Risk

12/8/2017
10:30 AM
Chris Nelson
Chris Nelson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

What Slugs in a Garden Can Teach Us About Security

Design principles observed in nature serve as a valuable model to improve organizations' security approaches.

Next year marks the 40th anniversary of a book that changed the world: Bill Mollison and David Homgren's Permaculture One, which described a set of agricultural and social design principles that mimic the relationships found in nature.

"In practice, permaculture is a growing and influential movement that runs deep beneath sustainable farming and urban food gardening," Michael Tortorello wrote in The New York Times. "You can find permaculturists setting up worm trays and bee boxes, aquaponics ponds and chicken roosts, composting toilets and rain barrels, solar panels and earth houses."

What does this have to do with information security? I believe there's remarkable synchronicity between permaculture and security and that the use of design principles observed in natural ecosystems can serve as a valuable model to improve organizations' approaches to security.

Think about the challenges of protecting an enterprise: lack of resources (people, technology, budget, or any combination thereof), competing priorities, balancing compliance requirements and business needs, awareness and training, enforcing policies and standards. 

It's an environment well-suited for the application of permaculture principles, which focus on harmonious integration — working with, rather than against, nature — and embracing collaboration over competition. Permaculture, a portmanteau of "permanent agriculture," embraces three basic ethics: care of the Earth (or, in this case, the system), care of people, and reinvestment of the surplus.

These three ethics guide 12 design principles that can be as useful in setting up and administering security systems as in agriculture, but we don't need to go that deep in the weeds here (pun intended).

It's also useful to think about the six permaculture zones and how they can be used to prioritize work. Permaculture zones are used to organize design elements based on frequency of use or need. The lowest number (0) denotes the most frequently touched, while the highest (5) is equivalent to wild land, requiring no human effort to produce anything.

How do security concepts line up with this zoned approach? For the purpose of illustration, let's assume the following: You receive 25 to 50 alerts from your intrusion detection system (IDS) per day. You update your malware system or respond to alerts 10 times per week. You review VPN logs once a day. And you deploy code once per day, with integrated static code analysis.

Using this information, you can begin to align your tools with specific zones: IDS is in Zone 1 because these alerts happen frequently and are a strong indicator of compromise but don't involve much interaction time. Malware issues have a pattern similar to IDS alerts, but the incidents are less frequent, pushing them out to Zone 2. VPN log reviews and static code analyses fall into Zone 3, thanks to less-frequent occurrences but a need for greater human intervention during such occurrences.

These are not hard-and-fast rules. If you do multiple code commits per day, for example, static code analysis would fall into a lower-numbered zone. Essentially, zone alignment is based on the number of times you need to touch the security control. It's a great way to begin the application of the design principle — from patterns to details.

Some additional practical applications of permaculture in security:

The problem is the solution. Slugs are a problem in the garden. But if you add ducks, the slugs become a food source for them. And then the ducks provide eggs. In technology, an equivalent might be the training opportunities that arise when software developers deliver code that has vulnerabilities. By identifying vulnerabilities committed at an individual developer level, you can then tailor specific training material toward that user. This reduces the burden on the whole team, because they avoid mandatory training on material for which they've already demonstrated competence. This is a challenging concept for some people — whether something is positive or negative is entirely determined by how you view it.

Get the most benefit from the least change. In the physical world, a dam site might be chosen because it delivers the most water in relation to the least amount of earth that has to be moved. In the IT security world, an equivalent goal might be to remove admin rights from workstations, thereby immediately dropping the percentage of malware infections. This is a single action that can have a far-reaching positive effect on an entire organization.

Seeking order yields energy. Disorder consumes energy to no useful purpose, whereas order and harmony free up energy for other uses. By embedding operations staff into development teams, for example, you can avoid inefficiencies caused by engineers attempting to simultaneously manage systems while writing code.

Learn to harness natural cycles. Every cyclical event increases the opportunity for yield. Consider the software development life cycle and the plan-build-run model: both are examples of technological cycles that can make identification of IT security defects easier by coupling different tools to disparate stages.

Permitted and forced functions. Key system elements may supply many functions. However, if you force too many functions onto an element, it will buckle under the weight. Order is achieved by balancing simplicity and complexity.

Work with nature rather than against it. Pesticides destroy beneficial as well as destructive insects; the following year brings an explosion of pests because there aren't any predators to control them. If your security controls cause inconvenience to your users, they'll bypass them. When we build IT security policies and controls that function within the flow of the organization, enhanced security is the natural outcome.

Despite our many attempts to disrupt her, Mother Nature has been managing the world pretty efficiently for many millions of years. Permaculture reminds us to listen to what she tells us and apply this insight across every aspect of our lives. The lessons for information security are dramatic.

Related Content:

As Senior Director of Security and IT at Distil Networks, Chris Nelson leads the security and compliance initiatives across the organization by the use of permaculture for design of policy, standards, audit, and risk assessment. He works with customers, partners, and internal ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...