Aaron Shaha, CISO, DarkLight
Sep 21, 2023
Contrary to popular belief in the technology sector, humans are closely intertwined with nature and its patterns.
What is permaculture?
“Permaculture is a holistic design science developed by Bill Mollison and David Holmgren. According to Bill Mollison, permaculture is defined as, ‘A philosophy of working with nature, rather than against it; a practice of protracted and thoughtful observation, rather than protracted and thoughtless action. It involves looking at systems and people in all their functions, rather than asking only one yield of them, and allowing systems to demonstrate their own evolutions.’”
Why do I think it’s related?
Many things can be decomposed to simpler solutions that nature has patterns for. For instance, we can observe the Fibonacci sequence in shell and plant petal patterns, and even in weather patterns. By delving into the principles of superior design, function stacking, and patterns that have been used over time, we can glean valuable insights for enhancing cybersecurity practices. One of the fundamental shortcomings in today's cyber industry is our failure to plan holistically. We do not consider the full scope of our risk, and Permaculture can offer some solutions for this, as outlined below. Among the Permaculture topics we will explore are function stacking and complexity, which show how we need to use patterns of re-use to reduce some of the systemic problems plaguing the cybersecurity community.
PERMACULTURE PRINCIPLES BY BILL MOLLISON
So, what are these Permaculture principles? Let us examine the list presented by the “father” of Permaculture, Bill Mollison. We will delve into each of these principles and explore how they relate directly to cybersecurity.
Principle 1: Relative Location – In Permaculture, we should always consider relative location to avoid Type 1 errors. These are mistakes that are exceedingly difficult or expensive to undo and may impact other projects negatively. Examples may include placing our garden on the north side of our house, preventing the summer sun from reaching our plants. What is the location in cyber? As the military cyber planners would say, this is our “key cyber terrain”. Key cyber terrain can include office locations, sensitive data locations, limitations to our security (do we need to run wireless?), our Domain Controllers, and more. Just as in Permaculture, we should carefully consider our relative location in cyber to prevent Type 1 errors, for example not having alternate ways to communicate with offsite critical resources.
Principle 2: Each Element Serves Multiple Functions – Permaculture systems should function stack to improve energy use and maximize functionality. For instance, in our permaculture systems, chickens should produce eggs, turn compost, and eat insects out of cow manure, which feeds them and keeps the number of flies down. In cyber, we must address the issue of “stovepipes”, where we have tools that are expensive and only accomplish one task. While it may not be feasible to achieve multiple uses for some capital expenditures (CAPEX), we should, at a minimum, make sure our tools can communicate in an open and transparent way so we can fuse data.
Principle 3: Multiple Elements Support Each Function – The best way to plant trees is to plant them with guilds of supportive plants, such as nitrogen fixing plants planted with fruit trees. Likewise, in cybersecurity, systems must seamlessly collaborate. For instance, consider the synergy of hunters collaborating with tier 2 SOC personnel and the inclusion of pen-testers on the team during off-hours, forming what is known as 'purple teams'.
Principle 4: Prioritizing Energy Efficiency – As we develop our Permaculture design, we want to maximize energy in all things. If we must walk to feed the chickens every day, we should place gardens near that path so we can weed them and harvest vegetables on the way to and from feeding the birds. Our T1s in our SOC should have the minimum number of windows or “panes of glass” to monitor, since the number of places to check exponentially degrades their attention and response times.
Principle 5: Utilizing Biological Resources – Natural solutions, such as improving soil biology, are superior to synthetic fertilizers, which are akin to strip mining our soil. In cybersecurity, the implementation of artificial intelligence (AI) is a viable approach. However, we will always need humans to synthesize data and apply analysis. To illustrate this point, consider requesting AI to produce an analysis of the specific motivations of a cyber adversary targeting a business. Since all cybercrime involves a combination of means, motive, and opportunity, AI tends to generate generic responses: it cannot read the minds of the threat actors, and at best it can combine previous work and replay it. It takes a human to create a new analysis of these threats in relation to changing external forces. The importance of human interaction in this domain remains steadfast.
Principle 6: Embracing Energy Cycling – A simple example of energy cycling in Permaculture is our analysis of water on land. It is essential to consistently assess how water naturally moves from higher to lower points. We harness the sun's energy to lift water through rainfall and use it as it flows downhill, potentially even converting it into electricity through a small hydro generator at a dam. We want to apply similar thinking to our cyber resources. Cyber Operators spend enormous amounts of energy moving log files around and transforming them from system to system with extract, transform, and load (ETL), but it is rarely easy for the human analysts to do their work with the data. By examining our engineering and workflows to reuse this energy intelligently, we could drastically enhance our cyber operators and situational awareness.
