
BG - The Leverage of Language, or, How I Realized Information Theory Could Save Information Security

BSides Las Vegas · 54:16 · 36 views · Published 2017-03
About this talk
BG - The Leverage of Language, or, How I Realized Information Theory Could Save Information Security - Conrad Constantine Breaking Ground BSidesLV 2012 - The Artisan Hotel - July 26, 2012
Transcript [en]

So this is all about pretty much what I've been kind of working on the last three, four years, a lot of ideas from, you know, way too much time realizing I suck at pen testing and I'm kind of decent at this whole routin crap, because I like to think I'm Batman, world's greatest

detective. I can also tell that pretty much, yep, pretty much most of you have never seen me talk before. I know that because you're watching. It's amazing what kind of inferences you can make with a little bit of logic behind stuff. All right, where's

our... see if this actually works the first time. Stranger things have happened.

Damn you pring, changing resolutions on this thing didn't really help. So everyone kind of had this idea of what this was going to be about. I can guarantee you it's going to be a lot less interesting than what you imagined, because this was my title for when it got submitted to Black Hat, because Black Hat pretty much goes you have a full title, and I think that's about where it ends. There's a certain amount of truth in it. So essentially what we all do in information security is filling the space between things. That's where the truth is hidden, for both offensive and defensive sides. It's not about what's in front of you; that's

actually the important stuff. It's about how you can connect it. The difference between someone absolutely green and, you know, a 15-year veteran is seeing those connections between the pieces of information that aren't there in front of them. Now I have to see

talk. For most of us, we spend a great deal of our time running through tools, pulling out information, pulling out data and turning it into information, and the amount of that just keeps getting larger every day. Right now the big thing is big data. Big data, small questions. So the last couple of years I've been working on really kind of getting away from that and figuring out what I think are some more fundamental problems. Scale is one of those things that we really aren't addressing. Scale isn't about how powerful your software is, how powerful the hardware is or anything else. Scale is about how much we're actually capable of dealing with and processing. This is the thing: we don't

deal with information, we spend our time deep in data. So how does this end up basically coming to pass in terms of day-to-day jobs, actually doing this for a company? We end up taking our own ability to go through things in this wonderfully non-linear fashion, make these great leaps of intuition between things, and try and do it in this corporate process-driven method where step A leads to step B, conclusion C. What we do doesn't really work that way, so why do the systems we end up doing our jobs in try to force us into that? The real issue for us is how can we actually get together a system that

allows us to be more effective in what we do, how does it scale? How many folks here spend a good chunk of their time training up the new guy over and over and over again? We spend a lot of time just communicating what we know down the chain of experience instead of actually applying it. What if we can actually harness that a little bit? It'd be good if we actually had time to work on some of that, but it's infosec: you get in in the morning, go post to change, yet another crisis to deal with. We've spent, what, at least the last decade plus, since things got commercially established, in perpetual firefighting mode. Down time to sit around and really

analyze why we do things the way we do them? Recently I finally got some time to do that, so that's what this is all about. First thing was just: why do we still do stuff like this? It's 2012. Everyone else gets these really kick-ass interfaces, really designed around how their workflow works, how their brain models most running externally important stuff. Whatever great software we have, we still tend to do all the work. What this means is we all spend more time mucking around with data and turning it into information than actually analyzing information, and that's what we're supposed to be good at, right? We don't really do it. So within that data, yeah, that's everything we need to

know. We've got to turn it into the story of your network: what actually happened here? There, you know, vast context really, it all boils down to this is what we actually saw. A whole bunch of data, but simple information. A lot of it ends up being structured; what we do isn't really that structured. Now there's some great stuff out there, security visualization is getting a little bit of traction, and visualization is good because it scales our ability to consume and translate more data at once. The human brain is the greatest pattern recognition engine on the planet, but most of the visualization we end up doing in our day-to-day reporting is absolutely worthless. I have a line I

keep telling people, especially the developers in UX: good visualization creates context and information that is not discernible from the raw data directly. Quick example: what is the function of a pie chart? Anyone? A pie chart is a crutch for someone who's too [ __ ] to know what a percentage is. It creates no new information that isn't already there, especially if you just left it in text and everything. Good visualization, by finding that space between, finds things that aren't immediately discernible without amounts of transformation and translation. They leverage the human brain's pattern recognition engine. So we're infosec, we like technology, kind of. We're also really bad Luddites about things; we look at

something: new tech, new complexity, new problems, don't want to go there. And what this ends up being is we all sit there going, I'm a command line ninja, I don't need any of that Co, I can do everything, man, like, in plain text. Which is cool, I mean everyone should be able to do that, but holding on to it as the only way to actually get the truth out of stuff... we're a bunch of kodin really, aren't we? End result though is we still are spending most of our time taking all the stuff that we can see and putting it into reports that other people can see. They really...

