
So today, my title is kind of ambiguous, like I said, Chad, you wrote it, but basically I'm gonna be talking about taking different algorithms that are used a lot of times in, like, computer science, and just algorithms that kind of apply to life, and applying them to different situations in life as well as cyber security, running a cyber security department, just kind of optimizing your work life in general in cyber security.

And so the way this talk kind of came to be: I was listening to this, like, dumb trashy podcast about dating and relationships. Actually, I was driving up to PC one day, and you know, it's just like girls gossiping or whatever, and then they had a guest speaker on the podcast who was a behavioral scientist, and she started talking about how humans act against their own best interests and why we're really, you know, bad at, like, dating and marriage and all these things, and taking a very scientific approach to it. I thought it was really interesting, and she started talking about this computer science algorithm, which I'll talk about later in the talk, and she applied it to, like, dating, to optimize their dating lives. Like, that's such an interesting concept.

And she referenced this book called Algorithms to Live By. Maybe some of you have heard of it or read it before. And it basically takes, like I said, fundamental computer science algorithms and applies them to, like, daily things you can do in life, and immediately I was like, I need to read this book, because that's so interesting to me. I was an industrial operations engineering major, so, like, optimal processes is what really, really interests me, and I wish I would have done, like, a psychology double minor or double major or something, because I love the idea of, like, algorithms and how humans make choices coming together. Like, okay, I totally need to read this book. And I read it, and basically every chapter in the book is a different algorithm and they apply it to life, and I thought, you know, that's such
a cool concept. We can apply these to cyber security too, though, right? Because algorithms are just frameworks for how to do things, and that's kind of how this talk was born.

So for the rest of this talk, I picked three of my favorite algorithms from the book, and what I'm going to do is I'm going to explain the algorithm, show, like, a fun maybe application to life or something, and then an application to, like I said, cyber security, running a cyber security department, and work-like things and things like that.

And then real quick, I wanted to show my absolute favorite quote from the book. I thought this was hilarious, so I'm going to kind of steal it, like, this is going to be my new quote going forward: "You don't need a therapist, you need an algorithm." But it's a really interesting concept, basically just saying that if you make more choices in your life backed by data and math and algorithms, you know, maybe invite a little bit less chaos into this. Like, it was really interesting.

With that, I'm going to start getting into these algorithms, right? The first one is called the optimal stopping algorithm, and to explain this algorithm there's a really famous problem called the secretary problem. And basically the problem goes: let's say you needed to hire, like, an administrative assistant, okay, and you have a hundred résumés of people that have applied for this job. Once you interview someone, you can either hire them, in which case you stop going through the résumés because you found your person and you're done, or you can pass on them and keep going and interviewing the next person. And let's say that once you pass on someone, you can't go back and hire them later, right? You passed them, then you have to go to the next person. Okay, so the problem of optimal stopping, right, is how many people do I interview before I hire someone? Because maybe I really like the second person, but if I hire the second person, well, what if the other 98 were way better and I just never knew it? And what if I keep
trying and trying and trying to find the best person, and I get to the last three people and they're all terrible, right, and now I R out of B, I don't have anybody and I can't go back? So what is the optimal number of people to interview before you hire someone?

Well, computer science would tell us that what you should do is interview 37% of all applicants, so in this case 37 people, and not hire any of them, because this is going to be what's called your searching phase, right? You're just looking to see what's out there, you're getting kind of a baseline of the population. So in the first 37% you want to interview them all knowing that no matter what, no matter how much you like someone, you will not hire them. Okay, then once we get to our 37th person, we're going to take what we call our benchmark in the first 37. So who do we like the best, who's our benchmark in our mind? And we can't go back and hire them, we already passed, they're our benchmark. And then we're going to keep going forward and keep interviewing, and the first time we come across someone we like as much or better than that benchmark, you should hire them immediately, quit searching, right?

And why is this the optimal approach? It's because you're taking a sample size in a population, you're understanding what's out there, you're doing searching so you kind of know how to find the best person, and then the next time you see something that good you stop immediately, so you're not wasting time interviewing more and more people than you need to. So that's a really famous problem.

So how did they apply this to dating, right? It's so interesting to me. So let's say the average person dates between the ages of 18 and 40, it's on average, right, there are assumptions you can change, but what is the 37%, right? If you date between the ages of 18 and 40, what's your 37%? 26.1 years old is technically the 37% mark. So what does that mean? It's like, well, by the time you hit 26.1 years old, theoretically you dated 37% of the people that you could
date, right? You've gotten your sample size and your population and you try to know who's out there, and in theory you've probably come across someone who would make a good life partner, right? You probably have by that age, maybe not the absolute perfect person, but probably someone who you could have F to settle down with and probably could have tried to make work, right?