Principle 7: Embracing Small-Scale Intensive Systems – In permaculture, the emphasis is on concentrating efforts within small areas through function stacking, thereby creating small intensive systems. Chickens and gardens should all work together to make compost, feed the hens, feed us, and cycle back biowaste for more compost with chicken manure. In cyber, we must decompose complicated items into a common vocabulary. We cannot continue the current paradigm of each system having its own stovepipe, which increases data sizes and complexity and overwhelms cyber defenders.
Principle 8: Embracing Natural Plant Succession and Stacking – As of this writing in mid-August, the weather is scorching hot. However, fall is right around the corner. Our plants in the garden will soon end their growing season and I am planning a winter cover crop in my garden to add mulch in the spring when it dies, as well as tame the weeds. This is succession and stacking of our natural systems. We need to think similarly about how our CAPEX works together. Far too frequently, substantial investments in systems fail to integrate data with other resources, leading to the creation of isolated data silos or 'stovepipes.' Subsequently, newly engaged Managed Security Service Providers (MSSPs) may recommend the removal of these systems and the adoption of their own isolated solutions. As a community, we need to engineer smarter solutions, putting an end to the unnecessary stovepipes driven by the pursuit of artificial moats.
Principle 9: Promoting Polyculture and Biodiversity – When we plant our gardens in a Permaculture system, we want to have many species available to prevent and confuse pests, aid beneficial insects, and help prevent diseases. Monocropping leads to overuse of pesticides and fertilizer. We are starting to monocrop in cyber, or at least build vast fields of corn (AWS) and soybeans (Azure). This may be my most controversial position, but this is a great mistake. History has shown us that a breach against those systems is inevitable, and having all our eggs in one basket is an extremely dangerous play.
Principle 10: Increasing “Edge” Dynamics Within a System – As you walk down the sidewalk or a rural road, examine the edges of the pavement or the tree line. It is in these areas that the grass and other plant life flourish most abundantly. In the natural world, 'the edge' is synonymous with life. In lakes and oceans, fish congregate on the edges of shorelines, or deep-water structure, as it is where their food congregates, and their food’s food; down the rabbit hole. In cyber, we have neglected the edge, except to focus on the external perimeter. By building in proper internal segmentation, we give ourselves more telemetry and a better chance of detection of a potential adversary. It is imperative that we refocus our design strategies towards an intelligent defense-in-depth approach, a practice that, as an industry, we have drifted away from, particularly in the context of mergers and acquisitions (M&A) scenarios.
Principle 11: Natural Patterns Through Observation and Replication – In Permaculture, one of the first rules is to take one year to observe the land and learn the natural patterns there: for example, how the water flows and where the wind comes from. The cyber realm operates at a much faster pace, leaving us without a full year for observation. Nevertheless, it's essential to periodically elevate our perspective from the tactical to the strategic and assess our cyber environment. It is easy to get caught up in the daily grind, and re-evaluation can help us catch items we may be missing by focusing too tactically. We should not fight nature; we should learn from it.
Principle 12: Recognizing the Significance of Scale – Scale in Permaculture can range from a small backyard in the city to massive regenerative agriculture farms and ranches. The scale we work at matters in our solutions, and directly influences what we can accomplish. Drawing from my experience in incident response (IR) and threat hunting, it's evident that most companies typically retain log data for a maximum of 3 months. However, for IR and hunt to conduct comprehensive postmortems and gain the ability to thoroughly assess the scope, actions, and prevalence of adversaries within our networks, a lookback period of 6-12 months is essential. Pay attention to scale, and focus energy on telemetry that matters.
Principle 13: The Power of Attitude – This stands alone, and we should closely read it for right thinking in cyber security.
Much can be gleaned from nature and the established principles of Permaculture. It has been demonstrated how numerous elements of this design science align with cybersecurity, and how they can be adopted to enhance the cyber position. The aspiration is to utilize these elements for streamlining our work, daily life, and the security posture of the networks under our defense.
About the Author
Aaron is the CISO for DarkLight, Inc., a cyber security product startup. He lives and works outside of Colorado Springs, CO, and enjoys designing his homestead with Permaculture in his off time.
DarkLight, Inc., is the creator of the cybersecurity software Cyio. Our mission is to turn overwhelmed victims into empowered defenders. Cyio, from the Latin word Scio meaning “to know,” is a knowledge-driven AI platform built as an all-sensor fusion solution to automate as much analysis, management, and reporting as possible. DarkLight provides defenders the insights to know, manage, and prioritize risks impacting their organizations. By bringing focus to what is most important to the business, Cyio improves security while saving time and money.