Map out your future - but do it in pencil. The road ahead is as long as you make it. Make it worth the trip.
- Jon Bon Jovi, American singer, songwriter, guitarist, and actor
This is about rethinking cybersecurity from the ground up using the idea of first principles. I will explain what I mean by that in Chapter 3, "Zero Trust," but at a high level it's a list of fundamental truths that serves as the foundation for building your cybersecurity program. That said, my intention for writing the book was to target a broad swath of security practitioners in three groups.
The first group consists of security executives. These are my peers, colleagues, and the people who work for them in the cybersecurity industry supporting the commercial sector, government circles (both policy and technical), and academia. With this first principles notion, my intent is to challenge how these network defender veterans think about cybersecurity. I am going to suggest that for the past 25 years, we've all been doing it wrong and that a reexamination of first principles will guide us back to the right path and will help us disrupt our current thinking to pursue defensive postures that have a higher probability of success.
The second group consists of the newbies coming into the field. These would be young and fresh-faced college graduates, government civil servants transitioning into the commercial sector, and career changers who are tired of what they have been doing and look to cybersecurity to be more interesting and lucrative. I am going to give this group a foundational framework based on first principles to build their knowledge, including the first principle historic background so that they can understand the current state of the cybersecurity landscape and an idea of where we all might be heading in the near future.
The last group will consist of teachers and students at the elementary through graduate levels. Within the cybersecurity discipline there exist numerous, valuable, and fascinating by-waters of study that many students and educators feel are loosely connected and, because of the volume, quickly become overwhelming. First principles will be a framework for your curriculum. I will lay out how to tie everything back to cybersecurity first principles that will allow them to chart a course through the volume of material they need to get through.
That said, there are typically three kinds of organizations that network defenders work for: commercial, government, and academia. I can make an argument that there are two different categories of government network defenders too: traditional defense (like their commercial and academia peers) but also offensive cyber for espionage and continuous-low-level-cyber-conflict (cyber warfare purposes). I will discuss the former and not the latter.
Lastly, since the early Internet days, organizations typically fall across a network defense spectrum between the haves and the have-nots, and where they fit within that range normally depends on how big the organization is (not always). On the have-not side, these are organizations that are small (like startups and city/county governments) where they barely have enough resources to keep the lights on. On the have side, these are typically large organizations (like Fortune 500 firms) that have more resources than they know what to do with. I will cover first principle strategies and tactics that any infosec program should consider regardless of size. Fully deploying all of these strategies and concepts would be expensive, something reserved for the have side of the spectrum. That said, these ideas are not checklists. They represent ways to reduce the probability of material impact. Depending on your environment, some will work better than others. Especially for the have-nots, where possible, I highlight where you can pursue these ideas on a shoestring budget.
First principles in a designated problem space are so fundamental as to be self-evident; so elementary that no expert in the field can argue against them; so crucial to our understanding that without them, the infrastructure that holds our accepted best practice disintegrates like sandcastles against the watery tide. They are atomic. Experts use them like building blocks to derive everything else that is known in the problem domain. All new knowledge gained in the problem domain is dependent on our previously developed first principles. That means there is an absolute first principle, the principle that starts everything.
The Internet started to become useful to academia, government, and the commercial sector sometime in the early 1990s. As it did so, cyber bad guys discovered that the Internet might be valuable for their chosen activity too: crime, espionage, hacktivism, warfare, and influence operations. Organizations began hiring people like me, network defenders, to prevent these "black hats" from being disruptive. In the early days, the network defender community made a lot of assumptions about how to do that. Twenty-five years later, many of those best practices turned out not to be first principles at all; mostly they were first and best guesses. Twenty-five years later, it's time to reset our thinking and determine what our baseline cybersecurity first principles are and what the ultimate cybersecurity first principle is.
I make the case for the atomic cybersecurity first principle, explain the strategies necessary to achieve it, and consider the required tactics, techniques, and procedures for each.
Here are a few conventions I use in the book to aid in your understanding.
I use the term cybersecurity as a catchall for the work that practitioners do. Over the years, the community has adopted many synonyms that have the same meaning. Here are just a few:
For my purposes, they all refer to the same thing and I use them interchangeably.
The same goes for the phrases we all use when we describe each other.
For my purposes, I also use them interchangeably.
There are generally three types of organizations that invest in the cybersecurity people-process-technology triad: commercial companies, government organizations, and academia. Where I refer to one of the three, assume that I am talking about all of them. When I'm not, I will call it out explicitly.
The Canon project (cybersecuritycanon.com) is a security professional community effort to identify all the books that cybersecurity professionals should read. I founded the project in 2013, and at the time of this writing, it is sponsored by Ohio State University. I refer to many Hall of Fame and Candidate books that the reader might find useful. On the web page, readers will find book reviews of those books and many others.
I've been working in the cybersecurity industry for more than 30 years. Along the way, I have had experiences that some readers might like to hear about. I call them war stories. Many are only loosely connected to the topic at hand, and some may have no connection at all (I just liked them). I've re-told some of them here. That said, I realize that some readers might want to just read the meat of the book (like one of my editors, Steve Winterfeld, who just wants to skip over the war stories). I have color coded the text of my war stories differently (in gray), like this section, to make it easier for the readers who stand with Steve.
While doing the background research, I created supplemental materials that helped me organize my thought process. They include the following:
You don't need these materials to understand my main thesis, but some of them might be useful or at least interesting.
For more information, please visit thecyberwire.com/CybersecurityFirstPrinciplesBook.
I cover a lot of material. If you find yourself getting lost in the blizzard of ideas and can't remember where you are in relation to the overall thesis, refer to Figure 1. Read it from the bottom up. The first box is...