LAS VEGAS -- Keynote speakers for infosec conferences often play to the crowd with flowery quotes about how the security community is the real leaders of change, but Parisa Tabriz, director of engineering at Google, took a slightly different approach with her Black Hat 2018 keynote by describing -- in detail -- the actual work required to enact that change.
Some of the themes Tabriz hit on were familiar to the Black Hat audience -- focusing too much on flashy vulnerabilities and hacks rather than root causes and the broader impact that can be made by infosec -- but the tone of her keynote felt different. Rather than an impassioned speech meant primarily to inspire, Tabriz set out to instruct the audience with specific yet simple actions.
According to Tabriz, the way to make things better breaks down into three broad steps: tackling root causes, choosing milestones and celebrating achievements, and building a coalition outside of security.
"Often, we can't tell the exact form of potential threats to come, but we have to still invest proactively in defensive projects that promote core security principle -- isolation, containment, simplicity," Tabriz said. "Now, when the benefits aren't immediately clear, which is common in proactive defensive work, it's important to communicate upwards and outwards and get people outside of your immediate security team to invest in the project."
Tabriz, who manages both the Chrome security and Project Zero teams at Google, used examples from each to teach the audience at Black Hat about how much work it takes, and how many ways a project can fall apart, regardless of if it is a major security change or something seemingly much smaller.
"Defense happens over the long arc. It's very hard to measure progress because it happens over time. We don't have great objective ways to measure it and some metrics are bad. It takes a long time, positive signals are very rare, and I think that's why it's harder to celebrate and recognize and talk about defenders," Tabriz told reporters after the keynote. "But I think it's really important to do and I hope that we can take some attention because at the end of the day, that's what actually makes things better."
Tabriz was also careful to note the wider impact one vendor can have even when faced with criticism. She talked about how the Project Zero team faced a lot of pushback from the industry when first implementing its strict 90-day disclosure policy because historically, vendor response to fixing security issues varied widely across the industry and often involved negotiations between researchers and vendors.
"Project Zero's strategy is to build a practical offensive security research pipeline to advance the broader understanding of exploitation amongst vendors. That ultimately leads to structural improvements and better end-user security for the world," Tabriz said. "In total the vast majority [95%] of the issues reported by Project Zero are now fixed within the 90-day disclosure period. That's up from 25% that the researchers experienced prior to deadlines being made standard. That's a huge, huge change.
"Making fundamental change to the status quo is hard, but necessary. It absolutely leads to upsetting people. If you're not upsetting people, you're not changing the status quo."
Proactive defense of root issues
Tabriz offered real-world examples of changing the status quo in her own organization with the massive effort to add site isolation to Chrome. She said the Chrome team at Google identified potential threats based on the fundamental architecture of the browser in the form of cross-site attacks.
"We didn't know exactly when the wave of attacks would come and when they would move from render compromise to install malware, to render compromise to steal cross-site data, but we knew the incentives were there for a shift to be inevitable," Tabriz said. "With that realization, our security team started a second solution effort in 2012. This was an effort to rearchitect the browser and mitigate this risk."
Tabriz described how the work of developing site isolation in Chrome took six years -- far more than the one year originally estimated -- and ended with a not-so-flashy demo showing that the browser "didn't crash." But all of that work gave Google "a huge head start" when the Spectre attacks were identified, and even more granular site isolation was needed to protect users.
"Chrome already had a huge amount of the ground work laid to protect users from a whole class of new bugs. No one would have predicted that something as big as Spectre would come along. But we did know where the assets were and [we] were attacking that root problem for a number of years," Tabriz said. "We all need to continue investing in ambitious proactive defensive projects."
Celebrating goals and avoiding failure
Part of the key to success was setting goals and celebrating achieving those goals, Tabriz said. Being mindful to celebrate milestones was a good practice to keep the teams motivated during long-term projects, but those milestones also acted as a beacon to other teams outside of security and even with other vendors that changes were in the works.
"Part of my job is to make sure my team believes change is possible and stays optimistic over the long run," Tabriz said and described the process of changing the HTTPS badges in Chrome. "We celebrated a lot of the transitions in public. The milestones, each one of them, resulted in pushback and also the occasional hate mail. But it served a really important purpose: They were a reminder to the world that this was coming and they put a very clear deadline for people to work towards."
Of course, in spite of hard work and clear deadlines, there are many ways a project can fail, Tabriz said, including management killing the project because unexpected delays aren't explained properly or a lack of support from the wider team or outside vendors. She described how the Chrome site isolation team was able to build a coalition during its efforts through communication, positive attitudes and generally "being good citizens."
"The insight for the core work stemmed from that 10-person site isolation team, but the ability to kill progress came from outside of that team. To make a project like this work at scale, you have to build a coalition of experts in many different roles and champions for your project," Tabriz said. "Our community may be able to find the right problems and technical solutions, but we rely on everyone working in technology to clear the path to a safer future."