Now that the baseball season is upon us (Go Giants!), thoughts of course turn to…technology???
Billy Beane, General Manager of the Oakland A’s, popularized the use of data to build a winning team and was memorialized in the book (and the movie) “Moneyball.” Baseball’s operational use of data has continued to expand to the point now where decisions about placement of players are made on every pitch. A radical redeployment of the defense is called a “shift” and the 2014 New York Times article, A Rapidly Shifting Philosophy of Infield Play, describes how the use of the “shift” – once a seldom-used tactic – is now a data-driven phenomenon.
The article explains, “As teams compile more and more information on hitters’ trends, managers can predict more accurately than ever where ground balls are most likely to go.” Better insights mean better player placement and better defense. For context, when asked why he was so good at what he did, legendary hitter Wee Willie Keeler responded, “hit ’em where they ain’t” – which sounds a lot harder today given that “they” are predicting with a great deal of accuracy where a batter will “hit ’em.” In fact, pull hitters like David Ortiz had a dramatically lower batting average when facing a shift.
It’s not hard to extrapolate this lesson to cyber security. Security teams collect literally billions of data points (e.g., events) each day. Like the shift in baseball, enterprise security teams can continuously analyze historical data to better understand the likely future behavior of both external and internal IT “actors.” If you know the tendencies of your adversaries (threats), your response is bound to be better.
When discussing “Big Data Security Analytics,” analyst firm Gartner describes a multi-tiered decision support “pyramid.” Its base contains raw events, packets, etc. The middle level adds context such as reputation and external intelligence, and the top holds highly focused applications and analytics that lead to action.
Baseball managers align their real-time defense based on historical data. With emerging tools to examine a year’s worth of logs and other data to see the rogue or abnormal activity of systems, devices, applications, users and data, imagine how much more efficient and effective the security team will be in dealing with the next advanced threat.
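The “shift” idea in code, as an added illustration that is not from the original post: build each user’s tendencies (which hosts they log in from, at what hours) from historical authentication events, then flag a new event that falls outside those tendencies. The log format, user names and host names are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed historical events in a hypothetical "timestamp user src_host" format:
# alice works from ws-alice around 09:00, 13:00 and 17:00; bob from ws-bob at 08:00 and 16:00.
HISTORY = [
    f"2024-03-{day:02d}T{hour:02d}:15:00 alice ws-alice"
    for day in range(1, 11) for hour in (9, 13, 17)
] + [
    f"2024-03-{day:02d}T{hour:02d}:40:00 bob ws-bob"
    for day in range(1, 11) for hour in (8, 16)
] + ["2024-03-05T10:05:00 alice jump-host"]  # one-off, should count as rare


def _parse(line):
    ts, user, host = line.split()
    return user, host, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour


def build_baseline(events):
    """Per-user tendency profile: how often each source host and hour-of-day was seen."""
    baseline = defaultdict(lambda: {"hosts": Counter(), "hours": Counter(), "total": 0})
    for line in events:
        user, host, hour = _parse(line)
        profile = baseline[user]
        profile["hosts"][host] += 1
        profile["hours"][hour] += 1
        profile["total"] += 1
    return baseline


def score_event(baseline, line, min_share=0.05):
    """Return the reasons a new event deviates from the user's historical tendencies.

    A host or hour is 'rare' when it accounts for less than min_share of the user's
    history; an empty list means the event matches where this user usually 'hits'.
    """
    user, host, hour = _parse(line)
    profile = baseline.get(user)
    if profile is None:
        return ["unknown user"]
    reasons = []
    if profile["hosts"][host] / profile["total"] < min_share:
        reasons.append(f"rare host {host}")
    if profile["hours"][hour] / profile["total"] < min_share:
        reasons.append(f"rare hour {hour:02d}")
    return reasons
```

Tuning min_share against a year of real history is where the analyst's judgement goes; too low and the one-off jump-host login is trusted, too high and normal variation becomes noise.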