
Your IR Team: More than Firemen and Maids

BSidesSF · 2012 · 48:33 · 19 views · Published 2017-11
Category: Career
Style: Talk
About this talk
All organizations have incidents, and most do some level of reporting around them. Unfortunately, such reports often have little analytical value and are soon forgotten. The incident response (IR) program's contribution to risk management is largely underutilized. IR should not only "put out the fires" and "clean up the mess" but inform and improve security management as well. This talk provides tips and examples on how to make that happen.
Transcript [en]

I think the bright light is the signal to begin, so we'll go ahead and do it. We're going to talk about using your IR team, your incident response team, for something other than firemen and maids, and we're going to get into exactly what that is, what are firemen and maids, and what are we talking about here. First of all, my name is Wade Baker. We both work for Verizon; we've taken the Verizon logos off from this point forward so we won't bug you with that, but this is some things that we've been working on both in our work life and in our non-Verizon life as well. And my name's Chris Porter. I work for Wade, and

so we're hoping to give you a nice little entertaining afternoon and hopefully finish up and go find the beers here soon as well. So what's the standard IR practice? I think the IR practice really hasn't changed all that much since the NIST report that came out several years ago, I think it's NIST 800-61 or something like that, and so I'm going to walk through that process as they put it out. So one of the first things in the IR process is that preparation phase. A lot of this has to do with the policies you create, your IR procedures; you set up a team within your organization; you do

training. One thing that we talk about also with training is practice. Are we talking about practice? If you guys get the Allen Iverson quote from several years in the past. But we've noticed in this whole preparation phase that there's been a lot of deficiencies in organizations: many organizations don't have these policies and procedures, they don't have a team, that sort of thing. That is not the point of this talk; we're just walking through the pieces of this as we're going forward, so this isn't the focus of our presentation today. The other piece is detection and analysis. These are the ways that

organizations use to help identify that an incident has taken place within their organization. There's a combination of people and technologies to gain some sort of visibility that there's an incident taking place; sometimes you know when it's taken place, sometimes you don't. If you walk over to the RSA hall, there are myriads of products over there trying to sell you something to help you gain this visibility, help you identify these detection and analysis sorts of things. A lot of money is spent on this piece, but we see a lot of deficiencies in this area as well. Most breaches, for instance, that we've

studied as part of our data breach reports, third parties are telling them that these breaches have taken place. So there's a lot of space here; there could be an entire presentation on this part. That's not part of our presentation today either, though. So the containment phase: this is where I think most IR people spend most of their time. This is kind of the firefighting phase. It's Friday afternoon, it's closing time, you're getting ready to go grab beers and you're going to head off to the ballgame later that night, and then all of a sudden your mobile device, it used to be a beeper several years ago, now it's probably an alert to your

iPhone, says there's a DDoS attack, all your web servers are down, and so they're spending the weekend trying to get all these systems back up and running when you'd like to go about your regular business. In the IR team, if there's a malware outbreak in the organization, you're trying to contain it and keep it from going to your European operations, those sorts of things. So we've also studied this; there's a section in our report where we talk about breach discovery methods and a specific measurement of how quickly organizations can contain these things, and sadly it's an area that needs a lot of work as well. And

then lastly, or not lastly but almost last, you have the maid part of the IR operation. So you've got this incident, you've contained it, now you have to clean up this mess. You've got to make sure that the systems are no longer infected, you've got to clean everything up; it may be like taking things down completely and rebuilding from scratch. Sometimes you can never really get them all cleaned up, and these remnants of those incidents are there within your organization. And then lastly you've got this lessons-learned piece. This is what we're really going to be focusing on this afternoon: this is the retrospective of what

happened during the incident, the report that spells out the who, the what, when, where, how and why kind of things, the improvements that can be made to the organization, the processes and procedures that can be improved, that sort of thing. How many IR folks do we have out in the audience right now? Quick show of hands: when you guys do an incident, how many have this lessons-learned phase at the end of it? All right, we're going to go grab beers now, we'll see you guys later. Well, sadly, what we find happens is that it's not a true lessons learned but rather it's a documented description of the incident. It doesn't go through the process of

trying to find the improvements that can be made to the organization, but rather it's more of a CYA exercise, or maybe just a documentation exercise, but the true lessons learned from the incident kind of disappear. And if there is a report that's done, it typically will disappear onto a shelf somewhere or out into the ether, into a file server, never to be found again, hidden in the abyss of your organization, hanging out with all the other lessons learned that could have been learned. All right, so we've talked about this firemen and maids, containing, cleaning things up; we've talked about the problems that exist there and really taking these incidents that occur and using your IR

