Probability Theory: The Space Between One and Zero

The security industry has a real problem with perfectionism.  It’s either a critical asset or it isn’t.  It’s either a vulnerable server or it isn’t.  When we look at community vulnerability, we look at things like how many vulnerabilities exist or how many open ports a system has.  We think in terms of “yes or no,” “one or zero.” This is causing us all kinds of problems within our industry.

Leveraging probability theory for information security opens the space between one and zero.  That’s a very big space, and it raises obvious questions.  Is this a critical asset: yes or no?  How critical is this asset?  Which of those two questions makes more sense?  Are all assets either critical or non-critical?  Or do assets sit at a level of criticality that we can describe?

When I see an attack in progress and need to decide whether it will succeed, a binary view (one or zero) makes that an analytical problem much harder to solve than estimating the prospect of the attack succeeding probabilistically. Another advantage of probability theory, specifically Bayes' theorem, is that I can incorporate new and perfectly rational information into my reasoning as it arrives.  I don't have to rethink from scratch whether this attack could succeed every time. It just becomes more likely or less likely, based on the new information. This is a far more effective way to think about the problem.

Being a Bayesian thinker allows you to articulate and use your degrees of belief.  For example:  Is the system vulnerable? Probably (72%).  Is the attack successful?  Maybe (38%).  The attacker is trying something else now.  What's the chance that will be successful? Potentially (51%).  You get my point. When encountering new information, how much should you change your prior beliefs?

Here’s a quick example.  You see a person wearing a black hoodie break a window from inside an apartment building, throw a full duffel bag out the window, jump to the ground, and then take off running down the alley.  This looks like a burglar, right?  Now you smell smoke.  How does that adjust your prior judgment that the person is a burglar?

Humans make decisions based on their first impressions and often work to prove them.  Once the additional fact that I can smell smoke is added, another perfectly rational explanation emerges: the same person in the black hoodie must escape their apartment, has packed up their important belongings, and is running to call the fire department. Only math can be that rational.

Another problem, and the reason we default to binary thinking, is that as humans we have a very hard time understanding small probabilities.  What if I have four things, each of which happens only once in 10,000 times, and yet they all occur at the same time?  How does that adjust the probability?  Is it more likely to occur, less likely to occur, or does the probability of occurrence remain the same? The answer is that it is a lot less likely to occur.  In fact, if the four events are independent, the combination occurs about 1 time in 10 quadrillion (1/10,000 raised to the fourth power).
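The two calculations the post sketches, updating a degree of belief as evidence arrives and compounding independent small probabilities, as an added example that is not part of the original post. The hypothesis, the evidence items and their likelihoods are constructed for illustration; the 38% prior and the 1-in-10,000 figure are the post's own numbers.

```python
"""Bayesian belief updating for an in-progress attack (added example)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Evidence:
    """One observation, described by how often it is seen when the
    hypothesis H ("the attack will succeed") is true versus false."""
    name: str
    p_given_h: float      # P(E | H)
    p_given_not_h: float  # P(E | not H)


def bayes_update(prior: float, e: Evidence) -> float:
    """Posterior P(H | E) = P(E|H)P(H) / (P(E|H)P(H) + P(E|~H)P(~H))."""
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    joint_h = prior * e.p_given_h
    joint_not_h = (1.0 - prior) * e.p_given_not_h
    return joint_h / (joint_h + joint_not_h)


def update_sequence(prior: float, observations: list[Evidence]) -> list[tuple[str, float]]:
    """Fold each observation into the current belief, one at a time.
    The belief is never recomputed from scratch; yesterday's posterior
    is today's prior, which is the point the post makes about Bayes."""
    history, belief = [], prior
    for e in observations:
        belief = bayes_update(belief, e)
        history.append((e.name, belief))
    return history


def joint_independent(probabilities: list[float]) -> float:
    """Probability that independent events all occur: the product."""
    return prod(probabilities)


# Constructed scenario: analyst starts at "maybe (38%)" that the attack succeeds.
OBSERVATIONS = [
    # Service banner matches the version the exploit targets: common if the
    # attack will work, fairly common even if it will not (hypothetical values).
    Evidence("target version matches exploit", p_given_h=0.90, p_given_not_h=0.30),
    # Endpoint agent reports the exploit process was blocked: rare if the
    # attack is going to succeed, common if it is not (hypothetical values).
    Evidence("exploit process blocked by EDR", p_given_h=0.05, p_given_not_h=0.60),
]

if __name__ == "__main__":
    for name, belief in update_sequence(0.38, OBSERVATIONS):
        print(f"after '{name}': P(attack succeeds) = {belief:.1%}")
    print("four 1-in-10,000 events together:", joint_independent([1e-4] * 4))
```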

With these considerations in mind, at Respond Software, we believe it’s time we move away from binary thinking when looking to identify malicious activity in our environments.  We believe it’s time to move toward a probabilistic approach.  This can only help us gain more certainty about which incidents should be acted on, and which incidents should not take up our valuable incident response resources.

By Greg Taylor-Broun, Product Strategist at Respond Software