So to optimize dating, the theory is that you date until you're 26.1. Now, we don't encourage going back to your ex, right, so you can't go backward, but you say, who was your benchmark person that you met up until that point? And you realize that you probably have met someone that was good enough, and in the future when you find someone as good or better than them, or whatever criteria you have, you commit to making a life with them, you commit to marrying them, you call it good and stop searching, right? Of course it's just an algorithm, like, it doesn't always work like that, but it's kind of an interesting theory of how you can optimize looking for people.

But other interesting applications of optimal stopping: parking is, like, a fun one, right? How far do you drive and get as close as you can to the place, like, how many parking spots do you pass before you say this is probably as close as I'm going to get, and if I keep driving further I might not see any more open spots? And then I've got buying and selling houses, right? If you're thinking about buying a house, how many houses are you willing to go look at? And then you have to make a decision a lot of the times on the spot in the market of, am I going to put in an offer? You might have to make a day-of decision. So what you want to do is look at 37% of all the houses you're willing to look at. So maybe you're not willing to look at more than 20 houses; the first 37%, don't offer on any of them, right? Getting your sample, trying to understand what's out there.

So let's actually apply this to cyber security. Hiring, I think, obviously is an interesting application. We kind of went over that in the
secretary problem, but understanding that not every candidate is going to be the ad so than for the candidate, so understand what's out there, get your sample size, try or fix off that.

But I think more importantly, what I see all the time is, like, evaluating products in the cyber security market. So there are so many different products for IAM, all of these different things, and you can spend all day every day just talking to every startup, every new product, every vendor out there, right, talking to other people and figuring out how they're implementing a tool or doing it differently than you. And a lot of the time what I see it leads to is people jumping ship to a newer, better product because they think it's better, without realizing how expensive and how much time it takes to ditch a tool that you have been using for a long time to try something better. And sometimes it is better to do that, right? But how do you know when those optimal solutions are? It's like, make sure you're always understanding about 37% of the market, right? You're looking for a new IAM tool, you're not going to be able to look at every single startup that's come out there. Get your sample size, look at your 37%, and make an educated decision based on that.

So algorithm number two is about scheduling, right? And so the first thing we'll talk about when it comes to scheduling is this concept of preemption. So preemption isn't free, meaning if you're doing something and something else is going to preempt it, there's a price you have to pay every time you're switching tasks, okay? And in computer science that's known as a context switch. So every time you're switching tasks, going from email to a meeting, or from a meeting to writing documentation for something, your context is switching in your brain and you're paying a price for that, okay? And you're not working optimally with your context switching.

So when a computer processor switches its attention away from a given program, let's say you're using Google Chrome and you, the computer, now
you want to pull up a Microsoft Word document, it has to pause where it's at in the code for Google Chrome, put that code away, go find the code for Microsoft Word, pull it up, find the right portion of the code to run, and start running that program, right? Now that all takes milliseconds, but it is context switching and it's losing time. It's time that the computer is doing work but not real work, right? It's not doing actual things; the work that it's doing is just spent context switching. So this is one of the fundamental tradeoffs of scheduling: the more you take on, the more you try to do, the more overhead and context switching there is, so the more time you actually waste.

Then you get into this portion called thrashing, and basically it's the concept that a CPU can actually only work on one program at a time, but it switches so fast that it looks like you can watch a movie, get an email notification, and surf the web, right? But the more and more you try to get your computer to do, the more and more overhead there's going to be, and there's not, you know, it doesn't level off over time. There's actually a concept of thrashing where basically once you give it one more thing to do and it's a critical threshold, the system will die. It's like a really steep drop-off.

And the best example of this is, like, imagine someone juggling, okay? They're only actually throwing one ball at a time, but it looks like they're, you know, throwing three balls at a time, but they're actually only throwing one ball at a time. And let's say you keep giving the juggler another ball, you add them one more and one more, and they can juggle five and then six and seven. If you throw them that eighth ball and they don't know how to juggle eight balls at a time, they don't just drop one ball, right? They drop everything, everything comes crashing down. And it's actually the same for a computer and it's the same for humans: we have basically a thrashing threshold where once we try to take on too much, all of our
time is spent context switching. And so if you've ever had to stop what you're doing because you're doing so many things, you've got so much on your plate, that you stop what you're doing and you write a list of all the things that you need to do, you're thrashing, right? Because you're not actually working on anything productive. The work you're putting in is about context switching for the work you need to do. You're writing a list of everything that you need to do; you're not actually working to do those things.

Which brings us to the tradeoff of scheduling of responsiveness versus throughput. So the more programs that are running on a computer or in your mind, the smaller the slice of pie each program gets, right? So let's say you've got an hour to do something and you've got five things to do. If you had six things to do, each thing has a little bit less time than you've done, when you had more and more and more stuff, everything has a smaller and a smaller slice of the pie, until that entire slice is just spent on preparing to do the next thing or finishing up the thing you previously did, context switching. And basically these algorithms say there's a minimum length of time that you should do certain things to eliminate thrashing and make sure that responsiveness doesn't obliterate throughput.

