In the early morning hours of Monday, November 1st, the Kansas City Royals won the 2015 major league baseball World Series. To be sure, the team secured its championship against the expectations of most.In the fifth game, the Royals trailed behind the New York Mets 0-2. Everyone expected that the Mets would win, but then things changed. At the top of the ninth inning, the Royals scored two runs and tied everything up 2-2. Three innings later, following a few steals here, a run there, the Royals emerged victorious with a resounding 7-2 win. The team had not won the World Series since 1985.The Royals’ performance this year is clearly one for the history books. But there’s more to this story than the stuff of sports chronicles. Indeed, for those of us who work in the security industry, there are clear parallels that can be drawn between the final game of the World Series and our profession.For starters, Kansas City was never the favorite team of this championship team. The Mets were always expected to win. Some, however, did have their doubts and foresaw what would happen.The field of computer technology is largely dominated by a host of online threats, including sophisticated malware that employ evasive techniques and hacker groups that target our personal information, as was the case in the Target, Sony and Anthem breaches. Given this evolving threat landscape, many observers expect that we security folks will always lose and that we will fail to protect users.But by and large, we do not. Like the Royals, we seize upon the mistakes of computer criminals and use them to our advantage, both offensively and defensively. This is what researchers at Kaspersky Lab recently put in to practice in order to develop a decryption tool for CoinVault and Bitcryptor ransomware.This is what Google internalized when designing the new security features of Android 6.0 (Marshmallow), and this is what we study and talk about together at community events like BSides Portland.
Kansas City Royals team celebrates after winning the game in the ALCS playoff baseball game on Wednesday October 15, 2014 at Kauffman Stadium in Kansas City, MO. (Source: The Kansas City Star)
The Royals had a “win” attitude. As observed by Mike Fitzpatrick, AP baseball writer, they fought for their championship against Matt Harvey and Jeurys Familia, two of the top pitchers with the Mets, and they won via incremental gains made over a period of time. “Consistent contact, keep the line moving,” Fitzpatrick explains.We as security professionals would be wise to internalize this same mindset. The manner and frequency with which new threats emerge prevent us from mitigating all vulnerabilities at once. But that is a simple fact of our profession, just as it is for the Royals.Just as they could not immediately turn the tides of Game 5 in their favor, so too did Cisco’s researchers need to patiently work to cripple part of the Angler Exploit Kit’s infrastructure. Baseball and security both operate according to the long view – we make incremental progress now to achieve a more opportune future.That is not to say that we do not each have our struggles or failings. The Royals, for example, experienced what many considered to be a heartbreaking loss against the San Francisco Giants in Game 7 of last year’s World Series championship. But it’s not how many times you lose – it’s about how many times you get back up.Seven times now, the Royals have come back into the game from multiple runs down, which broke the previous record of five by the 1996 New York Yankees over Atlanta. Eric Hosmer and Johnny Cueto helped, but that’s not how they came back all those times. They did so by playing as a team.The same can be said for us. In a recent post for National Cyber Security Awareness Month (NCSAM), Tony Martin-Vegue, host of the Standard Deviant Security podcast, explained how we as security practitioners can benefit from inviting people with backgrounds in accounting, criminal justice, public relations and others into our field.No one person has the skills needed to address all of today’s security challenges but by pooling our expertise together, a collaboration which is embodied in events like Black Hat and DEF CON, we can better prepare ourselves for the threats of tomorrow.The Royals won the World Series by capitalizing on the Mets’ mistakes, by maintaining a “win” attitude, and by playing as a team. We as information security professionals have much to gain from Kansas City’s strategy. By internalizing these lessons, we can better protect online users well into the future.Title image courtesy of ShutterStock