From: Securosis Highlights – Incite 11/7/2012 – And the winner is… Math.

Posted on 2012/11/07

a quick re-post from Securosis Highlights

Incite 11/7/2012 – And the winner is… Math. by Mike Rothman

Yesterday was Election Day in the US. That means hundreds of millions of citizens braved the elements, long lines, voter suppression attempts, fluky voting machines and other challenges to exercise their Constitutional right to choose our leaders. After waiting for about 3 hours in 2008, I got smart and voted early this year. It took me about 45 minutes and it was done.

Luckily I don’t live in a swing state, so I think I saw maybe 1 or 2 political ads throughout the cycle, and that was when I was traveling. I know folks that have been pummeled by non-stop robocalls, TV ads, radio blitzes, and annoying canvassers knocking on their doors will appreciate the relative silence they’ll hear tomorrow. But that’s all part of the process. US Presidential candidates have the most sophisticated targeting and marketing machines in existence. Think about it. Each candidate probably spent $1B on the campaign, funded largely by big donors, and spent largely over the past 3-4 months. That’s a similar spend to what a Fortune 500 consumer products company will spend on marketing, if not more.

And all that marketing is to influence the “story” told by the mass media. Trying to manipulate press coverage to portray momentum, define story lines about candidates, and ultimately rile up their base and depress the competition. Amazingly enough, it’s very effective. Talking heads (many on the payrolls of political parties or specific candidates) appear daily to talk about how everything is rosy in their world, how their candidate has the momentum and will win in a landslide. There really is no unbiased view of the reality of a campaign.

Then there are the polls. Hundreds of polls. Every day. With different results, all seemingly within the margin of error. And the polling numbers spun however they want. Now let’s be clear about polls. They are biased because they take a statistical sample and apply certain voter turnout estimates to derive their numbers. That’s why some polls are consistently skewed towards one party or the other. But what happens if you averaged all of those polls, built a big-ass model, and applied defensible algorithms to eliminate perceived bias to get a decent estimate of the current state of the race?

You get a predictive model of a likely outcome of the election. Which is exactly what Nate Silver has built. He is a former baseball analyst who built sophisticated models to estimate baseball player performance, and then applied his sabermetric kung fu to politics. His website was acquired by the NY Times a few years ago, and his accuracy has been uncanny. He called 49 out of 50 states in the 2008 Presidential election and did well in 2010 as well. Could it be luck? Maybe, but probably not. Not if you believe in math, as opposed to punditry and hope.

Since early in the Spring he’s shown the incumbent President as a solid favorite to be re-elected. Turns out he was right. Absolutely, totally right. Of course, throughout the campaign he became a target of the folks on the other side of the aisle. Similar to the Salem Witch Hunt, folks who understand math have had to convince luddites that he isn’t a witch. What these folks don’t understand is that Nate Silver may have a specific ideological bent, but that’s not what his model is about. The data says what it says, and he reports a likelihood of victory. Not a projection. Not a guarantee. A likelihood.

Models don’t lend themselves to exact precision. He’ll be the first to say there is a likelihood that his model was wrong and the election could have gone to the other candidate. That would have given his detractors the ability to put him and his models in a box. But it didn’t happen. Math won because math works. Models get better over time. To be clear, they are never exact, not on complex systems anyway. Silver’s a numbers guy, which means he’ll continue to refine the model in every subsequent election. But it’s pretty close now, and that’s very impressive.

The baseball pundits hated it when the math guys showed up and proved there is something to quantitative analysis. Now all the other sports are embracing the concepts. And yes, the politicians will pay more attention to quantitative methods over time as well. Anecdote is fine. Qualitative research has a place. But over time math wins. Which scares a lot of people because then pundits and other qualitative windbags will have a lot less to talk about.

When math wins, we all are winners… Especially guys like Rob Graham, who understand the models and how to game them for fun and profit.