The end result though is most of the data we end up putting together, because of things like SQL, CSV data, we end up getting a quantitative model off. Um, there's definite forone me comes from, uh, but this is the kind of stuff we end up sitting there looking at. We're doing security because, you know, the more you have of something the worse it is, right? And it's not like that; real intrusions, real security [ __ ] is like one thing in a SE. I actually came up with the term finding the haystack in the needles about this. It was going to be my book title until RSA marketing stole it from

me last year. This is the problem: we end up using systems designed for quantitative analysis. It's not quantitative, it's qualitative. These 50 identical things, qualitatively one of them is more important than the other, and it's a relationship to other things that is the quality that makes it more important. So suddenly going, we had 150 bad login attempts on the network today. So yeah, it's Monday. Which of those bad login attempts is malicious? It's ridiculous. We do this... for me to build really good workflow systems using SQL, because everyone uses SQL. There's a couple of problems with SQL. It's designed for quantitative analysis, designed for accounting and spreadsheets and stuff where the relationships between factors are known ahead of

time. My kind of rant with this is: we do security, the relationships between things are not known ahead of time by definition. We do security, we find the relationships and interconnectedness between things, discover those, bring them to light. That's what security is actually based on as far as the analytic process and everything. When you do this, unforeseen result X happens, and have that in your database schema? So there's all these better ways to start looking at data and turning it a little bit more into information directly off the bat, and a lot of it comes down to: it's the relational patterns of things that are important, connecting the dots.

When you see things like this you just go, like, there it is, that's it, that's that little want, that's what I'm looking for. It's awesome. I mean, how many of you guys do incident response? Everyone goes on about how pentesting is really awesome, and like, yeah, I get it, I still get the best adrenaline rush at it: got him, bang to rights, smoking gun right here. This is what keeps me doing this; everything's got that one little thing that puts the rest of the puzzle together. Like, look at this, look at this, this is it, this is proof, we got it. So stuff we work with, that we do, model all the time, translate CS another, and we got all

these great tools and we spend all the time, yeah, that's MF output, firewall logs, and yeah, I feel really good because I just spent this afternoon writing a Perl script to Max them all together, dump them into SQL, and it's awesome, I got this one job done and I'm never going to use this again. We end up, because we didn't take time to define how we end up doing our work for pay in the enterprise, we end up letting the enterprise dictate to us what our workforce should look like, and the enterprise goes, well, this kind of sounds like tech support, tell you what, let's set up a ticket system and we'll just create a

ticket for every alarm, and then we'll get a bunch of people fresh out of college, we just have them there, we sit them down, get them to look at the alarm, go closed, next. Does anyone ever go back and look at historical alarms? What if this one looks like this maybe yesterday, maybe a week, three, four months ago? I'm going to have to drink a lot, I'm going to say APT again. Uh, does anyone, you know, go back and go, hey, can I figure out something like this from six months ago that might be some little intrusion that's been sitting there? God, I'm so cloud in about an hour after I'm done with this talk. People sit around

and wait for a while; it's not signature. We spend all our time running around getting information from the actual companies we work for, because no company can manage to get all the information about itself in one place. I think pretty much every incident response team I've been part of ends up building their own asset management system, because they're tired of looking into five different asset management systems the enterprise uses that are all slightly out of date depending on which department doesn't care about systems. So we sit around and we wonder why we can't actually scale anything to the level where we can be, I'm going to say, as agile as our attackers, because we end up having eight

people monitoring a company with 500 offices in 82 nations, and we can't know everything. You certainly can't find it all the time. At least that was my team. Um, so all the old bastards who have been doing it for a while spend all their time not doing actual work but holding the hands of new guys, going, oh yeah, that really obscure system over there with the host name pattern you've never seen before, yeah, I remember that, like eight years ago, it does this, I think the guy that runs that stuff doesn't work there anymore, I'm not sure. We spend all our time digging up information about the companies we work for more than anything else.

