
Okay, so I'm Sarah, and just to talk a little bit about me, since I don't really know anyone here at this conference: clearly, if you can tell by my accent, I'm not actually from the UK. I live in the United States, in a place called Wichita, Kansas, in case none of you have ever heard of that, but it's quite literally the center of the entire United States. Some people call it the flyover states, because there's not actually anything to do there, you just fly over. But that's where I live, and my background is a little less in cyber security and more on the statistics, data science, computer science side of things. So this talk today, which we'll get into, is probably one of the least technical talks that you'll hear today, but I want to encourage you to think that that's not actually a bad thing, and that it can still be interesting and applicable to cyber security.

I grew up in Michigan. I come over here quite a bit for work, though; we've got offices in Manchester and stuff, and I had meetings here this week, so it kind of worked out. But in general, like I said, I don't necessarily consider myself the most technical cyber security resource, but much more of a statistician and math person. This talk came about because I was listening to some dumb reality podcasts about dating and relationships; that's just how I spend my time, and it is what it is. But there was a certain episode where they had a guest speaker who was a behavioral scientist, actually a relationship scientist, which I didn't know was a thing, but she spent her career studying the behavior behind relationships and things like that. She started talking about just humans: who we are, why we make the decisions we make, and why people tend to act against their own best interest, which was a really fascinating concept to me. And then she started talking about this computer science algorithm, and immediately I was like, oh okay, that is really getting interesting, and she was applying it to dating and relationships, and I thought, that's such an interesting concept. She referenced this book called Algorithms to Live By. If you haven't read it, I'll highly recommend it; it's what some of this talk is going to be based on. It's called "the computer science of human decisions", and it's basically this book that takes computer science algorithms and applies them to daily life, and how you can optimize your life with computer science. That is just right up my alley, because I really like to understand psychology and why people make choices, I really like math, and I really like computer science, so I immediately knew I needed to read this book, and that's kind of how this whole talk was born.

Then I started reading this book and I thought, you know, we can apply this to cyber security too, right? Because algorithms at a high level are really just concepts and constructs of how to do things, and so we could apply this to computer science. So for the rest of this talk, what I'm going to do is go over three different algorithms. I'll give you the computer science use for an algorithm, an example of how to apply it to life, but then also an example of how you can apply it to your job in cyber security, running a cyber security department, or the things you're doing in daily life.

Before we kick into some of the algorithms, though, I just wanted to show my favorite quote from the entire book: "You don't need a therapist, you need an algorithm," which I thought was hilarious. I've adopted that into my daily life now, so that is officially my new quote. But I think it's really interesting, because it talks all about how you can actually use algorithms to make better choices instead of therapy, although I still highly recommend therapy.

But let's get into the first algorithm. Algorithm one is called the optimal stopping algorithm, and it actually all stems from a really famous psychological problem that needed to be solved, traditionally called the secretary problem, but let's call it the admin problem. Imagine that you needed to hire an administrative assistant, an executive assistant, and you had a stack of 100 résumés that you could go through. You put out this job post, you get 100 résumés in, and you're like, okay, well, I need to hire someone. Let's just say, for the sake of this algorithm, we'll put some bounds on it: you're going to go down through these 100 people, and once you interview someone you'll either hire them or you pass, right? If you pass, you go and interview the next person, you interview number two, number three, okay, and let's just assume that if you give them an offer they'll accept it. So the question here is then: how many people do you interview before you hire someone? Because if you hire the fifth person, well, what if the other 95 people were better and you never knew, right? But if you get to number 97 or 98 and there's only two people left, well, what if they both suck, and now you've missed your best candidate and you can't go back and hire someone you've already passed on. Okay, so that was this famous problem called the secretary problem.

The optimal stopping algorithm showed that the algorithmically best or most optimal answer to this question of how many people do I interview before I hire someone is called the 37% rule. This rule is basically that what you're going to do is interview the first 37% of candidates. So if we have 100 candidates, you'll interview the first 37 people, and in those first 37 interviews you're just going to interview them all and you will not hire any of them, no matter what. You're not going to hire any, you're going to pass on them all, because what you're doing is getting a sample size of your population, right? You're understanding what's out there. After you go through your first 37, you're going to pick your benchmark person out of those first 37. You can't go back and hire them, because you've already passed, but you're going to say, who was my favorite, my best candidate out of those first 37, and that's your benchmark in your mind. You set that benchmark, and now you're going to continue hiring, or interviewing, and the first time you interview someone as good as or better than that benchmark you should hire them immediately and stop searching, right? That's this optimal stopping algorithm, and basically the theory behind it is that you've found your sample size so you know what's out there, and 37% is the mathematically correct answer to how much you should search before you stop and make a decision.

Okay, but how can we apply that to actual life? Well, this book applied it to dating, which I thought was really interesting. Now, this is all just theory and an algorithm, but bear with me, right? So let's say that the average person dates between the ages of 18 and 40. What is 37% of that? Well, if we apply 37% to the ages 18 to 40 it would technically be 26.1 years old. The theory then here is that by the time you're 26.1 years old, in theory, you have dated 37% of the people that you could possibly or would date in your life, right? So you're going to pick your benchmark from everyone you've dated before, and this is not encouraging you to go back to your ex, right, but you're just thinking in your mind of your benchmark, because realistically you have probably met or dated someone who would make a good life partner for you. Maybe you haven't found the storybook perfect person, but you've probably met someone that you could build a life with. So the theory is, by the time you hit 26.1 you pick that benchmark, and the next time you date someone that you think would make as good a life partner as or better than that person, you should stop searching and marry them immediately, because that's as good as it's going to get, right? And now of course it's all a theory, it's all an algorithm, but it's a really interesting way to look at something. It's a very scientific and algorithmically focused way to look at a very emotional problem.

So how can we apply this to cyber security? Well, first a few other fun examples that the book mentioned. Parking is a really good one. I guess you guys probably don't drive as much in the UK, maybe it's the US, but whenever you're driving down a street, and let's say you're half a mile away from your destination, how far should you keep driving and pass up parking spots until you park somewhere? Because what if you get to a point now that you've passed all the good parking spots, because you're trying to get as close as you can, and now there's no parking spots available anymore and you have to turn around and do the whole thing again, right? It's an optimal stopping problem. So is buying and selling houses, or looking for apartments. If you're selling your house, how many offers do you wait for until you accept an offer? Because you could say, well, I could take this offer that's on the table, but what if I get a better one next week? Or if you're hunting for an apartment, how many apartments do you go tour before you decide, you know what, this one's good enough and I'm just going to pick it? Because you can tour every apartment in the city of Leeds, but do you have that much time? We want to optimize, basically, the difference between how much time you spend searching and how good of a product you get in the outcome.

Applying this to cyber security, I think the first one we already kind of talked about, and it's very obvious, is actually hiring. If you're a hiring manager, and I know I am at my job, I have this problem. People talk a lot about a talent shortage in cyber security, which I think is true for some of the more senior roles, but if you're posting for a SOC 1 analyst or a junior level pentester (for me, I hire a lot of junior level computer scientists or data scientists), I mean, I can get hundreds of résumés within a few days pretty easily. And so as a hiring manager I have to decide how much time am I going to spend looking through all those résumés, knowing that I want the best candidate for the job, but I also can't dedicate a week straight to just reading through résumé after résumé after résumé and interviewing people. So hiring is a good example of using the optimal stopping problem, but I think so is evaluating and understanding products in the market. When I look at cyber security, there tends to be a lot of startups, right? And when I see the market, it kind of ebbs and flows, in which you'll get a bunch of startups, and then the big companies will start to buy them up, and you'll kind of get this dip, and then a few years later a bunch of startups start to pop up, and then they get acquired, and it kind of goes in these waves. But either way, if I wanted a new identity and access management tool that I wanted to buy tomorrow, I could easily evaluate 20 products if I wanted. I could do 20 PoCs, I could get a hundred salespeople trying to pitch me on their product, telling me which one's good, bad, better. At the end of the day it's probably not worth it, especially for the CISO, to spend so much time looking at every single product I could possibly buy. So what you need to do is use your optimal stopping algorithm to evaluate a few products, understand what's out there in the market, because let's be real, a lot of these products are 95% the same, right? And then they all have 5% of something that they do different. So you evaluate what's out there in the market, pick a benchmark, and go with that one. It's really about understanding how much time you should spend searching versus actually implementing and choosing something. So that's the optimal stopping problem.

The next one is scheduling, and it applies a little bit more to just your day-to-day corporate life. To talk about scheduling, we're going to talk about something called the context switch, right? When we're talking about scheduling and context switching, we have to operate under the assumption that preemption isn't free, meaning if you're context switching from one thing to another, that's not a free thing to do; there's going to be time you're spending context switching that you're not actually getting anything productive done. So the algorithm here is how computers switch between applications. Let's say I'm on my laptop and I'm going to switch from Google Chrome to Microsoft Word. The computer has to do things in the background to switch between those applications. So if you want to shift a computer processor away from Google Chrome to Microsoft Word, you see that happen pretty instantaneously, right? But there's a certain amount of overhead where the computer needs to bookmark where it was in the code on Google Chrome, stop running that code, pull up the code for Microsoft Word, execute it to whatever state, whatever document or whatever you wanted to pull up, for Google Chrome find a place in that code, and then get back into gear, right? That whole process is called a context switch, and that's all preemption. What's interesting about that is that during that time that the computer is switching from one application to the next, the entire time it's actually not getting anything valuable done, right? The time, the processing power that it's spending, is, I guess, wasted materials; it's using its time to switch something, but not actually run what you want it to run. This is one of the fundamental trade-offs of scheduling: the more you take on, the more you're trying to do simultaneously, the more overhead there's going to be, right? And it actually gets to a certain level when it crashes.

So this is the degree of multiprogramming, which I'll try not to get too crazy about, but basically a CPU can only work on one program at a time, but they switch so fast that it looks like you're watching a movie while you're getting email notifications and getting text messages and all this stuff. But it can actually only do one thing at a time, and so there's a critical threshold, when it's switching between different applications, at which it crashes. You guys have probably seen this before with a computer: you start running too many things at once, the fan starts going so loud that you think your computer's going to take off into outer space, and then it crashes. That's actually called thrashing, and thrashing is this concept of you've taken on so much that you're now spending your entire time context switching and no longer getting anything valuable done. The best real-life example of this seems really simple, but think of a juggler. You're juggling three balls, and then they throw a fourth ball in, and a fifth ball, and a sixth ball, and the juggler can handle it, can handle it, until you throw that seventh ball in. They don't just drop one ball when they can no longer handle that many, they drop them all. That's the concept of thrashing: the computer doesn't just shut down one application when it takes on too much, the system's going to, like, explode: I can't do anything else. The real-life example of this: if you've ever had to stop what you were doing to write down all the things that you needed to do, you've thrashed, right? You are now just spending your time context switching and figuring out what you need to do, and not actually getting anything valuable done. It's this entire concept of responsiveness versus throughput, which basically means how responsive do I need to be versus how much context switching should I do.

A great example of this is checking emails. But before we get into that, just to get back into the computer science program a little bit behind this: you can think about a computer running different programs, and there are different slices of the pie of the processor, right? The more things that it's running, the smaller slice of the pie that each thing gets to run. Thrashing, again, is this concept that the entire pie now is spent on switching instead of actually running any of these programs. So an example of this, and how we can apply this to our daily corporate lives in cyber security: let's talk about responding to emails. If you're like me, or an average corporate individual, the first thing you do when you log on for the day is probably look through all the emails that you got last night. And if, again, you're like me, you start at the top of your inbox and you start looking, you kind of go through them and you say, oh, this one's for my CEO, let me read that one first, this one... But you scan your whole inbox to figure out what you got, and then you go back and you start answering the important ones first. Okay, but to scan your whole inbox you have to read every email first, but it's a quick read, and then you go back and then you do an in-depth read when you actually are ready to respond to something, and you respond to it, right? This is a great example of spending time doing no real measurable work, because you've now gone through all the emails and then have to reread all the emails, because the first time you went through them you didn't really read them that well. Whereas imagine if you just started at the top and one by one went down and dealt with every email. The reason that's actually a lot more efficient is because now you're not reading every email twice. You're picking one email, you're dealing with it, you go to the next, you go to the next, you're not jumping around, you're not context switching, you're not doing multiple things.

So the theory behind this with responding to emails is that you should decide how responsive you need to be, and be no more responsive than that, right? So let's say you're hardcore in some code, or setting up some network or something, and you get an email notification, and you pop over and you respond to that email real quick and then you come back. You've wasted so much time and so much brain power context switching that it's actually really, really inefficient. Whereas if you decide, you know what, my personal SLA for responding to emails is going to be 30 minutes, so once every 30 minutes I will go respond to any emails that came in and then I'll go back, it's actually a way more efficient way of doing it, and it's getting that trade-off between responsiveness and throughput.

The next would be this concept called interrupt coalescing, and again we can use emails for this example, but it's the idea that you should try to coalesce, or group together, any interruptions that are going to happen during your day. So instead of going and popping over and responding to each individual email, you should group respond to all your emails every hour or every 30 minutes. Another great one, I don't know about you guys, but my IM goes off all freaking day long, everyone pinging me because they have quick questions to ask me, especially if you're a manager or something. A really great way to coalesce all of those interruptions is to have 30 set minutes of office hours a day, or something like that: 30 set minutes that you put together on a calendar, and you say, hey, anyone who's got questions or needs something from me, hop on this bridge for these 30 minutes. Now again, I know that's not always super practical in the corporate environment, but it's a way to coalesce those interruptions. The last one, and this actually gets a bad rep, is weekly meetings. Oh, I'm running out of time, okay. Weekly meetings, right? So instead of having someone ping you every single day to tell you their update, it's actually a lot more efficient to have either a daily or a weekly standup where you take 30 minutes and everyone gives you their updates, just like developers do through weekly standup meetings. So I'm going to zoom through scheduling, because we're a little past here.

The last one is the overfitting algorithm. So here's an example of overfitting; it's pretty easy, right? You've got an underfitted line, a good one, and then an overfitted line. What's the algorithm here? Well, it's basically that whenever you're taking a model and you're trying to fit a line, like you are here, through models of data points, the more and more data points or variables you put into that model, a lot of people think, well, the better fitted it's going to be, right? So this line here might just have one input variable; it's like a straight line, y = mx + b or whatever, a slope. This one might have a few, might be like quadratic or something; it has a few input variables. This one on the end here has the most variables; it has the most different variables in that equation to fit the line, but it's actually overfitted. And it's this example that a line with more factors in it, more variables, might be a perfect fit to your current model, but might be terrible at predicting the future or past observations. So whereas this one, the middle, best fitted one, is more likely going to better predict future data points, the last one is going to be terrible at it.

The computer science relation to this overfitting model would be: the more time that you give someone to come up with a solution to a problem, the inherently more complex they will make that solution, even if there is no need for it to be. It's human nature, right? So if you're given a task that you think you should be able to finish in 30 minutes, and your boss says, yeah, spend the whole day on it, and you know you can finish this in 30 minutes, it's pretty simple, but they say spend the whole day on it, you're automatically, by human nature, going to make that solution way more complex, and you're going to way overthink it more than it needs to be, because you've been given more time to do it. It's this concept, you guys have probably heard of it before, Occam's razor: the answer that requires the fewest assumptions is generally the correct one, which just means that when you hear hoofbeats you should think horse, not zebra. But in general with overfitting, the theory here that I really like to go for is: if you cannot explain something simply to someone, you do not understand it well enough. So think about the way that your networks are set up. If you're in charge of running networks for your cyber security company, if you cannot simply explain to someone how your networks, your VPNs, your firewalls are set up, one, you don't understand it well enough, and two, it's probably overly complex.

So what I like to talk about in terms of cyber security and overfitting is this concept of over-engineering, which I think is really, really prevalent in cyber security. We like to think that we have these crazy complex, super highly technical challenges, which sometimes we do, to be fair, but I see a lot of times, especially in large organizations that I work with for consulting, there's just a ton of over-engineering that happens in cyber security departments, and it's really a concept of overfitting. You've given a lot of resources, you've given people time, and they've made these highly, highly complex networks that really, in reality, have more points of failure, nobody understands them, it's harder to manage, it's harder to maintain, it's harder to replace if something new and better comes out. So over-engineering is really prevalent and something to be very careful about, and it's this concept again of stopping when something's good enough. I see a ton of times that people want to rip and replace a product. Let's say they've got a vulnerability management solution and they're using Tenable or something, and they're like, well, I want to move to Qualys, and it's like, why? Well, Tenable doesn't do this one little thing that I want. It's like, so are you telling me that it's really worth it to invest the time and the money to take out Tenable, or whatever vulnerability management product you're using, buy this new product, implement it, train up new resources to learn this new product, for one little thing? What you're really doing at that point is you're overfitting. You need to stop when something is good enough, a lot of the time. That's not to say you should never try new products or change to things, because there are things that are better, but it's recognizing that you should stop when something is good enough, and really understanding that perfection, a lot of times, is the enemy of good.

I think the best example I had of this is, I've worked for a couple of different companies. My current company is definitely more of: if something's good, it's good enough. A previous company that I worked for was definitely perfectionist, and I tried to really figure out why that was so different in the company cultures. My current company is about 450 people; the previous company I worked for, I mean, it was Apple, so it was one of the largest companies in the world, right? Okay, so what's the big difference between a 450-person company and a company like Apple? In a 450-person company, each individual person is responsible for a lot more things, because you don't have everyone doing everything. At a company like Apple, they want you to be the one perfect subject matter expert at the one specific thing you do, because they have 80 other employees who do all the other different things. So you're focused more on one individual, specific thing, and it really created this culture of perfection, because you have such a narrow, limited scope of what you're doing in a day-to-day job that you try to perfect what you're doing, and sometimes that can be good. So that's kind of the concept of overfitting.

But to wrap up, I do want to say I can acknowledge that life is not an algorithm, right? And neither is your job, neither is your daily workday. I understand that if you get an email from your CEO you're not going to say, well, I can't reply for 30 more minutes, because otherwise I'm going to thrash and it's too much context switching. I get it, okay? It's not perfect, life is not an algorithm, and life is not optimal; it doesn't work like a lot of the examples that I showed. If it was, my life would probably look very different. But I think this is a good reminder to try different approaches, look at the pros and cons of things, and, more so, reflect on yourself and understand that humans are not optimal people. We do not make optimal choices, we act against our own best interest all the time. It's the reason that you say, you know, I want to lose 5 pounds, actually, and this morning my alarm went off at 7:00 to go for a run, and I said nope, and I turned it off, and I turned it back on at eight, right? And my goal, I want to run another half marathon in a few months, so why did I not go for a run this morning? Humans act against their own best interest, right? Life comes up, we're not optimal people. Okay, but I think we have a natural inclination as humans toward chaos; we kind of invite bad things into our life, we have a natural inclination towards chaos, and we can never expect to make good decisions if we're just acting off emotion, no logic, things like that. But understanding these algorithms, understanding that we naturally make bad choices inherently, can actually help us make good choices. So that was kind of it. I know it's very high level and not as related to cyber security, but that's my pitch: to treat life a little bit more like an algorithm and just see how much more productive it makes you. But yeah, I just dropped my LinkedIn and my email on here, but that's all I have. Thanks for listening.
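The 37% rule from the optimal stopping section, as an added worked example that is not part of the talk or of the book it cites: the look-then-leap rule applied to one ordered pool (a stack of résumés or a shortlist of products), the dating cutoff arithmetic, the exact success probability of rejecting the first k of n candidates, and a Monte Carlo check that the hit rate really peaks near 37%. The candidate scores and pool sizes are constructed for illustration.

```python
import random


def choose(scores, explore_fraction=0.37):
    """Apply the look-then-leap rule to one ordered pool of candidates.

    `scores` is each candidate's quality in the order they are seen (hidden
    until interviewed). The first explore_fraction of the pool is interviewed
    and always passed over; the best of them becomes the benchmark. Returns the
    index of the first later candidate who matches or beats the benchmark, or
    the last index if nobody does (you ran out and must take who is left).
    """
    n = len(scores)
    k = round(n * explore_fraction)         # size of the look-only sample
    if k == 0:
        return 0                            # nothing to learn from; take the first
    benchmark = max(scores[:k])
    for i in range(k, n):
        if scores[i] >= benchmark:
            return i
    return n - 1


def explore_cutoff(start, end, explore_fraction=0.37):
    """Point in an interval after which you stop looking and start choosing.
    The talk's dating example: explore_cutoff(18, 40) -> 26.1 (years)."""
    return start + explore_fraction * (end - start)


def success_probability(n, k):
    """Exact chance that rejecting the first k of n candidates and then taking the
    first one better than all of them lands on the single best candidate:
    (k/n) * sum_{j=k}^{n-1} 1/j, the classic secretary-problem result."""
    if k == 0:
        return 1.0 / n
    return (k / n) * sum(1.0 / j for j in range(k, n))


def best_cutoff(n):
    """The k that maximises success_probability for a pool of n (about n/e, 37%)."""
    return max(range(1, n), key=lambda k: success_probability(n, k))


def simulate(n, explore_fraction, trials=3000, seed=1):
    """Monte Carlo check: fraction of random orderings of n distinct candidates
    in which choose() picks the best one. Deterministic for a fixed seed."""
    rng = random.Random(seed)
    pool = list(range(n))                   # qualities 0..n-1; n-1 is the best
    hits = 0
    for _ in range(trials):
        rng.shuffle(pool)
        if pool[choose(pool, explore_fraction)] == n - 1:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("dating cutoff for 18..40:", round(explore_cutoff(18, 40), 1))
    print("best k for n=100:", best_cutoff(100),
          "p =", round(success_probability(100, 37), 3))
    for frac in (0.10, 0.37, 0.80):
        print(f"explore {frac:.0%}: simulated hit rate {simulate(100, frac):.3f}")
```

Exploring far less or far more than 37% of the pool lowers the chance of ending up with the best candidate, which is the trade-off the talk describes between time spent searching and the quality of the outcome.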
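The responsiveness-versus-throughput trade-off and interrupt coalescing from the scheduling section, as an added example that is not from the talk: a day of deep work interrupted by emails, handled either the moment they arrive or batched at a personal SLA boundary (every 30 or 60 minutes), plus the slice-of-the-pie model of thrashing. Arrival times, the per-email handling time and the context-switch cost are constructed numbers, not measurements.

```python
# Constructed arrival times (minutes into a 480-minute day), sorted, all in (0, 480].
ARRIVALS = [5, 12, 30, 47, 61, 75, 98, 130, 150, 200, 260, 300, 333, 400, 455]


def simulate_day(arrivals, batch_interval, handle=3, switch_cost=5, day=480):
    """Return (deep_work_minutes, mean_wait_minutes, context_switches).

    batch_interval=0 answers each email as it lands (maximum responsiveness);
    otherwise pending emails are answered together at every batch boundary, the
    "personal SLA" from the talk. Each excursion out of deep work and back costs
    two context switches; handling an email is real work, switching is not.
    """
    if batch_interval == 0:
        groups = [(a, [a]) for a in arrivals]          # one excursion per email
    else:
        boundaries = list(range(batch_interval, day + 1, batch_interval))
        if boundaries[-1] != day:
            boundaries.append(day)                     # flush the tail of the day
        groups, prev = [], 0
        for t in boundaries:
            pending = [a for a in arrivals if prev < a <= t]
            if pending:                                # no emails, no excursion
                groups.append((t, pending))
            prev = t
    switches = 2 * len(groups)
    handled = sum(len(p) for _, p in groups)
    deep_work = day - handled * handle - switches * switch_cost
    waits = [t - a for t, pending in groups for a in pending]
    mean_wait = sum(waits) / len(waits) if waits else 0.0
    return deep_work, mean_wait, switches


def productive_fraction(n_tasks, budget, switch_cost):
    """Slice-of-the-pie model: `budget` minutes are shared evenly across n_tasks
    and every slice begins with a fixed switch cost. Returns the share of the
    budget that is real work; 0.0 means the whole pie goes to switching, i.e.
    thrashing (the juggler who drops every ball at once)."""
    slice_ = budget / n_tasks
    return max(0.0, (slice_ - switch_cost) / slice_)


if __name__ == "__main__":
    for interval in (0, 30, 60):
        deep, wait, sw = simulate_day(ARRIVALS, interval)
        print(f"batch every {interval:>2} min: deep work {deep} min, "
              f"mean wait {wait:.1f} min, {sw} switches")
    for n in range(1, 9):
        print(f"{n} tasks: {productive_fraction(n, 70, 10):.0%} productive")
```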
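The underfitted, good and overfitted lines from the overfitting section, as an added example that is not from the talk: a straight line (one slope), a quadratic, and a polynomial with as many parameters as observations are fitted to the same constructed points, then scored on held-out points between them. The quadratic truth and the alternating noise are constructed; polynomial fitting is done with plain least squares and Lagrange interpolation so the block needs no libraries.

```python
def solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a*x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def fit_poly(xs, ys, degree):
    """Least-squares coefficients c[0..degree] of y ~ sum c[i] x^i (normal equations)."""
    p = degree + 1
    a = [[sum(x ** (i + j) for x in xs) for j in range(p)] for i in range(p)]
    b = [sum(y * x ** i for x, y in zip(xs, ys)) for i in range(p)]
    return solve(a, b)


def eval_poly(c, x):
    return sum(ci * x ** i for i, ci in enumerate(c))


def interpolate(xs, ys, x):
    """Lagrange form of the degree n-1 polynomial through all n training points:
    the model with one free parameter per observation, so it fits them exactly."""
    total = 0.0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        term = yi
        for j, xj in enumerate(xs):
            if j != i:
                term *= (x - xj) / (xi - xj)
        total += term
    return total


def rmse(pred, ys):
    return (sum((p - y) ** 2 for p, y in zip(pred, ys)) / len(ys)) ** 0.5


def truth(x):                       # constructed underlying relationship
    return 3.0 + 2.0 * x - 1.5 * x * x


# Constructed data: 8 training points with alternating +/-0.4 noise, and 7
# held-out points halfway between them with alternating +/-0.3 noise.
TRAIN_X = [k * 2 / 7 for k in range(8)]
TRAIN_Y = [truth(x) + 0.4 * (-1) ** k for k, x in enumerate(TRAIN_X)]
TEST_X = [(k + 0.5) * 2 / 7 for k in range(7)]
TEST_Y = [truth(x) + 0.3 * (-1) ** (k + 1) for k, x in enumerate(TEST_X)]


def compare():
    """Return {model: (train_rmse, heldout_rmse)} for the talk's three lines."""
    out = {}
    for name, degree in (("underfit", 1), ("good", 2)):
        c = fit_poly(TRAIN_X, TRAIN_Y, degree)
        out[name] = (rmse([eval_poly(c, x) for x in TRAIN_X], TRAIN_Y),
                     rmse([eval_poly(c, x) for x in TEST_X], TEST_Y))
    out["overfit"] = (rmse([interpolate(TRAIN_X, TRAIN_Y, x) for x in TRAIN_X], TRAIN_Y),
                      rmse([interpolate(TRAIN_X, TRAIN_Y, x) for x in TEST_X], TEST_Y))
    return out


if __name__ == "__main__":
    for name, (train, test) in compare().items():
        print(f"{name:>8}: train RMSE {train:.3f}, held-out RMSE {test:.3f}")
```

The interpolating model scores zero error on the points it was built from and the worst error on the points in between, which is the "perfect fit now, terrible at predicting" behaviour the talk attributes to the overfitted line.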