
Morning folks, how are we all doing? Cameron's my name, as was mentioned there. Pat's joining me here today, so we're going to be talking you through automating detection and response with a pretty interesting technology called Tines. We don't take ourselves very seriously, but we do take the technology seriously, as we'll be able to show you here now.

Just to kick us off: in the buildup to BSides, me and Hazel were chatting. If anyone hasn't met Hazel, she's one of the legendary organizers of the event today, and as we were talking about BSides we were exchanging some photos of our fur babies, Bonzo on the right there being mine and Angus being Hazel's. That actually is a real photo of my dog; he does actually sit on the couch like that on a regular basis. But when we were exchanging the photos it had me thinking about what these fine cyber security people who come to BSides would need more of in their lives. Can anyone take a swing at what that might be? Close. I'll actually buy several pints for someone if they get it right. More slides delivered by vendors, that's what the light bulb moment is for me. I joke; we're not going to spend too much time on the slides, but I think a
bit of context is probably important for the technology itself, for it to kind of make sense for you. So Tines, if you haven't heard of us: we are a very flexible workflow automation tool for security and IT teams. We're a humble Irish company with big ambitions and a big mission. To give you some background on how we came about: basically the two guys that founded us, Hinchy and TK, were security practitioners themselves. They were head of SecOps and cyber with eBay, DocuSign and PayPal, and ultimately a lot of the problems they had then with their teams are still very, very prevalent now: burnout, noise in their environment, analysts really struggling to get on top of alert volumes and workload, and ultimately the security team not having the bandwidth to focus on the work that they would like to focus on.

At the time they had evaluated SOAR platforms. If anyone's interacted with a SOAR platform in the past you might have some context for what I'm saying here, but the challenges that they would have had with those tools were that they required a team of developers who could write Python to deploy and also maintain the automation, which meant a deployment could be quite cumbersome, very lengthy and quite complex for the team to use, and the way that they integrated was based on pre-built integrations, which meant that they couldn't necessarily have the flexibility to integrate across the stack the way they'd like to. So the idea of building Tines was kind of the genesis of sorts, but really a lot of the same problems that they had then, those teams now come to us to solve.

So security teams now obviously handle a lot of repetitive work day to day. In a lot of reports we've done, 81% of those teams agree that their workload is growing as a result of what we would say is alert fatigue and burnout, and mental health within the industry; there's a lot of changing stakeholders, a lot of people considering moving jobs. Obviously as attack surfaces increase, more and more tools get added to tech stacks, so I think we're at about a point now of 77 being the average number of tools in a security tech stack, and off the back of that obviously you have disparate systems that don't communicate well, and as a result of all of this you've missed SLAs and an impact on metrics.

So Tines is built as a platform to be very flexible, to integrate with whatever you need to integrate with: as long as you have an API we can connect to that endpoint, and then democratize automation by being a drag and drop, no code platform. And yes,
you can run scripts in Tines, but the idea of it is that everybody in a security team or an IT team can build, manage and monitor their own workflows, as opposed to being bottlenecked by a small team to do it. So if we think about how it works: as I said, no code functionality when you're building workflows; it's like a visual process map that Pat's going to show you here. The other thing then in terms of flexibility: if you have APIs, that's how we integrate, and we'll show you how quick that is to do. We can run in any environment that you need us to, cloud, on-prem; we can even do hybrids where, if you deployed us as a SaaS and you needed to connect to on-prem architecture, we would use a Tines tunnel to do so. And then just giving you the ability to manage and monitor the workflows as you go, and be able to obviously continue to report and visualize workflow outputs.

So what that kind of does, folks, is it opens up a wide variety of use cases. With Tines, our bread and butter original use case was end-to-end automation of responding to phishing, alert management, then ingesting alerts from SIEM, EDR, IAM, bespoke alerts, and then obviously connecting all the tools as part of that investigation, enrichment and then the remediation. Then things that are slightly less common have popped up for us, things like vulnerability management, employee offboarding and onboarding; IT teams then and product security teams start to adopt us. So you can see there's a lot that you can do with Tines. I've seen people automate fantasy football rosters with Tines; it's extremely, extremely versatile. But obviously that's just words, so I think the best way to actually get Tines is to see it in action, and so with that in mind I'm going to hand over to Pat.

That was quick. Yeah, what was that, like two minutes? No pressure. Cool, so we'll drop that down and we'll jump in. Right, so as
Cam said, we're an automation platform born in SOAR. What I'm going to show you now is a very quick-fire introduction to the Tines platform: how it works, what it does, the basic architecture it's built on, and then I'm going to go through a use case that I've been showing upstairs, which is pretty basic alert triage, but if it had enough true positives on it, it's really powerful and really useful to different SOC teams. If time allows I'll then jump in and show a couple of the more sophisticated workflows that we have built.

But in a nutshell, as Cam said, automation platform. What you're seeing on screen here is what we call a storyboard in Tines. Think of a storyboard or a story in Tines as a workflow, a use case you want to build, a business process; all those terms are interchangeable. Tines is built on what we call the action and event architecture. Our actions are these eight little guys over on the left hand side, things you'd be familiar with like a webhook, HTTP request, triggers, event transform for manipulating your data. Then we've got receive and send email, which work exactly like they say. Receive email is like a magic inbox; we can use it in IMAP mode as well. Send email will send an email notification, and you can get as fancy as you want with your HTML body in that as well. We also have a brand new action called the AI action here, which can do stuff like help normalize data, localization, translations, whatever you want. People will freak out when they hear AI and they go, what are you doing with our data? We don't use any data within Tines for training or anything like that; it's runtime AI, and we can provide any assurances after the demo obviously to kind of sway any fears there.

And then we have what's called a send to story action. Think of that as a subprocess, something that you might end up doing a load of times across the different use cases, things like analyzing an IP. If you've got an EDR alert, SIEM alert, phishing alert, chances are you're going to be looking up the IP or something similar across all those use cases, so we can use a send to story that will do all that. We can copy and paste that and drop it into each of the stories that you're using, so you're maintaining it in one place and not having to, you know, reinvent the wheel and go and troubleshoot different places the whole time.

How we build: let's say you have a SIEM, so think of any SIEM you want. As we said, we're completely vendor agnostic; once it has an API you
get your data into Tines, away you go. Sounds very cocky, but the proof is in the pudding. So if I want to receive an alert from a SIEM, I could draw out a webhook. I might want to extract a piece of data from that as it comes in, so I'll connect up an event transform. There are different modes; each action is configurable on the right hand side. You don't need to be an expert in Python or coding or anything like that to use Tines. If you are, brilliant, you will pick up Tines a lot quicker because you're already in the frame of mind with automation and that as well, but if not, we have, as I said, the builder panel here to do whatever you want. We've got automatic mode, extract; I can reference the different data points in that.

I might then, when I get an IP, want to go and look it up. So if I'm an analyst, my typical flow would be: receive an alert, look at the data, pick out different IOCs or whatever data points that I want to use, and go to a third party system and look it up. Time consuming, annoying. If you're doing that 10 times a day it might be all right; imagine having to do that 100 times a day, or even 100 times a week. Anyone guess what happens? Like, say the guys up there, you hate your job; you're like, this is not why I got into cyber security, I don't want to be sitting looking at 100 alerts all day. So Tines, we get rid of all that. With that, we could drag out an HTTP request, hook it up, and that could go out and do that third party enrichment for you.

Okay, now I just want to show you what our events look like. I've got a sample curl command here and I'm going to paste that in here and just run it. So I said that Tines was action and event architecture, so you probably saw a little one pop up there on the screen. So
what I've done is sent a payload to my webhook, and all this is is a very basic payload with favorite color blue, name Alice, title engineer. I can check my event panel here to see, did that HTTP request work? Got a 201, perfect. Check my webhook, check events, open it up, and there's my data coming in. So a really, really basic example of how we can get data into Tines.

Okay, now as well as dragging out all these actions, configuring them and all that, you're probably going, that's time consuming, I want to do it quicker. We do have templates. Down here we've about 9,000 templates I think now, for over 450 different products. So one of the common ones that popped up there was guys were asking us about Elastic. Elastic are actually very good friends of ours; they're a customer of ours, they use Tines for everything. You want to drag out an Elastic Security template, and you might say, right, I want to query my Elastic SIEM for alerts. There you go; that HTTP request can be set on a schedule to run every second, every minute, whatever you want, and that will pull in alerts. We've got the URL here we can put in, or using a bit of Elastic EQL to pull in exactly what you want, filter out for what you want. So it's really easy to get up and running with Tines.

As well as the templates we have a story library. If I have time at the end I'll show you that; we've got 800 pre-built workflows, so the exact stories I'm going to show you here. I'll just get rid of this, get rid of the basics, and we'll jump into a workflow. These are our input actions: webhook, HTTP request, receive email. Output: HTTP request again; these can be used just to show the different verbs that we use for them. And then data manipulation, the transform; triggers for making branching logic and building out, so it can be as sophisticated as you want. So enough of the basics, let's look at an actual use case. So this is one I built
very, very quickly. I think it took me about 10 minutes to build this, but if I was actually to hook this up to my SIEM it would work exactly as it looks here. I've got a sample alert here and all it's doing is sending in a suspicious login. The affected user is me, obviously; the source is the wonderful Tines SIEM system; I've got a source IP and a destination IP, kind of typical stuff you'd see from a SIEM alert. So if I send that into Tines, you can see already there was data run through from earlier on. I run that through: alert is received in the SIEM, you can see all the little spinners coming down, so it's running through. It will literally run through within seconds. So what would typically, as I said, maybe take an analyst 5 to 10 minutes, to go log into the SIEM, look at the alert, go to a third party system, look up the IPs, take down whatever they want, go to their ticketing system, open a case with the relevant data, very, very time consuming, this is all done automatically.

So the first thing I want to check is, did I actually receive my alert from my SIEM? This is our data ingestion stage. If I open this up, here is my payload, and I can see that that came in here in my events panel. Excellent. Every single data point that comes into Tines can be referenced in Tines, so you can reference your metadata, your headers, your response codes, everything, and you can decide, right, I might want to use some of that, I might want to use all of it, I might want to use none of it. In this particular instance I use what's called a record in Tines, because I want to capture that data. I might want to reuse that over time; I might want to do some IP analysis and say, how many times are we seeing this IP, or from this user, what the heck is going on, or be able to create reports for management and that. So I'm using a record here and it's called "flcs demo suspicious login alerts record", great name, and I'm only capturing the alert type, severity, source IP, destination IP and user. What that looks like is this, like a mini table. Think of a record as a mini table or mini database, and I can have, is it up to 2 million records I think we have now? Yeah. Build out different charts and that and present it back; I can use different dashboard functionality in Tines to build it out. So I'm going to keep a copy of that, go back to my story, and what do I want to do next? So this is the important bit, as I always say: the enrichment parts. In here I've got a
group. So a group in Tines is where I take a bunch of actions and I bundle them together. The only reason I'm doing that is it's easier on the eye; I could have had a big longer story and I would have been scrolling up and down and people would tune out, but we bunched them together. It's easier, it's DRY, easier to manage. If I want to see what happened in there, I'm using I think five different tools: I'm using GreyNoise, Talos, Tor nodes, AbuseIPDB and VirusTotal. If I used to go and look at each one of those tools individually for the same IP, how long would it take me? Again, 10, 15, 20 minutes. It happened in seconds there in Tines, and we've gone through and you can see the numbers going through. So we looked up the IP in GreyNoise, looked up the IP in Talos, VirusTotal, and that's bringing back all of the data that you would typically be logging in and looking at. So let's have a look and see what I got from VirusTotal: body, data, attributes, all that stuff that we use, and again all these data points can be referenced and used. So the last analysis stats: typically what I'm going to be looking for here, very basically, is the malicious score, so I want to see if the malicious score is over a certain number. I could take all that data from VirusTotal and dump it back into my main story; I probably don't want to do that, because in reality you're not going to do that. Check AbuseIPDB, let's open them all up, here we go, I've got lovely data from that; again, might use some of it, might use all of it. What I've done here at the output of the group is I've normalized the data a little bit and I've only decided to pull back a couple of data points, like the AbuseIPDB confidence score, the VirusTotal malicious score, and all of that, keeping it very basic for the demo purposes.

At that point then I want to create another record, so I've captured the output of my enrichment and I'm going to save that in a record, like I showed you previously as well, and again we can use that for reference and that further on. At this point I want to make a decision: what do I want to do with all these alerts? So I've one coming in, so I'm all right; if I have 100, you obviously don't want to be opening 100 cases and having to go and look at them. A lot of these could be false positives, low severity, that don't need to be looked at. So what do we do there? On the left hand side, what I've done is, I'm
using my AI action here to generate a summary for each of my cases using lovely markdown. If it's low severity, I'm going to generate a summary, create a low severity case, add a comment to it that it's low severity and probably doesn't need to be looked at, and close it automatically. So I still have a record of it; the data doesn't disappear, doesn't go anywhere, and it can show there if someone comes back, or you're audited: right, you actually did do something with this. If it's a high or medium severity case, I want to open up a case and I want the analyst to start looking at it, depending on the severity.

So with the AI action I just put in a simple prompt. In Tines you could be really specific; you can ask it to create a summary as a pirate, or do it in French or Arabic or whatever you want. And I'm referencing, see these little things here, I'm referencing these actions, so the data and the output and the path from them I'm referencing. So I'm saying: I'm a security engineer creating a case in Tines from the data in, and it's pulling the data from the webhook, it's adding, then it's looking at the records and stuff like that, it's asking to add in links and stuff like that. We do all of that just based on the data that you pulled in.

At this point then I'm creating my case. For the example, in Tines we have our own case management, a very lightweight solution, but at that point in the story whatever ticketing system or case system you use, it could be Freshdesk, it could be Jira, ServiceNow, TheHive, all you'd have to do is drag out a template, hook it up there, and that will work once you're referencing the right data points, obviously. A lot of our customers use Jira, a lot use TheHive, so it's all interchangeable, really easy. So at this point here, if it's high or medium I want to do two things: create a case with the relevant data so that my analyst can look at that and start actually doing their job, and I'm going to then maybe want to escalate. So I might want to alert my SecOps team, right, so we can do this in a number of ways: I could send them an email, I could send them a text, I could send them whatever. I'm using Slack, so it's going to post a message to my SecOps channel saying, hey, this is a high severity alert, you probably need to take action now, here's the link to the case, so on and so on. We could have a link to PagerDuty, whatever they're using. And I might also want to block the IP straight away until the
investigation's complete. So that's why we added two branches here. Because it's a suspicious login I wanted to do one other thing: I wanted to reach out and say, hey, was this actually you trying to log in? So on this branch here I'm searching for the user in Slack, sending the user a DM, and I'm waiting for the user's response.

Okay, before we jump there I want to double check that my case was actually created. So if I come down here, see, I've got a case ID, perfect. And what I'm going to do now is jump into the Tines case management and just show you from there what that would look like from the analyst's point of view. So our cases section can be accessed from here in Tines. Each team in Tines, go demo, over to the cases, and we can have different views: I can have just a list view, I can have this kind of kanban view that shows me what's in progress, what's done. And the top one here on the left is my suspicious login attempt. So what has that done? If I open it up, everything that I need, well, not everything that I might need, but everything that I've asked it to generate and put into the case is there. So I've got the relevant data that I need, I've got a description and summary, I added in a couple of emojis just to try and be fancy, I've got recommended next steps, and I've got a link to my SecOps portal.

My SecOps portal is built on Tines stories, and what that is is a bunch of tools that we created that are actually, under the hood, Tines stories. So if I click on it, it's presented like this, like all these different widgets, and these are typical things that an analyst would do. Each one of these is a Tines story presented on a Tines page; think of it like a web form or UI. So as an analyst I might say, I want to check maybe Have I Been Pwned or something like that. We can click on that, I can put in the email address, the recipient's email; this is a Tines story, if I want to see what it's like under the hood, and that's it, it's just another story. And we have so many different customers and teams that are using this type of functionality for their analysts, so that once your automations are built your analysts don't have to keep going in and opening up the events, checking this and that; the information is presented exactly where they need it, and they're able to build out these kind of, what would you say, portal-like experiences for them. It could be threat intel, it could be SecOps, it could be anything, any kind of tools you use. And jump back to my main
story, whoops, not there, sorry, to my case first. From here I've got a button added into my case, so when I'm building my case I could add in 20 buttons if I want. I only added one because, as part of my case management, I want to claim the case as the analyst, so when I claim that it's going to add in other actions or other buttons. So again I just added in a couple of basic things, but all of these can be configured: they could be run a playbook, go out to CrowdStrike, run a real time response, whatever, and under the hood all they are, if we go in and edit it, is either a webhook URL in Tines or a link into an HTTP request in Tines that will carry out that particular action. So you can see that it's just end-to-end automation.

We talked then about this part of my story; just to show that it is sending a Slack message, I'm going to bring up my Slack, open it up here, and we can see here that I got, first of all in my SecOps channel, "high severity login attempt", blah blah blah. So we're using the Slack Block Kit builder in conjunction with Tines to build out whatever you want; again, this could be as fancy as you want, I just kept the basic data here. Again, I have a link for my case; click on that and I'm back into my case management system. I also sent a message to the end user, so I just used my SecOps demo bot here, and it's like, oh right, this one here, because I added on the case: SecOps detected a suspicious login attempt for your account, Pat, the location Hong Kong. So you could write in here, could be, "Dear Pat, what the heck are you doing in Hong Kong? Are you in Hong Kong? No, you're not, so confirm if it was you or not." We've got buttons added in here, so I could confirm: yes, this was me; this was not me. That will go back to a trigger in our story, and if I go back to my story then we'll get a response here coming back, and from there we could decide, if it's not me, we could add in another branch to be like, right, block the IP, reset the user's password, do whatever you want. So it's literally whatever your process is.

So that shows then, from start to finish, what takes, literally again depending on how quick you are, it could be 5, 10, 20 minutes triaging an alert, to something that could be done in seconds, presenting the information back to the analyst, and away they go to do the important work. This is a very straightforward workflow. Okay, we have variations of this
that are shorter, some that are way more complex. To show you an example of that, if you go to tines.com library, in here we have 82 pre-built workflows, and you'll see it here for some of the most commonly used tools that security teams and IT teams, engineering teams use across the market. So one of our most popular ones, as Cam called it out, was phishing. We open this up; you might say, I need a phishing use case. I've logged into my Tines tenant and here we go, so you can see how complex and sophisticated it can get compared to my basic one. This one gets data into Tines in three ways: we've got a page, or a UI form like what I showed you at the portal, where you can literally dump an EML file in there if you want; the webhook could be pulling from something like PhishER or Cofense, so on; or the receive email action, that's the magic inbox, you could be forwarding your phishing attempts to that. And then we're just parsing out the data, we're making decisions based on what's contained in the data: if it's an EML, if there's URLs, if there's no URLs, what do we want to do? And we're using the same kind of enrichment that we did in the other story you saw, so different tools. And don't think when you see this, right, there's a VirusTotal action, do I have to use VirusTotal there? No, use whatever is in your stack. Drag out a template; if there's no template existing, it's very, very easy to create, when you can paste curl commands into Tines you can build them very easily with decent API docs, which unfortunately a lot of tools don't have. But yeah, that's just a very, very simple example. If I want to use that in my tenant I can import that, select the tenant I want to go to, there's my tenant, bring it in, and away we go. This is probably the 100th time I've imported this, so I'll give it, you know, four this week. And I can decide I like all of that, or I can, right, get rid of some of this. What's after happening?
HDMI. Are we happy with that, that one? I don't know what's going on; ignore the blanking blue screen. Yeah, don't know what happened there. Yeah, and like, you could use all of this, you could use some of it, you could use all of it and add in your own bits and pieces, and away you go. How are we doing on time? 15 minutes remaining. [ __ ] We go back to the story library. So one we always show, as I said, it's kind of come up a lot up there, is our good friends in Elastic. One thing with the Tines story library is a lot of the stories have been built by us, by our Labs team, but a lot of them are built by what we call our friends, so our customers, people we work with. We've got a bunch of Elastic stories in there, and a lot of these have actually been built by the Elastic team. So you can see Christopher there; Christopher's over in Malta, he spends half his day building in Tines, that's a lot of his job, and he's very generously submitted some amazing stories. Some of them, I've no idea how he comes up with the ideas for building them. He's one there for managing clusters via Slackbot; this is awesome, like repairing shards and stuff like that. When he showed us this on a customer success call, one of us was like, what's this, this is magic. That's just one of our friends, as we call them; we've got others in there. But literally whatever tool is in your stack, we should be able to automate, get your data in, and 99.9% of the time do what you want. There will always be a use case where it's like, right, you might need to do something a little bit manually, but yeah, that's in a small nutshell Tines.

I think another thing to mention is that, as Pat kind of mentioned there, like a lot of our customers, but a massive thing that influences Tines is our community. So Tines has a fully commercial grade Community Edition on the website, which anyone can sign up to, and ultimately that community, you
know, we communicate on Slack, and a lot of those users would be responsible for, you know, influencing our R&D team, for submitting stories that obviously help other teams build out in Tines. I think one thing that we do always try and do is just, you know, have open ears. We listen to our users, and a lot of the innovation in Tines, like if you were to see Tines from five or six years ago as a beta versus what it is now, and the speed in which we try to implement changes, ship features and innovate within the platform, the vast majority of that has been influenced by, you know, humble users who were just using it, playing around with it at home, and have ideas for how things could be done better. A classic example of that is what I showed you with the cases, so this kind of kanban view. Three, four weeks ago we had a list view in Tines; I was on a call with a prospect, they said it would be really cool if you had this kind of kanban view. I gave the feedback to our product and engineering team and they shipped it two days later. Now they had it on the roadmap for a long time, but they said if someone's asking for it, it makes sense to ship it. So that's the kind of quick turnaround we do and how fast we get things done.

I've probably gone through most of it. Is there any questions, anyone, anything they'd like to ask? Yeah. [Music]

[Audience question, partly inaudible: you had some of the kind of flows there that are gathering data and then ... making decisions?]
Thank you. So yeah, great question, super question. Everyone's always like, let's just get the AI to do it. We would straight up say, probably don't do that. Use the AI, but at the end of the day you make the decision; let the AI augment what you're doing, but at the end of the day, hard code your branching logic. So we could build out, using those triggers, build out that branching logic, not, you know, if it's this, ask the AI to go forward or that. We'd never advise anyone to do that; we'd always put a kind of warning label on it when anyone's using it, do you know, but never, never depend on it fully for your most critical workflows. It's a great addition to the product; it's helped us tremendously, like you saw the case I created there. If I was to do that manually, while you can do it quickly in Tines, it's a little bit tedious referencing all those data points and getting it to look nice and pretty, especially if you're crap at markdown like I am, whereas the AI will do that in seconds. So that's kind of where we use the AI action.

There is another AI functionality in Tines, it's the automatic transform. So let's say I drag this out, oops, I don't want that, and I can switch it to automatic transform, and what that does then is, with your input, it will just run a bit of Python in the background to do what you want. So again, we're helping it to manipulate our data and that, but we're not going to rely on it to make decisions, which we just don't think AI is there yet, or should be trusted. I also think that our philosophy for AI, when it came on the scene, even from an automation perspective, the philosophy was never to replace humans. Yeah, you know what I mean. And I think a lot of people's perception can be, oh well, you know what, I'm not going to have a job. It's like, it's not necessarily how we think about it; it's automating the mundane and the automatable to kind of free you up to do your best work. If you had your time back, what would you do with it? And the AI thing is, you know, it's a case of keeping the human in the loop; you still need someone to ride the horse, and that's kind of how we'd approach the AI.
[Audience question, partly inaudible: ... junior judgment, like, inject that ...?]

You can if you want. That's probably an easy answer to give, but genuinely we don't use that for that and we wouldn't advise it. Our customer success team would be like, if you want to do that, that's on you; you know, the functionality is there, but for your mission critical workflows, you know, I'd rather use the branching logic, which is hardcoded, which you can then connect up to maybe an approval process where it does need that human intervention, rather than leaving it to your little yellow action to make the decision. I'd always use it to augment your workflow, never to decide on what you should do. Yeah, we do have some customers doing that, again, best of luck to them. I just personally, you know, like, they're happy and they're confident, but I get what you're saying: it's like, should we always trust it? Well, you can trust it if you want, but it's up to you, genuinely. Yeah, interesting, interesting to be able to have that. Yeah, we're always very cautious about the AI and we don't want to be like, hey, we're selling automation or AI automation; that's not what we do, we sell automation. The AI functionality is something that we had to build in because it was looked for, but we're very, very cautious about it, and we've made sure that there are limits within the product with what it can do and with your data, and that your data doesn't go anywhere or anything like that. So, very secure and privacy oriented.

[Audience question: You said with regards to integrating other tools, anything with an API is good to go. I presume you've got a library of existing API integrations built in, so if someone's got a tool that you're not previously aware of, does that then allow you to create your own?]

Yeah, great question, I keep getting asked that up there, and you'll probably laugh at the answer I'm going to give. There's different ways of creating an integration, right. So if
there's, like, there's an example here. Have I got it up? So here's Stripe, right. Stripe have pretty good API docs. We don't have any Stripe templates in our template library. The good thing about any tool that has good API docs is they may have a curl command, so if you have a curl command there, copy it, you can go back into Tines and you can just paste it in, and there's your instant integration. And if I run that, that will actually work, so I've got an instant integration where I created a payment intent in Stripe. Now if you come across a tool that has crappy API docs, which we do, what I do is I either go to my good friend ChatGPT and I say, give me a curl command, or I use the Tines AI to say, give me a curl command to do this, and I copy that and paste it in, and I've been working like that. Or you just trawl through the API docs; we've seen people do that and been able to build out HTTP requests to do what they want very, very quickly. So it's not a case of having to spend half a day coding out Python or something; you do it like within 10, 15 minutes in Tines.

[Audience question: What if it's not using an API? So let's say you want to connect to, like, a database or something like that.]

Yeah, so we have in Tines a run script action. So it's in here and you can use this, and it's under Python, we could probably change this. So drag this out, it says run Python script, but we can actually run bash and PowerShell with it as well, AWS command line. If you needed to do that, you can do that. We always say try not to; people can always fall back on coding, which defeats the purpose of Tines, but we did get asked, so we built it into the product as well. Yeah, there's always some little bit of Python that someone wants. We're not against Python, by the way, if anyone in here is a Python fan at all; there's always something that they want to do and we're like, okay, let's let them do it. Any other questions? Are we on time? We're on time and we're good.

So, I mean, obviously the guys are going to be on the booth upstairs and around all day today and tomorrow, so please go up and ask them any questions. Obviously the next ones are going to be coming on in a minute, but do you want to give these guys a quick round of applause.
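The suspicious-login story Pat walks through in the demo (webhook ingest, record, enrichment group, hard-coded severity branches, case, Slack post, block, "was this you?" DM and the reply branch) written out as runnable Python. This is an added example, not Tines code or the demo story itself: every alert field, enrichment value, threshold and action name in it is a constructed stand-in.

```python
"""Suspicious-login triage modelled on the demo story walked through above.

Added example, not Tines' own code: the alert, the enrichment values, the
thresholds and the outbound actions are constructed stand-ins for the webhook
payload, the enrichment group and the case/Slack/block actions the demo wires up.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed SIEM alert, shaped like the demo's webhook payload.
SAMPLE_ALERT = {
    "alert_type": "suspicious_login",
    "affected_user": "pat",
    "source": "demo-siem",
    "source_ip": "203.0.113.7",
    "destination_ip": "198.51.100.20",
}

# Constructed raw enrichment: the two fields the demo pulls back from the group
# (AbuseIPDB confidence, VirusTotal last_analysis_stats) plus two more tools.
SAMPLE_ENRICHMENT = {
    "abuseipdb": {"abuseConfidenceScore": 85},
    "virustotal": {"last_analysis_stats": {"malicious": 7, "suspicious": 1}},
    "greynoise": {"classification": "malicious"},
    "tor_exit_node": False,
}

# Hypothetical thresholds; the talk only says "over a certain number".
HIGH_VT, HIGH_ABUSE = 5, 75
MED_VT, MED_ABUSE = 1, 25


@dataclass
class TriageResult:
    severity: str
    case_status: str
    times_seen: int
    actions: list[str] = field(default_factory=list)


def new_record() -> Counter:
    """The 'mini table' record: counts (user, source_ip) pairs seen over time."""
    return Counter()


def normalize_enrichment(raw: dict) -> dict:
    """The group's output step: flatten the tools into a few scalar fields."""
    vt = raw.get("virustotal", {}).get("last_analysis_stats", {})
    return {
        "abuse_confidence": raw.get("abuseipdb", {}).get("abuseConfidenceScore", 0),
        "vt_malicious": vt.get("malicious", 0),
        "greynoise": raw.get("greynoise", {}).get("classification", "unknown"),
        "tor_exit": bool(raw.get("tor_exit_node", False)),
    }


def decide_severity(e: dict) -> str:
    """Hard-coded trigger branches, as the speakers advise; no AI verdict here."""
    if e["vt_malicious"] >= HIGH_VT or e["abuse_confidence"] >= HIGH_ABUSE or e["tor_exit"]:
        return "high"
    if e["vt_malicious"] >= MED_VT or e["abuse_confidence"] >= MED_ABUSE or e["greynoise"] == "malicious":
        return "medium"
    return "low"


def triage(alert: dict, raw_enrichment: dict, record: Counter) -> TriageResult:
    """One alert through ingest -> record -> enrich -> decide -> act."""
    key = (alert["affected_user"], alert["source_ip"])
    record[key] += 1  # answers "how many times are we seeing this IP / user?"
    severity = decide_severity(normalize_enrichment(raw_enrichment))
    r = TriageResult(severity, "open", record[key], [f"create_case:{severity}"])
    if severity == "low":
        # Keep the evidence for audit but page nobody: comment and auto-close.
        r.actions += ["add_comment:low severity, auto-closed", "close_case"]
        r.case_status = "closed"
        return r
    # Medium or high: notify SecOps, contain the IP, and ask the user "was this you?"
    user, ip = alert["affected_user"], alert["source_ip"]
    r.actions += [f"slack_post:#secops {severity} login for {user}",
                  f"block_ip:{ip}", f"slack_dm:{user} confirm login from {ip}"]
    return r


def handle_user_reply(r: TriageResult, alert: dict, reply: str) -> TriageResult:
    """The branch after the DM buttons: 'this was me' closes, 'not me' contains."""
    if reply == "this was me":
        r.actions += ["add_comment:user confirmed login", "close_case"]
        r.case_status = "closed"
    elif reply == "this was not me":
        r.actions += [f"reset_password:{alert['affected_user']}", "escalate:analyst"]
        r.case_status = "escalated"
    else:
        r.actions.append("wait:no valid reply, case stays open")
    return r


if __name__ == "__main__":
    table = new_record()
    result = handle_user_reply(triage(SAMPLE_ALERT, SAMPLE_ENRICHMENT, table),
                               SAMPLE_ALERT, "this was not me")
    print(result.severity, result.case_status, result.times_seen, *result.actions, sep="\n")
```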