So, fix some of this. The first thing I wanted to fix is this ridiculous linear model we do. What we do is not tech support; it's not fix a problem, move on, throw it away, never come back to it. It's all about how's the big picture coming together. What we do is connect the dots. So why are we sitting working these linear tech support, anything else? Things are connected; let's look at those interconnections.

EV, don't know, might, I don't... which one should I go to next? Well, the next one in the list, which is on a completely different system, completely different network, a whole bunch of challenges. So everything I just did working to figure out what the hell I'm looking at on the first one, I then throw out of my brain to go do the next one, which is why on average it seems the average incident response team, as far as your managed analyst, gets through about 20, 25 alerts per day, and that's considered, like, really high, which is kind of dumb. What if we just went, hey look, this other event is kind of related to it, all the stuff you just

spent 30 minutes putting into your brain is probably still useful, so before you move on to something completely different, why don't we try and make sure we leave no stone unturned on what you were looking at first? Something that the way the brain works... you're probably going to find something easier to identify in that. So, Timmy has a talk called zombie workflows, about all these horrible workflow systems we have to do to get our job done, the things that take us out of the mindset we're actually in, the mindset that is doing our job, to go and fill out tickets, time sheets, go into stuff in a knowledge base

wiki. Zombie workflows: things that break the concentration path. Everyone knows this; like, the more you have to change context the less productive you are. So why don't we actually have [ __ ] that resembles that? Why does every vendor want you to do your job in their product? I really like your intrusion detection system; I don't want to do my job in it, I want to use it as an intrusion detection system. Everyone has to have a little ticket system in here, right? I do not want to record my work in your product, so I use it. I believe talk security metrics, is it kind of any wonder, like, all the security

metrics we get are quantitative, not qualitative. Hey look, we've blocked 4 billion spam emails. That's great, more or less; what's the coefficient on this? It's ridiculous. Spending our time filling out paperwork and describing what we did instead of doing it; work with... don't describe what we actually do. So the last couple of years I've been working on incident response workflow systems, data gathering, intelligence, uh, even trying to bridge a gap to the elephant in the room, governance, risk, compliance. Okay, I'm up to about eight drinks after this talk, so keep going. When I started over at AlienVault, um, they gave me kind of a scope: okay, build a better system from the ground up, and I started back on from the way I looked at it and sat

down figuring out my database schema, and then kind of realized this is exactly the opposite of what I wanted to do. I've been trying to build systems that let the analyst decide what is correct at all times. My general mantra for anything incident response has always been: the analyst is always correct. So I wanted a system that let them do it however they see fit. Then I realized, sitting down writing a database schema, I'm sitting here trying to predict all the interdependencies between things, all the various factors that can link one thing to another. I'm not smart enough to know what they all are, and it would be really presumptuous of me to assume that

everything I can think of is everything that everyone else wants. Um, actually that would just make me a security product vendor, but I do work for one. There was a point where I just realized that the RDBMS itself, SQL, was kind of the problem. It was designed for systems where you know the relationships ahead of time. So I ended up looking for other alternatives, something that would let these relationships emerge over time. There were a couple of other options; I started looking at this thing called the semantic web. The semantic web is one of those things that has been around the corner since Berners-Lee came up with it in the first place. It's wonderfully huting and academic and wonderful and beautiful and

pure, and no one doing any actual real work uses it. I did actually find a couple of people that are using it in the real world really effectively. The great thing about the semantic web is that it is all about the relationships between stuff. It's not about adding up how many of this happened or, you know, how many of this are in this category; it's about looking at relationships, interlinking between things, that between the web existence. The great thing about the semantic web is it's stupidly easy. I like stupidly easy. Um, most [ __ ] is too complicated for me to understand; if it's just complicated enough for me to understand then I'm probably, by definition, too

stupid to actually fix it when it goes wrong. Semantic web is really easy: subject, predicate, object, the triple. So a really simple idea. This is a table with three columns, just as you all learned in high school grammar: subject, predicate, object. Thing A has relationship to thing B; thing A does something to thing B. This is really easy, because you can actually start defining incredibly complicated relationship sets, really vast and interwoven data sets, just from this idea of thing A has some relationship to thing B. You can just have billions of these rows; amazing fun stuff out of it. The really great thing about this is that that predicate is the relationship between things. When you write

