To make real change, the security industry must challenge the status quo, says Google’s Parisa Tabriz.

As they navigate through an increasingly complex and challenging digital environment, the information security community must take time to reflect on the progress they have made and celebrate milestones.

This is according to Parisa Tabriz, director of engineering at Google, whose keynote at this year’s Black Hat USA sought to offset zero-day-induced gloom by highlighting the industry’s many accomplishments over recent months.

“The environment that we work in is complicated and interconnected,” Tabriz said.

“To make real change, and to persevere while doing it, we need to pick practical milestones. We need to work towards those milestones, and – very importantly – celebrate along the way.”

Reasons to be cheerful

During her keynote, Tabriz, who heads up Chrome security and oversees the Project Zero team, said she was encouraged by the actions of some of the world’s biggest software vendors.

“We are seeing more security patches [and] faster response times in software that the world relies on,” she said. “And that is an improvement to end user security.”

One project giving cause for celebration, Tabriz said, was Google’s ongoing push towards HTTPS and encryption-as-standard, as demonstrated in the subtle, but important UI changes that came with Chrome 68 last month.

Looking elsewhere within Google, in the four years since the launch of Project Zero, Tabriz said the tech giant’s elite team of zero-day hunters have reported more than 1,400 vulnerabilities. 

“In total, the vast majority of security issues that are reported by Project Zero are now fixed within the 90-day disclosure period,” she stated. “That’s up from 25% that the researchers experienced prior to deadline-driven disclosure.”

‘Our current approach is insufficient’

While Tabriz highlighted the need to celebrate industry wins, this was – perhaps inevitably – caveated with a pointed discussion of the myriad challenges faced by the security community in 2018.

“We have made great strides in computer security over the past decade,” she said. “There’s more work to do, the landscape is becoming increasingly complex, and our current approach is insufficient.”

“I think we all need to do a better job of understanding and tackling the root causes of bad security. We can’t be satisfied with only isolated fixes.”

Under pressure

Tabriz said the Project Zero team aims to advance the understanding of offensive security to form and improve defensive strategies.

In many ways, this definition can be extended to apply to Black Hat itself, as the world’s leading security experts convene to shine new light on the software (and hardware) vulnerability landscape, thrash out ideas, and promote their own solutions to increasingly difficult problems.

Global cybersecurity spending is forecast to exceed $1 trillion cumulatively between 2017 and 2021. But still, this jaw-dropping figure pales in comparison to estimates that cybercrime will soon cost the world $6 trillion annually.

The idea that this is an industry under pressure is no more apparent than at Black Hat.

With zero-days being popped left and right, and fresh exploit techniques revealing a whole new attack surface, it’s sometimes difficult not to think that security is a game of cat and mouse that will never end.

Importantly, this pressure – that feeling that the ‘good guys’ are forever destined to be chasing a moving target – is perhaps felt no more acutely than by the white hats themselves.

This was not overlooked by the event’s curators: In addition to the dozens of technical talks, two sessions were laid out to explore stress, burnout, depression, and suicide in information security – issues that by now are all too familiar to those in the industry.

White hats, white collars

During his opening remarks at Black Hat 2018, event founder Jeff Moss said information security was at an important juncture.

“The industry is at the ‘final exams’ stage. It’s like we’ve matured enough that world events have caught up with us and we are now being tested: are we as good as we say we are?”

Moss didn’t discount software developers’ role when it comes to responsibility.

“I’m guessing there’s maybe 20 companies in the world who are in a position to actually do something about raising the level of security and resilience for all of us,” he said.

Vendor issues aside, John McCumber, director of cybersecurity advocacy at (ISC)2, a security certification and training organization, said one of the core themes at the show this year was that there is a need for more information sharing in the industry.

“This is not a new concept, but one that has been repeated for years now,” McCumber told The Daily Swig via email yesterday.

“The technology fix for this is beyond simple and could happen tomorrow. The real issue at hand is that most organizations have data management policies that stymie this type of open sharing environment.”

Unfortunately, McCumber said, policy issues can’t be solved by technology.

“A first step is to ask ourselves, ‘how do our policies align with the need for sharing information?’ Only by tackling that aspect head on will we make any real impact on how our systems and people are able to communicate to mitigate risks.”

Status: Quo

When it comes to promoting structural security improvements, Tabriz said Project Zero’s decision to implement a consistent, 90-day disclosure policy was a key milestone for the industry.

“This removed the historical negotiation between security researchers and vendors, and it actually gives the public access to vulnerability information in a really consistent way,” she explained.

“There’s no doubt that a deadline-driven approach causes short-term pain for large organizations that have to make structural change. And that includes pain within Google.

“But sticking to those deadlines over the years resulted in vendors rallying, innovating, and investing in making structural change – both technical and organizational – that wasn’t happening previously.”

Ultimately, amid a rapidly evolving threat and vulnerability landscape, Tabriz said the security community should always look to challenge the status quo.

“The world’s dependence on safe, reliable technology is increasing,” she said. “And as things get more interconnected, we have to stop playing whack-a-mole.”