Friday, May 17, 2013

Cyber and Pareto's Law of the Vital Few

Have you ever met anyone working cyber security that said they were bored?  Me either.  Cyber security is an often unthanking and underappreciated grind.  Problem is we only have ourselves to blame, including me. There’s a difference between taking action and productivity. 

As humans, our lives cannot scale to meet the demands the threat actors throw at us on a daily basis. Throw in a few meetings with vendors, the folks in the C-Suite, sprinkled with one or two HR matters, the week dries up pretty fast.  More importantly, it doesn’t allow much time for doing what we’re supposed to be doing – fighting the good fight!  

Italian economist Vilfredo Pareto observed that roughly 80% of the effects came from 20% of the causes.  This principle is known as the “80-20 rule” or the “law of the vital few”.  This law can be observed in many ways, business for example – typically 80% of profits come from 20% of your customers.  Or in our realm, take the SANS “Top 20 Critical Controls” - the top four controls (20%) can mitigate much of the threat.  O.K. not perfect, but you get the point.  So think a minute, if only 20% of your work produces 80% of your results are your focusing on the correct 20%?  Would the last four controls of the Top 20, give you 80% protection?  Probably not!

Each of us works with a unique set of circumstances and constraints.  Despite the near-daily reporting of high profile attacks, budget shortfalls, inadequate staffing levels, and mission creep, are still ubiquitous in cyber security.   It is incumbent upon us, as cyber security experts, to make sure we get 80% of at least 20% of our investments.  The Pareto principle needs to be welded into our decision making process.  This is an absolute requirement if you’re an SMB!

At the end of each week, take time to review the actions you or your staff made and what the results of those actions were.  What could you have done better to make the result more productive?  Furthermore, did you take actions that produced low results or not “Pareto efficient”?   For example, did you spend 20% of your budget hiring a penetration tester when you could have used the money to replace your packet filtering firewall with an application layer firewall?  Which decision would give you an 80% return?

For those of us working with APT in an incident response capacity, not applying Pareto’s principle can be dangerous!  Incident response teams need precise, timely and detailed information like now, not tomorrow.  If an incident response team has to sift through mountains of indicators to get at the ones that are actionable, you quickly become Pareto inefficient! 

We often hear that indicator feeds produce about 10%-15% of real actionable indicators yet it costs an analyst, or analysts, a lot of cycles to examine 100% of the data.  So in the best case scenario, you’re investing about 85% of your time for a 15% result – that’s important to note!  

I’m not suggesting that feeds are not worth it, I’m simply suggesting they’re not enough in of themselves.  If you’re spending $10,000 for a feed, which is a bargain by any stretch, and you’re only getting 15% results, it would tend to make one rethink the value proposition of the feed.  Then add the human time required for scrutinizing the indicators, the value drops off precipitously.

This is why when we at Red Sky are talking to potential members or simply educating people about the APT problem we stress threat intelligence has to be timely, contextual, and most importantly – accurate.  Every analyst in the Red Sky membership has to show their work. Each puts into context their findings that are then peer reviewed for accuracy.  We do this to ensure when a new member joins Red Sky, they have an abundance of rich and contextual indicators, Snort signatures, and Yara rules they can apply to their defense strategies on day one.  Add in the ability to work alongside and ask questions of some of the most experienced and intelligent incident responders from some of the world’s leading organizations fighting APT – it’s clear a membership in Red Sky would be a Pareto efficient decision!


This week Red Sky released Fusion report 13-013, which was released on the 13th! No, that wasn't intentional!  This report described a new targeted malware variant which leveraged a previously unobserved TTP. Included were several new rules and indicators for proactive mitigation. Fusion report 13-014 should be published by this weekend and will provide analysis on yet another new variant observed in recent watering hole activity.

My last blog, “Time for some good news in Cyber Security”, was met with a lot of positive emails.  I was very pleased by those that took the time to email me to thank me for being uplifting.  And why shouldn’t we be?  We’re all doing really good things tackling a very hard and real problem.  Keep up the good work!

I encourage you to share your thoughts with me.  If you haven’t requested our whitepaper How Great Companies Fight Targeted Attacks and APT, please shoot me an email or visit our website

Keep fighting the good fight!
Post a Comment