SQL, if you hand someone a SQL database they might be able to kind of reverse engineer it, pull some good queries out of it, but outer joins, uh, cross-reference foreign keys don't describe why those two things are related or how to use that relationship. You might have a couple of stored procedures in there, and it probably means something ridiculously obscure, uh, but mostly it's trying to reverse engineer and translate, extract, transform and load other people's data. I am really sick of being a data transformation monkey; I wanted to be an information security guy. Look at this: it's a schema that's actually full of information. The relationships actually get defined within the same table, in the same columns: thing A has relationship

to thing B. Once it starts scaling out you start seeing patterns just right there, human pattern recognition engine 1.0. That takes some pretty funky-ass SQL to do otherwise, and these are qualities, relationships, not quantities. So who actually uses this sh...? It's not just a ridiculous... the Open Graph, Facebook, those are enabled by triples. Google's got on the bandwagon now and started doing their own Knowledge Graph thing, uh, they're actually exposing some portions of how the whole Google search engine works through this. This is why certain words produce certain hits on Google search, because they're n degrees separated from the... there's this idea these two things are related concepts, similar. Bioinformatics, that's the only other

field I know that's really starting to get into using semantic data heavily. I'm a huge fan of bioinformatics because these guys are starting to look at a lot of the same problems we are: a lot of unstructured data, discovering relationships emerging from things. Most of bioinformatics isn't about finding new data points; we mapped the human genome, we've got most of the chemicals and organic compounds out there and everything. Bioinformatics is about going and finding the relationships and interactions between these things. Everyone's seen protein folding; you know, that's a great example. Protein folding: all the data points are known, you're just moving stuff around and seeing how the relationships change the outcome. Protein folding is about

calculating these things instead of going and sitting there in the lab making 10 billion different folded protein combinations. Security company doing this: they do fraud detection, that whole thing of is this a fraudulent transaction. This is kind of interesting because although this isn't network or host security, it's more behavioral, it gets into that idea of, yeah, we keep coming to that loop: we're going to do anomalous behavioral detection and everything, at which point I've got to stop getting into the kill chain thing about atomic behavior. These guys figured out how to do decent fraud detection based on this idea of behavioral interaction. They also make one of

the most popular RDF stores, triple stores. So how do we get this actually working for security? Well, the first thing you need is this thing called an ontology, which is kind of like a schema but it's not, because it's designed to be added on to and iterated over time a bit. Then there's this thing called Resource Description Framework, which is wonderfully academic, like all stuff written by brilliantly smart people; they make it so elegant that only they can understand it. It took me about a month to figure out RDF, and it's wonderful because once you understand RDF, RDF is really simple to understand, because most RDF is written in RDF. Couldn't be easier. But the great thing

about semantic stuff is that data stores are designed to work together. I can create a database of all my stuff, you can create yours, and by exchanging, like, a single link we can start working through, so we start together in this. This is a great line, I owe Google this one: things, not strings. How many people work in applications where IP address is a string field? Can you manipulate it as an IP address? No, because the UX guy wrote it as, oh, IP, that's a string, it's not a number because it has dots in it so it won't take a numeric, I'll make it a string. So try to manipulate it, Nik, extract data, modify it, dump it back in. Once again, same old,

same. So with semantic data you start actually describing things as they actually are. If SQL is kind of procedural, semantic itself is very object oriented: an IP address is an IP address and has all the capabilities and interactions that normally go with it. The great thing about semantic stuff over SQL is that it builds around the idea of there is something here we do not know. You can't link to a non-existent row in SQL; they don't have those kind of things. I really like the idea of this; this sounds like security to me. There is this thing out there, a known unknown. I know it exists, I know this thing has a relationship with it, but I don't know what it is yet. I'd like to

record that, and then when I find out what it is I can put it in. That con... search: you don't

know. Okay, back to sexy voice time, at least I think so. So this is the problem: we end up working in systems that don't record all the things we know. We end up sitting there writing stuff on wikis and paper pads and the whole shebang. You can't search for what you don't remember, what the system doesn't remember. We're knowledge workers; it's about putting the dots together, but we don't have systems that let us do that. So how about we start looking at something that lets us just record the work we actually do? Remember in math class, show your work? Well, how about we actually show our work in a system so we can go back and look at it

