Math Versus Assumptions (Spoiler Alert: Math Wins)

At Verodin, we see digital “Millennium Towers” almost everywhere we go. Huge, weighty edifices of legacy security products that have been stacked up in the hopes of creating “defense in depth”… but the whole security tower is essentially built on assumptions.

January 26, 2017

Long before I got into cryptography, I studied mechanical and civil engineering; in fact, my bachelor's degree is in ME. It’s a difficult, demanding discipline. One of the things that makes engineering so stressful (get it?) is that it’s really hard to cut corners and get away with it. Eventually, math wins. And you lose.

To wit: San Francisco’s Millennium Tower.

Since the building’s completion in 2009, it has sunk 16 inches (406 mm) into the sand and clay typical of the financial district… and it’s tilting several inches to the northwest. New data from the European Space Agency shows that it has sunk about 2.7 inches (72 mm) in just the last 17 months.

The Tower was constructed on not-great land reclaimed from the Bay. It is perfectly possible to build a skyscraper there… The usual solution is to use a ‘piled raft’ foundation. But unlike its neighbors (181 Fremont and the Salesforce Tower), the MT’s piles don’t reach bedrock. Rather, the piles are (hopefully) held in place by friction. Imagine driving a wooden stake into the sand. Eventually, you can’t push it down any farther, even though it’s only sand beneath you.

Now, all buildings sink. But MT’s sunk 3x more than expected, and unevenly. The sinking is not stopping or slowing. And that’s bad news because there simply aren’t any good fixes that don’t approach the price of demolishing the building and starting over again.

At Verodin, we see digital “Millennium Towers” almost everywhere we go these days. Huge, weighty edifices of legacy security products that have been stacked up in the hopes of creating “defense in depth”… but because the tools aren’t in place to quantitatively measure their cumulative effectiveness, the whole security tower is essentially built on assumptions. And that, sooner or later, will lead to tears.

Verodin’s working hard to INSTRUMENT security, so CISOs and SOC leads know exactly what’s going on in their environment, and which security products are “load bearing” and which aren’t. And what’s sinking – or tilting. As our digital enterprises get taller and more complex, this type of instrumentation becomes not just a “good idea” – but a matter of corporate survival.
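To make the "load bearing" idea concrete, here is an added example (not Verodin's code and not from this post) that scores a stack of controls from the results of validation tests run in your own environment. It assumes you have already exercised each control against a set of pre-agreed lab tests and recorded, per test, whether the control blocked, alerted, or missed; the control names, test names and outcomes below are constructed sample data. It reports cumulative coverage, the tests only one control catches (that control is load bearing), controls that add nothing another control doesn't already provide, and regressions between two snapshots (the tower sinking).

```python
"""Score a defense-in-depth stack from recorded validation results.

Added illustration, not the post's or Verodin's code. Assumes each control
was exercised against a fixed set of lab validation tests and the observed
outcome ("blocked", "alerted" or "missed") was recorded per test and control.
"""
from collections import defaultdict

DETECTED = {"blocked", "alerted"}  # either outcome counts as "caught"

# Constructed sample data: test name -> {control -> outcome}.
RESULTS = {
    "test-01 phishing attachment":        {"email-gw": "blocked", "edr": "alerted", "ngfw": "missed",  "siem": "alerted"},
    "test-02 macro spawns shell":         {"email-gw": "missed",  "edr": "blocked", "ngfw": "missed",  "siem": "alerted"},
    "test-03 credential dump":            {"email-gw": "missed",  "edr": "blocked", "ngfw": "missed",  "siem": "missed"},
    "test-04 outbound beacon":            {"email-gw": "missed",  "edr": "missed",  "ngfw": "blocked", "siem": "alerted"},
    "test-05 lateral movement via SMB":   {"email-gw": "missed",  "edr": "missed",  "ngfw": "missed",  "siem": "missed"},
    "test-06 data staged to cloud store": {"email-gw": "missed",  "edr": "missed",  "ngfw": "missed",  "siem": "alerted"},
}


def covered_tests(results, outcomes=DETECTED):
    """Tests where at least one control produced one of `outcomes`."""
    return {t for t, obs in results.items() if any(o in outcomes for o in obs.values())}


def coverage_ratio(results, outcomes=DETECTED):
    """Cumulative effectiveness of the whole stack, 0.0 to 1.0.
    Pass outcomes={"blocked"} to measure prevention rather than detection."""
    return len(covered_tests(results, outcomes)) / len(results)


def gaps(results):
    """Tests that every control missed: the uncovered part of the stack."""
    return set(results) - covered_tests(results)


def load_bearing(results):
    """control -> tests that ONLY that control caught. Remove such a control
    and those tests become gaps, so it is structurally load bearing."""
    unique = defaultdict(set)
    for t, obs in results.items():
        catchers = [c for c, o in obs.items() if o in DETECTED]
        if len(catchers) == 1:
            unique[catchers[0]].add(t)
    return dict(unique)


def redundant(results):
    """Controls with no unique catches: everything they see, something else sees too."""
    controls = {c for obs in results.values() for c in obs}
    return controls - set(load_bearing(results))


def regressions(before, after):
    """Tests covered in the earlier snapshot but uncovered in the later one."""
    return covered_tests(before) - covered_tests(after)


def degrade(results, control, test):
    """Return a copy of `results` in which `control` now misses `test`
    (constructed stand-in for a later snapshot after a config change)."""
    after = {t: dict(obs) for t, obs in results.items()}
    after[test][control] = "missed"
    return after


if __name__ == "__main__":
    print(f"detection coverage : {coverage_ratio(RESULTS):.2f}")
    print(f"prevention coverage: {coverage_ratio(RESULTS, {'blocked'}):.2f}")
    print(f"gaps               : {sorted(gaps(RESULTS))}")
    print(f"load bearing       : {load_bearing(RESULTS)}")
    print(f"redundant          : {sorted(redundant(RESULTS))}")
    later = degrade(RESULTS, "edr", "test-03 credential dump")
    print(f"regressed since last run: {sorted(regressions(RESULTS, later))}")
```

On the sample data, the email gateway and firewall turn out redundant (everything they catch, EDR or the SIEM also catches) while EDR alone stands between the stack and a credential-dump gap; a second snapshot in which EDR stops catching that test shows up as a regression rather than being hidden by the unchanged headline coverage of the other three controls. Re-running the same tests on a schedule is what turns the assumption into a measurement.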
