Cybersecurity is really complicated. It is a topic of massive amounts of minute details. From those details, incredibly important big pictures must be formed. Cybersecurity is the art of being situationally aware in chaos.Software engineering is really complicated. It is a topic of massive amounts of ones and zeros. From those bits (1s and 0s) helpful applications must be formed. Software engineering is the art of creating knowledge from big data formed of bits.
Cybersecurity is inherently complex, as is the world of software. How do we make complex things less complex? How do we "get our heads around" all the things in the cyber domain?
We deal with complexity by forming mental models. This is what people mean when they say things like, "I've got to get my head into the problem.", or "I need to get my head wrapped around this." As a programmer for many years, I've trained myself in approaches to deal with complexity. In fact, this is why we moved to embrace Object Oriented Development (OOD); it helped us to get our heads wrapped around the problems we were trying to solve.
“Perhaps the greatest strength of an object-oriented approach to development is that it offers a mechanism that captures a model of the real world.” – Grady Booch[i]
Here is an interesting phenomenon that historically repeats itself: When an innovative new software solution that addresses a really hard problem space is first offered, the software engineers hear “Why is your software so complex? It needs to be easier to install and use.” The truth is that modeling a complex problem is a complex problem. Software complexity tends to be proportional to the problem's complexity. If Cybersecurity was a trivial problem to solve, we could solve it with trivial software.
Good software helps the user by providing higher levels of abstraction over the low level details of the problem. Good software helps the user “get his/her head around the problem” by providing a conceptual model. The expert’s mental model is encapsulated into the software’s conceptual model.
The first and foremost criteria for selecting a software solution should be whether or not it solves the problem. Once that criteria has been met a secondary criteria of ease of use can be evaluated. Don’t make the mistake of selecting a solution that is easy to use, but does not solve the problem.
Adapting to Change
The world of cybersecurity is constantly changing. It is very dynamic. Today’s zero day threats will change and tomorrows will be different. This is just one of the many complexities in cyber. How do we deal with this continual morphing? Well, we do so by allowing our conceptual models to adapt to the changes. This is just one of the complexities in software design, letting the user change the conceptual modeling in the software.
There are multiple conceptual models that must be addressed in cybersecurity software. At a minimum, three models are in the forefront:
- Your network: Both physical and logical topologies must be understood.
- Your adversaries: The risks and threats you face. Threat intelligence from external and internal sources.
- Your business: The business model, business processes, assets, risks, human resources, locations.
All three of these real world things are in a constant state of flux. Therefore the software models of these real world things must constantly adapt to reflect the changes. This mandates that the user(s) be able to modify the models. They must manage and maintain the models so they reflect the real world.
This is not to say that it is solely up to the user. Significant adaptive modeling can be done by others. Other enterprises in the same sector will have similar business models. Enterprises share many of the same adversaries (there is value to threat intelligence services). And of course, much of the hardware that makes up our networks is in common use by others.
It is our commonality that makes standards such as STIX so powerful. STIX is a modeling effort meant to be shared by cybersecurity defenders. Efforts to promote standards to enable automated information sharing help us to deal with complexity by providing us all with a common modeling language. This enables us to share our conceptual models to our mutual benefit.
What do YOU think? Are complex cybersecurity issues causing you chaos?
[i] Grady Booch (1986) Software Engineering with Ada p. 220. Cited in: David J. Gilmore et al. (1994) User-Centred Requirements for Software Engineering Environments. p. 108