Google's Director of Engineering Parisa Tabriz kicked off Black Hat 2018 with a wide-ranging keynote address this morning at the Mandalay Bay Events Center calling the industry's current approach to cybersecurity insufficient.
Tabriz, who also oversees Google's Project Zero, compared the industry's current methodology to a game of Whack-A-Mole, where individual threats are simply beaten down once they become known, or ignored until they become a true problem.
She noted how her frustration level rises when she hears about an attacker who successfully exploits a previously known and patched vulnerability, and suggested several steps she believes any company can put into place to help bolster its defenses:
-
Tackle the root cause.
-
Pick milestones and celebrate.
-
Build out your coalition.
The first suggestion centers on using what Tabriz described as the five “Whys” technique -- essentially, asking the question "Why?" in relation to an issue. until the root cause behind the company's vulnerability is revealed.
“This can help ID bad security methodology," she remarked.
Tabriz cited the Chrome HTTPS rollout as an example of the importance of her second suggestion. She noted that while it was a difficult multi-year project, it was also very important to keep the team's morale up and to ensure it remained focused. Small celebrations, like funny cakes, were used to mark milestones and are something any firm can do, she said.
The end result has been a massive uptick in HTTPS adoption, going from 45 percent in Chrome in 2014 to 87 percent in 2018. Android saw usage jump from 29 percent four years ago to 77 percent today, Tabriz said.
Coalition building, both within a company and with external partners, is also needed to keep cybersecurity projects alive and on track. Tabriz cited the creation of Project Zero as the poster child, explaining how she had to convince upper management that calling out the poor security of its customers after a 90-day disclosure period ends was actually a good idea, at least in the long run.
“There was lots of pushback on the disclosure program and even though it can cause short-term pain it forced vendors to make [much needed] technical and organizational changes,” she said.
These changes can be reflected in the fact that now about 98 percent of the companies fix the problem prior to disclosure, up from only 25 percent earlier in the project's history.
In the four years since Project Zero has been running, it has found about 1,400 vulnerabilities, she told the crowd.
