
Scott Sattler - Threat Intelligence

BSides Orlando · 54:04 · Published 2015-11
About this talk
http://bsidesorlando.org/2015/scott-sattler-threat-intelligence Day 1, Track 2. Abstract: How to source and gather threat intelligence and integrate threat intelligence into enterprise security controls. Maximizing SIEM and security controls to minimize the attack surface. Bio: Scott Sattler has been involved in information security for over two decades, working with defense and Fortune 100 clients globally. Currently working full time for a Fortune 15 and running two security companies.
Transcript [en]

...a couple beers and now you're ready to listen to some threat Intel. Alright, we're going to start off to make sure you guys are awake: how many people in here use threat Intel within your organization right now? Threat Intel, any type of threat intelligence at your office, in one fashion or the other? One, two, three, a couple... oh, look at all those people, great. How many of you pay for the service? Okay. Is it worthwhile? Okay, we'll talk about that here in a little bit. So I'm a manager for a large company, I do cyber forensics, I have a team of quite a few people that are spread around the world, and part of what we use is threat intelligence to

determine things that may happen to us or are happening right now. When people talk about threat intelligence in this venue, we're going to talk about cyber threat intelligence, but it's really not the only piece that we deal with. I deal with a lot of companies; part of it is cyber focused, some of it is focused at maybe physical threats, discussions that happen on blogs, web pages, things like that. But primarily a lot of the groups here that I work with, they ingest cyber intelligence through a number of different vendors and open source intelligence. When we talk about cyber threat intelligence, a lot of people use this. As you know, what is a threat? A possible danger. Really, to

generate threat intelligence you don't have to have a threat, and we'll talk about some of the threat actors that are out there that are trying to look at your companies, investigate what you have, and maybe explore your perimeters and what they can get into. And the intelligence there, maybe some of that or maybe not. In short: threat, bad guys; intelligence, predicting the future, or predicting what's happening now, what may happen six months from now, nine months from now, and putting those two things together to understand what's out there in the world that may impact you today or tomorrow. Let's say you care. Now let's talk about who generates threat intelligence or threat data. There's a lot of people here

and out there that are researchers, and intentionally, good, bad, indifferent, they are out there. Maybe they're looking through their logs, they're looking at activity on some blog, whatever, maybe they're doing research out there, and as they're doing that research they're developing activity that is observable by someone somewhere: they're crossing the internet and we're collecting that data. So some of you are researchers, some of you are security people, innocent or not. Also we're seeing quite a bit of prelude to conflict: Syria, all the different events in the world, probing the network. I work for a lot of different power companies and we routinely see the Chinese, the Russians and Syrians and everybody there looking at the security of

the infrastructure of these different power generation companies, because in case something happens in the world they want to know how to shut down our power grid. Well, the commercial customers: tons of organized crime activity. I have a large customer, we have one in, I think, four Social Security numbers and one in seven PII records, tons of data, especially medical data. Before, people would steal credit card information; now there's so much out on the market it went from, I think, a dollar fifty a record, I think it's down to about ten cents a record for a credit card number. It's worth noting healthcare records are anywhere from 25 to 100 dollars on the market, so very valuable, very useful information, so

they're hitting the databases. I also have a lot of private investigators that are going after large companies; they're paid to win a divorce case and they will get that data one way or the other. Once again, they leave their home or their office, they transit the network, somebody's watching that. And of course we have the hacktivists. There is so much of that activity right now; banks are a great target. You make a statement that is not going to [sit well], they will come after you, and I think we've seen that in the news quite often. So when we talk about why these people are generating this, besides money: I have a large retail customer, forty thousand stores, tons of cash registers

all over the place. Their cash registers were so slow they could hardly do a transaction. She said, well, you're here doing some other work, can you look at our cash registers? IT says it's fine. Well, we go on there, they have a botnet on, they're doing bitcoin generation, so we have 40,000 of them generating bitcoins. And there's that data right now. What was funny, a ton of money they're making, that kind of money, that way. Nation states: if you saw what the White House said yesterday, they figured out, with the Russians again, they're after the intellectual property. So all of that activity goes across the internet, so who's looking at that, besides the NSA? Now, anybody seen Norse, with their cool

little dog, yeah, it's pretty, right? There's about ten vendors that put that out there. I had customers that put that up on the wall: "Scott, it's awesome." A customer said, so we have that and two other vendors up on the wall, it's awesome. So remember those little points Norse has when they say, like, eight million sensors, or whatever, maybe all over the world, and they come in, they pitch their deal: we look at everything everywhere, wherever a major goes we pursue it around the world, and their intelligence is original, which means they're finding it, they're not going out and OEMing it from someplace else, they're generating that data, they are seeing

that guy trying to go over there and do something to them, and they're recording that and they package that and they're going to sell it to their customers. Then there are other ones that are like, that's expensive, eight million endpoints, we've got to manage all that data in this gigantic database, we can't do it. What we'll do is harvest data from what's available on the internet, package all this stuff up and offer it as a service to our customers: okay, Mr. Healthcare Company, we're going to watch data focused right on you. And it works; it doesn't work for some people. But so this is an example of some of the people, non-governmental, that are collecting this data, and we're going to talk about how

well we do things. So threat Intel, cyber threat Intel: if you're familiar with this, this is a sample of data that we see. We see an IP address, okay, great, this IP address. If you're in law enforcement you track known associates: you're committing a crime, we're going to watch you, you talk to him and you talk to him, you call him, you email that guy, and we tie it all together, known associates. We do the same thing with IP addresses: this IP is tied to that. Useful? Not, you know... we could tell that it's a DGA type of infection, but otherwise it's like it could be the same. If we get into something a little bit

more useful: okay, we've got an IP, we've got the date, oh, they give us the kill chain phase, that's kind of neat. For an attack, "that looks great, that's why I can watch this," so, great, you better know: we saw this IP talking to a US government host, it is associated with... so what? How helpful is that? You can have your analysts track that down. You know, many things I get, or used to get, my customers are like, let's go look, it's nothing. You only have a finite number of analysts to follow up on this stuff. But common threat intelligence: kind of raw, a little bit processed, not much value. Your buddy that has a

security company, there's all the raw data, and you're like, well, how many of these records? Are you kidding? A thousand? Some of your large organizations are getting, I think we're getting close to a terabyte of logs per day, so lots of stuff. This is an hour snapshot, you see, like, 100,000 K of ingestion: threat intelligence, raw data, logs, what is that, two million, something like that, in the last hour. Imagine just feeding that to your SOC analyst, now they would go nuts. So this is pulling in millions of IOCs, analyses, indicators every day: attacks, domains, text, any feed, [unintelligible]. So what? This exploit, that, [unintelligible] hijack, bad files, all kinds of neat stuff.

Take that data and categorize it, so if you're interested in something like that you get a feed of that data and you can work with it, you can manipulate it, you can ingest it into something useful. So this is just kind of a sample ingest straight from one vendor, two million hits, and using only some sensors, but could you imagine something that has eight million sensors, what kind of data they're seeing? You saw the earlier threat Intel with that IP address and that domain. And if your analysts can handle these... there's also threat intelligence in the form of this: this is, I think, HITRUST, so they give you this every day and you have to

deal with this. You know what a waste of time this is, because somebody has to go in here and pull out... now we have here this one: somebody uploaded 2 million credentials to a paste site. So if you do that manually, and I have, with 250,000 employees, and you've got to go through there and notify all 200,000 people that their credentials are posted out there, it's a headache. So this is alright if you're in a low volume environment, but in a high volume intelligence package, okay, you want to be able to take this and process it, ingest it and automate it, because otherwise we're going to get killed. This is useful for

speculative research, training, or if you have an unlimited budget with tons of analysts that can sit there and go through this.

Now, is threat Intel the same as everybody's thinking: IOCs, malware indicators, domains, actors, email addresses? Well, yes, but there's a lot of companies that are harvesting data. I have one company that wants to know what every single competitor employee is doing on Facebook, Twitter; they're scraping all the data off of that and ingesting these articles into a threat intelligence database where it's processed, and we have certain strings that say, you know, if it's that name and mentioning this and this and this, it pops up to the analyst. And it could be pictures, which is hard. So when you think threat intelligence: pictures, places, total context. So it's a real headache, a lot of data,

but once you have something like this working it actually works really well. This was set up to parse almost every news agency in the world that has a public feed, so large database, large amounts of data. Now I'll mention, if you look farther down... but when you're spending, some of you had, you guys were paying for a paid service, right? 50 grand? A hundred grand? Who's paying like half a million a year? 100,000, a hundred thousand, right. Does your boss make you go through and prove a metric? Okay. So I've got customers that routinely spend between 1 to 10 million dollars; they go, threat Intel, that's good stuff, go pay for it, and they pay for it, and

let's go week on time for this, and they paid two hundred thousand a year in renewals for this one; you've got ten of those, all of a sudden you've got millions of dollars. Crazy, absolutely insane. If you want to keep your job and you want to show value to the organization, which is what we should do, and keep the service, you want to be able to produce some type of metric. You know, you've got all this data coming in; we'll talk about how to do that. But all this data is coming in on your feeds, you're seeing all this; we've got a nice report, I don't have my glasses on, but we have tactical intelligence, we're being

fed data from maybe some vendor five years ago; we want to make sure it's active or inactive, and we have pending, where it hasn't been processed for an answer yet. You want to deal with it: do we want to do the work or do we want somebody else to do the analysis before we get it? Most importantly, false positives: most of the data that you're going to get is false positive. You're going to see tons of stuff, you're going to see this guy went to there, and what do you do with it? Is it actionable? Does it mean anything? No. Can you qualify it? No. A lot of times you have false data being reported to the threat intelligence vendor. It's all so different,

so much diverse stuff that comes in. Wow, I've got, let's say, 20 million pieces of raw data coming in per day. Most of this, do I want to act on it? Probably not. But I probably want to focus on this chunk here, to be able to say to management: six thousand pieces of high value, high threat intelligence coming in affecting us, and they paid for that. So you want to be able to say, yes, we took it, we ingested it, we correlated it, we matched it, nothing affects us and we're watching it. That's a good metric. And this one, you know, this is kind of where I look: I've taken 45, 50 different vendors, I put them all in here

and go, where am I getting my data from? I've got some vendor, wait a minute, I pay four hundred thousand dollars a year, but this is hardly anything; they're just taking the cash, money just keeps coming in, they're loving it. So when I get that metric, when the renewals come up next year, it's absolutely, bye-bye. Alright, you saw some data, you want some threat intelligence; if you don't have any, right, you know, where do you go? I can't tell you that; we can talk later if you guys have questions, offline, unofficial, not public, we can have a discussion just based on my experience, opinion of where your money should go and not go. I don't want to get sued, but

I tell you what, I've dealt with a lot of them and you can draw your own conclusions. [Audience question: could you, at some point before the talk is over, provide, generically speaking, a handful of threat intelligence vendors that we could research?] That's coming up. I want to talk about what's happening in this industry. I've been in this industry for 25 years, I've done SIEM work, I've done some of the largest implementations in the world for many, many customers, and the most exciting thing right now is actually being able to use threat intelligence, because before, collecting this data and processing and analyzing it and doing it in such a fashion where

I didn't have to have 300 people. Now there's enough brains, computing power and smart people that can automate this and consume it and display it in an actionable fashion. What's worthwhile? And this is why you're seeing such a big boom, a multi-billion dollar boom, in threat intelligence right now. You're excited, threat Intel, how do you get it, right? I deal with federal, international; I get threat intelligence from everybody and their brother. DoD, DIA: not bad, however, they're not going to give it to you. I mean, they've got some great stuff. I worked over in [unintelligible] and every day or a couple days you get that whole bulletin that comes down and says you will do

this to these people, in this data, boom. Beautiful, loved it: some analyst had already processed it and had an action to take, so we just went out there and did it, done. Can't get that out here. FBI: how many get the FBI alerts? Do they suck or what? You go out there and you get these FBI alerts and you're like, FBI, they've got to be right on the ball. Well, they're not giving it to us; they're giving us crap. The stuff that they give you has been out in the open source community for three or four months, and when they give you a list of IOCs, Google, Yahoo, and so on, you're like, okay, what do we do with this? Nothing, we trash it. But

I tell you what, in every organization I've been at, any time I get an FBI alert everything stops, everybody searches for those IOCs, and we write up a paper that says we found nothing. Same thing with NERC; there are these NERC alerts, there's all these different alert sets, they come from certain sources, and from a political standpoint you have to drop what you're doing, especially health care, and say yes, we searched for that. I remember the Sony one, the [unintelligible]; we had some internal site information on that, and guess what, we spent weeks digging through every single one of these acquired entities that we owned around the world making sure that none of that stuff was there,

but from a political standpoint they could say we looked for it. Now, we just looked for it; I said great, let's automate it, let's do all this work we put in, in an automated fashion, so tomorrow if it happens we're going to know. "We don't need to do that." Politically they covered their butt and that was it. The one thing that bothers me about the federal, state intelligence... by the way, anybody get anything from the state? I've worked in so many different states; a couple of them are not too bad, most of them there's nothing, there is nothing available for you. You know, I talk to them; there's not that big of a

group that I know. I mean, I speak at the New York State Cyber Security Conference; they have a big program, they have all kinds of stuff, they bring people in, and I'm trying to get Florida to do that, where they bring in all the businesses and share, but they keep telling me [unintelligible]. So when we look at the breaches, right, we have the FBI, we had tons of, billions of dollars in losses. Is anybody doing it? You know, where's the national initiative of putting something together, not just internally but from all the people that are coming after us? In 1993 I was working at a [unintelligible] company and they had gates, guards, locked down, and they couldn't

figure out why the French, Israelis, were stealing their stuff and coming out to the market six months ahead of time. Boy, they were just pissed, because they spent all that money. So I said, well, let me go look. I walk in: great cameras, got guards, you've got great physical control, and I look, I go, you've got these UNIX machines, let's see where they go. Well, you follow all these UNIX machines, the development ones, they connect it to the rest of the corporate network. Well, the corporate network was compromised by French, Chinese, Israelis, and so all that security is worthless. But that's 1993, a long time ago. But now it

happens daily. I can't tell you how many foreign nation states are going after the stuff that I have. I don't get anything from the FBI that's telling me, I don't get a federal or state response that's helping me out, and I know they have the data, and I know, nothing secret, they gather stuff the same as we do. I don't know, it bothers the hell out of me. Anyway, okay, so we can't get it from the feds, can't get it from the state; go to your vendors. And we love vendors, right? Big vendors, big box, as well as big BS. This is a very large vendor; if you have this tool at your office or corporation

you would probably recognize this. It's the same story from every vendor: we have the latest threat data, we do this, we do that. No, they don't. They're one company; they're either buying their intelligence from someplace else or they have a subset of what the community would have talked about. But it's big time, short: tell me a story so I'll buy it from you. And what happens is, unfortunately, you go through the companies, you go in now and you say, you know what, [unintelligible], politically they'll spend 250 thousand dollars on the latest, let's see, ArcSight package or RSA package or XYZ package. I mean, it drives me crazy,

big business, right? We talked about that earlier. Here's some good vendors that we've dealt with, and when I say good, they're only good if you hold their feet to the fire; most of these contracts are terrible. I can give you Dell SecureWorks: we did this with a customer. I said, you know what, we're spending eight hundred thousand dollars a year, we have so many consulting hours and so many analyst hours, we want to understand where the value is. So here's a quick one: let's take this latest threat thing that's kind of scary to us and let's let our own analysts do the research on that, time them, gauge the quality of their analysis, and

let's send it out to, I think it was, SecureWorks, CrowdStrike, iDefense. Eight hours later, no response, so they gave us four hours... pick up the phone, call: where's the, damn, oh, we're working on it. All the other analysts were done in about two and a half, three hours, wrote up some nice papers, had lots of data in there, and they said this is what's going on. These guys come back going... SecureWorks looked like they'd just Googled and put too much crap in there that we already had, and they probably did the best job, probably did a great job. [unintelligible] that's a lot of money if they can't

provide me more in-depth analysis than my on-site analysts, and I know that they're pulling from open source intelligence and their own sources, why do I spend eight hundred thousand dollars a year? And I've told many a company: get a couple of FTEs or contractors, preferably FTEs; you can get, for three hundred thousand dollars a year, people that sit there and do threat intelligence analysis all day long. And they go... but you say that word FTE and they're like, we don't have to use it, we don't have to use it. Anyway, so these are all pretty good, some better than the other, there's some more experienced, I guess you want to have a slight bunch of people, but it really depends on what your focus is on threat

intelligence, what are you going to do with that data, and we'll talk about that a little bit later, because your use of threat intelligence is going to be completely different from yours and yours and yours. So that's why you guys figure out, when you vet these vendors, what data feeds you're going to get from them. Oh, and the fun one, yeah: this one's paying 2.1, and none of the analysts used the service, none of them. One of them, one of them has a PI on staff, and all he did was, like, track his girlfriend, [unintelligible]; it's all he had, it's awesome. I mean, it worked out for him. Alright, I've got a lot of companies and they

said, you know, I just heard you say 800, 400, 100; we don't have the budget, or they can't get it, they can't justify it, or [unintelligible], all that kind of thing, from wherever they are, but I'm under budget. Well, you have a ton of threat intelligence data within your organization. Time and again people don't understand that; they're like, we need threat intelligence. Well, no one attacks your company? Your employees aren't doing stupid things? You don't have security controls? Really? I beg to differ. I know all of you have a firewall of one form or the other; if you have, like, some cool ones like Palo Alto or the new Check Points or the Fortinet, you're going to get some cool stuff.

You're going to get geographical data, you're going to get some domains, you're going to get some intrusion detection signatures, you're going to get a lot of cool stuff from that firewall: allowed or denied, that's great. Threat Intel: DNS queries, now that is awesome. People, do you ask, when you look at the DNS logs: have you guys ever had a DNS tunneling attack? Are they sucking out terabytes of data through DNS tunnels? Or somebody using your company in a DNS amplification attack, and you're blowing somebody off the network every week and you get a subpoena to appear in court if you keep blowing another company off the network? DNS, great data. I guess that goes without

saying, but nobody takes that data. It seems nobody has an idea of what threat management means. They don't take all of this data that you're collecting and they don't build the profile; they don't understand who, why, or what people are after; they don't know the types of attacks they're being targeted with, their own vulnerabilities, or the risk. So there's no threat profile of what the enterprise looks like. With this data we go: who's attacking you, how they're attacking you, and usually with what tools. No one's taking that data and putting it together, going, oh, it's the Chinese again, it's, you know, Mr. Wang over there, he's firing up this XYZ tool and now instead of going after these

five IPs he's going after the mail server today. You kill them off there, you block his IP address; oh look, he's at a place in Texas now, because we have a strict profile, you blocked China, now he's in Texas. But we know this signature, we know how he attacks, we know what he does; he's going to make a living just like us. This is awesome, this whole space. How many, does anybody have Invincea, anything cool like that? Nobody has it, huh? How about [unintelligible]? Nothing cool like that? I tell you what, look at the two products; you may put yourself out of business, but I tell you, it'll save the corporation a lot. Symantec,

Trend Micro, McAfee, you've got that, right? You don't think that generates a ton of logs? Awesome logs. I think people are like, how can you figure out where my lateral attack is coming from or going to? Like, look, I have McAfee logs, I'm getting the firewall data, I can combine that, I go, oh look, you've got a lateral, this machine is infected, this machine, this machine; look at the breakup. No visibility there, but we're collecting that threat data. Alright, [unintelligible]. Great data point: email. People don't follow their email. I forgot how many millions of emails we get every day at just one customer, so I think

it's like five million, if I remember, at a time, and there's, like, 97 point something blocked. Like, oh, what do you do with that data? Oh, nothing. Are you crazy? If you pull that... this is just a cool trend, a rich new one on some of these products: we take all the email blocks, you know, the phishing, "click here to say hi to Grandma," or "click here for your American Express" or your fax; those links are a gold mine. You take those links, we tie it into FireEye; FireEye goes up, crawls all those links. What does the FireEye MAS do, if you're familiar with it? FireEye MAS will take all of that information, feed

it up to the FireEye cloud, and guess where it goes: goes right to your FireEye appliance at the perimeter. All those zero days Symantec, McAfee, will never know; guess who's going to stop them? FireEye. And you've got that data that I don't know about, but again, [unintelligible]. And think about all the executables that you get; the executables, they go through, it depends. I mean, the first one goes through, we know that it went through and usually pick it up; when there was one that went out last week, there's a two-hour delay, right? That two-hour delay depends on your corporate policy. If it's an executable, I know a lot of corporations,

they say if there is an embedded executable we're not taking it; if it's a zip, if we can't inspect that zip, we're not taking it. Why would you bring that risk into an organization? I tell corporate, okay, you want to send password-protected types of stuff, great, but my IS staff, the security guys, give them that password, because it's going to be unencrypted and inspected before it goes into the organization. That took eight months to get approved, but there you go. Phishing attacks are, like, the number one most awesome thing; I do pen testing and I don't even bother doing pen tests anymore, because everybody's dumb enough to click on an email that I'll craft and I'll send them

something, and I tell you, I get the CSO, I get all these people, every single time. And they get it, they finally get it when I, like, do funny stuff to them; they get it. Until this stuff happens to your users, they don't get it: seeing is believing. So on your endpoint, the first one gets through; if it's an executable it goes down to a workstation, hopefully... if it's a zero-day, in fact, Symantec's useless, McAfee's useless, all those AV things are useless. They'll tell you we're thirty, forty percent effective; look it up, it's been useless for years. That's why I mentioned things like Invincea, [unintelligible]. There's a big defense contractor that was getting nailed all the time and they were told

by the government, said one more time, you're gone, no more business with the federal government. They put in Invincea across the organization; their incidents went down to zero. Everyone is starting to virtualize their applications. Application whitelisting with Bit9, okay, so what; we're using Carbon Black with that, so what. You better start virtualizing your Outlook, your browsers, these different applications, otherwise you're still going to get nailed time after time after time. AV activity: pull that data in, number of viruses, types of viruses. Proxy activity: are people trying to go out to the blocked sites ninety-nine thousand times to a [unintelligible]? Man, that's good threat intelligence to know. This thing here, this is awesome: how many of you have

a honeypot? A couple, right. Are you using Modern Honey Network or are you doing your own? Okay, I'm lazy, right: Greg Martin, those guys over at ThreatStream, put together the Modern Honey Network; you load it up, you toss it out there, it's awesome. I go to all these free web hosting services, I have honeypots all over the world, free, it's awesome, and they feed me all kinds of data, whether it's the Chinese brute forces, the Chinese malware, the spammers, the phishers, all that data you're being fed in here. I take these, I've got a bunch of old IT resources, I toss them all the way around my perimeter; they're like, well, what do you

call it? What's our attack situational awareness? [unintelligible], you know what, that sucks, doesn't it? We put that out there because we knew the attacks that were going out against the assets that we're logging, but we didn't have a complete picture of all the attacks that were occurring against all of our subnets throughout the world. We have a ton of dead machines, tons of IP address space; load it up there, we have a couple honeypots sitting on the perimeter, all of a sudden now our situational awareness just exploded. We started seeing stuff we never thought about, we started grabbing malware, zero days, and all that data is fed into

our Collective Intelligence Framework. Awesome. Don't forget your perimeter routers and switches; they're sitting outside the firewall, tons of stuff, good actionable intelligence that you can use later on down the road, and just saying, here, I found this little thing on the internet. If you're in health care, [unintelligible], and energy, you have groups. I get on these calls with all the energy companies in the United States and we're starting to collaborate; however, a lot of them are deathly afraid to tell anything that happened. Getting people to talk about incidents at their company: there are frameworks to allow a limited amount of information; if anything else, just say, you know what, we observed this type of activity. But let

people know: hey, there's this malware, there's this type of activity, and share it, collaborate, talk to other people wherever you can talk, share that information. Absolutely vital that you do, because if I'm getting attacked with it, pretty much you are going to get the same thing, and I see data from many, many different types of entities; a lot of it is, for example, written by the same people that are very interested in us. Alright, so, what's in your wallet: open source. I love open source intelligence, to a point. Last night I looked: there are a hundred and seventy-six open source intelligence data sources. That's a lot of data. There's a lot of people that are very interested and have dedicated

a ton of resources to collect information and share it. On the screen here, this is the Modern Honey Network sample; if you load it up it comes with a nice GUI, you let it run on your home router for less than two minutes, you will start seeing people bounce against you, and all that data is yours, you can do your own stuff with it. But 176 open source data feeds: grab it, use it, it's there, it's free, but you have to do some work. Okay, so you've got the data that's in your wallet, right, in the organization, you've got all that data being sucked in, you've hooked up to 176 open source data feeds, and you're getting blasted, I hope, with

data well we did Nike address how many people are analyst work okay don't you love getting oh this is bad he still went to a bad site you get a ticket on that you're like you go to that thing you do your research find out there's three and 67,000 domains on there what's the point there's nothing else you have an IP address there you go okay that Gator splicing don't care there's three and sixty-seven Chinese origami sites less blocking awesome the one that I'd be like a group the investor with my type is a saint a business partner their interim pen testers who are awesome they once who scanned a country italy and had the Thai

government call us what are you doing they decided to scan our internal corporate network not realizing that there was a nap between us and a large financial client they're scanning away their get their stuff you're going with pen testing Oh call from the FBI and the big bank one you guys attack well you know what the bank block their IP address you only need millions of dollars of transactions that they not below for those two days so we got to think about that it's part of the whole quality thing say thing the email addresses email addresses are very valuable if you how many people use multi go multi goes awesome right you throw an IP address in

there and you throw it in error you'll see that that guy on 450 domains and the more shitty said now I got a bad guy and I got a list of all 450 a bit she demands an item why no problem so don't overlook that email address fishing take all those down but make sure the qualities they're going to validate that this IP address staying here this is another thing we have 22,000 clients we're going to a website on port 8443 we know is that website but we know that the analyst can't hand it off to the sock much less to the organization for fishing off the network because they can't tell you typically organization

your job is to say this machine is compromised we can prove it this is Miss and then we'll take it and they'll actually do something with it trying here but this thing is going up 40 80 or four three so now you get pcap you're looking at porn is both got no problem 443 how many people are doing SSL decryption yet I have one thing a lot of my customers now after in the US they've had if their customers are not in the US they're blocking the rest of the world they don't care we don't do this channel and Kazakhstan blah blah blah whatever it is they're blocking everything anyone deal with it it's costing them way too much time I got one

of those a lot of business in China we see 300 machines going to try on for 42 44 3 you know how it's going we're not doing SSL decryption it says it's bad we look at threat intelligence a base well 5050 I can't go up cold two two three four machines off the network figure out that their listen to music it's tough it is really tough but as a solid decryption is coming to most corporations because let's never wait an extra chilled raita well it's nice dns says these display okay are you pen test first angle most these cupcakes are so sloppy you go in there and you're sucking all the data out and you back

absolutely and then I need to monitoring that their baseline for three traffic should be like this right there just like this and then much less than two o'clock and saturday or sunday works like this they don't have that threatened toast said they don't they're not pulling that floated in about trending porch about trending through the traffic that's actually fail now our indicators we left dealing with those but the actual now when you run through we took a shower we ran through Joe sandbox and so there's other ones and we got three different cells to headache so you want to get down to it is an actual or false positives in the floor only champagne and orange salad ate the source reporter

all right so as you go through here and kind of try to build this and ports value source necessary support so what source destination for an activity keep building up to get the value you kind of build the context of the threat I tell intellect initi and activity and the history things that are out there imagine it to what's going on in your corporation you're starting to get something there with the Dale all right so what do you do with it if you're not using you better does it tell you away is use daily indicator to compromise threat intelligence is post later decided the problem is most companies don't have time and you're authorized to do

anything with threat intelligence with your company or share that clean plate and the most important question is I do it all this stuff's out there free to do it except your ability to execute how do you process it how do you ingest it analyzed for late respond and report on it how do you prove that's worth anything you do this show management that you save them a breach worth X dollars stuff and then how do you react to it you get the threat intelligence data now because you're against the response program to deal with some of the stuff that you're finding that's always fun people run around with their heads off screaming you're getting the

feeds there are you can drop by threat intelligence that you can just are excited and tell our say has first launched a law you gotta pay up baby it's not cheap not keep it all some of you may have play around Collective Intelligence framework on google great learning about cozy years ago during the commercial ventricle treachery most of things now are going into the Duke we can just a lot of data into do we can query it a good website three hours Purdue 15 seconds but you have something else how to implement it how to congestion how to protect the data there's a lot stuff in turn to see these members aren't scared of this

because people are going for free biggest problem is suggestion two million we've got very about 2.3 million an hour I'll pass you suck that into your database can you normalize it so you can search it you got it the immobilization is the toughest thing you can deal with new poll is up there how can you consume it and how can you feel it I'm going fast as I don't have a couple minutes left quiet 15 don't give me that five okay tenor all right so this is kind of an example this is the collective intelligence framework and up here have corn your feet your firewalls your routers or switches all that Gators come in it's going to collect intelligence

favorite server you got your public face while you're hosting sources you can presenting the data is there so what I'm on a private right now I am logging we have to get like 15 petabytes of data to deal with their law did your water what do you do it then you get like free now the price tag on is millions but they wanted me to quiet actually do log they forgot that water monitor part so you get down to here may collect intelligence trailer now you can query it you see something happen here now this machine is talking with that boom type it in it BAM here's all the strength how is the stuff the whole

history about someone you've got that but that's not what you really want you can't afford to have a ton of analyst sitting around with manual looking things up doesn't work get on the model here we got some collectors we're pulling in from facebook paceman reddit Twitter blah blah blah a lot all over their net or second that stuff then we're going to do and we're actually doing something thing we're logging massive amounts of data French some data but we push a lot of that data we developed a used a solution what's he using plus when would we want to go about and one of those data elements that when you need so we'll pull in that

game goes into HAARP site and I get the red correlation rules that says if this happens yeah this is a very common framework that you're starting to see being developed because no one wants to spend three billion dollars on commercial salmon in most commercial Sims when I start talking 300,000 to 500,000 events per second you know they have to go use the restroom it scares them it really scares them all right so now we collected it we've ingested it we don't sound cool one of the things that we're seeing out here now and if you're a federal government or you're on a cutting edge one of your shared data now magically through a common format sticks

cybot actually which is free you can upload all kinds of cool stuff Bishop your emails indicators I PSP caps we're taking tons of data put it into this bridge sultra has like a vm you can download and play with you can suckle this day to end this now we got this guy is tied to all these things and I like to take this data and say share this to all my people my health / share this to all my people in the feds sharing data collaboration is going to save your bacon hey that right now it's free this is magic by the way if you have a sim developer that can write very great correlation rules where

your side people aren't pissed off because there's so many false father very good people anybody great piece of Intel it says I'm going there you know that if you're going there is bad no question by your type you're right duel and says this business we know it's bad it's like we know there's no magic take a little piece of magic pure magic is turning around and taking multiple pieces of intelligence and activity and time that all together where you at 2.3 million events per hour your son can't handle that you need a sip filter kool-aid get down to the point where you give them very actual direct and interesting intelligence but they could have done otherwise going to be in

trouble one of the things I kind of skipped over remember target they all got the fire I learns does it happen they weren't looking at the laws we can ask me do their liability do not collect data that you're just going to sit there and do nothing with think about that yeah we at the data yeah we saw we were breach we didn't feel like looking at do anything with it attorney about that see how that works out anyway threaten tell you not do no harm remember the UPS hack is it last year this organization said our policy is that organizations hacked we block their whole domain if I QPS calm Paulette hurt leather with me so when

you do it please validate a trip common sense that we're eight members of understanding with senior management says this is what we're going to do when we see this really bad stuff they go deal good sign here so we have a block ups type of activity anyone approach this that's what we've redone that is our standard operating procedure so all that data not only to feed that to the sample we have one ton of money but take that data feature-rich send to your iron for your proximus with bad domains bad eye peas bad stuff and it goes to a lot though you can publish a list and palatal grab that say how this bad stuff

we pulled back so populate the firewall to say pocket take the night Jessica tree I read cuz my distance repel all the time based on threat intelligence and I'm that's understand where I push up or great intelligence of do semantics you can't find anything you push it back down it pushes to all the clients in a first it's a way to help them help themselves and were completed active with us and streaming lynxes of energy wow we know that people an RSA likes to be on our side but we're stuck with that five minutes left any questions done
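The pipeline the talk sketches (feeds in, normalize, validate, push a blocklist to the firewall/proxy) as an added example that is not the speaker's or the Collective Intelligence Framework's own code. The three feed formats, the partner allowlist (the "don't block ups.com" lesson), the shared-hosting table (the "367,000 domains on one IP" case) and the thresholds are all constructed for illustration.

```python
"""Normalize mixed indicator feeds into one schema, drop junk, emit a blocklist.
Constructed example: feed formats, allowlist and thresholds are made up."""
import ipaddress
import re

# Constructed sample feed: three sources, three line formats.
RAW_FEED = [
    "feedA,203.0.113.7,c2,85",                    # CSV: src,indicator,tag,conf
    "feedA,203.0.113.7,c2,85",                    # exact duplicate
    "feedB indicator=evil.example domain conf=60",  # key=value style
    "feedB indicator=ups.example domain conf=90",   # a business partner
    "feedC 198.51.100.9",                         # bare indicator, no score
    "feedA,not an indicator,scan,70",             # junk line
]
ALLOWLIST = {"ups.example"}            # constructed: partners never auto-blocked
SHARED_HOSTING = {"198.51.100.9": 367000}  # constructed: domains hosted per IP
MAX_HOSTED_DOMAINS = 1000              # above this an IP is too noisy to block
MIN_CONFIDENCE = 50                    # constructed policy threshold
DEFAULT_CONFIDENCE = 50                # unscored feed entries get a neutral score

def classify(ind):
    """Return 'ip', 'domain' or None for anything that is not a usable indicator."""
    try:
        ipaddress.ip_address(ind)
        return "ip"
    except ValueError:
        pass
    return "domain" if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", ind) else None

def parse_line(line):
    """Parse one feed line into the common schema; None if it is junk."""
    parts = line.split(",")
    if len(parts) == 4:                       # CSV format
        src, ind, conf = parts[0], parts[1], parts[3]
    else:                                     # key=value or bare format
        toks = line.split()
        src, ind = toks[0], toks[1].removeprefix("indicator=")
        conf = next((t[5:] for t in toks if t.startswith("conf=")), None)
    ind = ind.strip().lower()
    itype = classify(ind)
    if itype is None:
        return None
    score = int(conf) if conf else DEFAULT_CONFIDENCE
    return {"source": src, "indicator": ind, "type": itype, "confidence": score}

def build_blocklist(lines):
    """Deduplicate (keep highest confidence), validate, and group by type."""
    best = {}
    for rec in filter(None, map(parse_line, lines)):
        if rec["indicator"] not in best or rec["confidence"] > best[rec["indicator"]]["confidence"]:
            best[rec["indicator"]] = rec
    out = {"ip": [], "domain": []}
    for ind, rec in sorted(best.items()):
        if ind in ALLOWLIST or SHARED_HOSTING.get(ind, 0) > MAX_HOSTED_DOMAINS:
            continue                          # do-no-harm checks before blocking
        if rec["confidence"] >= MIN_CONFIDENCE:
            out[rec["type"]].append(ind)
    return out
```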

You want me to tell you what I've seen? I've worked with kind of the new stuff, like Bromium. Yeah, cool stuff. I looked at it last year; it wasn't quite ready, it might be ready now, very promising. Cyvera, Palo Alto just bought it; I've deployed it at some extremely large banks. After three months, what they did: they didn't renew their AV, they took AV off of 186,000 PCs. Same thing with Invincea; they're not to the point where they trust, well, this one DoD customer, they don't have AV, they have Invincea. They did the painstaking task of application whitelisting, virtualizing all the apps that they're running. I tell you, all the guys that are doing all the response or doing something else: it will save your bacon, because AV doesn't cut it.

You know, like they bought one of my favorites, a boss clarinet works; they've got some cool stuff there. I don't know what anybody, a four, I couldn't tell you. Okay, let's go. Thanks very much, hope you enjoy the rest of the conference.