In the study of economics there is a technique called Pareto optimality. Pareto Optimality, or Pareto Efficiency, is a guiding force of economic efficiency. Simply put, it is the principle that there exists a balancing point between opposing interests where neither party benefits more than the other. For example, if we share 10 items between Alice and Bob (for you PKI experts: yes, we went there), and Alice receives five items, and Bob receives the other five, then both parties are happy and we obtain the maximum utility. Seemingly, we have the optimal position.
But, suppose we take one item from Bob and give it to Alice, is he necessarily worse off? And is Alice necessarily better off? If the impact to the parties has not taken away from their happiness, then we have not destroyed the optimal position. How does this relate to cybersecurity? On the surface, it doesn’t. But, thinking like that epitomizes the difference between the good guys and the malicious actors and has led to the asymmetric threat landscape that exists today. It’s actually quite simple. First, we must understand the approach the cybersecurity industry has always taken to defense.
Often the approach championed in the media and tech literature is to find a safeguard providing organizations with a silver bullet (akin to the “winner takes all” mindset): the one defense that will stop every malicious attack. As Jason Soroko explained in his series, "Identity Context: Defense’s Next Play," this just isn’t possible — and likely never will be. As he describes, and I believe 100 percent, this logic (or lack thereof) has created a situation of information asymmetry placing malicious actors two steps in front of the cybersecurity industry. What are we to do? If we approach cybersecurity using Pareto analysis and the objective of finding the position of defense that gives us the most utility, our overall position against malicious actors would improve. If you defend addressable attacks and evaluate the risk associated with valuable assets, a measured and defensible approach to protect systems, information and identities can be found.
This would allow us to stop the easily preventable attacks and focus our defenses on the vulnerable points of ingress that matter most. You cannot stop a sufficiently motivated individual or group, whether in the cyber or physical worlds. However, proper defensive postures that find an optimal balance between threats, risk and vulnerability (in the real world cost is also a factor) will help thwart addressable attacks and make your organization less attractive to the attackers. Assuming there is a portion of attacks you cannot stop given current defensive measures, finding this aforementioned optimal position should drastically reduce your exposure to attacks. If this concept were more widely adopted, maybe the number of consumer records stolen last year would have been significantly fewer. Shockingly, it is reported that 820 million records were stolen, and that figure doesn’t include the Experian breach. Add another 200 million for that incident.
A humorous definition epitomizes the approach taken by the industry: “Insanity: doing the same thing over and over again and expecting different results.” This is exactly the type of linear thinking that has led to the current unstable cybersecurity situation. It is time we start looking to other disciplines for ways of improving defenses and our thinking. Maybe the next step for identity and access management (IAM) will be Pareto-based Security.