By Gregory Hale
Don’t worry about the flash of a single vulnerability; get to, and understand, the root cause of a security issue and most problems will be alleviated.
That was the idea posited by Parisa Tabriz, director of engineering at Google, during her keynote address at Black Hat USA 2018 in Las Vegas, NV.
“I have felt we are in a reality version of whack-a-mole,” she said. “We know where problems are, but we have to do more to solve them. It is up to us. I am optimistic.”
“One way to get to the bottom of root cause issues is to keep asking why questions, which often lead to other why questions and then other why questions.”
She gave one example of “why” questions a team could ask after finding a vulnerability:
• Why did this bug lead to RCE?
• Why didn’t we discover it earlier?
• Why don’t we have tests/fuzzers?
• Why did it take so long to update?
• Why does it take five weeks to test a fix?
There is no doubt security is changing and the landscape is increasingly complex.
But if users follow these three steps, their issues could be reduced:
1. Tackle the root cause
2. Pick milestones and celebrate
3. Build out a coalition
While Google may have an abundance of resources at its fingertips, Tabriz said, the issues it faces are the same problems all companies face.
The two things to leverage, she said, are becoming more transparent and more collaborative.
In terms of transparency, she talked about one of her jobs at Google, with Project Zero. When it started up, vendor response varied hugely across the industry. Project Zero set a 90-day deadline: fix the vulnerability within that window or the details get released. Plenty of vendors did not want anyone to know there were issues with their products, but the team stuck to its guns and released the information after 90 days no matter the company.
“It is tough, but it works. Vendors have (since) had an improved response. One vendor doubled the amount of security updates, while another improved patch response time by 40 percent.”
Being more transparent puts everyone on the same page and allows for greater knowledge of security issues and of how they can be handled.
In terms of collaboration, Tabriz talked about making sure everyone understands “we are working on similar goals. There has to be an active collaboration of efforts.”
Although it was not mentioned in the keynote, a classic case of that is the IT-OT schism that has existed in the manufacturing automation sector for years. While it is getting better, it is becoming clearer that the two areas will have to collaborate on a greater basis.
That collaboration often forces change and “making real change is hard; there is plenty of pushback,” she said. “It upsets some people, but if you don’t upset someone, you are not changing the status quo.”
When you are able to instill some change, take some time and celebrate, she said. Have a small party, or take some time off to blow off some steam. Change is difficult and when it does occur, it should be celebrated.
Tabriz also talked about building a coalition, and not just with members of a specific team. She mentioned the massive effort to add site isolation to Chrome, a project that was supposed to take one year but ended up taking six.
“The work came from the team, but the ability to kill the project came from the outside,” Tabriz said. That meant the team had to constantly communicate milestones and successes and where they were going.
“If you are able to band together to tackle problems, you won’t play whack-a-mole,” she said.
“Security is getting better and we should be proud of the work we have done. Dependence on reliable security is growing,” she said. “People have to be strategic and really think about security.”