global impact. Sony, Target, Marriott, just to name a few. Other events such as WannaCry and NotPetya were catastrophic to numerous organizations around the world because they spread fast and were indiscriminately destructive. We also need to analyze the different aspects of the damage resulting from a cyber event. For example, a human-operated intrusion with minimal direct impact, such as stealing internal planning documents, still leaves the potential for any number of residual back doors and implants. The indirect cost of regaining environmental integrity can be immense. Another area of focus is whether the risk we face is passive or active. What risks are we exposed to by simply operating in a technologically advanced world? And what additional risk do we expose our organizations to as a result of our business decisions? We need to minimize risk from passive threats such as cloud-based productivity apps. We also need to understand the risk-reward benefit when we choose to engage in high-risk areas. Just as a hiker may willingly climb a mountain even though they know it's inherently risky, your business might invest in a new technology, such as the next generation container capability whose threat surface is not yet fully understood, if the return is significant.

Let's build a model that takes all these factors into consideration. The principal components boil down to these three vectors: the potential lethality of an event to an individual organization, the number of organizations that could be impacted, and the likelihood of occurrence. This model is all about risk. But remember, risk is the potential for a negative outcome, while an event is the historical record of what has occurred. Past events don't predict future outcomes, but they can provide data to scientifically assess the likelihood of future scenarios. Think of it this way. Just as we don't know exactly what natural disasters will impact us next year, we can prepare for different types of events based on historical frequencies.

Similarly, we don't know exactly what type of cyber events will occur in the future, but we can look at frequencies of different scenarios along the vectors we discussed to understand how to prepare our defenses. So how does what we should worry about align with what we do worry about? To answer this, we analyzed traditional and social media along with the web activity of McAfee sites related to campaigns and threats. We found that many of the high-profile targeted attacks that received much attention were carried out against one organization. Memorable examples include the DNC hack, Equifax, Ashley Madison and OPM. Should we focus this much attention on high-profile, single organization incidents? Yes and no. Clearly some of these attacks are newsworthy because they relate to national security, cyber impact to elections, or the impact to the organization's customers. Additionally, from a defender's perspective, how a lethal targeted attack occurs is important to understand so that we know how to prepare for a custom human-operated attack.

But we need to be careful not to overemphasize the exact playbook that is executed in these scenarios. Yes, it's important to ensure that you're not running a vulnerable version of Apache Struts on your external facing web servers, but it's as important to ensure that no external vulnerabilities exist that could lead to similar exploitation. Conversely, some campaigns such as TrickBot get little media coverage, but organizations need to pay greater attention to them. They act as the catalyst for secondary high-attack scenarios. For example, a human-operated ransomware attack engineered to hold the most valuable asset for ransom. TrickBot changes its implementation frequently and impacts an extraordinarily large number of organizations. Why does SolarWinds get so much more attention when they both enable human-operated secondary attacks? Media coverage can inform us about emerging global cyber events, but we need a more science-based approach to optimize our defenses. We need to comprehensively evaluate all events that impact organizations.

If we simplify our three-vector model by dropping frequency, we can examine the relationship between impact and scale. A starting point is to look at the high-profile events that we've seen over the last few years in combination with the cyber threats we see every day. We can then map their impact to the number of organizations affected. Let's break things into three simple elements we've dealt with for decades: targeted attacks that affect a single organization, indiscriminate malware such as password stealers and ransomware, and nuisance threats, such as PUPs and adware. One of the things that stands out is the inverse relationship between impact and breadth. But in the last few years, we've also seen the sophistication of attacks increase, which adds new elements to our chart.

Supply chain attacks. Human-operated ransomware. And one of my favorites, the mega-worms. In this last case, this is not a new innovation. We've dealt with mass-spreading worms since the '90s. The ability for an attacker to use a wormable vulnerability to convert victims into attackers remains one of the most powerful adversarial innovations of all time. These additional elements have the same relationship where impact and breadth are inversely correlated, but we can see the slope has flattened. Innovation has provided adversaries with greater levels of efficiency to deliver lethality to their victims. What do we do about it? How do we defend our organizations? Unfortunately, there's not a single set of actions or solutions that cover all of these areas. While it's critical to focus on the top left and not become the victim of a targeted attack, we also have to ensure that critical data files aren't stolen by indiscriminate malware, or that productivity doesn't grind to a halt due to a deluge of nuisance threats.

We need good cyber hygiene along with user education to prevent everyday threats, good threat and artificial intelligence for indiscriminate and zero-day malware. And when there's a human attacker on the other side, we need a combination of technology and cyber operators to defeat the adversary, because no technology on its own can outsmart or outplay an advanced attacker. But we shouldn't forget that these are overlapping. For example, even in an advanced attack scenario driven by a human actor, good cyber hygiene such as a well-patched environment will make it harder to find exploitable vulnerabilities. And good threat and artificial intelligence limits the attack tools at their disposal.

We have limited budgets and our cyber professionals can't do everything. So it's critical that we understand and ensure that the investments we do make have the strongest benefit as compared to the risk that they're mitigating. Here's the bottom line. We can't defend our organizations by acting on gut instinct. Just as it is counterintuitive that, in the physical world, an investment in $6 anti-slip bathtub stickers provides a higher return on risk mitigation than a $4,000 tornado shelter.

Implementing multifactor authentication likely reduces more risk than mandating third-party code audits in an attempt to address supply chain attacks. My call to action for you is this: let's make the best cyber defense decisions possible. Yes, watch the news and monitor your Twitter feed, but be hyper-conscious to counterbalance natural instincts and reactions driven by media and hype. Ensure that every trade-off and decision you make to defend your organization is based on data and objectivity.
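The three-vector model (lethality, breadth, likelihood), its simplified impact-versus-breadth view, and the closing argument about return on risk mitigation can all be made concrete in a few lines of code. The block below is an added example and is not code from the talk or from McAfee; it uses the talk's 230-miles-per-micromort figure, but every scenario value, control cost and reduction fraction in the sample data is a constructed assumption chosen only to illustrate the ranking mechanics.

```python
"""Toy implementation of the keynote's three-vector risk model.

Assumption: every number in the sample data below is constructed for
illustration; none is a measurement from the talk or from McAfee.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MILES_PER_MICROMORT = 230.0  # figure quoted in the talk: one micromort per 230 miles driven


def micromorts_for_driving(miles: float) -> float:
    """Linear scaling from the talk: 230 miles -> 1 micromort, 460 -> 2, and so on."""
    return miles / MILES_PER_MICROMORT


@dataclass(frozen=True)
class Scenario:
    """One point in the three-vector model: lethality, breadth and likelihood."""
    name: str
    lethality: float   # loss to a single affected organization, in dollars
    breadth: float     # fraction of the organization population that could be hit (0..1)
    frequency: float   # occurrences per year across that population

    def expected_annual_loss(self) -> float:
        """Expected yearly loss for one organization.

        Modelling assumption: breadth * frequency is the expected number of times
        this organization is hit per year, which is adequate for a ranking.
        """
        return self.lethality * self.breadth * self.frequency


@dataclass(frozen=True)
class Control:
    """A defensive investment and the fraction of each scenario's loss it removes."""
    name: str
    annual_cost: float
    reduction: Dict[str, float]  # scenario name -> fraction of expected loss removed


def rank_scenarios(scenarios: List[Scenario]) -> List[str]:
    """Scenario names ordered by expected annual loss, largest first (full model)."""
    ordered = sorted(scenarios, key=lambda s: s.expected_annual_loss(), reverse=True)
    return [s.name for s in ordered]


def impact_vs_breadth(scenarios: List[Scenario]) -> Dict[str, Tuple[float, float]]:
    """The talk's simplified view: drop frequency, keep (lethality, breadth) per scenario."""
    return {s.name: (s.lethality, s.breadth) for s in scenarios}


def risk_reduction_per_dollar(control: Control, scenarios: List[Scenario]) -> float:
    """Expected loss avoided per dollar spent: benefit compared to the risk mitigated."""
    avoided = sum(control.reduction.get(s.name, 0.0) * s.expected_annual_loss()
                  for s in scenarios)
    return avoided / control.annual_cost


def rank_controls(controls: List[Control], scenarios: List[Scenario]) -> List[str]:
    """Control names ordered by risk reduction per dollar, best investment first."""
    ordered = sorted(controls, key=lambda c: risk_reduction_per_dollar(c, scenarios),
                     reverse=True)
    return [c.name for c in ordered]


# Constructed sample data (assumption): the three categories the talk names,
# with made-up dollar, breadth and frequency values chosen only to illustrate.
SAMPLE_SCENARIOS = [
    Scenario("targeted attack", lethality=50_000_000, breadth=0.001, frequency=20),
    Scenario("indiscriminate ransomware", lethality=500_000, breadth=0.05, frequency=50),
    Scenario("nuisance adware", lethality=2_000, breadth=0.6, frequency=200),
]

# Constructed sample controls (assumption); costs and reduction fractions are illustrative.
SAMPLE_CONTROLS = [
    Control("multifactor authentication", annual_cost=200_000,
            reduction={"targeted attack": 0.3, "indiscriminate ransomware": 0.4}),
    Control("third-party code audits", annual_cost=1_500_000,
            reduction={"targeted attack": 0.1, "indiscriminate ransomware": 0.05}),
]

if __name__ == "__main__":
    print("460 miles by car =", micromorts_for_driving(460), "micromorts")
    for s in SAMPLE_SCENARIOS:
        print(f"{s.name:28s} expected annual loss ${s.expected_annual_loss():,.0f}")
    print("scenarios by expected loss:", rank_scenarios(SAMPLE_SCENARIOS))
    for c in SAMPLE_CONTROLS:
        ratio = risk_reduction_per_dollar(c, SAMPLE_SCENARIOS)
        print(f"{c.name:28s} avoided loss per dollar {ratio:.2f}")
    print("controls by return on mitigation:", rank_controls(SAMPLE_CONTROLS, SAMPLE_SCENARIOS))
```

With the constructed figures, the frequent medium-impact scenario outranks the rare catastrophic one once frequency is included, and the cheaper control with broad effect wins on avoided loss per dollar. The point of the exercise is the shape of the comparison, not the sample numbers: swap in your own organization's loss estimates and historical frequencies before drawing any conclusion.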