later. See this? That looks like a great breach timeline to me, about to put a few of these things together without sitting there extracting, transforming, loading data. Why don't we have systems that actually dump reports out like this? Well, because they don't track the relationship between things like this. I really like this one, I've used it so many times, but it's way too complicated to go through right now. So this is basically it: we're spending our time running around with data; we want to be working with information. Most of our systems don't give us information; they present data and expect us to come up with the information, record it, use it, make workflows out of

it. As one of my bosses has said, most of the stuff we get out of security tools and the vendor offerings these days, we're really excellent at getting everything up to the alert: look, something bad happened. But when it comes to actually what to do with that alert, we're totally reliant on people, and getting talent to scale is one of our biggest issues. Let's say, I think we can all say that, for every one of us out here in Vegas we've probably got about a thousand other folks out there that also do security that we're responsible for, either helping them do it a little

better or cleaning up their mistakes. How do we make our lives easier and stop having to teach people the same stuff over and over again? So I started looking at, well, this is a great theory, let's actually put some of it into action and actually make something that's information-based, not database-d. Oh, I see what I did there. So I got a bug in my ear about, you know, Metasploit is really cool if you're on the red team; where's Metasploit for the blue team? We have to track all this crap, train it, search for it, put the big picture together. Everyone likes doing the cool sexy red team stuff, but blue

team work is kind of slow, boring, repetitive, and we spend a lot of time looking at CSV and doing wikis and everything. Where's our cool stuff? On the pentesting end, how much time do you actually spend doing pen testing, and how much time do you spend recording, translating everything you actually did on that pentest and putting it into a big picture report? I'm stupid and lazy; I mean, I really want tools where I just do stuff and it records what I did, and then I just kind of click, I did this because, and then it spits out a report for me at the end. So there's some great stuff;

I've been mucking around with Dradis recently and everything, they're going down the same lines, but again we spend all our time translating data from one store to another. Why can't we throw it all in one? Well, we think we can't because no one's smart enough to know all the stuff you want to put in there, can't get a schema together for that. But the point of semantic stuff is I can have my schema, you can have yours, and they can interact. How about that? So this is what I ended up coming up with, and yeah, I've been working with SIEM so long I decided I had to kind of redefine it. I'm sick of point-in-time

data, information and events. We need a layer above those: better intelligence and exposures, what's actually happening. Everyone loves using the term situational awareness these days and everything, but I wanted something less government. That works. Also I work for a company that puts out something called OSSIM, so hey look, I'm running with a theme here. This is because I cannot start writing a piece of software without having an awesome name for it, so I just pretty much went for the jugular here. And what else was I going to call it? Workflow, because I ended up spending too much time being that integration guy for every incident response team I was on, and as boring as

workflows are, let's face it, integrating [ __ ] is just making better workflows for people to do better work with their jobs. Most of them suck; I hope this one doesn't. There's lots of panic out there, also a little bit of jealousy: where is the [ __ ] in security? Where does, like, Facebook and all the Web 2.0 guys and everything else get the cool share? Last time I checked we were the people with penetration tester on our business cards. I don't know about you guys, but I got into this thing so I could look cool and get

chicks. Actually, pretty well though, I've never had a business card that said penetration tester, though my current business cards do say research operative, um, because that's the job title I asked for, and my boss was going, that's cool 'cause I'm about to take chief hacking officer. Let's put it this way: the new management team comes on in a week, they don't have any say on anything until then, and then we're grandfathered in. Look at that though, wasn't that great? You know, screw it, I'm gonna go back again, I'm gonna go back and look at this again. I love this. What's this? This is like, hey, this is Minority Report [ __ ].

Why don't we have that?

