What do baseball and cybersecurity have in common? Nothing, at first glance. Take a closer look, though, and the similarities are hard to miss, because cybersecurity is going through its Moneyball transformation right now. Early investments in cybersecurity tools and intelligence sources have created a plethora of data, pushing security leaders and operators to re-evaluate how they use that data to reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
Michael Lewis’s book Moneyball: The Art of Winning an Unfair Game documents the transformation of professional sports into data-centric businesses. Baseball’s Oakland A’s leadership, including Sandy Alderson and Billy Beane, led the way as scouting changed from assessing players on instinct and visual observation to evaluating them with statistical analysis. Beane argued that scouts were “victimized by what they see” and unable to evaluate talent objectively. The transformation ran deep: the old box-score norms were replaced with new statistics built by fusing critical data sets to assemble a combination of players that consistently produced. Instead of drafting a young high-school star on promise, teams evaluated players on how they performed over time. Rather than focusing on hits, the focus turned to on-base percentage, which counts both hits and walks.
“By 1995, Alderson created a new baseball corporate culture around a single baseball statistic: on-base percentage. Scoring runs was, in the new view, less an art or a talent than a process. If you made the process routine—if you got every player doing his part on the production line—you could pay a lot less for runs than the going rate.”
TruSTAR, since its inception over six years ago, has focused on extracting as much value as possible from security tools and sources. Our effort has focused on normalizing and transforming disparate data sets so that operators are not “victimized by what they see” on a screen. Instead, operators should be able to work in the tool of their choice, such as Splunk ES or ServiceNow, and know that it is updated with relevant data from every other tool and source they operate. That gives operators an objective view of the data, including normalized severity scoring of events across intelligence sources.
TruSTAR’s API 2.0, consistent with our API-first strategy, gives operators greater flexibility to use data from security tools and sources. In addition, this week we are rolling out no-code TruSTAR Intelligence workflows to automate the integration and distribution of security data sets within an enterprise and out to sharing organizations.
TruSTAR Intelligence workflows, combined with our enclave-based architecture, move cybersecurity from a transactional model to building a reservoir of intelligence within companies about their own operations. This combination of capabilities is vital to enabling companies to automatically recall past events. As the SolarWinds compromise demonstrated, adversaries execute a series of events over time in order to gain persistent access to systems, so the ability to string those events together over time is vital. As Brian Krebs’s blog noted, the Commerce Department’s NTIA had seen an MD5 hash in August of 2020, but the information was not understood in the broader context of a massive hacking effort involving several exploits and tactics.
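The "reservoir" idea above, in working form, as an added example that is not TruSTAR's or Splunk's code: two sources describe the same indicator in different shapes (different field names, a 1-to-5 severity versus a 0-to-100 confidence, ISO timestamps versus epoch seconds). Each record is normalized into one schema, every sighting is retained rather than overwritten, and when a later, higher-severity record arrives for an indicator, the earlier low-severity sighting is recalled along with how long the two were apart. The feed layouts, field names, source labels and indicator values are all constructed for the example.

```python
"""Added example (not TruSTAR/Splunk code): normalize indicator sightings from
two differently shaped sources into one schema, keep them in a reservoir, and
recall earlier sightings when new intelligence about the same indicator arrives.
All feed shapes, field names, source labels and indicator values are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Sighting:
    ind_type: str        # "md5", "sha256", "domain", ...
    indicator: str       # canonical form: stripped and lowercased
    severity: int        # normalized to 0..100 regardless of the source's own scale
    seen_at: datetime    # timezone-aware UTC
    source: str


# Constructed feed A: a SIEM-style export with a 1..5 severity and ISO-8601 "Z" timestamps.
FEED_A = [
    {"ioc": "B1A2C3D4E5F60718293A4B5C6D7E8F90", "kind": "hash-md5", "sev": 2, "ts": "2020-08-14T09:12:00Z"},
    {"ioc": "Evil.Example", "kind": "domain", "sev": 4, "ts": "2020-09-02T11:30:00Z"},
]
# Constructed feed B: an intel-feed-style record with 0..100 confidence and epoch seconds.
FEED_B = [
    {"value": "b1a2c3d4e5f60718293a4b5c6d7e8f90", "type": "md5", "confidence": 90, "first_seen": 1607904000},
]

# Feed A's type labels mapped onto the common vocabulary (constructed mapping).
_TYPE_MAP_A = {"hash-md5": "md5", "hash-sha256": "sha256", "domain": "domain"}


def normalize_a(rec: dict) -> Sighting:
    """Map feed A's field names, type labels, 1..5 severity and 'Z' timestamps to the schema."""
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return Sighting(_TYPE_MAP_A[rec["kind"]], rec["ioc"].strip().lower(),
                    round(rec["sev"] / 5 * 100), ts, "feed-a")


def normalize_b(rec: dict) -> Sighting:
    """Feed B already scores 0..100, but its timestamps are epoch seconds."""
    ts = datetime.fromtimestamp(rec["first_seen"], tz=timezone.utc)
    return Sighting(rec["type"].lower(), rec["value"].strip().lower(),
                    int(rec["confidence"]), ts, "feed-b")


class Reservoir:
    """Every sighting is kept; a later, louder source never overwrites an earlier one."""

    def __init__(self) -> None:
        self._sightings: dict[tuple[str, str], list[Sighting]] = {}

    def add(self, s: Sighting) -> None:
        self._sightings.setdefault((s.ind_type, s.indicator), []).append(s)

    def recall(self, ind_type: str, value: str) -> list[Sighting]:
        """All sightings of an indicator across every source, oldest first."""
        key = (ind_type.lower(), value.strip().lower())
        return sorted(self._sightings.get(key, []), key=lambda s: s.seen_at)

    def report(self, ind_type: str, value: str) -> dict:
        """What an analyst wants when new intel lands: when we first saw this, from
        where, the highest severity any source assigned it, and how long it sat unnoticed."""
        seen = self.recall(ind_type, value)
        if not seen:
            return {"sightings": 0}
        return {
            "sightings": len(seen),
            "sources": [s.source for s in seen],
            "first_seen": seen[0].seen_at,
            "last_seen": seen[-1].seen_at,
            "max_severity": max(s.severity for s in seen),
            "days_between_first_and_last": (seen[-1].seen_at - seen[0].seen_at).days,
        }


def build_reservoir() -> Reservoir:
    """Load both constructed feeds through their normalizers into one reservoir."""
    r = Reservoir()
    for rec in FEED_A:
        r.add(normalize_a(rec))
    for rec in FEED_B:
        r.add(normalize_b(rec))
    return r


if __name__ == "__main__":
    r = build_reservoir()
    # The hash feed B flags in December was already in feed A in August, at low severity.
    print(r.report("md5", "b1a2c3d4e5f60718293a4b5c6d7e8f90"))
```

The point of `report` is the `days_between_first_and_last` field: the same hash was scored 40 by one source in August and 90 by another in December, and only a store that kept the August sighting can tell the analyst that the indicator had been inside the environment's data for roughly four months. Case and whitespace are normalized on both write and read so that `B1A2...` and `b1a2...` land on the same key; in practice the same treatment is needed for other indicator types (defanged domains, IPv6 forms) before cross-source matching is trustworthy.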
Bill James, one of the primary thinkers behind the rethinking of baseball, wrote, “The problem is that baseball statistics are not pure accomplishments of men against other men, which is what we are in the habit of seeing them as. They are accomplishments of men in combination with their circumstances.” Cybersecurity tools and sources should likewise be seen in combination with their circumstances, and the means of evaluating them rests in the data. John Henry, a billionaire who made his money evaluating statistics in financial markets, bought the Florida Marlins in 1999. In a letter to ESPN’s Rob Neyer, he wrote:
“People in both fields operate with beliefs and biases. To the extent you can eliminate both and replace them with data, you can gain a clear advantage. Many people think they are smarter than others in the stock market and that the market itself has no intrinsic intelligence — as if it is inert. Many people think they are smarter than others in baseball and that the game on the field is simply what they think it is through their set of images/beliefs. Actual data from the market means more than the individual perception/belief. The same is true for baseball.”
The same is also true for cybersecurity. Cybersecurity is not about the individual tool or source; it is about combining the data from tools and sources. Company leadership, in conjunction with operators, must use and measure the combined output of tools and sources. Welcome to the dawn of cyber sabermetrics. Today we can identify a few key metrics, including mean time to detect, mean time to respond, and analyst hours saved. Tomorrow, as the field grows more sophisticated, we will be able to measure and classify events and trends. Such a system would resemble baseball’s AVM Systems, which classifies every event on the field and how much each player involved should be held responsible, and therefore debited or credited. AVM was adopted by Oakland and other teams to reduce risk. That sounds much like the challenge CISOs and operators face every day.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company with over 7,500 employees, over 1,020 patents to date and availability in 21 regions around the world. It offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.