NORMAL DISTRIBUTIONS RULE EVERYTHING AROUND ME
Many empirical quantities cluster around a typical value. The dice rolls in these casinos, the number of reporters on the wall of sheep every year, the air
pressure, the sea level, the temperature on a sunny BlackHat day in Vegas. All of these things vary somewhat, but their distributions place a negligible
amount of probability far from the typical value, making the typical value representative of most observations. For instance, it is a useful statement to say
that it is really fucking hot in vegas in August because it never deviates very far from this. Even the largest deviations, which are exceptionally rare, are still
only about a factor of two from the mean in either direction and hence the distribution can be well characterized by quoting just its mean and standard
deviation. But not everything.
ALEX HUTTON DREAMS OF RISK
My name is Alex Hutton and I model risk for a small too big to fail bank. Last year, like every other day, I woke up and built a risk model. Since we’re a
bank, we track the prices of a lot of things. For one of these widgets, I built a distribution of price movements. This one is a normal distribution and I
assumed that the s.dev was 3%, which is a typical number for daily price movements in financial markets. My boss used this to make some decisions, and
was quite happy. We made millions from the tiny everyday price fluctuations and trades.
SHIT GOES WRONG SLIDE
Today, however, we are fucked. Today is Black Monday, October 19, 1987 and the S&P drops by 21%. My boss freaks out, the firm is in financial ruin, my
kids starve.
How could this happen? Under my model, the probability of a 21% fluctuation is 10^-16, or… nonexistent.
So what happened? Well, the distribution of price fluctuations actually has a fat tail. In fact, the mistake I made was using a normal distribution. Take a look
at what happens if we use a power law distribution instead.
Probability   0.9    0.99   0.999   10
NORMAL        3.8    7.0    9.2     21
POWER         2.8    7.8    38.5    almost 0
SOMEBODY SET UP US THE BOMB!
Now, the chance of a 21% fluctuation is 0.08%, something that my risk model would certainly have included, and which certainly would have changed our
behavior on the financial markets. The good news is that most financial firms are aware of this phenomenon and model accordingly (after a few massive
failures). In info sec, we're just not there yet.
MOTHERF*RS ACT LIKE THEY FORGOT ABOUT SWANS
Often, as Russell Thomas likes to point out, people mistake events that they did not predict for black swan events. However:
What makes a "Black Swan event" is not the event itself. Instead, it is how that event fits into the object-observer system.
And in fact, the paradigm shift to using power law distributions to describe many of the variables we use in info sec explains away plenty of "black swans"
by making the object-observer system more receptive to rare, high impact events.
THE POWER LAW(S) OF INFORMATION SECURITY
@mroytman
But in fact, nothing is linear. This talk is about the power laws which occur in information security, what they mean, where I've found some, and what to do
about them. The research I'll present is far from done, but it's a starting point, and I hope to make you think twice before using a normal distribution in a
model again.
SLIDE WITH FRACTALS
WHAT ARE POWER LAWS
Power laws are distributions which describe scale-free phenomena. What this means in layman's terms is that the same mechanism is at work across a
range of scales and orders of magnitude. In fact, power laws are a necessary and sufficient condition for scale-free phenomena. The importance and
ubiquity of scale-free behavior was first pointed out by Mandelbrot, who coined the term "fractals". In fractals, we see the same behavior across different
scales of length, time, price or any other relevant variable with a scale attached to it.
A quantity is said to follow a power law if it is drawn from a probability distribution that looks like:
P(x) ~ C x^(-alpha)
alpha is a constant parameter of the distribution known as the exponent, or scaling parameter. Typical scaling parameters are in the range 2-3, but there
are exceptions.
Lots of things follow a power law. The oldest (1948) and cleanest statistical regularity in international relations is Richardson's law,
which states that the severity of warfare is power law distributed. This behavior is not unique to wars, and occurs in the natural sciences (traffic jams,
earthquakes, biodiversity, coastlines, Brownian motion, asteroid impacts, etc.) and social sciences (language, wealth, firm size, salaries, guild sizes in World
of Warcraft, links to blogs). These power laws are considered fingerprints of a "complex" system, although what exactly is meant by complex is transient.
These systems generally produce outputs that are patterned, but have no standard (for lack of a better term) size in the Gaussian sense. More often than
not, a power law only applies to the values of a distribution greater than some minimum value xmin. In these cases, we say that the tail follows a power law.
FAKE SWANS
Tails are vitally important. A power law is an instance of a fat-tailed distribution. There exist precise proofs that "sufficiently fat tails" == power law
distributions. Measuring how fat a tail is, is actually quite difficult: the question of proving that something is or isn't a power law is often reduced to a
question of "just how fat the tail is".
You can't tell the difference here, but when we go further out…
You can see how much smaller the tails of the non-power law distributions are.
LACK OF PREDICTION
Why does this matter? It's because when the tails are small, we can say meaningful things about the "mean" and "variance" of the distributions. With a
power law distribution, the mean or variance don't necessarily stay stable over time.
An interesting aspect of power laws is that the alpha exponent has a natural interpretation. It is the cutoff above which moments of the function do not exist.
More familiarly, for exponents less than 2, the variance does not exist, and the central limit theorem does not apply. In effect, even with an infinite amount
of data, we cannot say much about the variance of such functions. For exponents less than 1, the mean does not exist. For this reason there is no such
thing as an "average flood". There is instead a 100 year flood, a 10 year flood.
Perhaps we ought to start talking about the Target breach as a "10 year breach".
But let's get back to our own industry - why would information security exhibit power law behavior? And where?
First, when two distributions are combined, the fattest tail always wins. This means that as you add power law distributed factors to a distribution, the result
stays power law distributed.
Second, Information Security is the combination of a great many factors - the size of the internet, the size of firms, the power of terrorist groups, and the
distribution of wealth are just a few of the ones I can think of that are power law distributed. If each has an exogenous effect on infosec, we would expect
our own variables to inherit those power law properties.
LAW 1
BREACH FREQUENCY BY CVE TYPE
P(CVE has breach volume X) = X^-1.5
The Kolmogorov–Smirnov D-value: 0.1134174, xmin: 15, alpha: 1.5
The chance that a particular CVE has high breach volume is substantially higher than we previously thought, just like in the Hutton example, where the chance that
the S&P dropped by 21% was underestimated.
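As an added worked example (not code from the talk or from Risk I/O), the following Python fits a power-law tail the way the Clauset et al. paper cited at the end does it: maximum-likelihood alpha for a candidate xmin, the Kolmogorov-Smirnov D between the data and the fit, and xmin chosen to minimise D, which is how a result like "xmin: 15, alpha: 1.5, D: 0.11" is produced. The breach data is not on this page, so the input is a constructed sample with a bulk of small values and a power-law tail of alpha = 1.5 above 15; the last function turns a fitted tail into the "10 year breach" size from the earlier slide, under an assumed count of tail events per year.

```python
import math
import random


def fit_alpha(tail, xmin):
    """MLE exponent alpha for a continuous power law p(x) ~ C x^-alpha on x >= xmin.

    `tail` must only contain values >= xmin. Convention note: this alpha is the
    density exponent of Clauset et al.; the CCDF exponent the talk calls beta
    (e.g. 0.7 for ID theft) is alpha - 1.
    """
    n = len(tail)
    return 1.0 + n / sum(math.log(x / xmin) for x in tail)


def ks_distance(tail, xmin, alpha):
    """Kolmogorov-Smirnov D: largest gap between the empirical CDF of the tail
    and the fitted power-law CDF, 1 - (x/xmin)^(1-alpha)."""
    xs = sorted(tail)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs):
        model = 1.0 - (x / xmin) ** (1.0 - alpha)
        # the empirical CDF jumps from i/n to (i+1)/n at x, so check both sides
        d = max(d, abs(model - i / n), abs(model - (i + 1) / n))
    return d


def fit_power_law(data, min_tail=50, max_candidates=200):
    """Clauset-style fit: try observed values as xmin, fit alpha by MLE for each,
    and keep the xmin whose tail is closest (smallest D) to its own fitted law."""
    xs = sorted(data)
    step = max(1, len(xs) // max_candidates)   # cap the number of candidates
    best = None
    for i in range(0, len(xs), step):
        xmin, tail = xs[i], xs[i:]
        if len(tail) < min_tail:                # too few points left to judge
            break
        alpha = fit_alpha(tail, xmin)
        d = ks_distance(tail, xmin, alpha)
        if best is None or d < best["D"]:
            best = {"xmin": xmin, "alpha": alpha, "D": d, "n_tail": len(tail)}
    return best


def tail_probability(x, xmin, alpha):
    """P(X >= x | X >= xmin) under the fitted tail: (x/xmin)^(1-alpha)."""
    return (x / xmin) ** (1.0 - alpha)


def size_with_return_period(years, events_per_year, xmin, alpha):
    """The '10 year breach': the size exceeded on average once every `years`
    years, given `events_per_year` events per year in the power-law tail.
    Solves years * events_per_year * (x/xmin)^(1-alpha) = 1 for x."""
    return xmin * (years * events_per_year) ** (1.0 / (alpha - 1.0))


def constructed_sample(n_body, n_tail, xmin, alpha, seed):
    """Constructed input (not the talk's breach data): a bulk of unremarkable
    values below 10 plus a power-law tail from xmin, drawn by inverse-CDF sampling."""
    rng = random.Random(seed)
    body = [rng.uniform(1.0, 10.0) for _ in range(n_body)]
    tail = [xmin * (1.0 - rng.random()) ** (-1.0 / (alpha - 1.0))
            for _ in range(n_tail)]
    return body + tail


def demo():
    """Fit the constructed sample and derive its once-a-decade event size
    (assumed: 100 tail events per year)."""
    data = constructed_sample(700, 800, xmin=15.0, alpha=1.5, seed=2014)
    fit = fit_power_law(data)
    ten_year = size_with_return_period(10, 100, fit["xmin"], fit["alpha"])
    return fit, ten_year


if __name__ == "__main__":
    fit, ten_year = demo()
    print("xmin=%.1f alpha=%.2f D=%.3f n_tail=%d"
          % (fit["xmin"], fit["alpha"], fit["D"], fit["n_tail"]))
    print("size exceeded about once a decade: %.0f" % ten_year)
```

The fit recovers xmin near 15 and alpha near 1.5 from the constructed data; on real breach volumes the same scan gives you the D value to judge how much of the tail a power law actually explains.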
ONE VULN WILL CAUSE YOUR BREACH
(OR A COUPLE)
What does this mean for you? It means there are vulnerabilities which have an extremely high probability of causing a breach. Since this breach data
comes from how attackers are behaving, having a handle on threat intelligence globally allows you to identify _which_ vulnerabilities are those most likely
to cause the breaches.
It means shifting your strategy away from trying to fix everything, or even trying to fix everything that comes out on Patch Tuesday, and instead focusing
on identifying and remediating the few vulnerabilities which are _most_ likely to cause a breach. THIS is non-linear thinking.
LAW 2
Kevin Thompson's talk tomorrow at 2pm: This talk introduces the VERIS Community Database (VCDB), a research project aimed at gathering news articles
about information security incidents, extracting data, and serving as a public repository of breach data suitable for analysis and research.
ID THEFT FREQUENCY
P(Theft has X victims) = X^-0.7
beta = 0.7 ± 0.1, Maillart and Sornette, ETH Zurich 2009 (datalossdb).
STABLE ACROSS INDUSTRIES
beta = 0.7 ± 0.1, Maillart and Sornette, ETH Zurich 2009 (datalossdb).
ONE BREACH WILL MATTER MOST
(OR A COUPLE)
The takeaway here is that impact is concentrated in the fat tails of the distributions as well. It means we ought to be tailoring our strategies to preventing
the one big breach. This also means there's no average breach, and estimates of potential losses need to plan for scenarios like the Black Monday that was
missed in the opening example.
LAW 3
BREACH FREQUENCY BY DAY
P(Day has breach volume X) = X^-1.5
The Kolmogorov–Smirnov D-value: 0.1134174, xmin: 15, alpha: 1.5
ONE DAY IT’LL HAPPEN TO YOU
(OR A COUPLE)
SLIDE WITH WHAT DO WE DO ABOUT IT
From Russell: Handling Fat Tails for Decisionmakers
Here's a list of things that analysts and decision makers can do to successfully cope with the unruliness of very fat tailed probability distributions:
1. To the method of frequentist statistical analysis of historical data, add other methods and other data. Simulations, laboratory experiments, and
subjective probability estimates by calibrated experts are just three alternative methods that can fill in for the limitations of frequentist methods with
limited sample data.
2. Resist using colloquial terms like "average", "typical", "spread", or even "worst case". Using them will only add to confusion,
misunderstanding, and mis-set expectations.
3. Communicate and decide using quantiles, not the usual summary statistics (mean, standard deviation, etc.). If any summary statistics are used
as decision criteria or in models, use quantiles.
4. Put in some effort to estimate the "fatness" of the tail, either parametrically or non-parametrically. Even a not-very-good fat tail model is much better
than one based on thin tails. There are ways to test how good the alternative models are. In my opinion, the best academic paper on this is "Power-law
distributions in empirical data".
You should model risk differently
michael [8:21 AM]
You should focus your efforts on identifying things that live in the fat tail or are predictors of it
michael [8:22 AM]
Bc there is no average
michael [8:22 AM]
you should never ever use metrics like average vulns closed or something like that
1. Investing to fix 100% of vulns is poor use of resources
2. When the Big Loss event happens, only one or a few vulnerabilities will be exploited
3. Ahead of that (ex ante), you need a systematic method to invest to fix a portfolio of vulns which, with very high confidence, include ALL of the
vulns that could be part of the Big Loss event.  These vulns will be strategically positioned in the most likely attack graphs.
4. And here’s how you’d do that in practice ...
Holler!
www.risk.io
@mroytman
Dan Geer, Power. Law. http://geer.tinho.net/ieee/ieee.sp.geer.1201a.pdf
Clauset et al., Power-Law Distributions in Empirical Data, http://arxiv.org/abs/0706.1062
Farmer and Geanakoplos, Power Laws in Economics and Elsewhere, http://tuvalu.santafe.edu/~jdf/papers/powerlaw3.pdf
Maillart and Sornette, Heavy-Tailed Distribution of Cyber Risks, http://arxiv.org/abs/0803.2256
poweRlaw R package, http://cran.r-project.org/web/packages/poweRlaw/vignettes/poweRlaw.pdf
Gabaix, Some Nondescript NYU Stern Lecture on Power Laws, http://pages.stern.nyu.edu/~xgabaix/papers/powerLaws.pdf
Russell Thomas for graphs and everything he writes on http://exploringpossibilityspace.blogspot.com/
THANKS!
and Alex Hutton

BsidesLV 2014 The Power Law of Information Security

  • 1. NORMAL DISTRIBUTIONS RULE EVERYTHING AROUND ME Many empirical quantities cluster around a typical value. The dice rolls in these casinos, the number of reporters on the Wall of Sheep every year, the air pressure, the sea level, the temperature on a sunny Black Hat day in Vegas. All of these things vary somewhat, but their distributions place a negligible amount of probability far from the typical value, making the typical value representative of most observations. For instance, it is a useful statement to say that it is really fucking hot in Vegas in August, because it never deviates very far from this. Even the largest deviations, which are exceptionally rare, are still only about a factor of two from the mean in either direction, and hence the distribution can be well characterized by quoting just its mean and standard deviation. But not everything.
  • 2. ALEX HUTTON DREAMS OF RISK My name is Alex Hutton and I model risk for a small too-big-to-fail bank. Last year, like every other day, I woke up and built a risk model. Since we're a bank, we track the prices of a lot of things. For one of these widgets, I built a distribution of price movements. This one is a normal distribution, and I assumed that the standard deviation was 3%, which is a typical number for daily price movements in financial markets. My boss used this to make some decisions, and was quite happy. We made millions from the tiny everyday price fluctuations and trades.
  • 3. SHIT GOES WRONG SLIDE Today, however, we are fucked. Today is Black Monday, October 19, 1987 and the S&P drops by 21%. My boss freaks out, the firm is in financial ruin, my kids starve.
  • 4. How could this happen? Under my model, the probability of a 21% fluctuation is 10^-16, or… nonexistent. So what happened? Well, the distribution of price fluctuations actually has a fat tail. In fact, the mistake I made was using a normal distribution. Take a look at what happens if we use a power law distribution instead.
  • 5. SOMEBODY SET UP US THE BOMB! Size of daily move (in %) not exceeded at each probability, under the two models:

        Probability   0.9   0.99   0.999
        NORMAL        3.8   7.0    9.2
        POWER         2.8   7.8    38.5

    (The slide also marks the 21% move, whose probability under the normal model is almost 0.) Now, the chance of a 21% fluctuation is 0.08%, something that my risk model would certainly have included, and which would certainly have changed our behavior on the financial markets. The good news is that most financial firms are aware of this phenomenon, and model accordingly (after a few massive failures). In infosec, we're just not there yet.
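The NORMAL row of the table, and the tail probabilities the two models assign to a 21% drop, can be recomputed with stdlib Python. This is an added example, not code from the talk: the normal figures follow directly from the slide's 3% assumption, but the Pareto tail (cutoff x0 = 7%, p0 = 0.01, exponent alpha = 3) is my own illustrative choice, not the power law behind the slide's POWER row, so its 21% probability (about 0.04%) differs from the slide's 0.08%. For the record, the exact normal probability of a 7-sigma (21%) one-day drop is about 1.3e-12, "nonexistent" for any practical purpose.

```python
# Added example (not from the slides): normal vs power-law tail for the
# "Alex Hutton" model of daily price moves. Stdlib only; no market data.
from statistics import NormalDist

SIGMA_PCT = 3.0  # the slide's assumed daily standard deviation, in percent


def normal_quantile(p, sigma=SIGMA_PCT):
    """Move size (%) that is not exceeded with probability p under N(0, sigma)."""
    return NormalDist(0.0, sigma).inv_cdf(p)


def normal_tail(drop_pct, sigma=SIGMA_PCT):
    """P(one-day drop of at least drop_pct) under the normal model."""
    return NormalDist(0.0, sigma).cdf(-drop_pct)


# Assumed Pareto tail for the same quantity: P(drop >= x) = p0 * (x / x0)**-alpha
# for x >= x0. x0 = 7.0 and p0 = 0.01 pin it to the normal's 0.99 quantile so
# both models agree on ordinary days; alpha = 3 is an assumption made here for
# illustration (the "inverse cubic law" reported for equity returns).
X0, P0, ALPHA = 7.0, 0.01, 3.0


def pareto_tail(drop_pct, x0=X0, p0=P0, alpha=ALPHA):
    """P(one-day drop of at least drop_pct) under the assumed Pareto tail."""
    if drop_pct < x0:
        raise ValueError("tail model is only defined for drops >= x0")
    return p0 * (drop_pct / x0) ** -alpha


def pareto_quantile(p, x0=X0, p0=P0, alpha=ALPHA):
    """Inverse of pareto_tail: the drop not exceeded with probability p (p >= 1 - p0)."""
    if p < 1.0 - p0:
        raise ValueError("quantile lies below the tail cutoff x0")
    return x0 * ((1.0 - p) / p0) ** (-1.0 / alpha)


def compare(drop_pct=21.0):
    """(normal probability, Pareto probability, Pareto/normal ratio) for one drop."""
    n = normal_tail(drop_pct)
    pl = pareto_tail(drop_pct)
    return n, pl, pl / n


if __name__ == "__main__":
    for q in (0.9, 0.99, 0.999):
        pl = f"{pareto_quantile(q):5.1f}%" if q >= 1.0 - P0 else "  n/a "
        print(f"q={q:<6} normal {normal_quantile(q):5.1f}%  pareto {pl}")
    n, pl, ratio = compare()
    print(f"P(drop >= 21%): normal {n:.2e}, pareto {pl:.2e}, ratio {ratio:.1e}")
```

The two models are deliberately tied together at the 0.99 quantile: on 99 days out of 100 they give the same answer, and the difference only shows up in the region the risk model is actually for. Change `ALPHA` to 2 and the 21% probability rises to about 0.1%; the point of the slide is that the answer is a few hundred million times larger than the normal's, whichever reasonable tail exponent you pick.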
  • 6. MOTHERF*RS ACT LIKE THEY FORGOT ABOUT SWANS Often, as Russell Thomas likes to point out, people mistake events that they did not predict for black swan events. However, what makes a "black swan event" is not the event itself. Instead, it is how that event fits into the object-observer system. And in fact, the paradigm shift to using power law distributions to describe many of the variables we use in infosec explains away plenty of "black swans", by making the object-observer system more receptive to rare, high-impact events.
  • 7. THE POWER LAW(S) OF INFORMATION SECURITY @mroytman But in fact, nothing is linear. This talk is about the power laws which occur in information security, what they mean, where I've found some, and what to do about them. The research I'll present is far from done, but it's a starting point, and I hope to make you think twice before using a normal distribution in a model again.
  • 8. SLIDE WITH FRACTALS WHAT ARE POWER LAWS Power laws are distributions which describe scale-free phenomena. What this means in layman's terms is that the same mechanism is at work across a range of scales and orders of magnitude. In fact, a power law is the necessary and sufficient form for a scale-free distribution: it is the only functional form that looks the same after x is rescaled. The importance and ubiquity of scale-free behavior was first pointed out by Mandelbrot, who coined the term "fractals". In fractals, we see the same behavior across different scales of length, time, price, or any other relevant variable with a scale attached to it.
  • 9. A quantity is said to follow a power law if it is drawn from a probability distribution whose tail looks like: P(X >= x) ~ C x^(-alpha), equivalently a density p(x) ~ C' x^(-(alpha + 1)). alpha is a constant parameter of the distribution known as the exponent, or scaling parameter. The slides use the tail (CCDF) exponent throughout, as do the moment rules on slide 14; Clauset et al. and the poweRlaw package quote the density exponent, which is larger by one. Typical density exponents are in the range 2-3 (tail exponents 1-2), but there are exceptions.
  • 10. Lots of things follow a power law. The oldest (1948) and cleanest statistical regularity in international relations is Richardson's law, which states that the severity of warfare is power law distributed. This behavior is not unique to wars, and occurs in the natural sciences (traffic jams, earthquakes, biodiversity, coastlines, Brownian motion, asteroid impacts, etc.) and the social sciences (language, wealth, firm size, salaries, guild sizes in World of Warcraft, links to blogs). These power laws are considered fingerprints of a "complex" system, although what exactly is meant by complex is transient. These systems generally produce outputs that are patterned, but have no standard (for lack of a better term) size in the Gaussian sense. More often than not, a power law only applies to the values of a distribution greater than some minimum x_min. In these cases, we say that the tail follows a power law.
  • 11. FAKE SWANS Tails are vitally important. A power law is an instance of a fat-tailed distribution. There exist precise results (the theory of regularly varying tails) under which "sufficiently fat tails" and power law tails are the same thing. Measuring how fat a tail is, is actually quite difficult; the question of proving that something is or isn't a power law is often reduced to the question of just how fat the tail is.
  • 12. You can’t tell the difference here, but when we go further out…
  • 13. You can see how much smaller the tails of the non-power law distributions are.
  • 14. LACK OF PREDICTION Why does this matter? It's because when the tails are small, we can say meaningful things about the "mean" and "variance" of the distributions. With a power law distribution, the sample mean or variance don't necessarily stay stable as more data arrive. An interesting aspect of power laws is that the exponent alpha has a natural interpretation: it is the cutoff above which moments of the distribution do not exist (the k-th moment is finite only for k < alpha). More familiarly, for exponents less than 2, the variance does not exist, and the central limit theorem does not apply. In effect, even with an infinite amount of data, we cannot say much about the variance of such distributions. For exponents less than 1, the mean does not exist. For this reason there is no such thing as an "average flood". There is instead a 100-year flood, a 10-year flood.
  • 15. Perhaps we ought to start talking about the Target breach as a "10-year breach". But let's get back to our own industry: why would information security exhibit power law behavior? And where?
  • 16. First, when two distributions are combined, the fattest tail always wins. This means that as you add power law distributed factors to a distribution, the result stays power law distributed. Second, information security is the combination of a great many factors: the size of the internet, the size of firms, the power of terrorist groups, and the distribution of wealth are just a few of the ones I can think of that are power law distributed. If each has an exogenous effect on infosec, we would expect our own variables to inherit those power law properties.
  • 17. LAW 1
  • 18. BREACH FREQUENCY BY CVE TYPE P(CVE has breach volume X) = X^-1.5. Fit: Kolmogorov–Smirnov D-value 0.1134174, xmin 15, alpha 1.5. The chance that a particular CVE has high breach volume is substantially higher than we previously thought, just like in the Hutton example, where the chance that the S&P dropped by 21% was underestimated.
  • 19. ONE VULN WILL CAUSE YOUR BREACH (OR A COUPLE) What does this mean for you? It means there are vulnerabilities which have an extremely high probability of causing a breach. Since this breach data comes from how attackers are behaving, having a handle on threat intelligence globally allows you to identify _which_ vulnerabilities are the ones most likely to cause the breaches. It means shifting your strategy away from trying to fix everything, or even trying to fix everything that comes out on Patch Tuesday, and instead focusing on identifying and remediating the few vulnerabilities which are _most_ likely to cause a breach. THIS is non-linear thinking.
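One way to produce numbers like the xmin, alpha and KS D-value quoted above, as an added example that is not from the talk (and not the poweRlaw package in the references): a minimal continuous power-law fit in stdlib Python following the Clauset et al. recipe, maximum-likelihood alpha for the tail at or above xmin, with xmin chosen where the Kolmogorov–Smirnov distance between data and fit is smallest. The exponent it reports is the tail (CCDF) exponent used in the slides' formulas and in the moment rules of slide 14; Clauset et al. and poweRlaw quote the density exponent, which is larger by one. The input is a synthetic Pareto sample with a known exponent, so the estimates can be checked against the truth; no CVE data is involved.

```python
# Added example (not from the slides): Clauset-style continuous power-law fit
# in plain Python. Data are synthetic, drawn from a known Pareto tail.
import math
import random


def sample_pareto(n, alpha, xmin=1.0, seed=1234):
    """Inverse-transform samples with tail P(X >= x) = (x / xmin) ** -alpha."""
    rng = random.Random(seed)
    # 1 - random() lies in (0, 1], so the exponent never sees a zero
    return [xmin * (1.0 - rng.random()) ** (-1.0 / alpha) for _ in range(n)]


def fit_alpha(data, xmin):
    """MLE of the tail exponent for points at or above xmin (Hill estimator).
    Clauset et al. and poweRlaw report the density exponent, which is this + 1."""
    logs = [math.log(x / xmin) for x in data if x >= xmin]
    if len(logs) < 2 or sum(logs) == 0.0:
        raise ValueError("too few distinct points above xmin")
    return len(logs) / sum(logs)


def ks_distance(data, xmin, alpha):
    """Largest gap between the empirical CDF of the tail and the fitted CDF,
    the Kolmogorov-Smirnov D statistic quoted on the slide."""
    tail = sorted(x for x in data if x >= xmin)
    n = len(tail)
    d = 0.0
    for i, x in enumerate(tail):
        model = 1.0 - (x / xmin) ** -alpha
        d = max(d, abs((i + 1) / n - model), abs(i / n - model))
    return d


def fit_power_law(data, min_tail=200, step=25):
    """Scan candidate xmin values (a coarse grid over the observed values that
    leaves at least min_tail points in the tail) and keep the one with the
    smallest KS distance. Returns (xmin, alpha, D, n_tail)."""
    xs = sorted(set(data))
    candidates = xs[: max(1, len(xs) - min_tail) : step]
    best = None
    for xmin in candidates:
        a = fit_alpha(data, xmin)
        d = ks_distance(data, xmin, a)
        if best is None or d < best[2]:
            best = (xmin, a, d, sum(1 for x in data if x >= xmin))
    return best


def moments_defined(alpha):
    """With tail exponent alpha the k-th moment is finite only when k < alpha,
    so the mean needs alpha > 1 and the variance needs alpha > 2."""
    return {"mean": alpha > 1.0, "variance": alpha > 2.0}


if __name__ == "__main__":
    data = sample_pareto(2000, alpha=1.5, xmin=15.0)
    xmin, alpha, d, n_tail = fit_power_law(data)
    print(f"xmin={xmin:.1f} alpha={alpha:.2f} D={d:.4f} n_tail={n_tail}")
    print("moments defined:", moments_defined(alpha))
```

Two caveats a practitioner should carry over to real breach counts: counts are integers, so the discrete MLE (or poweRlaw's `displ` model) is the right tool rather than this continuous estimator, and a small D-value on its own does not prove a power law; Clauset et al. pair it with a goodness-of-fit p-value from bootstrapped synthetic samples and a likelihood-ratio comparison against log-normal and stretched-exponential alternatives, which is the "ways to test how good the alternative models are" of slide 28.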
  • 20. LAW 2
  • 21. Kevin Thompson's talk tomorrow at 2pm: this talk introduces the VERIS Community Database (VCDB), a research project aimed at gathering news articles about information security incidents, extracting data, and serving as a public repository of breach data suitable for analysis and research.
  • 22. ID THEFT FREQUENCY P(Theft has X victims) = X^-0.7, beta = 0.7 +- 0.1. Maillart and Sornette, ETH Zurich 2009 (datalossdb).
  • 23. STABLE ACROSS INDUSTRIES beta = 0.7 +- 0.1. Maillart and Sornette, ETH Zurich 2009 (datalossdb).
  • 24. ONE BREACH WILL MATTER MOST (OR A COUPLE) The takeaway here is that impact is concentrated in the fat tails of the distributions as well. It means we ought to be tailoring our strategies to preventing the one big breach. This also means there's no average breach, and estimates of potential losses need to plan for scenarios like the Black Monday that was missed in the opening example.
  • 25. LAW 3
  • 26. BREACH FREQUENCY BY DAY P(Day has breach volume X) = X^-1.5. Fit: Kolmogorov–Smirnov D-value 0.1134174, xmin 15, alpha 1.5.
  • 27. ONE DAY IT’LL HAPPEN TO YOU (OR A COUPLE)
  • 28. SLIDE WITH WHAT DO WE DO ABOUT IT From Russell: Handling Fat Tails for Decisionmakers. Here's a list of things that analysts and decision makers can do to successfully cope with the unruliness of very fat tailed probability distributions:
    1. To the method of frequentist statistical analysis of historical data, add other methods and other data. Simulations, laboratory experiments, and subjective probability estimates by calibrated experts are just three alternative methods that can fill in for the limitations of frequentist methods with limited sample data.
    2. Resist using colloquial terms like "average", "typical", "spread", or even "worst case". Using them will only add to confusion, misunderstanding, and mis-set expectations.
    3. Communicate and decide using quantiles, not the usual summary statistics (mean, standard deviation, etc.). If any summary statistics are used as decision criteria or in models, use quantiles.
    4. Put in some effort to estimate the "fatness" of the tail, either parametrically or non-parametrically. Even a not-very-good fat tail model is much better than one based on thin tails. There are ways to test how good the alternative models are. In my opinion, the best academic paper on this is "Power-law distributions in empirical data".
  • 29. You should model risk differently.
    michael [8:21 AM] You should focus your efforts on identifying things that live in the fat tail or are predictors of it
    michael [8:22 AM] Bc there is no average
    michael [8:22 AM] you should never ever use metrics like average vulns closed or something like that
    1. Investing to fix 100% of vulns is poor use of resources.
    2. When the Big Loss event happens, only one or a few vulnerabilities will be exploited.
    3. Ahead of that (ex ante), you need a systematic method to invest to fix a portfolio of vulns which, with very high confidence, include ALL of the vulns that could be part of the Big Loss event. These vulns will be strategically positioned in the most likely attack graphs.
    4. And here's how you'd do that in practice ...
  • 31.
    Dan Geer, Power. Law. http://geer.tinho.net/ieee/ieee.sp.geer.1201a.pdf
    Clauset et al., Power-Law Distributions in Empirical Data. http://arxiv.org/abs/0706.1062
    Farmer and Geanakoplos, Power Laws in Economics and Elsewhere. http://tuvalu.santafe.edu/~jdf/papers/powerlaw3.pdf
    Maillart and Sornette, Heavy-Tailed Distribution of Cyber Risks. http://arxiv.org/abs/0803.2256
    poweRlaw R package. http://cran.r-project.org/web/packages/poweRlaw/vignettes/poweRlaw.pdf
    Gabaix, Some Nondescript NYU Stern Lecture on Power Laws. http://pages.stern.nyu.edu/~xgabaix/papers/powerLaws.pdf
    Russell Thomas, for graphs and everything he writes on http://exploringpossibilityspace.blogspot.com/
    THANKS! and Alex Hutton
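To make the "fix the few, not the many" argument of slides 19, 24 and 29 concrete, and to show what quantile reporting (Russell's point 3) looks like next to a mean, here is an added example that is not from the talk. The per-vulnerability breach counts are constructed deterministically from a Pareto tail; the exponents 1.5 and 0.7 are the slide-18 alpha and slide-22 beta read as tail exponents, and the closed form for the share held by the top fraction assumes an untruncated Pareto with alpha > 1.

```python
# Added example (not from the slides): concentration of "breach volume" across
# vulnerabilities when the per-vuln counts follow a power law, and what a
# fix-the-top-k strategy buys. Counts are constructed, not real CVE data.


def pareto_counts(n, alpha, xmin=1.0):
    """Deterministic Pareto sample via plotting positions q_i = (i + 0.5) / n:
    x_i = xmin * (1 - q_i) ** (-1 / alpha), so P(X >= x) ~ (x / xmin) ** -alpha.
    No randomness, so the same n and alpha always give the same numbers."""
    return [xmin * (1.0 - (i + 0.5) / n) ** (-1.0 / alpha) for i in range(n)]


def quantiles(values, probs=(0.5, 0.9, 0.99)):
    """Quantile summary (Russell's point 3) instead of a mean and s.dev."""
    s = sorted(values)
    return {p: s[min(len(s) - 1, int(p * len(s)))] for p in probs}


def mean_and_median(values):
    """Both at once, to show how far the mean sits from the typical vuln."""
    s = sorted(values)
    return sum(s) / len(s), s[len(s) // 2]


def top_share(values, fraction):
    """Share of total volume removed by fixing the top `fraction` of vulns,
    ranked by volume. Fixing in volume-blind order removes `fraction` on average."""
    s = sorted(values, reverse=True)
    k = max(1, int(round(fraction * len(s))))
    return sum(s[:k]) / sum(s)


def theoretical_top_share(fraction, alpha):
    """Closed form for an untruncated Pareto tail with alpha > 1: the top
    fraction p of items holds p ** ((alpha - 1) / alpha) of the total."""
    if alpha <= 1.0:
        raise ValueError("mean is infinite; the share is dominated by the maximum")
    return fraction ** ((alpha - 1.0) / alpha)


def fraction_needed(values, target):
    """Smallest fraction of vulns (ranked by volume) covering `target` of volume."""
    s = sorted(values, reverse=True)
    total = sum(s)
    running = 0.0
    for k, v in enumerate(s, start=1):
        running += v
        if running >= target * total:
            return k / len(s)
    return 1.0


if __name__ == "__main__":
    for alpha in (1.5, 0.7):  # slide 18's alpha and slide 22's beta, as tail exponents
        counts = pareto_counts(10_000, alpha)
        mean, median = mean_and_median(counts)
        q = {p: round(v, 1) for p, v in quantiles(counts).items()}
        print(f"alpha={alpha}: mean={mean:.2f} median={median:.2f} quantiles={q}")
        print(f"  top 1% holds {top_share(counts, 0.01):.1%}, "
              f"top 10% holds {top_share(counts, 0.10):.1%}, "
              f"80% of volume needs {fraction_needed(counts, 0.8):.2%} of vulns")
```

With alpha = 1.5 the mean is infinite-variance but finite, and the top 10% of vulns carry roughly 45% of the volume; with alpha = 0.7 even the mean is undefined, the top 1% carry over 90%, and 80% of the volume sits in a handful of vulns out of ten thousand. That second regime is the one where "average vulns closed" tells you nothing and a ranked, threat-informed list of a few dozen CVEs is the whole game.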