
Good? Oh, are we okay, enjoying it? Yep. How many Scousers in the room? Oh good, oh [ __ ]. That's ruined four of my jokes already, to be quite honest. So listen, it is an absolute honor; I'm going to jump down here because I keep walking in front of that. It's an absolute honor to be asked, or to be selected, to give a talk. As you may guess, oh gosh, as you may guess, I'm from Liverpool. I'm from Walton originally, no, not the prison, thank you very much, about three miles down here. And it is a joy to see a tech environment growing up throughout Liverpool, because when I was a kid growing up through the 80s, the closest I got to technology was somebody chipping your digital signal so you could get free Sky or free broadband or something like that. To see it as a cyber security discipline, and to see people working in it and it's starting to thrive, is an absolute joy. I unfortunately left when I was about 21, about six, seven years ago, and I now live in Bath, but it's great to come back home. It's still home for me.

Just before we go any further: Blues? Blues, anyone? No? Reds? Yes, here we go. Tranmere? Me and Kenny Irons went to school together; same school, Kenny Irons played in the same school team, which takes me on to my next slide. It's almost like we went to... it's almost like we were... too.

So a little bit about me. Two slides to talk about my background a little bit. I've been in security about 25 years, although I wanted to be a professional footballer like everybody in Liverpool. That's me in the blue, that's me in the blue playing at Wembley back in 2000 in the FA Vase final; got beat one nil, cried like a big girl, so like, gas going. And on the other side of the screen, that is me with, no, not two of the seven dwarfs, with Ant and Dec on a... it wasn't even a quiz show, it was a game show, Red or Black it was. And essentially you got to the end and if you were the last person standing you had a red or black decision for a million pounds. Guess which I chose? Yeah, because I'd have been here if I had a million quid, right? No, I would have been. It is great to come back home.

What this talk is about is the idea that vendors keep telling us that the more logs we collect, the more information we collect, there's got to be something in there for us. I understand that there is a use case for logs and log collection, right? I'm not saying we can't do what I'm going to talk about without it. What I am saying, though, is that a lot of vendors, and a lot of their hype and a lot of what they tell you, when they talk about data lakes and log collection and correlation and the other, is largely [ __ ]. Now, I will swear from time to time, unfortunately; I'm sorry about that. If you are offended by it, you've got about 20 minutes or so left of it and then you can get on with your day. After that it's, you know, I'm slightly inoffensive, I think.

So just to describe and frame the issue, and you've probably heard MSSPs trot it out all the time: what I want to try and dispel is this needle in a haystack nonsense, because it is nonsense. When today's attackers come into your network they are hiding in plain sight; they're hiding in the noise. So when you're looking for a needle in a haystack, you're actually looking for another bit of hay. It's more hay amongst hay, and how do you spot that, and how do you accurately and sensibly use your time and your resources to get to that hay? So that's what I'm going to be focusing on. This is almost akin to the old adage, the old story of the girl who wakes up in the morning, goes into the room, and there's a whole room full of horse [ __ ]. She wants a pony for her birthday, and she's digging through the horseshit with the mentality that there's got to be a pony in here somewhere with this much horse [ __ ]. It's the same type of approach, right? Too much swearing? Not enough? No? Okay, not enough, okay, well, you asked for it.

So some of the whys. Why is it difficult? One of the big ones is alert fatigue: the noise becomes the threat. When you collect every log that
is available to collect, and Splunk would love you to collect every single log that is available to collect, the noise becomes the threat. The attackers know this; we know this in the advanced threat detection side of things, and they quite happily hide in that noise. Alert fatigue is a common problem with detective controls. We still focus on prevention, and I know prevention is better than cure, but actually we need to get better at it. We need to have proper, true detection. We need to be a bit more like Columbo instead of taking what the screen says, so we need to be a bit more "and just one more thing". That's the only impression I ever do, by the way, that and Paul Daniels, but he's dead now so I can't do it.

So we need to get cuter about it. We need to understand the technologies we're being sold, or the technologies we're using, and what they can do for us, rather than what the salespeople have told us they can do, and we need to have a more proactive approach with those technologies. Listen, IDS has been about for years, right? It is a perfect example of our industry. Intrusion detection systems have been about for years. When Gartner came out in 2004-5 and said intrusion detection was dead, what did the industry do? Did we go away and innovate? No. We changed the D to a P and we called it intrusion prevention systems, and they were still the same things; we just stuck them inline. That's the absolute difference with it. I'm going to call you out a little bit, and we were talking about it before: we do not innovate in our industry enough. We need to start thinking outside the box, which is why, when Omri gave a presentation earlier today, I was so pleased that somebody started talking about serverless and the new ways of working. You haven't missed much, guys; I was just asking about really, to be cautious.

So it really is difficult to identify a hacker on your network. You know, gone are the days when there's a script kiddie who's banging on your front door or wandering through your network smashing bin lids together, telling everybody of their presence. Most hackers are going to, like I say, come in by the noise, bypass your controls and then start living off the land. If you don't know what living off the land means within an attacker context, it means what other tools are at their disposal on the network already, or on the systems, like PowerShell and things like that, where they can move laterally from machine to machine to where they need to get to. And we are really difficult with that, from a post-breach strategy, of actually being able to spot that, and actually look at the ways of being able to capture it. Sean talked about it earlier on, in TrapX detection-type controls or honeypots or honeynets, if you're old enough to remember them; one way to do it. Also, there's a lack of evidence. It's the who, what, why, where, when and how type questions afterwards. In this propensity to capture everything that goes on on the network, we're still not doing enough with answering those questions, primarily, I believe, because we're not focusing enough time on the skills and the expertise of the people who do it, and we want to rely more on the machines or the technology. You know, if you don't fully understand how to do what you're doing, you're not going to fully understand how to get the best out of that machine or that bit of technology. And then, ubiquitously, the lack of skills resource. We are in an industry where we hear this all the time; my wages aren't going up in spite of it, by the way, but we are in an industry where we hear this all the time, and I think it's a slight misnomer, because yes, we have a lack of skills resource, but I think it's the actual skills to do the types of things we want to do, because we're still doing the same thing we did 20 years ago and expecting different outcomes, and that, my friends, is the idea and the actual definition of idiocy. It really is.

So the "so what" question. Where we concentrate, throw money away... where we concentrate is on the dwell time issue. Now, it doesn't matter who you listen to, whether that figure comes from Gartner or whether it's FireEye; FireEye publish a 99-day figure. Anywhere between three months and closer to nine months is a pretty big average dwell time that somebody will be on your network, just pleasing themselves, wandering about, moving from machine to machine, not being caught. And when you
think it's not going to happen to me, well, you know, we only have to bring up the big names: Equifax, Target, Citrix, pick any one of them. A lot of them had this dwell time issue. I think Target, in fact, were told by Dell SecureWorks, who were their MSSP, I think, at the time; they told them there was some suspicious activity several times. Because of the alert volume, and because of the issue with the noise, they became anesthetized to it; they didn't do anything about it. They then became the subject of a massive breach. And more often than not, nearly 60 percent of the time, the indication of the breach, of the dwell time, does not come from an internal source. Citrix is a perfect, perfect example. It was an external security research firm that told Citrix about it, and then Citrix did some tap-dancing show about it being the FBI that told them. Yeah, depends who you want to believe there. But the real goal here is to reduce that dwell time, because studies have shown that actually, if you can reduce the dwell time (and you can't see that there, but that's from the Aberdeen Group, they did a bit of research back in 2016), if you can get it and contain it and spot it and do something within a day, the actual reduction in the cost to your business is magnificent. Get 60 days out and you've got a full business impact, whatever that may mean to the business, whatever those costs mean to the business. I'm not going to tie figures to that, because everybody tries to do that; every business is different from that point of view. I will say that every business is different, but they didn't need to do different things. Security, the way they hack, the way they get in, the way they move around, TCP is the same in every business, by the way. It is no different, no difference; no business is special from that point of view. So you can see trying to eliminate dwell time, or catch it as soon as possible, is an important side of things.

Three fundamental truths, I think, that we need moving forward in our industry. You need an assumed breach: you are going to be breached; if you're not breached, you will be breached soon. And why is that? Largely, the background image there, I know, the Great Wall of China, was supposed to evoke a castle, a perimeter approach. Organizations still have a perimeter approach to security. They want to build higher turrets, thicker walls, wider and deeper moats, when the enemy has either got somebody already on the inside or has learned to fly. So you're not defending against the right things, so you need to assume that. And if you're not going to be breached, guess what, probably your third party is going to be breached. Cloud Hopper, perfect example. Has anybody seen the Cloud Hopper report around the MSSPs? Thank you very much. If you haven't seen it, go to my LinkedIn feed, there's a bit on there. It was just released by the Reuters guys, really great bit of work, talked about the top eight MSPs in the world; every single one of them compromised from their third-party infrastructure, which then went on to compromise their customers. And these are the people you put your trust and security in, by the way. These are not small names, these are not startups you've never heard of; these are the big boys.

Another fundamental truth: we are the weakest link. Mitnick said it, there's no patch for stupidity. It's really true. It doesn't matter how many times I tell my dad not to click on a link in an email; I must have rebuilt his PC three or four times, and you know what, the one thing that you can never recover from is seeing your parents' internet search history. It just absolutely kills you, it really does, honestly. I just need a moment. And finally, insecure software's eating the world. If it wasn't, we wouldn't have a career. Bless them, bless those coders, but we still do it today, right? We still do it, you know. I can well... somebody will talk about GitHub, somebody will talk about code repositories, somebody... we're using somebody else's code most of the time, but we're accepting that that's okay. We're not doing really any checks on it holistically. We may stick three or four modules together and go, does that do what I wanted to do? Yeah, brilliant, let's not worry about everything else, because that's a bit of a cost we don't really want to think about at this moment in time. But as long as those three elements are there, you will be breached, people do dumb [ __ ] and we've got insecure code, we'll always have a career. Great news, folks.

So I've set a scene. I've given you an
idea of why I think just using a logs-only approach is a little bit, dark ages, can I say. What next? Where must we go from an evolution point of view? And it is evolution, it's not innovation, against something we were talking about earlier on. We are, I think most organizations are, in that left-hand side, and not doing that left-hand side very well, whether an MSSP or whether an internal customer trying to build their own internal SOC, which again puzzles me slightly. It slightly puzzles me why people want to reinvent the wheel. I get the use case for certain ones; I do get it for big organizations. However, I think a lot of it is hubris. I think a lot of it is a CISO trying to make a name for himself, most of the time, if I'm going to be honest with you, or a CTO. It's almost like, for those of you old enough to remember the Haynes manuals of how you fix cars, it's almost... but that's how I got through my mechanical apprenticeship, actually. It's almost like buying one of those and thinking you're a mechanic. It just isn't, okay?

So we need to evolve. We need to get more proactive. We need to be on the front foot a little bit more, and we need to ride that wave towards more of a hunting approach, going after the bad guys instead of waiting for the bad guys to come to you. That doesn't mean a hack-back approach, by the way. That means taking a proactive approach on your network, knowing what the signs of bad are and educating yourself on that, and if you can't educate yourself on that, partner up with somebody whilst you ramp up your education. You know, this isn't a sales alert for me: partner up with people who are good at that stuff. Threat hunting is difficult, by the way. You know, it takes a skill. It's not a product, it's a mindset. It's a hypoth... I can't even say it, it's a hypothesis that a threat hunter will come up with and then test. It's like the scientific method. You know, you're looking for certain things, or you're looking for absence of certain things.

But what does that mean for many organizations? I'll quickly scan through this so we get to the end. This is a maturity scale. Again, for a lot of organizations I've worked with, worked for and talked to, we're still in those bottom two left-hand sides: the architecture side of things, we might have a decent security architecture, or we think we've got a decent security architecture, and we might have some kind of passive defense, a SIEM if you will, an outsourced third-party provider collecting logs, not really doing anything for you, but you're compliant, right? Because compliance equals security, doesn't it? No? Okay, good. Where we need to move, from a maturity point of view, is over to the right-hand side. We need to get more active, we need to get more involved. You know, the one thing a business does know is what it needs to operate that business, and that can then translate into what's important to you, what you need to look out for, and if you are working with a partner you can discuss that with the partner, how it's going to... hot, isn't it? Just all of a sudden got a little bit hot. But you can discuss that with a partner, and how that materializes itself in terms of what you need from them. Don't be afraid to ask questions of them, by the way. If they come in and go, I've got this artificial intelligence blur or this machine learning blur, ask them what algorithm they use in their machine learning. Ask them the difference between AI and machine learning. Sales guys won't be able to tell you; they'll be stumped, and then you've got them, because then you've called them out on their [ __ ] that they regularly trot out, you know, and you should do it. I'm in sales, okay? We're all in... certain... we're not... I'm in sales, but I try and go into a customer and talk to a customer about the pains they have rather than trying to sell them on some kind of snake oil, you know, because it's my reputation at the end of the day. I may walk out the room, they think "slightly dodgy Scouser", half right, but my professional integrity is the only thing I've got in this business, you know. Pin your sales guys to the wall when they come in and try and sell you that type of stuff.

What more do we need to see? I think today our picture is this, from a spend point of view: most of the spend is on prevention; there's not enough on true monitoring and response capabilities. It is all about the castle analogy, the moats, the turrets, the prevention, even though
we've got a perimeterless environment now, and everybody accepts that, we're still thinking that way. We're not thinking holistically. We're not thinking who's the fourth, fifth, sixth, seventh link in that chain, on that process that my business requires, and where they... how would I spot and defend against that type of thing? A lot of the Gartners, the IDCs, the Forresters will talk about, even in this spend up: I'm trying to spend more on true and decent monitoring that gets you to where you need to be. Try and spend a bit more on response. You know, we all know about incident response teams, but how many actually have a decent one? How many train for this all the time? You know, all of this stuff; it kind of... having a slight semi-career as a footballer, it slightly amazes me that we do no training for cyber security whatsoever. We do no scenario-based training. We don't know how we're going to respond. We have a plan; it's in a drawer somewhere, but we haven't got a clue how we're going to do it once the sticky stuff hits the fan. You know? Yes, I'll...

So, and I'm with you 100 percent on that one, but how many of us have actually got some kind of a reference architecture to simulate attacks about our enterprise? The answer is very few. Why is that? To your point, we don't do it enough, even with the technology we've got available to us. Listen, you don't win six Champions Leagues by not practicing, right? No? No Blues, no United supporters? No? Okay. But you're right, you're right, we don't do enough of it. Our cyber security awareness training, it consists of one hour once a year, right, and you should then all be experts on it, should know what to look out for, what to do, what not to do, who to talk to. We need to do more about it, and it's always... in the industry, we need to be speaking to our peers and try and do it from a human point of view as well. Try not to be geeks about it. We can all fall into the geek side of things, but let's try not to be; let's try and talk to them as professionals and human beings.

It's an interesting thing. There's an economic effect called the Veblen effect, and essentially it translates into: if something costs a lot, it must be really good. And I see a lot of what organizations could be doing, they could do for a lot less than they're currently doing today, and do it much better than the service or the product that they're getting today. You know, look at Elastic, right? Look at ELK. They've just bought Endgame and they've just released the SIEM. It's all free. It's all free, you know. There's a lot of that stuff out there: set hunting, Bro, it's all free. You know, go and skill yourself up on it, go and learn, and then you will be less reliant on logs. You'll be more reliant on your knowledge. You'll provide a better service to your customers, or the business you work for, and guess what, you'll be more employable throughout the lifetime of cyber security. I keep telling my boy that cyber security wasn't available when I was a kid. When I left school, I left school to be a mechanic and fell into cyber security, and university, John Moores University over the road there, and it just wasn't available back in '92. It's great. Just wonder what our kids are going to get into that isn't available right now. You know, hopefully something in Europe, but that's a different conversation altogether, a little bit of politics. I was going to go all dedicated on your limbo... no, I won't. Five minutes? Thank you.

So just to back up, you guys can read that as much as I can read it out to you, and my eyesight's failing as I get older as well, but just to back up the types of things I've been talking about around the response, the detection, the splitting of budgets, the evening out of budgets, there's a bunch of quotes there from Gartner, Forrester, ESG and IDC. Some of it talks about the types of technologies that are reliant on logs, like SIEM-type technologies. One of our customers actually calls it "stupidly irrelevant electronic messaging", is what SIEM to them stands for, because they just get a barrage of alerts, and if it's red just fire the alert off, which comes back to my earlier point, the alert fatigue side of things. You just start switching that stuff off, not just the alerts themselves; you become anesthetized to it, so you're possibly missing stuff that you shouldn't be missing, because you're anesthetized to all that nonsense that's coming through, all those false positives. Okay. And I think that's all I've got to
say on the... any questions? I'll leave five minutes for questions on anything.

[Audience] How well do you think we're doing on our value proposition to the business, to your point about costs and whether the spend is in the right place, return on security investment, ROSI?

That's a long time ago. I don't think we've moved the needle. If anything, I think we've regressed, I'm going to be honest with you. We have more reliance on new technologies and new approaches; by the way, cloud is no different than mainframe, for those of you who remember it. It's the same thing, okay? And I think because of that we are so, so eager to consume new groovy stuff that we're actually still not getting the basics right. You know, I talk about the basics all the time. What do the basics mean? Understand what you're connected to, your network; understand who's accessing your network; and understand whether it's vulnerable, and then what the threat to your network is from now, and then do stuff about it. Doesn't mean patch everything all the time, but that's your critical stuff, or at least have a fair stab at it, right? You know, there's another... okay, cool, we set that up, I'll buy you a beer afterwards. Another question?

[Audience] So you're talking about the future, and you kind of have given up on the idea that developers might develop less insecure applications completely, like that's a lost cause?

Can we have a drug test? We all live in hope, right? We all live in hope. I'll even hope that Claudia Schiffer is going to drive me to work in a Ferrari. It's probably not going to happen. No, it's a very fair point, sorry to make light of it. My experience tells me that we're not going to do it anytime soon. My experience tells me that the good intentions we have in our industry, remember this is our industry, so we're kind of all in the room patting each other on the back, aren't we? Great, we're great in security, blah blah blah. Outside, people don't give a [ __ ]. They really don't. They will do stuff and not really care, and you'll go, what about that? Oh, that's a bit James Bond, isn't it? No, it happened last week. So you can't even point... maybe it's the climate we now live in, that evidence and facts are useless. Maybe it is. An absence of evidence isn't evidence of absence, right? So I would like to think we could. Let's do that. Let's you and I change the world for the better, okay? I don't mean we have to go and live together or anything like that, but, you know, yeah, with Claudia and the Ferrari, we're in. Any other questions? One? Stu, you asleep? No? Any more for any more? Thank you very much. I'll be here all day; we'll have a pint later on. Thank you very much.
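The hunting approach the speaker describes, a hypothesis tested against telemetry rather than an alert fired on every event, as an added worked example that is not part of the talk or the speaker's material. It puts the per-event "alert on every PowerShell start" rule next to two baseline-driven hypotheses for the living-off-the-land case he mentions: an account running PowerShell on hosts it never used before, and a parent process that never launched PowerShell in the baseline. The baseline and window events, host and account names, the 30-day and 24-hour periods and the three-new-hosts threshold are all constructed assumptions for illustration, not data from any real environment.

```python
"""Hunting for lateral movement in PowerShell process telemetry.

Constructed example, not from the talk: every host, account and
timestamp below is invented for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime    # process start time (UTC)
    host: str       # endpoint the process started on
    user: str       # account that launched it
    image: str      # process image name
    parent: str     # parent process image name


def _ev(ts, host, user, image, parent):
    return ProcEvent(datetime.fromisoformat(ts), host, user, image, parent)


PS = "powershell.exe"

# Constructed 30-day baseline: who normally runs PowerShell, where, and
# what launches it (scheduled backups, SCCM, a helpdesk user's own box).
BASELINE = [
    _ev("2019-05-01T08:00", "srv-bk01", "svc_backup", PS, "taskeng.exe"),
    _ev("2019-05-01T08:00", "srv-bk02", "svc_backup", PS, "taskeng.exe"),
    _ev("2019-05-03T09:12", "ws-012", "jsmith", PS, "explorer.exe"),
    _ev("2019-05-10T14:40", "ws-012", "jsmith", PS, "explorer.exe"),
    _ev("2019-05-12T10:05", "srv-sccm", "svc_sccm", PS, "ccmexec.exe"),
    _ev("2019-05-20T08:00", "srv-bk01", "svc_backup", PS, "taskeng.exe"),
]

# Constructed 24-hour hunt window: the same routine jobs, plus one
# account reaching hosts it has never touched, via a remoting parent.
WINDOW = [
    _ev("2019-06-01T08:00", "srv-bk01", "svc_backup", PS, "taskeng.exe"),
    _ev("2019-06-01T08:00", "srv-bk02", "svc_backup", PS, "taskeng.exe"),
    _ev("2019-06-01T08:05", "srv-sccm", "svc_sccm", PS, "ccmexec.exe"),
    _ev("2019-06-01T09:30", "ws-012", "jsmith", PS, "explorer.exe"),
    _ev("2019-06-01T11:02", "ws-044", "jsmith", PS, "wsmprovhost.exe"),
    _ev("2019-06-01T11:09", "ws-051", "jsmith", PS, "wsmprovhost.exe"),
    _ev("2019-06-01T11:31", "srv-file01", "jsmith", PS, "wsmprovhost.exe"),
    _ev("2019-06-01T12:47", "srv-dc01", "jsmith", PS, "wsmprovhost.exe"),
    _ev("2019-06-01T13:00", "srv-bk01", "svc_backup", PS, "taskeng.exe"),
    _ev("2019-06-01T16:00", "srv-sccm", "svc_sccm", PS, "ccmexec.exe"),
]


def per_event_alerts(events):
    """The haystack rule: one alert for every PowerShell start. Every
    routine backup and SCCM job fires too; that volume is the noise an
    analyst learns to tune out."""
    return [e for e in events if e.image.lower() == PS]


def hunt_new_host_spread(baseline, window, min_new_hosts=3):
    """Hypothesis 1: an account running PowerShell on several hosts it
    never used in the baseline looks like lateral movement rather than
    its own job. Returns {user: sorted list of new hosts}."""
    usual = defaultdict(set)
    for e in baseline:
        if e.image.lower() == PS:
            usual[e.user].add(e.host)
    new = defaultdict(set)
    for e in window:
        if e.image.lower() == PS and e.host not in usual[e.user]:
            new[e.user].add(e.host)
    return {u: sorted(h) for u, h in new.items() if len(h) >= min_new_hosts}


def hunt_new_parents(baseline, window):
    """Hypothesis 2 (absence as evidence): a parent process that never
    launched PowerShell during the baseline is new behaviour for the
    estate. Returns {parent: sorted hosts it appeared on}."""
    known = {e.parent.lower() for e in baseline if e.image.lower() == PS}
    hosts = defaultdict(set)
    for e in window:
        if e.image.lower() == PS and e.parent.lower() not in known:
            hosts[e.parent.lower()].add(e.host)
    return {p: sorted(h) for p, h in hosts.items()}


def summarize(baseline, window):
    """Alert volume versus hunt leads, plus the time of the first
    flagged event (the point at which dwell time could have ended)."""
    spread = hunt_new_host_spread(baseline, window)
    parents = hunt_new_parents(baseline, window)
    flagged = [e for e in window if e.host in spread.get(e.user, [])]
    first = min(e.ts for e in flagged).isoformat(timespec="minutes") if flagged else None
    return {
        "per_event_alerts": len(per_event_alerts(window)),
        "hunt_leads": len(spread) + len(parents),
        "first_flagged": first,
    }


if __name__ == "__main__":
    print(summarize(BASELINE, WINDOW))
```

On the constructed data the per-event rule raises ten alerts, eight of them routine jobs, while the two hypotheses produce two leads that both point at the same account and the same four hosts, with the first flagged event at 11:02 on the day it happened rather than months later. The method only works if the baseline period itself is trusted to be clean and covers the normal rhythm of the estate, so the baseline and the threshold are things a hunter chooses and revisits, not settings a product ships with.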