So looking at real examples of this, the first really interesting one is responding to emails. Every time you navigate away from something that you're doing, writing a document or something, to go respond to an email, you're context switching and you are losing a little bit of efficiency, right? So do you need to be really, really responsive and respond to every email within five minutes of it coming into the inbox? Because if not, let's say in your head you've got a 30-minute email SLA, that means that you should not check your email more than once every 30 minutes, because that gives me the minimum amount of time you a context. And on top of that, let's say you just sign on for the first time at 8 a.m.,
you know, first time of the day, and you've got 30 unread emails. What most people do, what I do, is I scan through all the emails, I figure out which ones are the highest priority, and I start responding to those first, and then I kind of go down the list. When you do that, scanning through all of those emails is an example of memory thrashing, because you're swapping every email in and out of your mind, which takes a lot of context; you're not actually responding to any of them. Then you have to go back to the ones you decided to begin to respond to first, and what's the first thing you do? You reread the entire email that you just read and start to figure out your response. So you're actually wasting a lot of time doing that. And for computer scientists who know, you know, the speed at which algorithms run, this takes big O of n squared time, which means if your inbox is three times as full, it takes nine times as long to scan through the emails to decide which ones to respond to. So an optimal way of responding to emails actually is just starting with the very first one you receive and going down the list, read everything once, you respond, and you kind of eliminate that memory thrash.

Another example of this, it's called interrupt coalescing. Basically, all the interruptions you're going to get throughout your day, if you can coalesce them into one time and then have longer blocks of time where you're not interrupted, you'll pay less context switching prices. So great examples of this: if you're in management, hosting office hours, right, where you have an hour that anyone can pop on a call or a bridge that you've got somewhere and ask your questions. That way you're not constantly getting pinged all day long, getting emails, getting random meeting requests or IMs, because every time you navigate away to respond to that IM, you're context switching. Another great example, and people hate it, it's, like, weekly or daily update meetings where you've got five developers on a call and they're all
quick update for the day or the week. It's got a really bad rap, but it's actually an idea of interrupt coalescing, where everyone just gets on a call and for that 30 minutes give your update. You know, you're not doing random updates in the middle of the day or anything, and for that 30 minutes you get the interruptions out of the way and you go work the rest of the day. So those are some ways you can kind of use scheduling to optimize, you know, what you're prioritizing and things like that throughout the day.

Then the last algorithm I'll go over is called overfitting. So overfitting, I'll show this example here. We've got something that's, like, underfitted, a good fit, and overfit, right, like statistical modeling. So the reason the one on the right is what we call overfitted: you might think, well, it goes through every single point, so it technically represents the data that's on that chart the best, but it cannot predict future data at all. It'll be really, really bad at that, right? Whereas the middle one that we say is a good fit probably more accurately predicts future data. And basically this means the more and more factors you put into your line doesn't necessarily mean a better fit for the overall data.

And the concept of this that applies to real life law: the more time that you give someone to do a task, or the more time you give yourself to do a task, the more complex they will make the solution. This is, like, a theory that's been looked at a lot in psychology, but it's really true, where, like, if there's a task that should take maybe around a day and you have two days to get it done, and you give someone two days to do it, they inherently, and they won't even know that they do it, will make the solution more complex than it needs to be than if they had less time to get it done. And that kind of introduces this concept of Occam's razor, which you guys might have heard of before, but it basically means that given two alternative approaches to something or two answers to a potential question, the
more simple approach is typically the best one. So it's like the old saying, when you hear hoofbeats you should think horses, not zebras, right? That's a really popular example. Or, you know, if you hear something knocking against a house, you should think it's wind from a tree and not a burglar coming to murder you and steal all of your things, right? And this comes into the concept, which I think is really interesting, that if you cannot explain something simply, you probably don't understand it, right? So anytime you think you understand something, think to yourself, can I explain this very simply to, like, a 10-year-old? If you can't, you actually probably don't understand it very well.

And examples of overfitting that we can apply to cyber security and work: the number one, the obvious one, is over-engineering, right? There's so much complex over-engineering that happens in cyber security, really, really complex systems. I see it a lot in, like, development environments. My background is in computer science, where, you know, they might set up really complex Docker containers because they think it's going to simplify deployment, but all of these things just go wrong. Over-engineering is really common in our industry and it's something you really need to be aware of to make sure you don't do in the future.

Stopping when good enough, and that kind of goes back to the optimal stopping algorithm, right, but realizing that you might not need a whole week to do something. If you can get it done in two or three days and it's good enough, it might be time to move on, because the next part of that is don't let perfection be the enemy of good, right? It's a really common saying, I know everyone kind of says it, but it's a really good thing just to remember, because there's a lot of times I've seen this, especially with, like, software architects or cyber security architects, where, you know, with cyber security we're never going to be perfectly defended, ever, no matter what we do. We could dump billions of dollars in our
cyber security de