“People who run ball clubs think in terms of adding players. Your goal shouldn’t be to buy players — it should be to buy wins. And in order to buy wins, you have to buy runs… What I see is an imperfect understanding of where runs come from.” -Peter Brant (Moneyball)
Security can be too hard on itself. IT professionals and their bosses are constantly trying to create a completely secure attack surface. This is, for all intents and purposes, like expecting your starting nine to play perfect ball all year long. Look: baseball seasons are long. There is a new game almost every single day and success or failure comes down to averages and aggregates. In baseball, this is called playing Moneyball.
Your security team is not so different. Luckily, your job is not to throw perfect games every single night, nor is it to bat .1000. Your job is to maintain an effective enough aggregate performance that you are resilient to pitfalls and always have a chance to get back in the game. You’re going to strike out sometimes — that’s the game. But that doesn’t mean you can’t win.
Playing From Behind
Systems will never be perfectly secure. Users will always click links, SOC teams will always miss alerts and new vulnerabilities will always crop up. You have a finite amount of resources to expend in the pursuit of security, and you should be doing so in such a way that maximizes its effectiveness. You don’t need the most security solutions and patches to make your security effective: you need the right ones.
Sure, we’d all like to be the Yankees (or JP Morgan) and stuff a $250 million payroll with all the best talent in the league. But in the real world, security teams are out-manned and outgunned — more like the Oakland Athletics (current estimated payroll: $80 million.) Brute force alone will not be sufficient to hold off opponents in such an environment.
Playing Moneyball on Your Attack Surface
Beane: “You’re still trying to replace Giambi. I told you, we can’t do it… Now what we might be able to do is recreate him. Recreate him in the aggregate.”
In the late 90s, Oakland As’ General Manager Billy Beane was facing a similar dilemma. He was tasked with creating a team that could compete in a league where most teams had double or triple his budget. However, in the face of this challenge, he has been able to bring his team to 11 playoff appearances since 1997. He did this by developing a technique called moneyball.
Beane stripped all the speculation and guesswork out of his process and chose to focus solely on the numbers, rather than the individual players. The golden metric: on-base percentage. He prioritized building a team with a certain on-base percentage and deprioritized all other metrics. He did this to make his team resilient. No matter how much other teams put up big numbers against them, he knew the A’s would always have a fighting chance if they could get baserunners on and move them along in any situation. By focusing on identifying and prioritizing where his resources would be the most valuable, Beane was able to create a winning team even with the odds stacked against him.
You can do the same. With an ASM solution like Randori’s, you can discover and prioritize the most attackable assets on your attack surface with the largest blast radius. This way, your SOC team can start at the top of the list and work their way down. With all your highest-risk entry points eliminated, your aggregate risk will plummet, leading to less work and fewer breaches.
Winning in the Aggregate
In the end, security, like baseball, is a game of probabilities. Your job is to play to the optimal standard your team can, and maximize your probability of success at every turn. But probabilities are the opposite of guarantees. Even when you do everything right, there is always a chance you will lose anyway.
But that’s the game. And if you play the game, you have to love the game. You can rest easy knowing each of your opponents are facing the same uncertainty. Just like in baseball, attackers have to get more than a base hit to get ahead – they have to make it around the bases. To win in security, you need to love the game enough to accept you’re going to miss some plays, but that you’ve built a roster with the right components to trust the process and win in the aggregate, just like Billy Beane. In Security, this means having a strong enough attack surface that you are not constantly scrambling to patch.
Baseball teams know they cannot win 162 games every year; and that’s not the point. The point is to stay in the game, mitigate losses, and stick to your game plan. Billy Beane didn’t have access to any of the data that baseball teams do now. But by focusing on the numbers and reducing risk, he was able to keep up with the big boys with far fewer resources. To arm your team with the same capabilities, sign up for a free demo of your attack surface today.