None of those actually are, um, yeah, most of them are just straight sets, in fact many of them actually just CSV, but the big graph one was semantic. So this is what I've been working on for, like, the last, I'd say, nine months. The first version I built sank into the swamp, but I wasn't going to be distracted, disheartened, so I built a second version and that sank into the swamp too. Then I built a third version; that one stayed up, and that's the one I'm trying to get released by the end of Q3. And, uh, yay, you know, employer pimp here: AlienVault has been

awesome, and they actually kind of leave me alone to go just kind of make this happen and make it kickass, and they've been really cool. So there we go, there's my responsibilities for vendor pimping done. Uh, what I originally wanted to do was build a better incident response application, and I got to the point where I realized I wanted better tools to write a better incident response application with, and then it got to the point that the better tools I was looking at... I've had this mantra for years about: if the solution you have in mind only fixes one problem, it's probably the wrong solution. If it doesn't accidentally fix something else as a

byproduct, you're probably not looking at the root issue. So the awesome framework ended up being that, well, I'm a little behind on that incident management app, but I'm writing something that's going to allow us to write a lot better stuff than just incident management applications. I want to write better pentesting applications, better risk management applications. What I really want is for people in pentesting and risk management and incident response and the compliance team and everything to actually be able to work on the same data set, so that when I'm sitting there looking at something going, what the hell is this, why is it doing it this way, this looks malicious as hell, but I

know that this is, like, some dumb decision the employer has made, like I know this is a legitimate business process I'm looking at here, and somewhere there is some paperwork saying why it was done this stupidly, but the person that actually knows that probably doesn't work here, and it's not recorded anywhere. And I just start thinking, well, you know, when he did that, if he just went, yep, I did this because, and linked a couple of things together, I could sit there and go, oh look, it's this system, here's that r... That would be really cool. Like, hey, not only would we be able to share workflow and information, we'd have to talk to each

other less, especially the compliance guys. I was really hoping I was going to have something a little more ready for release here; uh, I'm terrible at predicting how long stuff's going to take, so maybe end of Q3. Security is a people problem, right? Physician, heal thyself. This whole thing was about making us better, making our jobs a little more fun, and putting a framework together that would allow us to write applications that would allow us to not spend so much time doing data transformation and crap. There are all these great little applications out there; my dream for this is you go, hey, I just write a little awesome plugin, and

then the stuff that comes out of this, I can run it and it gets dumped into a little knowledge store that other fine folks beautifully doing their work can have access to, and go, oh, that's why that is. But for me, I start out with an incident management app. I'm doing this so I hope people are going to write applications that are just way cooler than anything I could ever imagine; maybe we'll actually bring some scientific-style research into this. So this is what I'm doing with it. I'm an incident response guy, this is what I know. I've had this idea of just-in-time incident response triage: I don't need to look at every single alert that comes

off the systems; I need to look at the alerts that are actually bad [ __ ] happening. Well, right now we can't do that until you look at every single one of them, and hey look, there's a queue of 3,000 alerts here and the first 2,000 of them are all critical, critical, critical. Some criticals are more critical than other criticals. So you don't have to look at everything, you don't have to do all the work; if you look at the stuff that's actually dangerous and ignore the rest of it, you're fine. You can clock off for the day. I don't need to look at the rest of the [ __ ], my job's done, you're safe for

today. Let's wait for something else to show up again in five minutes. Okay, so this idea of SIEM being this top layer of integrating all the security controls and everything really got to bugging me. This idea of, yeah, it's great at producing single point-in-time alerts, but it still couldn't get that holistic layer of what this actually means for humans. So I started throwing this together.

All right, so as far as RDF and the like goes: subject, predicate, object, really simple thing. A property thing B: Gondor has hostname XYZ, runs OS. These are the triples. The whole database is just a whole stack of triples like this, but for each of these things, hey, it's a relationship: I know what "runs OS" means. I'm not sure exactly what, you know, SQL outer join host... yeah, I'm not going to try and put a SQL query together right now, I'm too sober or too drunk, I'm not sure how it works, especially not with SQL. So you get this idea of ontologies, where you define all these relationships, but they're not fixed: you can add new relationships over time. I can add new relationships to your data set, you can do to mine, we can traverse from one data set to another just with a single point of information. You give me one row, effectively, and I go, okay, I've got this row, a single node, but in that data is where all the relationships between other points are; they just traverse. So everything ends up being this URI, for both the relationships, the objects, the instances, the classes. There's no weird proprietary stuff to interact with it, and you can start putting together these wonderfully complex queries in natural language, because the actual schema is built out of natural language, not these weird outer joins, cross foreign keys and everything else. So when you read my data and my data schema, it's like reading plain English. That's really cool, because I'm sick of having to teach new analysts SQL before they can be useful, but most of them I hire are pretty good at reading plain English. Amazing, really.

