Event Recording

Game Theory: Will it put your mind at ease, or make you doubt your decision on where to run an IAM solution?

Good morning. Right? Just wait for my slides to come up. Here we are. So my name is English Hubert. I'm an architect at RSA, and I have been with RSA for 20 years now. About 10 years ago, RSA came up with a game-theoretical model for analyzing IT security scenarios. At that time I had no idea what game theory actually is, so I thought I'd better read up on that, and it became a bit of a hobby for me. You may actually know game theory a little bit, or maybe you've just heard the words. This presentation is a keynote, not a scientific lecture, but I'll show you how to use game theory in the scenario of deciding where you should run stuff. It could be IAM, and that will be the focus, but it can essentially be anything: any solution where you can make the decision to run it on-prem or in the cloud. That's what I will use game theory for.

So game theory, for those of you that don't know, this is a definition: game theory is the study of mathematical models of conflict and cooperation between intelligent and rational decision makers. Now, we are intelligent. I know that because we are here at EIC. Are we all rational?
Not all the time. If you think you're rational all the time, you haven't fallen in love yet. I'm hopelessly romantic. So game theory can be used as an alternative to gut feeling, the "I think this is the right way". Game theory uses mathematical models, and if the model is good, it helps you make a better decision based on facts. Game theory is used extensively in things like economics and social studies, for example to analyze cooperation and conflict between multiple parties. This could be anything: competition in a marketplace, the military, for example, it doesn't really matter. You can apply it to pretty much everything, if the model is good. Now, if you actually read up on game theory, if you pick up a book, if you're still into books, or watch a YouTube video, you stumble over the prisoner's dilemma.

I'll try to raise the knowledge in the room a little bit. The prisoner's dilemma works like this. It's a simple game: you and a friend of yours commit a crime. The police catch you. They cannot convict you of the big crime, like a burglary, only of a lesser crime, but they really want to get you for the big one. So they put you in separate rooms and make both of you the same offer. If you tell them your friend did it, you walk free and your friend gets 12 months in jail. If both of you say the other one did it, you both get six months in jail. And if neither of you talks, both only get one month in jail. So what would you do in this case? If you think about this, you might have a feeling like, ah, I'm not saying anything, or, I'll just say the other one did it.

Whatever decision you make might just be a gut feeling: I think I'll do this. Especially if it's actually a true friend, you may say, no, I'm not saying anything. But that's not rational. Let's look at this from a rational point of view. We put it in a little table. This is the game in a little table. As you can see, if both cooperate with each other, they spend one month in jail. If one of them is defecting and the other one is not, it's 12 months and zero months. Otherwise it's six months for both. Now, if you are rational, you don't care what happens to your friend. Trust, that's not rational. Let's be rational. So let's just assume you are player yellow. We don't care what player blue faces. We only care about us in this table.

You pretty clearly see that if you are yellow and player blue cooperates, you should defect, you should blame the other. Why? Because zero is higher than minus two. And also if the other one defects, you should also defect, because minus six is higher than minus 12. And of course it's a symmetric game, because it's the same for both sides. If you put this into the table, we have this minus six, minus six. That's the stable solution. This is the solution to the game: nobody should pick anything else, because they don't have a reason to do so. That, by the way, is called a Nash equilibrium. John Nash, Nobel Prize winner, that's the guy the movie A Beautiful Mind was all about. So this is an easy game, one-off, fine.

So you may have picked cooperate-cooperate because you're a good human being. But you shouldn't; you really should defect every time. But what if we play this game repeatedly? If we play this game repeatedly, that means we commit crimes constantly, the police keep catching us and keep making us the same offer. So we are not really super-smart criminals, just to be clear. If that game is played over multiple rounds, it changes the game completely, because to make a good decision you would need to take into consideration what happened previously and what might happen in the future. So if you play against somebody that constantly defects, maybe you shouldn't cooperate all the time, because you'd spend a lot of time in jail. It changes the setup completely, and you actually have to think about what happened in the past.
Iterative games are much closer to what you experience in real life. You and your neighbor: you borrow tools across the fence, you get the chainsaw, he can have the lawnmower. If over time your neighbor ends up with your entire tool set, you're not playing it correctly. You're trusting and he's just defecting all the time, so you should change the strategy. Now in comes FlipIt. RSA FlipIt, that's the game model developed by RSA Labs and Ron Rivest. Ron is the R in RSA. At that time, almost exactly 10 years ago when this was published, the goal for FlipIt was to develop a basic science of cybersecurity, specifically in scenarios where there's complete loss of data or complete loss of control. So anything can fit in there. You could think about somebody breaching a key management system; this is actually when we started looking into this.

So key management: complete compromise of key management, all keys are leaked. Could be somebody breaches an MFA solution and all the MFA authenticators basically get hacked. Could be anything around these scenarios. The second thing is that this theft of the resource, this taking over of the resource, is covert and stealthy. So you as the defender don't realize this happened immediately. Just like in real life, the attackers don't come in with blazing guns and just take over. They do it silently. That's the whole point. And at that time the thing really was: we don't have a basic science to do stuff. We rely on gut feeling. It's like, I think experience shows that we do this. And they went, no, we want to see if we can put this into formulas, into math.

Game theory is math. I'm not showing math formulas here, so don't worry. It's just about breakfast time for home office users, so it's a bit early for that. FlipIt is an iterative game. It's played over a long period of time, potentially forever, just like we do in real life. We have to be the defenders all the time, until eternity. I think the best-case scenario is that at one point in time we are going to die, so it will be over, but otherwise it goes on forever, just like FlipIt. So FlipIt is about two players battling over a resource, essentially. And then the important part comes. First of all, attackers and defenders can move at any time. So it's not just a turn-based game where attacker, defender, attacker, defender alternate; each one of them can move at any time, which was pretty unique at that time.

If you're into computer games, this is much more like Command & Conquer, not like Final Fantasy IX or Baldur's Gate. And I lost half the audience with that one. So the attacker can move at any time, as can the defender. The only way to find out if the resource you're battling over is still under your control is to make a move. Also, if that resource turns out not to be under your control, you also have to make a move. In other words, that resource doesn't just come back to you by magic. Having control of the resource for a certain period of time is a benefit to you. That sounds logical: the longer you have control of the resource, the better for you. Maybe you make money with that resource, maybe you don't lose as much if you control that resource. Doesn't matter, it's a benefit to you.

And also those moves cost. They cost you and they cost the defender. Important: you can't just make move, move, move, because every move costs. The same is true for the attacker, by the way. Keep that in mind. There's a little online version of FlipIt. The URL is here as well. And this is one round I played, essentially. Over this period of time, I'm player blue, obviously, and I made four moves. Those are the little dots there at the bottom. Player red, that was the computer, made six moves and still had less control over the resource. So this round I won. There were multiple rounds I lost; I just picked the one for the screenshot where I won. Makes me look better.

So you may think, how do I win at FlipIt? You may also still think, what the heck does it have to do with IAM? I'll get to that. So how do you win at FlipIt? FlipIt might not be just about how you win, but maybe about not losing as much, just like in real life. So, best strategies to win at FlipIt. First of all, don't use periodic moves. If you're facing a halfway intelligent attacker that adapts to your strategy, periodic moves just don't work. Those 60- or 90-day password resets that we all have to face are completely and utterly useless, because the attacker will know what happens after X days and can adapt easily. The same is true for other things. If you do periodic system patches or virus scans, like every Monday morning at eight o'clock, it doesn't really work against an intelligent attacker. And we have to assume we are facing intelligent attackers.
The other thing is, if you play fast enough, you may force the other player out. Why? Because of economics. They don't control the resource often enough and their move costs keep going up, because they have to make a move and then make another to take it back. We'll get to move costs in a bit. But if you play fast enough, you may force them out. Random moves are highly effective: if you make your moves so that they appear random, or are random, it's unpredictable, so the attacker doesn't know when you made a move. By the way, if you flip it around, this is excellent for attackers to find a strategy. So yes, we are the defenders, we can move, we can use that; the attackers could use that as well. So two main principles here. First of all, you should arrange it so that your move costs are as low as possible, while at the same time arranging it so that the attacker's move costs are as high as possible.

What does that mean? If you have a well-oiled machine, most of it is automated, your move costs are probably lower. And throw everything at the attacker: MFA, Zero Trust and whatnot. That makes the move cost of the attacker higher. At the same time, you should arrange the game so that your visibility into the state of the system is as high as possible, while arranging it so that the visibility of the attacker into the system is as low as possible. So have good monitoring, for example, while trying to hide stuff from the attacker; that could be encryption, some obscurity. Security through obscurity doesn't work, but obscurity actually does work as a cheap additional layer. It does work.

So, some of the conclusions that we can take from FlipIt. Again, this is a keynote, not a scientific presentation, but on a high level, it actually is a good model for defensive strategies against stealthy attacks. As I mentioned, it was actually meant for cybersecurity, but others have applied FlipIt to scenarios like defending a mountain pass. It doesn't really matter what type of resource it actually is. It's just that the attacks are stealthy, that everybody can make a move at any time and that there are move costs associated with it. That's basically it.

You have to design the system and keep in the back of your head that the systems are completely compromised. And again, that can be anything: MFA system hacked, your CRM system completely hacked and all exposed, or loss of service. Anything you can think of. And the system could be anything from a single server, a network, the whole company, doesn't matter. It's as small or as big as you like. Aggressive play can force out the attacker. Now, this is sometimes true, sometimes not. If you are facing a nation state as your attacker, they probably have deeper pockets than you do. But if they're somewhat equal, you can actually force out an attacker by playing fast enough. If you want to play fast enough, you have to make sure your move costs are low, by the way. So anything that's highly automated will help.

So in general, what does that mean? Monitoring, visibility, is key, because that makes the move to uncover whether you still own the resource more effective. So anything you can do there: log management, packet capture, good identity governance, for example, to see which identities and accounts exist with access to what. All good controls that make the move costs for the other one more expensive. The more, the better. But you have to take your own move costs into consideration as well. Have a response plan, because if you have to take back that resource, you should have it done as fast and as efficiently as possible. So reduce your move costs, and make sure that the plan matches the resource. A disaster recovery plan that's 10 years old and doesn't match what you currently have is useless. Governance also takes care of that, by the way, that the whole system matches and everything is running as a nicely smooth system.

And then finally you have to have the people that make the magic work. A lot of this can be automated, lots of it should be automated to reduce move costs, but there will always be the human factor. So, coming finally to the question: should you run something as a service? I now use the generic term cloud security provider. It could be anything in security: MFA, some IAM component, IGA, PAM, could be a VPN, web filtering, doesn't really matter. So the cloud security provider should have better visibility, better controls and better procedures than you do. Now, who of you thinks that they can do a better job running stuff on premise than a cloud security provider? Hands up, just be honest. None of you, or you're just still sleeping. So if you have the idea that you can run it better, you are not normal.
The normal IT person in a normal company... we are not normal. We are at EIC. So we are not the normal IT person. The normal IT person tries to make that Windows XP box on the manufacturing floor work again while having to manually provision three accounts and fix the firewall. And they most likely cannot run a security solution as well as a cloud provider. If you look at it from a FlipIt point of view, in terms of move costs and visibility, for example, the cloud security provider has a lower move cost. If they detect an attack on one of their customers, they can put mitigation in place and apply it to all other customers as well. So the move cost per customer is lower for the cloud security provider, while they have a larger visibility, a bigger visibility. However, it must be said, on the negative side, they are really juicy targets.

If you as an attacker compromise a cloud security provider, you can potentially compromise all their customers. It did happen. It's nothing theoretical. This did happen and will happen. So this actually speaks against using a cloud security provider. Pros and cons. First of all, this list is not complete. If you put thought into it about move costs and visibility, the list will be longer. But what you will see is that you will always find pros and cons, and this list is highly individual. So the examples that I have here can look different for you, for your company, for your customers. If you run everything on-prem, I agree, you can actually do a better job. If you have the resources, the people to run something efficiently and securely, you can do a better job than a cloud security provider.

I firmly believe that. It comes at a cost, however. You remove yourself from a dependency on a third party. If you think about a cloud security provider, you, for example, cannot completely monitor that environment. That's the whole point of it: you removed it, abstracted it. So you don't have complete visibility into their system. You only see what you control. If you can completely monitor your own system, you have better visibility. For example, if there's an outage: I run everything on premise, I don't really care what happens in the cloud. So it's increased visibility for the defender, at best probably. I don't think you can run it any cheaper, potentially. But it definitely increases your visibility and potentially decreases the visibility of the attacker and increases their move cost, especially for things like supply chain attacks. Think about it: if you have a supply chain and the entire supply chain happens to use the same cloud security provider, you take one, you get all of them, you breach the entire chain. Whereas if everybody's running it on-prem, they have to individually breach every single system.

So what does it mean, for example, for MFA? This is where I put my product head on. Again, it's highly individual and you may come to different conclusions, but what this should show you is that no matter which decision you made or are about to make, if you decide, hey, cloud is cool, let's go towards the cloud, for example for MFA or IGA, that might be the correct decision. But if you reevaluate it, it might be that, hey, you know what, running it on premise does have some benefits. On the other hand, if you say, no, no, no, I'm not going to the cloud, way too insecure: be honest with yourself. Analyze it and think about move costs for you and for the attacker, and about visibility for you and for the attacker. And you might come to the conclusion, hmm, you know what, maybe I should look into the cloud for security solutions.

You can actually have the best of both worlds. You can run MFA in the cloud: use the MFA solution from RSA in the cloud with all the things like passwordless and FIDO2 and risk-based authentication, SSO and all the bells and whistles. You can also run it on-prem, or you do it as a hybrid. And there you have the advantage that should anything happen with the cloud, you're still secured on premise. It's not failing open. If an attacker can make the cloud go offline, or appear to be offline, your systems don't go into a fail-open mode and say, you know what, password is enough. That has happened already. It's a valid attack now for MFA: you make it appear that the stuff is offline and everybody just goes, you know what, in this case just do passwords. That doesn't happen with SecurID. So am I saying, by the way, am I, English from RSA, saying that SecurID cloud will be compromised or will go offline? No. I'm saying you should prepare for that. That's different. You should have a plan and you should assume that this happens, across all vendors. So I'm not singling anyone out here. But keep in mind, coming back to FlipIt: analyze it. You have to assume that something will breach eventually. You should have a plan, you should have low move costs and high visibility. If you want to talk more about this, about game theory, about computer games, Command & Conquer for example, Baldur's Gate or SecurID, meet me at booth nine. I don't think they have numbers down there, but on the ground floor, there's our booth. Thank you.
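
The prisoner's dilemma from the talk, worked through in code as an added example (this is not part of the recording or of RSA's material): the payoff table in months of jail, a best-response check that finds the one-shot Nash equilibrium the speaker describes, and the iterated version where a strategy that remembers the opponent's past moves (tit-for-tat) stops cooperating with a constant defector. The numbers are the ones given in the talk; the "minus two" the speaker reads off his slide is left as he said it and not used here.

```python
"""Prisoner's dilemma: one-shot Nash equilibrium and the iterated game.
Payoffs are months in jail, negated so that a higher number is better."""
from itertools import product

# Keys: (my_action, their_action). C = cooperate (stay silent), D = defect (blame the other).
PAYOFF = {
    ("C", "C"): -1,   # neither talks: one month each
    ("C", "D"): -12,  # I stay silent, my friend blames me
    ("D", "C"): 0,    # I blame my friend and walk free
    ("D", "D"): -6,   # both blame each other
}
ACTIONS = ("C", "D")


def best_responses(payoff, their_action):
    """Actions that maximise my payoff when the other player's action is fixed."""
    best = max(payoff[(a, their_action)] for a in ACTIONS)
    return {a for a in ACTIONS if payoff[(a, their_action)] == best}


def nash_equilibria(payoff):
    """Pure-strategy Nash equilibria of the symmetric game: action profiles where
    each player's action is a best response to the other's, so nobody gains by switching."""
    return [
        (mine, theirs)
        for mine, theirs in product(ACTIONS, repeat=2)
        if mine in best_responses(payoff, theirs) and theirs in best_responses(payoff, mine)
    ]


# Strategies for the iterated game: each sees the opponent's move history, returns C or D.
def always_defect(opp_history):
    return "D"


def always_cooperate(opp_history):
    return "C"


def tit_for_tat(opp_history):
    """Cooperate on the first round, then copy whatever the opponent did last round."""
    return "C" if not opp_history else opp_history[-1]


def play_iterated(strategy_a, strategy_b, rounds, payoff=PAYOFF):
    """Play the dilemma `rounds` times; return the total (negative) months for a and b."""
    hist_a, hist_b = [], []
    total_a = total_b = 0
    for _ in range(rounds):
        a = strategy_a(hist_b)
        b = strategy_b(hist_a)
        total_a += payoff[(a, b)]
        total_b += payoff[(b, a)]
        hist_a.append(a)
        hist_b.append(b)
    return total_a, total_b


if __name__ == "__main__":
    print("one-shot equilibria:", nash_equilibria(PAYOFF))
    print("cooperate vs defect, 10 rounds:", play_iterated(always_cooperate, always_defect, 10))
    print("tit-for-tat vs defect, 10 rounds:", play_iterated(tit_for_tat, always_defect, 10))
    print("tit-for-tat vs tit-for-tat, 10 rounds:", play_iterated(tit_for_tat, tit_for_tat, 10))
```

The only equilibrium of the one-shot game is mutual defection, as the talk says. In the iterated game the unconditional cooperator hands the defector a free ride every round, while tit-for-tat is burned exactly once and then matches the defector, which is the "change your strategy when the neighbour keeps your tools" point.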

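A discrete-time FlipIt simulation, added here as an illustration of the "don't use periodic moves" and "move costs" points; it is not RSA Labs' FlipIt code or the online game the speaker shows. Both defenders spend the same budget, one move per 100 steps on average (a fixed-period reset versus a random one). The attacker model is an assumption made for this example: it shadows a schedule it can predict (the published 90-day rotation), moving one step after every defender move, and otherwise falls back to random moves at the same rate. Scoring follows FlipIt's definition of benefit: fraction of time in control minus move cost per unit time. Tie-breaking when both move in the same step is also a modelling assumption, stated in the comments.

```python
"""FlipIt in discrete time: periodic vs random defender moves against an adaptive attacker."""
import random


def periodic_moves(period, horizon):
    """Defender moves every `period` steps starting at 0 (a 90-day reset, a Monday 8am scan)."""
    return set(range(0, horizon, period))


def random_moves(rate, horizon, rng):
    """Defender moves at each step with probability `rate`: same average rate, unpredictable timing."""
    return {t for t in range(horizon) if rng.random() < rate}


def infer_period(move_times):
    """Attacker's inference: if every gap between observed moves is equal, the schedule is predictable."""
    times = sorted(move_times)
    gaps = {later - earlier for earlier, later in zip(times, times[1:])}
    return gaps.pop() if len(gaps) == 1 else None


def adaptive_attacker(defender_moves, horizon, fallback_rate, rng):
    """Assumed attacker (not from the FlipIt paper): if the defender's schedule is predictable,
    move one step after each defender move so the defender never holds the resource for long;
    otherwise move randomly at `fallback_rate`."""
    period = infer_period(defender_moves)
    if period is not None:
        first = min(defender_moves)
        return {t + 1 for t in range(first, horizon, period) if t + 1 < horizon}
    return random_moves(fallback_rate, horizon, rng)


def simulate(defender_moves, attacker_moves, horizon, cost_d, cost_a):
    """Run the game. Returns (defender_control_fraction, defender_benefit, attacker_benefit).
    Benefit = fraction of time in control minus move cost per unit time (FlipIt scoring).
    Assumption: if both move in the same step, the defender's move lands last."""
    owner = "D"  # the defender owns the resource at the start
    control = {"D": 0, "A": 0}
    for t in range(horizon):
        if t in attacker_moves:
            owner = "A"
        if t in defender_moves:
            owner = "D"
        control[owner] += 1
    benefit_d = control["D"] / horizon - cost_d * len(defender_moves) / horizon
    benefit_a = control["A"] / horizon - cost_a * len(attacker_moves) / horizon
    return control["D"] / horizon, benefit_d, benefit_a


def compare(horizon=10000, period=100, cost_d=1.0, cost_a=1.0, seed=1):
    """Same defender budget (one move per `period` steps on average) under both strategies."""
    rng = random.Random(seed)
    results = {}
    for name, defender in (
        ("periodic", periodic_moves(period, horizon)),
        ("random", random_moves(1 / period, horizon, rng)),
    ):
        attacker = adaptive_attacker(defender, horizon, 1 / period, rng)
        results[name] = simulate(defender, attacker, horizon, cost_d, cost_a)
    return results


if __name__ == "__main__":
    for name, (ctrl, bd, ba) in compare().items():
        print(f"{name:9s} defender controls {ctrl:.1%} of the time, "
              f"defender benefit {bd:+.3f}, attacker benefit {ba:+.3f}")
```

Against the periodic defender the attacker owns the resource for all but one step per period, so the defender's benefit is exactly zero: every move costs as much as the single step of control it buys. Against the random defender the attacker has nothing to synchronise to and control splits roughly evenly, which is the talk's argument for unpredictable moves. Raising `cost_a` or lowering `cost_d` in `compare()` shows the second principle: the player with the cheaper moves can afford to play faster.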