
November 22, 2021

Cybermetrics – Using ASM to Play the Shift

By: Keegan Henckel-Miller


Cybersecurity strategy can learn from baseball and stack defensive resources where they matter most

If you’ve flipped on a Tampa Bay Rays baseball game over the past decade, you might have noticed the defense all stacked onto one side of the field. This is called the shift. The shift has been extremely effective since its inception, cratering the league’s batting average on balls up the middle of the field from .344 in 2014 to just .236 in 2021. What works in baseball works in security as well. If it is your job to protect a company’s network, you can use ASM (attack surface management) to play the shift with your attack surface.

What is the Shift?

In traditional baseball, nine players play nine defensive positions, spread out equally across the field. The thinking behind this strategy was that all parts of the field are equally vulnerable, and therefore the best way to minimize defensive risk is to deploy resources equally. However, no nine players can defensively cover 100 percent of the field of play on a baseball field. As such, when batters are able to put the ball in the gaps between defenders, they are bound to turn them into extra base hits. These are far more detrimental than singles, and mitigating the damage from these plays is often the difference between winning and losing. 

This is exactly how modern cybersecurity postures are designed: all of the network is vulnerable to attack, therefore the best allocation of time and resources is scanning the entire network and distributing defense equally. Since extra base hits translate to high-impact attacks in cybersecurity, the industry must undergo the same structural shift that baseball underwent. Using ASM and other threat exposure management tools, organizations can smartly measure areas of risk. This allows them to minimize the likelihood of a breach by strategically deploying resources in the areas most tempting to attackers.

What Can We Learn? 

The baseball community underwent a tectonic change when it began leveraging computers to analyze stats and develop strategies. This new data science was dubbed “sabermetrics.” In direct response to Billy Beane’s Moneyball strategy, teams like the Rays began crunching the numbers and very clear patterns began to emerge that challenged their long-held assumptions. Batters have tendencies, meaning certain areas have a much higher likelihood of being attacked. 

More to the point, they learned that most players have one side of the field where their hits are far more likely to land, as well as go for extra bases. This revelation led the Rays to begin experimenting with new placements that would ultimately come to be called the shift. They removed defensive players from the low-risk side of the field and stacked them up on the high-risk side – maximizing their coverage in the areas most likely to be hit. Batting averages immediately began to plummet, as the parts of the field which typically led to the lion’s share of batters’ most effective hits were now covered by defenders.

As soon as a handful of defenses proved the concept of the shift, other teams took notice and it became a widespread practice. The shift offered such a statistical advantage to baseball defenses that to not participate was practically arrogant. The shift altered the offensive baseball landscape to such a degree that a significant push has been made to ban it due to its effectiveness, just as the zone defense was once outlawed in the NBA. The shift is a real-life cheat code and it’s time security took notice. 

How Can You Apply The Shift? 

Security today finds itself in a similar position to early-2000s baseball – relying on long-standing best practices that encourage organizations to spread resources equally across the attack surface. But like in baseball, the data suggests there may be a better way, grounded in risk and probability, rather than assets and hours. Taking these lessons into account, you and your security team can have access to the exact same cheat code.

Protecting a network’s attack surface is strategically not unlike defending the area of a playing field. You can use real-world circumstances to map and defend risk areas. Just as it did in baseball, this strategy will undercut the most common and most effective attacks offenders have at their disposal, giving a major advantage back to the defender. 

The kicker is, it shouldn’t really have taken a supercomputer for the baseball community to make this connection. Every single MLB team had watched enough lefties and righties take batting practice to understand that hits to the opposite field were far rarer and that when balls did sneak through on that side, they lacked the power of the full swing. So why didn’t they implement this strategy sooner?

The answer is: groupthink. If most of the world recognizes a single best practice, it is natural to attempt to compete within the confines of those norms. Breaking from the pack is a major risk, particularly in the business world. If you do things differently and fail, you simply look like you didn’t know what you were doing. But as the threat landscape evolves, questioning your own assumptions is the only way to evolve with it. 

The mistake the MLB made — which you must not make — was forgetting their opponents are as human as they are. Batters are human — they have tendencies and muscular limitations, and most are righties. Righties tend to have power to the left side. Meanwhile, cyber attackers have bosses, budgets and deadlines, just like you do. And just like you, they cannot afford a misstep that would shine a spotlight on them. This leads them to adhere to certain tendencies. You can use this to your advantage. ASM uses target temptation, a list of attacker traits, to create a score-based map of your attack surface (much like the spray charts in baseball pictured above). Once you understand your attack surface in the eyes of an attacker, your SOC team will have a clear list of actions to take, designed to reduce risk in the most tempting areas.


  • Question your assumptions
  • Play proactive defense, rather than reactive defense
  • Anticipate your opponent’s weaknesses
  • Use ASM to hone in on your most tempting targets
  • Deploy defensive resources where they are most valuable


ASM is the shift for cybersecurity. Teams no longer have to deploy assets blindly to account for the possibility of attack across assets. With a single scan of your attack surface, you can crunch the numbers and determine exactly which areas on your attack surface are most at risk.


To understand more about how ASM helps SOC teams defend proactively, read Why Security Needs to Move From Man-To-Man to Zone Defense.
