The Rising Tide Lifts All Boats: The Advancement of Science in Cybersecurity
Laurie Williams, North Carolina State University
My Intentions: You Leave Here With …
• Greater awareness of a scientific software security research agenda
• A greater understanding of techniques for collaboratively doing large-scale research
• Some new thoughts about doing more scientific-ish and less engineering-ish research
• Even … reflecting on some things about life in general
It’s been quite the year already (ZDNet)
http://www.zdnet.com/pictures/worst-largest-security-data-breaches-2015/3/
Why the Science of Security?
• “… nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.”
(NSA BAA Industry Day)
Carnegie Mellon, NC State, University of Illinois – Urbana-Champaign (2010 release)
University of Maryland (2014 re-release)
The three missions of the Science of Security Lablets
• “Solve” hard security problems through the application of scientific research
• Advance research methods in the context of cybersecurity to build a sound science of security
• Build a science of security community
Seven lessons
• Stand on the shoulders of giants.
• Through focus, progress is made.
• Through diversity of opinion, creativity and unity is born.
• It’s so easy to fall back to “engineering-ish” research.
• Those humans cannot be abstracted away.
• Hard questions lead to great(er) insight.
• Through collaboration and unity, we can change on a larger scale.
1. Stand on the shoulders of giants.
ESE
Giants Focus Diversity Engineering Humans Questions Collaborate
Remind me: What’s the actual problem?
• “… Nagging perception that too much of the research is opportunistic, lacks rigor, has weak methodology, and fails to produce material advances on underlying hard problems.”
(NSA BAA Industry Day)
[Diagram: ESE intervention: “OK” research results → intervention → “Much better” research results]
Why do we need “much better”?
• More credible, convincing, substantiated
• More impact (other researchers, the practice of software engineering/practitioners/real people!)
• Enable meta analysis, combining of results, theory/law building
[Diagram: ESE intervention: “OK” research results → intervention (books, guidelines, meetings, journal, education, conference) → “Much better” research results]
Mary Shaw (ICSE 2002 data): Types of software engineering research validation
Shaw, M., Writing Good Software Engineering Papers, Proceedings of the 25th International Conference on Software Engineering, IEEE Computer Society, 2003, pp. 726-736.
Success of Intervention?
• A quasi-experiment on the intervention
• Top 4 journals (TSE, IST, JSS, ESE)
• 1992-2002 versus 2006-2010
• Result: Paper quality significantly associated with year
Kitchenham, B., Sjoberg, D., Dyba, T., Brereton, P., Budgen, D., Host, M., Runeson, P., Trends in the Quality of Human-Centric Software Engineering Experiments – A Quasi-Experiment, IEEE Transactions on Software Engineering, Vol. 39, Issue 7, pp. 1002-1017, July 2013.
Science of Security Copycats
• Guidelines
• Seminars
• Research plan reviews
• Workshops
• Conference (HotSoS)
• IRN-SoS
The Rising Tide: Leading by Example
Jeff Carver, University of Alabama
2. Through focus, progress is made.
1. Thing 1
2. Thing 2
3. Thing 3
4. Thing 4
5. Thing 5
6. Thing 6
7. Thing 7
8. Thing 8
Do This!
DON’T DO THIS!
You wouldn’t do it anyway.
Hard Problem 1: Scalability and Composability
Challenge
• Develop methods to enable the construction of secure systems with known security properties.
Hard Problem 2: Policy-Governed Secure Collaboration
Challenge
• Develop methods to express and enforce normative requirements and policies for handling data with differing usage needs and among users in different authority domains.
Hard Problem 3: Predictive Security Metrics
Challenge
• Develop security metrics and models capable of predicting whether or confirming that a given cyber system preserves a given set of security properties (deterministically or probabilistically), in a given context.
Hard Problem 4: Resilient Architectures
Challenge
• Develop means to design and analyze system architectures that deliver required service in the face of compromised components.
Hard Problem 5: Human Behavior
Challenge
• Develop models of human behavior (of both users and adversaries) that enable the design, modeling, and analysis of systems with specified security properties.
Science of Security Focus
1. Scalability and composability
2. Policy-governed secure collaboration
3. Encryption algorithms
4. Predictive security metrics
5. Intrusion Detection
6. Resilient architectures
7. Human behavior
Do This!
DON’T DO THIS!
3. Through diversity of opinion, creativity and unity is born.
Carnegie Mellon, NC State, University of Illinois – Urbana-Champaign
4. It’s so easy to fall back to “engineering-ish” research.
May be just a “subtle change”
Can you tell me WHY yours should be better?
Principles, Theories, Laws, Hypotheses … Science
“… nagging perception that too much of the research is opportunistic …”
5. Those humans cannot be abstracted away.
https://securityintelligence.com/the-role-of-human-error-in-successful-security-attacks/
6. Harder questions lead to great(er) insight.
“The quality of your answers is in direct proportion to the quality of your questions.” --Albert Einstein
Those “pesky” and ever-present hard questions
• Where’s the science?
• How are you doing at solving those hard problems?
• Can you show that the lablet is achieving its outcomes?
7. Through collaboration and unity, we can change on a larger scale.
[Map slide: Science of Security Lablets & Sub-Lablets. Legend: Lablet (4), National Security Agency, Sub-Lablet (26).]
[Map slide: Science of Security Lablets, Sub-Lablets, and Collaborators. Legend: Lablet (4), National Security Agency, Sub-Lablet (26), Collaborator (64), SURE (4).]
[Map slide: Science of Security International Sub-Lablets and Collaborators. Legend: Sub-Lablet (26), Collaborator (64).]
Agile Manifesto authors: It is in their collaboration and cooperation that they revolutionized the software industry. We need to work together to beat the attackers!
Seven lessons
• Stand on the shoulders of giants.
• Through focus, progress is made.
• Through diversity of opinion, creativity and unity is born.
• It’s so easy to fall back to “engineering-ish” research.
• Those humans cannot be abstracted away.
• Hard questions lead to great(er) insight.
• Through collaboration and unity, we can change on a larger scale.