So first thing, we need a whole bunch of ontologies, every sort of possible relationship between things: IP address has octet, has netmask, is part of network; vulnerability exists on software or software version that runs on OS platform; exposure exposes this network segment to this network segment via this port or via this attack class. And you can start developing all these wonderfully soft knowledge things that aren't really data. There's a lot of actual data in the system there, but then you're tying it all together with natural language that other people can look at and read. So this is not on slides, but I'm going

to come back and give you one of my favorite examples. And how much time do I have here? Do I have time for a side story? Man, I better make this quick. Oh God damn, I'm going to be totally making you all wait too long. So really quickly, we had a deal where there was something that looked a little out of place: an office in Germany that was going to be closed down in a little while, and it just so happened at the same time there was an office opening in Turkey, and on the surface of it, it didn't look too suspicious. But then I just sort of said, you know what, Germans really hate the Turks, let's look at this actually, because it may just be some dude who's really pissed off they're moving the office to Turkey. And kind of looked at it, and well, actually there probably was something more to it, but they came around and went, how did you know that? Like, well, I'm European, I know that. Germans, well, Turks are the Mexicans of Germany. Because I'm European. And all the Americans went, wow, we would never figure that out. I'm like, you're right, but that's not really a great amount of skill to put together, I think. You know, if you'd been looking at the stuff and it just said, oh yeah, office in Germany, office in Turkey, oh look, there's this fact that links these two together, so I'm just going to present that up when you're looking at this, and just like, yeah, Germans dislike Turkish people, link. Like, oh look, there's something that connects these two things: context. That's amazing. And you know, any kid green off the street on his first security job doing incident response could go, there's probably something there. I'm sitting there going, I don't want to explain that to anyone ever again, but it'd be really great to make it available. And that's kind of where this started getting into it. So back to this. So the framework is a

whole bunch of ontologies. They're not static; the thing about ontologies is they're never complete, they're always designed to be iterated on. This is the first thing I'm really going to publish. I've got a couple of people I'm letting be an iron-handed dictator over a few things, but one of the major things about this framework is getting people to define new relationships they can see between bits of information and adding them to it. The great thing about semantic stuff is you can add as much of the stuff as you want and it doesn't break anything. If no one uses it, no one uses it. If someone uses it and you don't, doesn't matter, it still works.

The flow set is basically about really building a security-minded data engine where all the classes, all the data types, are objects that are relevant to security: hosts, users, exposures, vulnerabilities, exploits, threat surfaces, the whole thing, whatever we can find out there that we can express in language. Do we go, oh look, this is something that someone else should know, I want to record it later because my memory is crap? We can put it into that, along with just straight-out data sets: oh look, here's all my IP addresses, here's a bunch of reputation info, and they can coexist and be reused. So the flow set, the framework, are just a bunch of simple code presented via HTTP REST. So that's most of my API: if you go, hey, what's the information on this host, there's a single unique URI for it; if you want to pull it out, XML-RPC, RDF, whatever. So the core server throws out all these particular ontology object types, just makes it really easy to manipulate them directly, some command-line tools, some GUI hopefully. It's designed for mostly web apps and everything, a little standalone server. Great thing about the semantic web: everything is a unique URI, you don't have to go out and learn SQL or anything else. So you end up iteratively building this database of information about the stuff you're working on, the stuff you know about, things you're bringing in from asset management or threat intel or whatever, and every single object is just a unique URI. Someone goes, hey, what about that? Go look at this URI, I'll kick it out in plain text for you or some fancy HTTP or whatever format you want, because I can do that, because HTTP REST is pretty awesome. And I'm really kind of skipping over most of the tech on this because it's not massively fascinating tech; it's all stuff that's out there. The last thing I wanted to do was try and reinvent the wheel on this, just bring a bunch of things that are already out there and make them useful to infosec.

