“Is it secure?” What does that even mean? The question itself is biased; looking for a Yes/No response. We get annoyed when TV lawyers press a testifying witness for a Yes/No answer, when we can clearly see that both answers are wrong since there are so many potential contextual nuances that affect how to answer truthfully. Sometimes, Yes/No answers are just not realistic.
And so it is with security. “Are we secure, now?” (after spending $Gazillion on new tech) is not a fair question, and either Yes or No is the wrong answer. That is what Deterministic security means; that a Yes/No answer, a binary response, a ‘1’ or a ‘0’ or an ‘on’ or ‘off’ are the only acceptable responses. But, in our field we (should) accept as axiomatic that we will never be 100% secure (what does that mean?).
Therefore, we have to accept as dogma that if a Deterministic answer in this example is not possible, then we are going to be somewhat less than 100% secure. On a scale of 0.00 to 1.00 (we can get as granular we want), our security posture will always be somewhere between 0.01 and 0.99.
When we receive, for example, a security alert from a SIEM. Are we 100% sure it’s an accurate report? No. So, we get a human involved to investigate. The amount of confidence we have in the accuracy of any detection (security event monitoring, et al) is the Probability that is is correct.
Is the report a False Positive or True Positive; or False or True Negative? Each possibility has its own probability. Over time, in heuristic (ML/DL/AI, etc.) we want our security devices to be more accurate. Does that mean they are more secure? No. It only, means that we have a higher probabilistic belief based upon past performance, of the accuracy of a given report (event, etc.)
What happens when we look at our networks or smaller, more manageable pieces of our environments, with probabilism instead? New answers start appearing as if by magic, because we no longer will allow a Yes/No answer.
This talk will give specific examples of how to calculate the probabilities of many systems that must coordinate, each known to be less than perfect. Will using two event monitors instead of one improve or hurt the probability of accuracy of that part of the system? Well, that depends on how you connect them.
What happens when heavily trusted system components are tied to less trusted components. Simple probability rules will give you the answers. In simple algebra. No fancy math.
We will show how iterative approach to event detection and monitoring, and by knowing how to combine components correctly, will measureably improve the probabilistic posture of your security.