
Peter Luo: The Journey of Security Automation

BSides St. Pete · 33:34 · 1 view · published 2026-03
Style: Talk

About this talk
Security teams are constantly burnt out due to the unlimited amount of investigation and operational tasks. It becomes essential for the security defense team to leverage automation to improve the efficiency of the SOC. In this talk, I would like to share:
- the open-source automation tool
- hands-on use case demos with Node-RED
- the difference between AI and automation, and AI use cases
- the journey of security automation and security maturity level
Transcript [en]

Awesome.

>> Hey, let's keep it down. The speaker has started.
>> Thank you. Thank you.
>> Good afternoon everyone. My name is Cher. I'm the co-founder of [unclear], and welcome to my talk. I'm going to talk about the journey of security automation. In this talk we will also look at automation from a practical point of view using an open-source tool, and we will share the journey, especially the difference between basic automation and AI. You're welcome to ask any question you may have. Before we go into more details about the tool side, let me first do a brief intro about myself.

Before I started what I'm doing now, I was a developer at Microsoft. I developed tools, AI tools and automations for the SOC, for Office 365, which is used to protect SharePoint, OneDrive and so on. As a developer myself, I wrote lots of things to help Microsoft better defend critical infrastructure, and as many of you may know, and I have experienced the same, writing code is not an easy thing. Sometimes it works, sometimes it's not working and you just don't know why, but actually it works. Practically speaking, everyone knows that developers are expensive, and in a security operations center, if you hire a separate developer to do your stuff, to some degree it slows down the process of your security operations and prevents you from reacting, analyzing and responding to security threats as fast as possible. So in my spare time I did some research. This kind of low-code/no-code tool is not a new concept; it has been around for many years, and we found this one. This low-code tool is called Node-RED. Surprisingly, if you go to GitHub and search for it, it's actually very popular: it has over 10 thousand people in the GitHub community and over 3,000 integrations across almost all kinds of applications, primarily IoT devices, cloud and so on. Lots of people are actively contributing to the open source for automation. I see a lot of people using it and it has lots of good traction, but I find it's actually not super popular in security areas. We did some trials and I found it actually very useful for solving a lot of problems you may have in your security operations. I'll give details with more demos, but on a high level, let's look at the components. Node-RED is basically a browser-based drag-and-drop tool; you can assemble things and start to run. Under the hood it's built on the Node.js framework, it has lots of real functionality, and it's very easy to share between teams. Before getting to the other use cases, I'll give you a quick demo to showcase what kind of things and what kind of possibilities it can bring to your team.

So this is basically the Node-RED interface. On the left side you can see lots of different integrations, tons of them, and this is basically the canvas you can use to create a simple automation. There are two basic things I can quickly demo. One is that, as with many tools, it needs some triggers, so it needs an input and an output. This node basically represents input and output. So what I'm doing here is I'm just providing this timestamp information. Let's give a little bit more concrete information. Let's see.

This was all output to the window, so this is an ad hoc thing. Once you start automating, you want to periodically run this kind of thing. Now you can start to run it periodically, let's say every one second, let's say two seconds, three seconds.

So now it starts to run automatically. It's like a cron job, but with a nice UI you can drag to create nice things. So let's stop this one.

So this is the basic building block for the Node-RED UI, which takes input and outputs something on a schedule. The other common building block is the REST API. Say you have other tools and you want to expose endpoints for other things to quickly trigger your automation. So let's get a REST API service. They have a REST API endpoint node. Imagine you are writing API endpoints; now you don't need to write code, you just drag and drop. You create this kind of endpoint. So let's drop an endpoint, just call it [unclear], and let's give it a [unclear] here. Let me show you some hello world. With these three nodes, basically I use the HTTP endpoint; now you can trigger these automations and get results. I'm testing using POST, and let's say I use [unclear] to send a query to the new API endpoint I just built, and now you see we get back the result, "hello world". So with these two examples I showed two building blocks. One is you can do a schedule block. The other one is you can build up HTTP endpoints and get triggered automatically. On the left side there are lots of integrations; I will get to that part in a second. But this is the fundamental part of this kind of tool, and once you pull other nodes in here you can start building more complicated functionality for security operations.

