How Brandolini’s law informs our everyday infosec reality
Brandolini’s law, also known as the “bullshit asymmetry principle”, was coined by software consultant Alberto Brandolini in 2013. It is simple but devastating:
“The amount of energy needed to refute bullshit is an order of magnitude bigger than to produce it.”
While it’s often thrown around in political debates and social media flame wars, I’ve been thinking a lot about how brutally relevant it is to our world of cybersecurity.
Brandolini’s law casts a long shadow over everything we do, from fighting social engineering to dissecting threat intel and even trying to make sense of the very tools we rely on.
Understanding this uphill battle isn’t about being pessimistic: it’s about being realistic and, ultimately, more effective. So, let’s dive into the nitty-gritty.
The asymmetric grind: Offense vs. defense
This is where it hits home most directly for anyone in security. The attacker’s playbook is all about finding that single crack in the armor – one unpatched server, one unsuspecting click, one moment of human error. We’re the ones scrambling to fortify every possible entry point, often against threats we may not have even seen before.
Consider a basic phishing attack. Some threat actor can whip up a fake login page in minutes, blast out a generic “your account has been compromised” email, and just wait for someone to take the bait. That’s a minimal investment of their time.
Now, flip to our side. If even one person clicks, the alert sirens start blaring. We’re talking about hours, sometimes days, spent isolating the compromised account, tracing the attack, resetting passwords, digging through logs for lateral movement, and cleaning up the mess.
Attacker time: maybe 10 minutes. Defender time: potentially 10 hours, and that’s on a good day. This is Brandolini’s law in its purest, most frustrating form. They throw the digital equivalent of a Molotov cocktail, and we’re left doing triage with the cleanup crew.
The social engineering minefield
Social engineering is where the asymmetry feels almost personal. A simple, often poorly written email lands in someone’s inbox:
“Urgent security update required! Click here now.”
That took maybe 15 seconds to type out.
Now, let’s look at the defensive wall we have to build against that:
- Running constant phishing simulations (and dealing with the inevitable employee resistance).
- Developing and delivering comprehensive security awareness training.
- Trying to create training that’s engaging, and not just another thing people click through.
- Tracking who has completed the training (and nagging those who haven’t).
- Sending out regular reminders and updates.
- Testing everyone again, month after month, quarter after quarter.
It’s enough work that most companies pay for a subscription product just to coordinate it all. On the attacking side, meanwhile, very little sophistication is required: an average person with a keyboard, or (increasingly) an average person with access to an AI, will do.
It’s not that people are inherently careless: it’s that the attacker’s message often preys on fear and urgency, while our defenses rely on building a culture of cautious awareness, which is a much slower, more deliberate process. They’re exploiting emotion, we’re trying to instill logic. Asymmetric effort, asymmetric impact.
Drowning in data
We live and breathe by our security tools, and the endless streams of logs and alerts they generate. But here’s the rub: attackers know this too. They can intentionally trigger a flood of minor alerts to mask the real threat.
Suddenly, your SIEM is lighting up like a Christmas tree because of some anomalous behavior. Is it a genuine intrusion attempt? Or just your CI/CD pipeline acting up again? To answer that, someone on your team has to spend time investigating each alert. And this is where Brandolini rears its head.
It’s incredibly easy to generate a false positive – a slightly unusual file hash, an unexpected network connection. But proving that something is not a threat? That requires digging, context, and often a significant investment of time. Multiply that by dozens, or even hundreds, of alerts a day, and you’ve got analysts bogged down in a sea of noise, potentially missing the signal.
The asymmetry here is stark: a small, often benign action on the attacker’s part can generate hours of investigation on our end.
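To make the alert-flood problem concrete, here is an added example (my own illustration, not code from the original post or from any SIEM vendor) of triage logic that collapses a burst of one rule firing repeatedly from one host into a single summary item and moves everything else to the top of the queue. The alert stream is constructed, and the burst threshold and time window are arbitrary assumptions to be tuned for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alert stream (not real SIEM output). Eight near-identical
# file-hash alerts from a CI runner arrive within a few minutes, and one
# unrelated alert sits in the middle of them.
RAW_ALERTS = """\
2024-05-01T09:00:05 medium unusual_file_hash ci-runner-03
2024-05-01T09:00:41 medium unusual_file_hash ci-runner-03
2024-05-01T09:01:12 medium unusual_file_hash ci-runner-03
2024-05-01T09:01:50 medium unusual_file_hash ci-runner-03
2024-05-01T09:02:07 high new_admin_logon ws-finance-12
2024-05-01T09:02:33 medium unusual_file_hash ci-runner-03
2024-05-01T09:03:04 medium unusual_file_hash ci-runner-03
2024-05-01T09:03:39 medium unusual_file_hash ci-runner-03
2024-05-01T09:04:15 medium unusual_file_hash ci-runner-03
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_alerts(text):
    """Turn the whitespace-separated sample lines into alert dicts."""
    alerts = []
    for line in text.strip().splitlines():
        ts, severity, rule, host = line.split()
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "severity": severity,
            "rule": rule,
            "host": host,
        })
    return alerts


def triage(alerts, burst_threshold=5, window=timedelta(minutes=10)):
    """Collapse bursts of one rule from one host into a single summary item
    and surface every other alert ahead of them.

    A burst is `burst_threshold` or more hits of the same (rule, host) whose
    first and last timestamps fall within `window` (both values are assumed
    defaults). Collapsing a burst does not dismiss it; it stops the flood
    from burying the lone alert in the middle of it.
    """
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["rule"], alert["host"])].append(alert)

    items = []
    for (rule, host), hits in groups.items():
        hits.sort(key=lambda a: a["ts"])
        span = hits[-1]["ts"] - hits[0]["ts"]
        if len(hits) >= burst_threshold and span <= window:
            worst = max(hits, key=lambda a: SEVERITY_RANK[a["severity"]])
            items.append({
                "kind": "burst",
                "rule": rule,
                "host": host,
                "severity": worst["severity"],
                "count": len(hits),
                "first": hits[0]["ts"],
                "last": hits[-1]["ts"],
            })
        else:
            for alert in hits:
                items.append({"kind": "single", "count": 1, **alert})

    # Lone alerts first (highest severity on top), collapsed bursts after them.
    items.sort(key=lambda i: (
        i["kind"] == "burst",
        -SEVERITY_RANK[i["severity"]],
        i.get("ts") or i["first"],
    ))
    return items


if __name__ == "__main__":
    for item in triage(parse_alerts(RAW_ALERTS)):
        if item["kind"] == "burst":
            print(f"[burst x{item['count']}] {item['rule']} on {item['host']} "
                  f"({item['first'].time()} to {item['last'].time()})")
        else:
            print(f"[{item['severity']}] {item['rule']} on {item['host']} "
                  f"at {item['ts'].time()}")
```

Collapsing the burst also makes the decoy pattern itself visible: eight hits of one rule from one host in four minutes reads very differently from eight independent findings, and that shape is worth an alert of its own.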
The threat intel echo chamber
The world of threat intelligence isn’t immune to this imbalance either. How often do we see sensational headlines making dramatic claims?
“Massive new ransomware campaign targeting your industry!”
“Nation-state actor deploying never-before-seen zero-day!”
The immediate reaction is a flurry of questions from leadership: “Are we vulnerable? What are we doing about this?”
And then the real work starts:
- Trying to find concrete evidence to back up the claims.
- Analyzing samples, if they exist.
- Tracing the reported indicators of compromise (IOCs).
- Trying to determine the validity of the attribution.
- Coordinating with your threat intel providers for clarification.
- Developing and communicating your response plan.
Sometimes, after all that effort, the initial threat turns out to be overhyped, misinterpreted, or even completely fabricated. But the time and resources spent chasing down shadows are gone. The asymmetry lies in the ease with which fear-inducing narratives can be created versus the rigorous analysis required to verify them.
The supply chain black hole
The supply chain has become a prime target for asymmetric attacks. In the SolarWinds breach, attackers compromised the build system for the Orion platform and slipped a backdoor (later named SUNBURST) into signed product updates, which roughly 18,000 customers then installed.
That wasn’t a brute-force attack; it was a subtle, almost surgical insertion into a trusted software pipeline. Whatever the attackers invested in getting into that build environment, it was small compared to the massive disruption and cleanup that followed.
The aftermath involves:
- Scrutinizing software builds and CI/CD pipelines with a fine-tooth comb.
- Verifying the integrity of every piece of software in your environment.
- Trying to figure out which of your systems might have been affected.
- Notifying your own customers about potential risks.
- Working to rebuild trust in the compromised software.
A single tampered build can trigger months of painstaking work for defenders across the globe. The asymmetry is brutal: we’re not just fighting the initial attack, we’re dealing with the cascading impact throughout the entire supply chain.
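Verifying “every piece of software in your environment” starts with something mundane: comparing what is actually deployed against what the vendor says it shipped. The following is an added example, not code from the original post or from SolarWinds; the artifact names and contents are constructed, and the manifest stands in for a vendor-published list of pinned hashes.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an in-memory artifact (a file read in binary mode in practice)."""
    return hashlib.sha256(data).hexdigest()


# Constructed build artifacts standing in for files on disk (not real packages).
ORIGINAL_ARTIFACTS = {
    "agent-core.dll": b"release build 2024.1 " * 64,
    "updater.exe": b"updater v7 " * 32,
    "helper.dll": b"helper lib " * 16,
}

# The manifest is what the vendor published for the known-good build. In a
# real pipeline it must itself be signed and fetched out of band; here it is
# simply the pinned hashes.
MANIFEST = {name: sha256_hex(data) for name, data in ORIGINAL_ARTIFACTS.items()}

# What actually landed in the environment: one artifact has a single byte
# changed, one is gone, and an unlisted file has appeared alongside them.
_core = ORIGINAL_ARTIFACTS["agent-core.dll"]
DEPLOYED_ARTIFACTS = {
    "agent-core.dll": _core[:100] + b"X" + _core[101:],
    "updater.exe": ORIGINAL_ARTIFACTS["updater.exe"],
    "loader-patch.dll": b"not in the manifest",
}


def verify(manifest, deployed):
    """Compare every deployed artifact against the manifest.

    Returns {name: status} with status one of ok, tampered, missing, unlisted.
    All three failure kinds matter: a missing file can be a stripped security
    component, and an unlisted one can be a dropped implant.
    """
    report = {}
    for name, expected in manifest.items():
        if name not in deployed:
            report[name] = "missing"
            continue
        actual = sha256_hex(deployed[name])
        # compare_digest avoids leaking where the digests diverge via timing.
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in deployed:
        if name not in manifest:
            report[name] = "unlisted"
    return report


def is_clean(report):
    """True only when every manifest entry matched and nothing extra appeared."""
    return all(status == "ok" for status in report.values())


if __name__ == "__main__":
    for name, status in sorted(verify(MANIFEST, DEPLOYED_ARTIFACTS).items()):
        print(f"{status:9} {name}")
```

The caveat the SolarWinds case makes painfully clear: a check like this catches tampering after the build, but it would have passed the backdoored Orion updates, because they were built and signed by the vendor’s own pipeline. Catching tampering inside the build needs reproducible builds or provenance attestations from the pipeline itself, not just a hash list published by the same party that produced the binaries.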
Smart defense strategies
So, how do we navigate this inherently uneven playing field? We can’t wish the asymmetry away, but we can focus on strategies that amplify our defensive capabilities and raise the cost of each attacker move.
Here are some tactics that acknowledge and address Brandolini’s law:
- Automated detection and response: If the speed of attack outpaces our manual response capabilities, we need to empower our systems to react in real-time. Automation is key to shrinking the response gap.
- Zero trust architecture: By operating under the assumption that a breach has already occurred, we minimize the potential damage from that single successful attack. Every access attempt is scrutinized, reducing the attacker’s ability to move laterally.
- Behavioral analytics: Instead of solely relying on known signatures, we need to focus on identifying deviations from normal activity. This helps us spot novel attacks and insider threats that might otherwise slip through the cracks.
- Continuous, realistic security training: Security awareness shouldn’t be a once-a-year checkbox exercise. We need ongoing, engaging simulations that reflect the real-world tactics attackers are using. Make it practical, make it relevant, and make it stick.
- Complexity reduction: The more intricate our infrastructure, the more potential hiding places exist for attackers and the more assumptions we have to get right. Simplifying our environments makes them easier to monitor and defend.
We’ll never achieve perfect parity with attackers, but by focusing on these smarter defense strategies, we can make the game more winnable.
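As an added illustration of the behavioral analytics item above (my example, not code from the original post or any product): build a per-user baseline from login history and score each new login by how far it falls from that user’s normal, rather than matching it against a known-bad signature. The history and events are constructed; the point weights and the two-standard-deviation hour band are assumptions that would be tuned against real data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed login history (not real logs): user, timestamp, source country,
# device id. Alice normally logs in from Germany, in working hours, from her
# own laptop or phone.
HISTORY = """\
alice 2024-05-01T08:05:00 DE laptop-alice
alice 2024-05-02T09:12:00 DE laptop-alice
alice 2024-05-03T09:40:00 DE laptop-alice
alice 2024-05-06T10:02:00 DE laptop-alice
alice 2024-05-07T11:30:00 DE laptop-alice
alice 2024-05-08T13:15:00 DE laptop-alice
alice 2024-05-09T14:00:00 DE phone-alice
alice 2024-05-10T16:45:00 DE laptop-alice
alice 2024-05-13T17:20:00 DE laptop-alice
alice 2024-05-14T18:10:00 DE laptop-alice
"""

# Constructed new events: a normal login, a login from a new country on an
# unknown device at 03:40, a late-evening login from the usual laptop, and a
# user with no history at all.
NEW_EVENTS = """\
alice 2024-05-15T09:15:00 DE laptop-alice
alice 2024-05-15T03:40:00 BR android-unknown
alice 2024-05-15T22:30:00 DE laptop-alice
bob 2024-05-15T09:00:00 DE laptop-bob
"""


def parse_events(text):
    """Parse the sample lines; hour is fractional so 09:15 becomes 9.25."""
    events = []
    for line in text.strip().splitlines():
        user, ts, country, device = line.split()
        dt = datetime.fromisoformat(ts)
        events.append({
            "user": user, "ts": dt, "country": country, "device": device,
            "hour": dt.hour + dt.minute / 60,
        })
    return events


def build_baselines(history_text):
    """Per-user baseline: countries and devices seen, mean and spread of login hour."""
    seen = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": []})
    for e in parse_events(history_text):
        seen[e["user"]]["countries"].add(e["country"])
        seen[e["user"]]["devices"].add(e["device"])
        seen[e["user"]]["hours"].append(e["hour"])
    return {
        user: {
            "countries": b["countries"],
            "devices": b["devices"],
            "hour_mean": mean(b["hours"]),
            "hour_sd": pstdev(b["hours"]),
        }
        for user, b in seen.items()
    }


def score_event(event, baselines, sd_multiplier=2.0):
    """Return (score, reasons); higher means further from this user's normal.

    Weights are assumptions: a new country or device counts 2, an unusual
    hour counts 1, so an odd hour on its own never trips the threshold.
    """
    b = baselines.get(event["user"])
    if b is None:
        return None, ["no baseline for user"]
    score, reasons = 0, []
    if event["country"] not in b["countries"]:
        score += 2
        reasons.append(f"new country {event['country']}")
    if event["device"] not in b["devices"]:
        score += 2
        reasons.append(f"new device {event['device']}")
    if abs(event["hour"] - b["hour_mean"]) > sd_multiplier * b["hour_sd"]:
        score += 1
        reasons.append(f"unusual hour {event['hour']:.2f}")
    return score, reasons


def is_anomalous(score, threshold=2):
    """A user with no baseline yet is not scored; that case needs a human look."""
    return score is not None and score >= threshold


if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for e in parse_events(NEW_EVENTS):
        score, reasons = score_event(e, baselines)
        flag = "ANOMALY" if is_anomalous(score) else "ok"
        print(f"{flag:7} {e['user']} {e['ts']} score={score} {reasons}")
```

The late-evening login scores a point but is not flagged, which is the deliberate trade-off: people do work late, and a model that pages on every odd hour becomes the alert flood described earlier. The 03:40 login from a new country on an unknown device is what this approach exists to catch, and no signature was needed to catch it.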
Final thoughts: embracing the imbalance
Brandolini’s law is a constant reminder that defense is often a heavier lift than offense, but that doesn’t mean we’re destined to lose. It means we need to be strategic, to prioritize resilience over the elusive promise of perfect security. It means accepting that the landscape will likely never be “fair” or “simple.”
Cybersecurity is inherently asymmetric, and Brandolini’s law reminds us why that’s such a persistent challenge. But with the right mindset and the right tools, we can reframe that challenge as an advantage. Simplicity, automation and context-aware access are survival strategies in an unfair fight. And if we use them well, we’ll defend and we’ll endure.