team to build some lessons learned. And I'm going to spend a little bit of time on the other side of the house, on the security decision-making process. So every organization makes security decisions. You have people that figure out what you're going to spend your money on, right? They're going to figure out what to do; they prioritize which threats or risks are most important to you, which ones need to be addressed, which ones can wait till next year, how you're going to go about doing that. They spend an incredible amount of time, right? And in my experience there are some ways that typically happens, but it does not have data in it usually. It's usually utterly lacking in

any kind of real evidence or real data. I have done some studies on this, I've been working on it for several years actually, and this is my six-bullet-point list on how ninety-something percent of security decisions are made. You can tell me afterwards if you disagree. So there's the adamant auditor. This is probably one of the most important ones, or most common ones. The auditor shows up; a lot of times they have no security experience, they're fresh out of college, they have this checklist, right, like it was written in stone, and if you don't meet everything on this checklist exactly as it's written down, you're done. And you can't convince

the guy that, hey, this control right here, we're already doing that, it looks a little bit different but it's accomplishing the same thing, right, it has equal value. "We can't check this off, so you fail." So this adamant auditor is responsible for a phenomenal amount of our security decisions. We just do it because we don't have any way to argue against them, and it's not worth it to argue because we're going to lose anyway. So that's number one. Peer pressure's another big one. This is kind of like the grown-up version of doing what the cool kids do, right? You hear that your peer organizations A, B and C are doing this new fancy gizmo,

control, practice, whatever it is, and, well, why not, we should do it, because they're like us and we want to be like them, and we don't want to be embarrassed if they do it and something happens to us; we would look bad, like we don't care, so we'll do it. Of course, the problem with that is maybe they make fantastic decisions; probably they don't. They're probably making their decisions exactly like you are, so this is just iterating down the chain of events to where people are following other people who are following other people, and nobody's really making a decision that makes sense to me many times. "Wouldn't it be horrible?" Anybody heard of

this? All right, so this one is incredibly common. This was the favorite of the executives out there. "Wouldn't it be horrible if" is the beginning of a justification that's going to waste a lot of money and time and effort, right? So think of some awful scenario that could go wrong if the planets aligned and all of these kinds of things; box that up as what we're worried about; we're going to do all of these things because we're worried about that thing happening, and it would be so terrible, it would be a business-ending event and we'd all have to be in jail and it'd be terrible. So that is a very common justification, right? It's this

fear-based scary thing. It focuses on impact more than it does frequency; we need both of them. So guru guidance is another incredibly common one. Every business has these smart guys that walk around; they all have opinions, and you just say, hey, what do you think we should do, should we do A or B, and they give you their opinion, and you just do it because they're smart and they're right a lot of times and I don't have any other better ideas. Poll the panel is kind of a version of that, except maybe you use several gurus. This is the Delphi method sometimes, right? There's nothing inherently wrong with this, but you just get a bunch of people together,

maybe it's in a boardroom, and you all, I don't know what you do, you play cards or something like that, you come to a decision and that's what we're going to do. You kind of get there, I don't know. And then the pet project, this is an issue too. So the boss just read something in a magazine about this new thing, or they read the analyst's report about it, or they see it out on the RSA floor, and they come back and shove it in your face, saying, hey, we're doing this because it's important. And you say, yeah, but what is it? I don't know, we're doing it because it's good, trust me, right? So

this, and you cannot convince them that it's not worth doing, so you just might as well do it. So a lot of these things, I realize, are pretty tongue-in-cheek, but seriously, does anybody think that we don't make a ton of security decisions on this whole notion of fear, uncertainty and doubt? Right, this drives a very large proportion. Maybe your organization is not like this; I hope not. But again, the ones that I've worked with, those tend to be the most common ones. It would make a lot more sense if we used data to drive our decisions. If we could base a little bit more of our security decision-making process on data, this guy would look

really confident holding this data thing, and he could make his decisions and do all the stuff that he needs to do. So where are we going to get this sort of data within organizations? It's one of the biggest problems that we think our industry in general faces, this lack of data, lack of meaning of that data as well. And so we're going to take something from Doug Hubbard here about finding that sort of data. This is all part of his book, How to Measure Anything. You've got: your problem isn't as unique as you think; all organizations have

this problem, this lack of data. You have a lot more data than you think, and we're going to get into that here a little bit more. You need less of it in order to make these decisions; you don't need to have perfect information. You can allow a certain amount of uncertainty in your information and still gain meaning from it, and there are a lot of simple measurements that can be made out of this. So I'm going to steal something from Bill Parcells, a Hall of Fame football player: you are what your record says you are. That's one of the biggest indicators of a football team, for instance, is

how many wins they have, how many losses they have, and who they are as a football team is really about the record. If you're eight and eight, you're not a playoff team, for instance. Well, to play off that a little bit: you are what your incident record says you are. Incidents within your organization are one of the number one ways that you can really find out how your information security program is going. At its root, an incident is some type of failure. It tells you about your threats, it tells you about your losses, how you've dealt with them, how quickly you've dealt with them. It's a true outcome-based