I'll get to that part in a second. Before that, so far so good? Any questions so far? Okay, good. Before I get to the demo part on SOC operations, let's do a high-level overview of what kind of things we have found useful in terms of security operations. One example is monitoring. Say you worry about your data leaking through public communities, for example [unclear] exposed data endpoints, and we can use the scheduled job you saw to monitor [unclear], and then you set certain criteria matching your company's domain and automatically send emails. That's one example. Another is security auditing: if you have lots of accounts and you want to check whether everyone has MFA enabled and whether everyone has password rotation enabled, the tool has an integration with AWS, so you can schedule a run to make sure it gives you a report and a notification if someone does not satisfy your security audit. The third part is security analysis. Take an example: a lot of security analysis is cognitive work across endpoints, firewalls, so on and so forth. But let's look at a standard one, like phishing emails. Say someone reports a phishing email and you want to analyze it: you want to analyze the headers, the senders, the links, the attachments. All those kinds of things can be automated through this kind of simple automation platform. Then reporting. I think in the previous talk it was also mentioned that there is siloed data everywhere and siloed tools everywhere. Some companies are using SIEMs to do reporting, but there are lots of popular tools like Power BI, and say your data is in your vulnerability scanner, your data is in your endpoints, your real data is maybe in the cloud, and you want to generate a nice report to aggregate everything. Now, with the integration with Node-RED you can pull all this data continuously and dump it into Power BI to create a nice report for management to review. So this is reporting; you can use it to create nice reports. Firewall management: say you have firewall rules, and you probably have different versions of firewalls, a lot of firewalls, a central one and a variety of different kinds of firewalls, and once you find something malicious you want to ensure every firewall gets the updated rule set. With this kind of tool you can make sure your rules get enforced in all the firewalls immediately. There are lots of other scenarios in firewall management; for example you have an allow list and you also want to make sure you keep it updated every three months. In some ways you can continuously monitor it, connected with your intelligence, to verify whether the allow list [unclear]. Those kinds of automations you don't want to do manually; you want them automated for you. Those are good examples we found useful using this kind of automation tool. Some administrative tasks: this is particularly useful for policy. Say your team has a new employee onboarded and you want to make sure their account is automatically added to all your security tools, and more importantly, when a user loses permission you want to make sure all their accounts are removed from the SaaS environments or all their tools. This kind of automation is quite useful to reduce the risk there. There are lots of those scenarios, for example red team: you want to do recon or all those kinds of things. There are lots of possibilities there. Without further ado, let's get to some demos.

So the first demo is related to what Wilson was talking about, threat intelligence. You have different data sources: say you have VirusTotal, you have Shodan, you have AbuseIPDB, all this kind of open-source or enterprise intelligence, and you want to be able to consolidate it. So in this simple example, basically you put in the IP 8.8.8.8 and we go through the threat intelligence and it gives you all the information. Let's just connect it with the first one and run it. So automatically we call the API for this IP and it gives you the information: which time zone it is, where the latitude and longitude are. Same thing here; let's look at VirusTotal. You have to get a credential here for VirusTotal; once we have that, let's hook it up with this one, so you can see

it will start pulling all the VirusTotal information for you, giving you all the detected URLs related to this IP. So now you start to get all the threat data from all the data sources you want to consolidate; now you have the information in one place. Let me show one more example; this is similar. Let's show that.

So now it's getting the intelligence from Shodan. There are lots of things we can try, but this part is related to threat intelligence you can use to analyze your alerts and other things. With this example I'm slowly building up a workflow that we can use for automation to analyze phishing. So this is correlated with phishing analysis. Before we correlate with threat intelligence, you need to be able to parse the information in emails. So the other part is how we parse these emails. For emails, Node-RED also has built-in modules to help you extract URLs from text, extract IPs from text, automatically give you attachments, automatically parse the necessary attachments and calculate hashes. There are lots of small components here. The benefit of this is that you don't need to rewrite those kinds of low-level things. There are some tools that can do the entire thing, but with this tool, if you want to do it by yourselves, it saves the time to write code. In this example, I'm using a simple node that takes a piece of random text and extracts the URLs. This is particularly useful if you get alerts or emails that give you URLs to analyze: you don't need to click them, but now you get the real URLs out and can analyze them with your threat intelligence. So as input I'm just giving the text, and the output is automatically produced by this function. So now it outputs the URLs that come out of this piece of text. In the first one we looked at threat intelligence; in this one we looked at parsing the data to analyze key facts. So now let's go to the real phishing email analysis workflow. In this workflow it is reading emails, whether that's in Gmail or in Outlook, and parsing based on the community parser here: parse the EML, parse the artifacts, then you check with VirusTotal, and then a switch node switches the functionality, like a conditional based on the information from VirusTotal. If it's malicious, we send an email back to my mailbox with the content "phishing email detected". If not, it will send a different "no issue" response email to my mailbox. And this is an email node that automatically sends out emails. So I have a test example here inside my folder "phishing news". These emails will automatically be read back, like phishing emails, and analyzed, and it sends me back emails. So let's see. You can see the little dots here, which means the node is processing right now; it's in the step of querying the REST information. The API call usually takes some time, but it's nearly real time. Okay, so this information comes out of the data directory, and I actually received an email that tells me a phishing email was detected, with the email subject and the content. With a little modification here you can use this to delete the email from your inbox; if you find that an email is malicious, you can delete it from your inbox.

But otherwise, you see a quick and simple way to [unclear]. There are more scenarios; I don't have [unclear] to cover everything. Any questions so far? Any questions so far?
>> Okay. Let's go back to the top here. So the nice thing about this actually...

