
Alert Orchestration

BSides Peru · 23:39 · 40 views · Published 2017-06
About this talk
Alert Orchestration. Presenter: Luis Guzman, Independent Security Consultant. He discusses security alerts, alert precedence and categorization, and thoughts on how to enrich alerts and deliver that information so that a programmatic or human-aided decision can be made.
Transcript [en]

Next one, we have Luis, who is going to talk about security alert orchestration, Luis Guzman. So if everybody turns and looks at the back of the room, it would probably be more comfortable for me.

Awesome, all right. So we're not on some old 8l guy here, 2015, and join slip building sector. I worked, in some capacity, with the DoD or other for about 22 years. It sometimes led Cybercom, thank God, forensics lab down there, and then it kind of moved into the tech field, where I've been in a financial and a startup, and they're really different, allopathy, they're all worried about the same things, but they're very different in the way they work. I know that we're, like, broadcasting this, I think, on YouTube, so I just wanted to remind everybody I'm not the item Louise class mom, okay, please don't confuse, right. So what should we expect from this talk? So, how to generate lines of code, I'm not going to give you a lot of demo, I have no magic tricks, and then you want to, I don't plan on using them. Primarily I'm going to talk about, like, a case for automation, and then remind everybody still about the humans, and you'll kind of see that through all this, and I don't believe the bots are going to rise up and take over all jobs. Place here, kind of signal, not function. And by the way, if I'm going too slow or too fast or you're just bored, tomatoes are better than, all right. So why security automation? Well, I don't know about everybody, a lot got passes, um.

How many of you are managing, manage people? Party of you, or animus? And how many of you are engineers? Okay. So I'm going to super way stop this, but we can go on either three of those things and talk about, because that's kind of like we were just talking about, it went all over the place. We kind of want to talk, hopefully get some participation. So, of all the environments: increased security information, uneven skill sets in your team, is what every manager, I think, sees. Life like, it's a lot of great information, so they're coming fast, everybody's kind of changing what you're doing, there's new something else in the middle week, and all of our team members are not level, understand the networks the same, and it's very difficult, right. And so part of the cases that help people talk about today is what do you truly Charlie do here, and then how do we kind of unify that in a way that we can come in close. This is the obligatory "the bad guys are coming" slide, right. And if you just saw the time that, you know, hackers only have to be right once, right, which is kind of true, but it's kind of also, like, against the principles of defense, right. Like, I mean, if you look at combat through the centuries, there've been like 5,000 years we've been talking about it, that it's like a three-to-one attacker-to-defender issue. So if that's the case, why is this hard? I mean, we own the house, right. We should know our own networks. The attackers have to discover your name, file about, are going to exploit you, infiltrating, exfiltration, come on up there. You have no idea what our defensive spots or should not normally have you access, hard say. Then insider threat, or the insider threat, right. It's like, I mean, you know, I think the Brighton reports net like 18 percent of the attacks last year were insiders, with culture ultimately my life to huge state and magazine, we're in America.

Ultimate the VIP community as well as inside of the house, that I concur. I may not just say the way has been very connected, bro. I mean, you wouldn't expect some, we travel to going downtown, sister dear queen pentagrams in the door, because they're not here, but everything interconnected, then kind of people could just get in through your network, and you know, just one of those things. I think it's many different people that watch, they fill out my view, they do it because it's so many ways of getting the different places, attack. Okay, what don't discrete the attackers to let the working ranks, big what they're not the where they break something, sure, winds and learning, I'm ready.

Yeah, yeah, okay. Let's just say some, some houses don't, involved. All right, no, no, just yet. Yeah, I work for a start-up recently, and we actually had our internal, our internal domain, a lot of one freaked me out, Manny. Well, this is a super good one, right, and it kind of goes to what you were talking about here: it's not only that they don't generate revenue, but I Pisa grow on most companies, doubly so of your security, right. Wow. So my top server, I don't really have an answer to this generally, but looking at it from my point of view, the thing that I can't control is the problem of noise versus signal, right. Does anybody know what I mean by that? And your ears in room should be noise versus, ooh, anybody want to give a layman's terms? It is sort of what social selection, um, it's hard to know what you're looking for, this is really like noise or interference within your signal is a problem. If EE, no problem if you're, if you're the person that just, you know, kind of self-trained themselves and are seeing malware for the first time, right, and you're really super smart, right, so you're going to run it through a thousand sandboxes, you're going to check 17 reputation sites, and your minimum work for fifty minutes to two hours to try to figure out what just happened anywhere. And then you're going to go, I've got to examine the person now, right. So you can spend all that time looking at the person, and then you're going to spend all your time looking in the network, and then you're going to go for hours and hours and hours into the IP, by next you said I am Susan Humphries. So this is what I think is the biggest problem, kind of talked a little bit about it. Is okay, so what's role, role performance, and I'm probably not even going to talk to this, but the biggest part of this is that it's not only about technology but it's also about repeatable procedures and training

people to be able to handle them, right. So even if we talk about alert automation, what we're really talking about is capturing the signs in your brain in a way that's repeatable by that guy, and it's augmenting the technology, and that's what we really talk about. It's like the idea of computer vision, where you can, like, see imagery, and a computer has a really difficult time seeing a satellite on a pizza imagery, you know, see a satellite multisig really well, this guy you can't do, computer, but if they could sift out all the potentials they just cut your setting in the tent by order method. And so it's really on how do we look at the information. Need all that information yet, right. And what I've seen, at least in not two places that I've been to, is that there's a lot of information there, everybody knows exactly what's going on in our system, right, but we're fumbling around trying to understand that, and we've taken the advantage of only the Chilean away from we only, right. You should know exactly what's on it, you should know what networks are out there, we have more freedom of underdog movement to look what's inside of our networks, then are you discussing they have no clue what they were turning off already, which she loves more, right. All right, and then, um, you see, sorry, and there's a lot of collaboration teams and way over-dependency on the one smart person who understands all the systems, right. And that person had the advantage, right, because they have job security. I see this way too many times, ready, walk, did senior intrusion detection analyst knows everything and no one knows nothing but that, right, because there's no information share, no, no information sharing for training. All right, so I mean in my last organization and the one before that, I've been concentrating on the bone shared, shared knowledge bases, you know, sharing information between us, training programs for the individuals, right, getting shared information steps between us and the IP one's lazy since admins, I know if they're lady, right, or

particularly on the desk 92, what we see, I would tell you generally they are moving at a different speed than you are. I didn't necessarily, person involved is the person, believes we can also be over however much. What I've seen also is consistency, one, they just want a consistent process, because they'll also trying on me and they're afraid to share those processes because they booked it on their laptop, and maybe so. I see that all, and on the dev side, okay, I'm just trying to get my job done and every security Hardaway's problem. Uh, so, um, one of the things that I focused on in the other side to get to this middle layer, where we got moderate signal, is to develop a common security event logging. What do I mean by that? Does anybody have an idea? It's not just set, if you're in like a place that's a start-up and you know have a hobby, right, that's a problem, right. Or one set of logs records MAC addresses and the other set of logs records IP addresses, and neither of them are usually juice, right. So one of the things that I looked at to develop in this moderate signal is to enrich that data, or to decorate the information going in, so that it can make those connections quickly between, all right. And then at the highest level is this concept of automation, or enrichment vendors, where what I see is you can change by orders of magnitude the amount of information that is being presented to your analysts or your engineer to make a decision, right, or you can feed, get information from your environment in order to support random process. So a couple of examples, anybody do this already, right. So one of the things that we used to do at my last corporation is that we would send the Dino when we saw certain batch lines being run within online, right, and it was an email to the person that ran it and said, hey, did you really intend to do that, right. X Slack, which is another sister company, they would send a Slack over to the individual and ask, engages you in send run recommend. But it's this concept of pulling information and pushing it in front of the person who has to make the decision, right, and being able, you said, informations maybe, oh, too close or auto remedial central pontine. All right, one is an example on sat value: there is that binary in a user's temporary directory. If you were the analyst or the engineering person, entrances, what would you want to know? Anyone? Longings, not illogical say then bombing in Austin. So file attributes, where it came from, where it came from, how did it get into our environment, vector, what user, caution, information about the user, whether, what do they have, what else really work for the department, permissions that he may have. Awesome, so

again, what else is acting or great, what's happening on the system itself, or perhaps within, you not agree, thank you. Yeah, I'm sorry about that. Awesome. So, everything about the binary: file type, reputation, maybe we already had a positive, what it is. Cool, yeah, reputation from, or beautiful Radha Thor looked at the time, but history: how many times is this binary exploding there, but how many times did the guy or gal that makes that machine get infected, how many incidents have a similar profile to what you're looking at, I mean, create how many, how many binaries exploded in your organization, has secondary colossal unknown terrain. So I would tell you that, money like that, career started warm, all of its those were manual stacks, men, okay. I'd literally have to upload to VirusTotal, or upload it into my crew from sandbox, get the results, view reputation, stand against all of the intel sources I had, try to figure out how it got into my environment, probably by pulling memory off the machine itself, or pulling. So the argument is that we can do this through automation, in without a call, right. The question is, are you wanting to get that information all in one place, and do you have the latitude to really, now, kind of talk to an example. It's a really good one because this is an example that happened in my environment, the model, right. Just next, you know, that environment I was in: internal, routable on the Internet, machine management, high level rights for individual users because we were a high technology shop, pretty much touch everything. Now, did some other goodness about it, for example that we have machine level certs, so you couldn't talk to the involved without doing cucumber chain and everything, the spoon factor, right. So super, also we spent a lot of time looking at the label eyes, most business processes went through a lot of miles plus, we're screwed actually into armor but stuff, but it still took a lot for you to get all that information yet. So this is what I see, right, take me hours when I first started, or when most people first start, to just go through and locate the potential incident, and how many of you just don't know what it is, so they belittle falls on you, let's be honest, okay. How often do you think your junior analysts and people starting, new people do this, can't see anything bad, all the reputations are B, you know. So what I assume is that it's taking time, I've seen this happen, that particularly take upwards of six hours, right, with over half of them being for top law. Any of you guys?

There's a lot of programs out there that detonate a moment using temporary directory. Ah, I'm talking way more than issue, right, like because I was, oh, right. So yeah, I'm appreciating your environment. I think what we're getting at is that understanding the she hears within environment, understanding how your environment functions, the technologies, and what's a long novel is super. And if you could eliminate this, leader understands that some of the systems in my guys, I've worked with a bunch of engineers to help in the cotton fired all temporary directory, how do we distinguish, we went back to these things and deliver that information at time of detonation with the initial alert to the person that was examining. Okay, so falls out to reputation sites on hashes: went online, look up took an hour, send, went programmatic, right. So the hash, the individual, like the machine, all look up and I send and return back in Robles format. If it met a certain threshold, for example, wasn't sitting on a, on a write letters establish something like into rule, met cons mention Bob Woodruff, or went to the known potential secondary download site, system was programmatically contained, right. I think that's the only way that you can tackle these types of problems at scale, is that it's a trick of decreasing the amount of time to teach you to execute. Now isn't that one analyzing securities, mostly like with a little bit of sweet from people than that what they're supposed to do. Treat you like the large organization, and they give it to you all in one package, to rebuy all their suites, but altogether she worked magically like this alert. How many companies in the room, how many people have one type of vendor product seriously throughout their entire life? Why? As we supposedly buy best of breed, or the business pushes us to buy the cheapest, it cost one or the other, right. So you have to be able to synchronize all of this information, and I'll talk to an example or some discussions about how we did it, right. So in a nice environment I was in we had

nothing. We put up our SIEM, created a security logging layer, functionary spoke out on in your environment, and also looked at canaries within our logging systems, right. So sending log alerts so we knew what the hell was happening, right. Did that, hit that robot in the corner, actually ever see anything? But we were forced to go respond to those by sending side, or our actual canaries, black box canaries within our environment, we would touch them, right, to see what happened. Then we established the set of metrics, which I just responded, then we put into an automation platform, integrated our chat platform into this, and created a shared knowledge base, so all signatures were written into a shared knowledge base, right. We had an automated process that was integrated with our chat platform, so what we were hunting within our chat platform, example seamless before that, when you're really interested, it's something called security bot, it was downloaded, try to room, okay. But as we went through our processes we were able to then dump that information into our centralized automation platform, which effectively was actually, and then we had a common incident, you drop the organization, like seven on board addictions, in two procedures, started molding Larsen, and I will happen to see the stop of the topics, and then established auto-closure or auto-continue procedure. When I say auto-closure it doesn't mean that we never looked at it again, it just meant that those alerts were pushed off of the pressing right-now look, and instead we look at ice melted, thank you, right. So in general we saw that the whole drops of ten thousand was the number of alerts that we had over a quick period, right, and then we were able to push that down to approximately five thousand alerts that required manual intervention, right. And then once we started putting in all of these other pieces, where we even really finely tuned our signatures, we were able to drop your mom's alerts to about five hundred, of which there were two incidents, right. We had high city, like not a hundred ten, still have issues, and there are other iterations that we had, like integrating, or how important our internal pentesting, and then eventually a purple team, but in general we dramatically increased them, all right. Now I wonder those super fast because anyone who bullies well would love to talk, mothers, can somebody give me an example of automation that's happening within your environment?
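Worked example, added to this page and not part of the talk or the speaker's tooling: the enrichment-and-threshold flow described above, where an alert for a binary executing from a user's temporary directory is decorated with hash reputation, user and host context and history, scored, and then routed to auto-close, analyst review or programmatic containment. Every feed, hostname, user, hash and point value below is a constructed placeholder; the scoring weights and thresholds are an assumption for illustration, not the speaker's.

```python
"""Alert enrichment and triage: pull context into one record, score it, route it.
All lookup tables are constructed for this example; hashes and hosts are
placeholders, not real indicators. Weights are illustrative assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Alert:
    host: str
    user: str
    path: str
    sha256: str
    parent_process: str


@dataclass
class Triage:
    alert: Alert
    reputation: str            # malicious / suspicious / clean / unknown
    reputation_sources: int    # how many feeds agreed on the verdict
    department: str
    is_admin: bool
    prior_host_incidents: int  # confirmed incidents on this host before
    prior_detonations: int     # times this hash ran from a temp dir org-wide
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    disposition: str = ""


# Constructed stand-ins for the reputation feeds, directory and incident
# history the speaker describes querying by hand.
REPUTATION: Dict[str, Tuple[str, int]] = {
    "sha256:PLACEHOLDER_0001": ("malicious", 3),
    "sha256:PLACEHOLDER_0002": ("clean", 5),
}
DIRECTORY: Dict[str, Tuple[str, bool]] = {  # user -> (department, is_admin)
    "alice": ("engineering", True),
    "bob": ("finance", False),
    "carol": ("marketing", False),
}
HOST_INCIDENTS: Dict[str, int] = {"wks-0042": 2, "wks-0100": 0}
DETONATIONS: Dict[str, int] = {"sha256:PLACEHOLDER_0001": 4, "sha256:PLACEHOLDER_0002": 120}
INSTALLER_PARENTS = {"msiexec.exe", "setup.exe"}  # constructed allowlist of benign launchers

AUTO_CLOSE_MAX = 20  # at or below: logged and pushed off the live queue
CONTAIN_MIN = 70     # at or above: host isolated programmatically


def enrich(alert: Alert) -> Triage:
    """The 'all in one place' step: every context source joined onto the alert."""
    verdict, sources = REPUTATION.get(alert.sha256, ("unknown", 0))
    dept, admin = DIRECTORY.get(alert.user, ("unknown", False))
    return Triage(alert, verdict, sources, dept, admin,
                  HOST_INCIDENTS.get(alert.host, 0),
                  DETONATIONS.get(alert.sha256, 0))


def score(t: Triage) -> Triage:
    """Additive risk score, each contribution recorded so the analyst sees why."""
    def add(points: int, why: str) -> None:
        t.score += points
        t.reasons.append(f"{points:+d} {why}")

    if t.reputation == "malicious":
        add(40 + 10 * min(t.reputation_sources - 1, 2), f"malicious per {t.reputation_sources} feed(s)")
    elif t.reputation == "suspicious":
        add(25, "suspicious reputation")
    elif t.reputation == "unknown":
        add(15, "hash unknown to all feeds")
    if t.is_admin:
        add(15, "user holds admin rights")
    if t.prior_host_incidents:
        add(10, f"host had {t.prior_host_incidents} prior incident(s)")
    if t.prior_detonations == 0:
        add(10, "first time this hash seen in the org")
    elif t.prior_detonations >= 50:
        add(-15, "hash widely seen, likely routine")
    if t.alert.parent_process in INSTALLER_PARENTS:
        add(-20, f"launched by allowlisted installer {t.alert.parent_process}")
    t.score = max(0, min(100, t.score))
    return t


def dispose(t: Triage) -> Triage:
    """Threshold routing: contain, hand to an analyst, or auto-close (still logged)."""
    if t.score >= CONTAIN_MIN:
        t.disposition = "contain"
    elif t.score <= AUTO_CLOSE_MAX:
        t.disposition = "auto_close"
    else:
        t.disposition = "analyst_review"
    return t


def triage(alert: Alert) -> Triage:
    return dispose(score(enrich(alert)))


def funnel(alerts: List[Alert]) -> Dict[str, int]:
    """Per-disposition counts: how many of the raw alerts still need a human."""
    counts = {"contain": 0, "analyst_review": 0, "auto_close": 0}
    for a in alerts:
        counts[triage(a).disposition] += 1
    return counts


SAMPLE_ALERTS = [  # constructed sample input
    Alert("wks-0042", "alice", r"C:\Users\alice\AppData\Local\Temp\upd.exe", "sha256:PLACEHOLDER_0001", "outlook.exe"),
    Alert("wks-0100", "bob", r"C:\Users\bob\AppData\Local\Temp\helper.exe", "sha256:PLACEHOLDER_0002", "msiexec.exe"),
    Alert("wks-0100", "carol", r"C:\Users\carol\AppData\Local\Temp\inv.exe", "sha256:PLACEHOLDER_9999", "winword.exe"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        t = triage(a)
        print(f"{a.host} {a.user} score={t.score:3d} -> {t.disposition}")
        for r in t.reasons:
            print("    ", r)
    print(funnel(SAMPLE_ALERTS))
```

The reasons list is the part worth keeping in a real deployment: an auto-closed or auto-contained alert should still land in the shared knowledge base with the evidence that drove the decision, so a junior analyst can learn from the verdict and a senior one can tune the weights when the funnel's numbers drift.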