So yeah, still a bunch of conversions, import/export stuff and everything; we still have to populate things in from your IDS and intel stuff, and that's a lot of the stuff that I'm hoping I'm going to get a fair amount of community involvement on, because they go, that framework's kind of cool, I'd love to get this info in it, maybe I should write a little script to do that; at least once I do that, I don't have to do it again. Some development crap, some API crap. I'm getting short on time. I was hoping to have something more this week; I'm a lazy drunkard, so

end of Q3. The main thing about this is that, yeah, I'm doing this for my employer, but when all's said and done, this is the last 10-odd years of me sitting there going, I really hate doing the boring parts of this job, someone else should figure out how to make this suck less; and the last three years of going, I guess that's me; and then certainly the last year of, hey, I'm actually working for a company now that will let me do this and other people can use it, hooray. So if you guys like this, that would be really kick-ass, because I've been basically betting the farm on this forever. If you don't like it, I hope it's probably more because you don't like me; a lot of people don't. But I'll probably cry. I'm hoping it's going to be awesome. This is all the stupid pain and crap I've seen with doing security work day to day for a paycheck, my attempt to make something that makes it all easy, makes a lot more sense. This is my big community throwback project, and I'm kind of glad because I'm getting paid to do it, so hopefully everyone wins.

Alrighty, this is the app I'm kicking together with it. Everyone knows kill chain stuff; if you don't know kill chain stuff, you should, because this is the first step to getting away from doing tech support, alert after alert after alert. So the whole kill chain thing, developed by Lockheed Martin, is basically the idea that there's not one signature to one attack; real attacks happen over multiple stages. Find the real attack in this crap: you can't. It's like blind men finding the elephant, and there are multiple elephants. We just can't do anything with this, not without a great amount of experience and deep dark work. This is not something you can really put in front of someone and go, aha, yes, I can see the grand picture. And that's really one of the things that's murdering us on the defensive side: just going through this rote work that doesn't produce real results, because yeah, six months later you lose all your source code. You know that stat about how most organizations have evidence of the breach in their logs? Yeah, what they really mean is they had evidence of the breach in their incident management system, where some guy looked at it and went, I don't know what this looks like, oh, IDS is too noisy, close, move to the next. Okay, but once you start relating

things together, it's a lot easier for even people without a great amount of experience to go, I can kind of see something bad happening here. So instead of going for this tech support model, I started going, you know what, there are a lot of better models out there, like QA, and ooh, police work, like evidence files. That's kind of an amazing thought: hey, you know, we actually start keeping a file on people. What have you done before? Those 50 times you've been browsing ESPN from a server in the data center, like maybe that might be important to the stuff I'm looking at. I was like, hey, I might actually be able to figure out, gee, I wonder how that machine got pwned. So once you start gathering stuff together and putting the big picture in front of people, people get a lot better at seeing the big picture. And then if you start actually bringing back the work they did on things before, in context, so that when I'm looking at this host I can actually see all the stuff that's ever been done on it by anyone else, like, hey, maybe I know what this one might be about. If you're recording all your knowledge in a ticket system and no one ever looks at a ticket again, you've got problems. Great pattern recognition engines. This is all straightforward data, but once you start exposing the relationships between things, putting them in front of people, it's a lot easier to do better work with a lot less experience, putting the dots together.

And that's really the kind of thing here: just making the talent scale down to a larger security audience, so that when I go, oh look, hey, this thing, it's available to someone else later. They don't have to go searching through tickets; they run into another incident that has that same host, but because that host is in the same world, the notes are attached to the host, not the ticket. Objects are objects, things not strings, and they go, oh look, someone else found out what the system is for me already, six months ago. Oh, it was me. Yeah, my memory is kind of bad. Because right now you really got to find a single obsession to drive you to do something worthwhile. This is mine, because that thing on the left is what most of the stuff we end up looking at every day looks like, and yeah, then we go and do a whole bunch of manual info gathering to figure out what the hell that means. The incident response system I'm working on right now, really simple, without giving a whole bunch of screenshots and everything, because I can't. That's what I want: it's like, tell me what's actually happening, brief me. I don't want to be a data monkey anymore; I want to be a secret agent going out and Jack Bauer-ing it down and going, yes, you, I got you now, ha, fair cop. Be a lot more fun than a lot of what it ends up with today. All right folks, go eat and [ __ ]

I was going to say at the start of this: if it's a good presentation, it will leave you with more questions than answers; if it's a bad presentation, it will leave you with more questions and answers. This is me trying to narrow down about four hours of crap into 45 minutes of, at least it was entertaining. Come harass me for [ __ ] whenever, and definitely I'm absolutely all about talking about the [ __ ] more.