Yeah, the nice thing about this kind of automation is that from a developer point of view, as I've been talking about, we don't need to reinvent the wheel in terms of the building blocks, but meanwhile we need the flexibility to reassemble them and build up new logic for different departments. Say you have different departments, or you change your mindset, or whatever, the people have been changing in your team. These kinds of things firstly can help you manage your automation in one place, but it also lets you quickly pick up the logic to satisfy any kind of new requirements. And one great thing is that they have sharing functionality: once you export it, basically you can see the whole thing is just transferred and shared with other colleagues and other teams, saving time.

>> What do you think, is it awesome or is it...
>> Great? No, it is awesome. Curious, do you have any of the workflows at all?
>> Yeah. Yeah. First, the website has lots of [unclear].
>> Yeah. Question. I'm just curious how that works with scalability and stuff; I'm curious how it handles...
>> Yeah, so there is a solution to make it scalable. You can use [unclear], but itself it is a container, and locally you want just to kind of build that. Do you have a Docker image for this? Like is there...
>> Yeah.
>> Yeah. I mean it's pretty easy to set up: npm install, that's it, you can run the actual command from here.

>> Yeah, so just from some observations, when I speak with people about this kind of automation, I think there are two objections. The first objection is that people worry their infrastructure is not mature enough to automate. My feedback is that we don't need to wait for everything to be mature to start automation.

The number two is that people worry automation will take away their jobs. I mean, in security you shouldn't worry: there's always a problem in the SOC and there are always enemies, and actually a good [unclear] should look at how you make your SOC efficient.

So we talked about automation. I think in the last presentation Alex was talking about AI and putting AI into the [unclear]. I think there are lots of words in AI; alongside, basically, AI is a version of automation; I think that's [unclear]. But we need lots of effort, actually the core [unclear] some effort to really demystify AI. So basically, basic automation, like Node-RED or whatever automation, is human-defined logic; you predefine your own logic here, it's not dynamically changing. You put the rules there: you say if this IP [unclear] 10 times, and five [unclear], so it's a very fixed way of defining the logic and letting the machine run this kind of desired [unclear]. On the other end is AI, where AI typically performs tasks [unclear] by humans, and in the middle is machine learning. Machine learning is one part of AI, but the majority is based on patterns from [unclear]. So typically nowadays when people talk about AI, basically there's no true AI; I don't expect that anytime soon. But we do see that there are lots of real applications that can be applied to security operations, especially the security operations center. Part of security detection, you probably have already seen that or benefited from it, because that's behind the scenes, but those kinds of ML have already been widely applied to detections. I think you probably already know this concept, just for the [unclear] purpose: there are two types of machine learning, one supervised, one unsupervised. The difference is that supervised requires labels and unsupervised requires [unclear] data. Supervised is good for classification, like recognizing a stock, or prediction, predicting whether it's a good model. I saw a lot of ways, especially in security, at least in the security operations sector, there are a couple of cases, like clustering alerts by type or similarity, and anomaly detection by things in your alerts or whatever in your environment; those are unsupervised approaches. So there are definitely some parts of machine learning [unclear]. But we have a really big issue that is actually super important: personally, machine learning is known to be a black box. Some example like this, "AI denied my [unclear]"; when you see this one, the SOC cannot understand what it means, so they get confused and don't know what action they should take, because under the hood this kind of box is learning some mystery model, and sometimes it's too complicated to explain; we cannot explain it and we cannot take action on it, and it's not useful for practical applications in a security operations center. So we have been very mindful of this kind of pitfall of machine learning. After years of practice, I think the real practical applications of machine learning mostly rely on the unsupervised approach, and in supervised ways there are probably some parts that can be practical, but some work has to be done to make it more available to the community. Just two quick examples. One is what I think is useful for the alert flood. Say you have tons of alerts from endpoints, network, firewalls, vulnerabilities and cloud; some have possible alerts [unclear]. The way machine learning can look at those kinds of data and bring those things into one part is based on patterns seen at the same scale and time, whether that's two parts, to understand the context. The other thing is about risk prioritization. When we talk about risk prioritization, there are lots of mechanisms here. Some people mean risk prioritization for the organization; there are two different levels, but I'm talking about risk priority for the SOC. So there's a rule-based approach: you can look at whether this asset is internal-facing or external-facing, whether the user is an employee, whether it's an important asset or not, and you can find lots of things. But the tricky thing is that you have to continue to tune things; a lot of factors will be changing all the time, for example the type of detection. Let's say brute force attack: the fidelity of this kind of detection changes all the time, and also changes a bit for different companies' environments. So with those kinds of things, machine learning can do a very good job here: to be able to pick up that data and use it to update the risk scores over time, and also learn from your [unclear]. Some of those: find that this detection is high validity, or this type of user can be very noisy, those contractors, should factor into your risk factor. Yeah, just two simple use cases. That concludes my talk on automation and AI. Just a quick summary: try it. It's open source, it's free, give it a try and it will help you automate some tasks. And there are some practical use cases of ML; just be aware of some of the [unclear], understand it before you use it. Okay, that's the end of my talk. Thank you very much.