Principles Used In the Kentucky Derby That You Should Apply to Cyber Security Right Now
Today I am standing outside WinStar Farm in Versailles, KY. Yes, I said that right: it is pronounced Ver-Sales, not Versailles as in France.
Many of you may know the name WinStar because last year their horse, Justify, won the Kentucky Derby and went on to claim the Triple Crown. It is 2019, and they have another horse, Improbable, in the hunt for the Roses.
We love to watch this race, primarily now because my daughter works for one of the Kentucky Thoroughbred training farms that produce these beautiful athletes. Since I was coming down, I took a few minutes to read about the horses and jockeys who will be running in this year's event, and it struck me that there are some interesting similarities between the Derby and cybersecurity.
We know that data analysis can identify anomalies before they become problems and allow you to strengthen your security posture. However, perfecting your analytical security bona fides is a cumbersome task for most small businesses.
So, as the Kentucky Derby 2019 draws nigh, it is an excellent time to examine what security concepts we can glean from the sport of horse racing.
This sport employs hundreds of firms with thousands of employees who have one job: look at all the data and evaluate the statistical probability of every single horse running. They must consider everything before assigning odds on each horse. It requires a lot of effort to assess the odds, which makes you think that betting with the probabilities would give you the best chance of winning. However, did you know that over the 145 years that this race has been run, the pros only average a 33% correct prediction? That is not so good, especially when you consider all the data they have available. There have been winners whose odds were higher than 50-1. That means that even with all the research and analysis done beforehand, no one ever considered the winner to have a chance.
Recently, data analysis has improved, and additional computer models have predicted the actual winner.
In cybersecurity, we did not fare much better during the past decade: businesses that invested copious amounts of money and a significant amount of time and effort in using expert intelligence tools still failed to identify some of the highly publicized breaches before they occurred.
Consider the breach of Target, where the initial victim wasn't an obvious target. This breach originated through one of their third-party service vendors. A hacker attacked the vendor's systems to penetrate Target's network. Before this happened, would any security professional evaluating their data have calculated this type of attack at less than 50-1 odds? Now, probably; but almost certainly not when this attack happened. All the rules established by the professionals and placed in the company's security products did not stop the hack.
So in cybersecurity, just as with the occasional surprise Derby winner, expert prediction does not always result in the expected outcome.
The tactics and techniques that both bettors and handicappers use to figure the odds of winning are much the same as the analytics that security experts use to evaluate the data flow across a network.
Cybersecurity is much like horse racing. How? It requires thousands of information security professionals and costs billions of dollars to secure business systems. Why? Because in today's business world there are billions of dollars at risk. These security professionals are highly paid, highly educated engineers and researchers. They have to look at the data and try to guess what the cybercriminal will attack next. In the past, they relied on signatures to determine if the software was current, but with the speed at which the attackers now move, matching known patterns quickly became an inadequate tactic, so they began to implement rules.
With the increased number of sophisticated attacks, sometimes happening hourly, and the amount of data that needed to be analyzed, many of the rules no longer applied, and the security experts were faring no better than the oddsmakers at predicting security incidents.
Attacks were continually happening, and their impact and frequency were increasing. Existing security products were not able to adequately predict what would happen. Security professionals appeared to be more like incompetent bookies than competent experts who could manage the odds.
However, having the data is not enough. You must be able to turn all of that disparate information into actionable data that provides insight into future events and allows decision makers to understand the implications of action vs. inaction for the business. Additionally, this analysis must take place in a manner that is both rapid and efficient.
First, what data do you need? You need the right data to understand completely what is occurring and what might happen in the future.
What types of data are we talking about when we say "collecting the right data"? It means collecting:
- network traffic data,
- endpoint data,
- cloud and identity data, and
- log information.
All of that data must then be correlated with threat intelligence, vulnerability data, and asset criticality, that is, the relative risk and dollar cost associated with the failure of that asset; in other words, which assets require attention and money to prevent failure.
So, using the Kentucky Derby as a comparison, those professional oddsmakers look at a large amount of data, of which no single piece gives the full picture of performance, but which taken together can help determine the chances of an unbeaten run. The data they consider includes bloodlines, pedigrees, history of past performance, race wins, training regimens, jockey history, jockey strategies, expected weather conditions, track conditions, and the breeders', owners' and trainers' history. The data from all of these sources is used to help predict the odds of winning. Recently something has changed: the favorite has won the last five Derbies, as predicted.
So, let's get back to today's SMB. Many today do not have the time or resources to acquire and evaluate the data that is provided by their IT infrastructure. Only 27% collect data from their cloud-based providers; they do a little better when examining network packets and endpoint data, but still average a failing grade of below 50%.
Second, act smartly when analyzing all this data to build a foundation of understanding. In Derby terms, that means determining who is going to win the race this year.
In the world of cybersecurity or horse racing, this is called analytics. Each oddsmaker or company will need to decide what data they need and then determine how to filter the information down so that they can get a full picture of what the data is telling them. In cybersecurity, this means using security analytics to better understand current cyber threats and how to defend against them.
Using a layered set of analytic tools allows you to observe the activity and actions of each of the types of data so that you can answer questions that will help you to protect your systems better.
What type of questions do the proper analytics help you to answer?
- What’s happening?
- Is the data abnormal?
- Are there anomalies?
- Is this expected behavior or not?
- Is the activity suspicious?
By answering these questions, you will be able to identify and take action against potential threats, prioritize the remediation of any vulnerabilities, identify any changes required to your network architecture design/implementation, and identify and respond to any attacks that may be in progress.
A tide change is coming to cybersecurity, driven by new open source advances in big data management. Tools like the Hadoop Distributed File System (HDFS) and Elasticsearch, along with machine learning, allow algorithms to analyze trends and create behavior baselines on an individual-user basis, using statistical models and benchmarks to detect new types of attacks very quickly. Then there is the cost reduction in computing hardware and increased computer performance. All these new solutions allow the processing of petabytes of security data with a cost reduction of almost ten percent compared with previous computing platforms. That means that threat detection will improve significantly using new security solutions.
Thirdly, you need to realize the importance of the context of the data you are seeing and why it is vital to formulate a quick response.
Relying on a single data point can be dangerous, as some handicappers have found out. What if there is a sudden unexpected thunderstorm with heavy winds on Derby afternoon? Do they immediately change the odds from their favorite horse to one with a known record for running in rainy, windy weather on a sloppy track? When they have, it has come back to bite them. Relying on only a single data point without considering the other factors often means you will miss important information, resulting in an adverse outcome.
The same thing happens when an SMB relies on only one type of threat detection. Invariably that leads to blind spots and poor results. Additionally, if they only use a single analytical method, they may never see some abnormal behavior that would be visible with another tool. Therefore, I suggest that you use every data source available and a variety of analytical tools to locate inappropriate activities across your data streams, enabling you to see the full and accurate activity map.
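The three ideas above, collecting the right data and correlating it with threat intelligence and asset criticality, building per-user behavior baselines with a statistical model, and layering several detection methods so that one method's blind spot is covered by another, can be shown together in a small script. This is an added example written for this article, not code from any product or vendor mentioned here. Every event, the indicator list, the static rule threshold and the asset criticality scores are constructed sample data, and the z-score limit of 3 is an assumed tuning choice.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (day, user, src_ip, host, bytes_out).
# Days 1-7 are the learning window for the per-user baselines; day 8 is evaluated.
EVENTS = []
for _day in range(1, 8):
    EVENTS += [
        (_day, "alice", "10.0.0.5", "fileserver", 1200 + 50 * _day),
        (_day, "bob",   "10.0.0.7", "fileserver", 900 + 30 * _day),
        (_day, "carol", "10.0.0.8", "hrdb",       800 + 10 * _day),
        (_day, "dave",  "10.0.0.9", "payroll",    1500 + 40 * _day),
    ]
EVENTS += [
    (8, "alice", "10.0.0.5",    "fileserver", 1450),       # within alice's normal range
    (8, "bob",   "10.0.0.7",    "fileserver", 450_000),    # huge for bob, yet below the static rule
    (8, "carol", "203.0.113.9", "hrdb",       850),        # normal volume, but source IP is on the list
    (8, "dave",  "10.0.0.9",    "payroll",    2_000_000),  # trips both the static rule and the baseline
]

# Constructed context: indicator list (not a real IoC), static rule, asset criticality (1-5).
THREAT_INTEL_IPS = {"203.0.113.9"}
RULE_BYTES_THRESHOLD = 1_000_000
ASSET_CRITICALITY = {"fileserver": 2, "hrdb": 4, "payroll": 5}


def build_baselines(events, learn_days):
    """Per-user statistical baseline: mean/stddev of bytes_out and the hosts each user touched."""
    volumes, hosts = defaultdict(list), defaultdict(set)
    for day, user, _ip, host, out in events:
        if day in learn_days:
            volumes[user].append(out)
            hosts[user].add(host)
    return {u: (mean(v), pstdev(v), hosts[u]) for u, v in volumes.items()}


def layer_threat_intel(ev, _baselines):
    """Layer 1: signature-style match against the indicator list."""
    return ["threat-intel: source IP on indicator list"] if ev[2] in THREAT_INTEL_IPS else []


def layer_static_rule(ev, _baselines):
    """Layer 2: a fixed rule, blind to anything under its threshold."""
    return [f"rule: bytes_out {ev[4]} > {RULE_BYTES_THRESHOLD}"] if ev[4] > RULE_BYTES_THRESHOLD else []


def layer_baseline(ev, baselines, z_limit=3.0):
    """Layer 3: behavior relative to this user's own history (z-score and first-seen host)."""
    _day, user, _ip, host, out = ev
    if user not in baselines:
        return ["baseline: no history for user"]
    mu, sigma, known_hosts = baselines[user]
    z = (out - mu) / sigma if sigma > 0 else (0.0 if out == mu else float("inf"))
    findings = []
    if z > z_limit:
        findings.append(f"baseline: bytes_out z-score {z:.1f} > {z_limit}")
    if host not in known_hosts:
        findings.append(f"baseline: first access to {host}")
    return findings


LAYERS = (layer_threat_intel, layer_static_rule, layer_baseline)


def analyze(events, eval_day, learn_days=range(1, 8)):
    """Run every layer over eval_day; score = asset criticality * number of distinct layers that fired."""
    baselines = build_baselines(events, set(learn_days))
    alerts = []
    for ev in events:
        if ev[0] != eval_day:
            continue
        findings = [f for layer in LAYERS for f in layer(ev, baselines)]
        if not findings:
            continue  # every layer quiet: expected behavior, nothing to review
        layers_fired = len({f.split(":", 1)[0] for f in findings})
        alerts.append({
            "user": ev[1], "host": ev[3],
            "score": ASSET_CRITICALITY.get(ev[3], 1) * layers_fired,
            "findings": findings,
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in analyze(EVENTS, 8):
        print(a["score"], a["user"], a["host"], "; ".join(a["findings"]))
```

Run on the constructed day-8 events, the payroll transfer ranks first because two layers fire on the most critical asset, carol's login is caught only by the indicator match, and bob's 450,000-byte transfer is invisible to the static rule but obvious against his own baseline. That last case is the blind spot the paragraph above warns about: a single method, whatever it is, will miss something another method sees.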
How quickly can you analyze and respond? Did you know that fewer than 9% believe they can detect threats rapidly? In fact, in most organizations, the average is 4-6 months before they realize a hack occurred.
Then there is the speed at which cybersecurity is changing. That requires that the SMB be able to adapt to keep up with these cybercriminals and their latest tactics, which means that your analytical tools need to work in real time or as close to it as possible. Without such capability, your IT team may find themselves running at the back of the race.
So let's consider another weather possibility for Derby Day. What if the oddsmakers predict a winner based on a forecast of rain, but it turns out to be a perfect spring day? Do they immediately change their assumption about who will win?
As I write this article, Omaha Beach is the favorite to win this year’s Derby. Will he succeed? We won’t know until the race, but if recent trends continue, he’s a better bet than his predecessor five or ten years ago.
In much the same way, today's cybersecurity solutions aren't perfect, but they are a lot better than their predecessors and continue to improve.
Security professionals need to be sure they don’t fall into the same trap. As these cybercriminals infiltrate businesses using highly targeted and sophisticated techniques, it is necessary for all businesses to re-evaluate their approach to security. Better data, better analytics, and access to more “horsepower” continue to shift the odds in favor of CISOs.
Our focus can no longer be just on prevention; we need to implement a detection and response system that includes effective data collection methods and multi-variable analytics that can contextualize the data quickly and efficiently, like an oddsmaker for the Kentucky Derby.