Photo credits: Math Doesn’t Suck originally uploaded by John Baichtal

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Building an Early Warning System

Implementing and Managing Patch and Configuration Management

Understanding and Selecting a Key Manager

Understanding and Selecting Identity Management for Cloud Services

Newly Published Papers

Incite 4 U

  1. Taking the path of least resistance: If I was a bad guy (and yes, I’m a bad guy, but I’m not a bad guy), I’d go after small business. Maybe that’s because I know too much. I know how much effort and money is spent by enterprises to protect themselves. They still stink, but they try. PCI guarantees that. But small business tends to spend far less and take security far less seriously. That means they are sitting ducks. And as Krebs shows time and time again, those ducks get slaughtered. This latest story is more of the same about a building security company who got looted via a fraudulent payroll run. Their machines got owned, money mules miraculously were entered into the payroll system, and that day got paychecks adding up to $180,000. Sad truth is that guys like us tend to deal with very advanced security topics, but those tactics are like quantum physics to most of the world. Those folks can hardly wipe their proverbial backside relative to security, and it shows. — MR

  2. Bit Flipping on Software Security: A couple years ago, I did a Firestarter (you know, when we used to blog) on the Automation of Secure Software Development. The gist of my angst was Forrester researcher Chenxi Wang claiming that (I am paraphrasing) coders suck at secure code development, and they will continue to suck at it – in perpetuity. Her position was we need to take security out of the application developer’s hands entirely and build it in with compilers and pre-compilers that take care of bad code automatically. So imagine my surprise to see Chenxi presenting the Forrester Software Security Risk Report (Reg. required) where the findings claim The Road to Application Security Starts in Development. Ironic? You bet. Color me surprised. And as far as the Forrester report goes, it’s something I would have applauded in this Incite several years ago, but not now. Yes, Application Security needs to take a ‘Holistic’ approach, but the missing ingredient in the report is that security needs to be systemic to the app and application stacks. Cloud and mobile forced me to start thinking differently, but it was BigData’s architecture and lack of built-in security features that made me realize developers can only do so much with the tools and technologies they have. And some architectures are not conducive to bolting stuff on, and we can’t expect developers to re-invent the wheel for every app. They won’t. Bolt-on technologies need to give way to built-in security capabilities to assist development staff. — AL

  3. Jobs available. Only unicorns need apply: Here is a very good, succinct summary of one of the biggest issues facing us security folk on the carnal0wnage blog. It’s staffing. At a recent IANS Forum one of the biggest areas of concern amongst the CISOs participating in my sessions was finding, training and retaining talented folks. Consulting firms have a hard enough time getting skilled enough folks to meet demand, and they pay well. Most enterprises have no shot. The answer is two-fold. If you want to compete, you need to pay better. Period. Sure folks like to feel fulfilled and need a challenge. But offer them 40% of a competing offer and you’ll lose. If you have a decent sized staff, you also need to start building a farm team. That means establishing a training program to take talented n00bs (like sysadmins or network jockeys) and train them to be security folk. Understand that the investment you make will pay off for someone else. Eventually another organization will pay your folks big bucks to do what you’ve taught them to do. But that’s part of the game. — MR

  4. Don’t let the facts ruin a good story: I think it’s become obvious that an interesting story about a hack is just as good as a hack in this day and age. The page view whore (Mike’s term) mentality means the media reports first and fact checks later, maybe. Anonymous has claimed to have hacked PayPal and harvested 28k passwords in the process. PayPal denies the claim. Regardless of the truth, perception = reality, and as such the damage has already been done on this. Anonymous once again proves they are masters at PR and marketing. The interesting fallout in the security market is people are now using this as a proof point that regular password rotation will be helpful, and technologies like Password Splitting are now a solution to cover large firms in the event they are hacked. Anonymous has been so successful they can alter security programs by using a fake hack. — AL

  5. Application Control is a feature: Over the past year, I’ve done a lot of research into endpoint security. Why most existing products stink, and why all companies continue to buy them. I’ve tried to keep my cynicism gene in check and focus on endpoint security management, as endpoint hygiene (patch/config, etc.) can make a marked difference in security posture. I’ve always conceptually been a fan of application whitelisting, since the reality remains that a locked down machine is a lot harder to compromise. The problem is AWL dramatically impacted the user experience and not in a good way, so it was relegated to a niche technology and niches don’t make markets. So seeing Lumension acquire the assets of CoreTrace was (unfortunately) not a surprise. Lumension had a product and adding CoreTrace gives them more of the (small) market, and additional technical capabilities. But more importantly, you don’t see Lumension (or any application control vendor) talk about AWL as a stand-alone solution. It’s part of a bigger endpoint protection suite that includes old-school AV to keep the auditors happy. Mr. Market has spoken and AWL is a feature. — MR

– Mike Rothman

Posted in: reading