measurement of your program. But we've got this problem. We talked a little bit about our firemen and maids earlier, our IR team, and then we've got this other part of the organization who make these security decisions, and there's this wall between them. They're not at the same table when these decisions are made, and so this information never crosses over to the decision-makers, this sort of evidence or intelligence that can be used to make these decisions. And so we say, Mr. Gorbachev, tear down this wall. All right, let's talk about that. So some of you are probably familiar with the Data Breach Investigations Report. We do this thing

every year. There's a group of folks up there who we work a lot with, and we all spend a lot of time on this, and we at least hope it's somewhat worthwhile; if it's not, then the point I'm trying to make today is really destroyed. So I just want to take a step back from IR teams and responding to incidents and collecting data in your organization. I'm not going through all the reports, so don't even... I'm not showing you any statistics from the report. Actually, that's one lie; I have one slide on that. What I really want to talk about is what this represents, right? The Data Breach Investigations Report uses as its

primary source of information security incidents, and the primary suppliers of that information are incident responders. We have a group of people that show up and they do their engagement, they collect all their evidence, they write a report, and they file that report. The team gives that report back to the clients to say, hey, this is what happened. Now these guys, we spend our time taking that report, combing through it, looking at it, analyzing it and seeing what we can learn from the report, to try to do this lessons-learned phase that we talked about that was broken. So again, going back to the typical incident report: it's a narrative. It says what happened; it's very good for describing

what happened in this security incident. What it's not very good at is helping you count things and create metrics and statistics and do quantitative analysis over time, right? You can't really count that. I guess you could do a word search and count how many times you saw "backdoor", but just ignore that for a sec. So what we've done in the data breach report is we treat every incident like this: an incident is a series of events. It's a series of things that occur, and if you broke it down into its smallest parts, we're interested in the major phases that occur in this incident, and we try to collect the agent, that's who did it; the

action, what that agent did in the incident; the asset that those agents' actions affected; and then how the asset was affected. So we have these four A's, we call them: agents, actions, assets and attributes. And you can see the same incident, we've VERIS-ized it; we've turned it into something that's looking a little bit more like metrics, right? I'm going to get to the point where we get to lessons learned in just a minute. So this first phase right here is the incident scenario. This first one is the phishing email, and it's got some malware on it, and you trick somebody to click it, bang: that's an external agent, a social threat action against a people asset. Yes, people have information, and they process

and store information, so we treat them as an asset. And the integrity, that's the security attribute of that person that's been compromised: you've caused them to do something they wouldn't have done; it changed their behavior. And then there's external, malware, user devices, etc., etc. The point is that if you look at this, there are lots of moving parts in this thing, right? There are external agents, there's even an internal guy that commits an error over here, there's hacking and malware and social. Most incident taxonomies that I've seen are maybe one-dimensional, right? They say malware, or intrusion, or something like that. We apply these things to it, rather than, hey, this incident can be thwarted in

more than one way, right? I can maybe do some training and awareness on that E1 phase and keep that guy from ever clicking on the email. Maybe I can filter that thing out. Maybe, after the backdoor's installed, I see it dial out, beacon home, and I can see that outbound connection, that it's from a system that's never done that before on that port, and stop that thing. So my point is there are lots of ways that we can prevent this, and this is the reason that we're analyzing these lessons learned, right? So if you do that for one incident, you can imagine doing that for a hundred incidents, right, or 855, which is

what we've done this for in our next breach report, which will be out, little advertisement here, soon, not far away, is what I meant to say. But anyway, you can imagine doing it for a hundred, right, and we can see, hey, how many of our incidents are external versus internal, and how many involve a social engineering aspect versus malware and hacking, how many infect user devices versus servers or other types of offline data. And we're building up this knowledge, this repository of lessons learned of what happened. Now, again, this is something that we've done, right? I like to think that we have proven through these reports that you

can take IR data as a primary source and turn it into something that maybe decision-makers could find some value out of, right? That's one of the things that we've heard, is that decision-makers like the data breach report because of the way they lay it out; it shows them which threats occur most often. I'm not saying it's perfect, but it's some data, right, and it's supposed to improve the decision-making process. So I think we've done that at a community level, incidents that Verizon has responded to, or the Secret Service, or the other people contributing to us, and the question is really how can a single organization implement the same type of process, right, learning from

incidents, figuring out lessons learned and what to do from now. So how can your organization do this and create a data breach report, or an incident report that Wade was just talking about? So one of the first things I think we have to do is define what an incident is. It seems like a rather simple thing at first, but it's one of those things that if you truly want to measure something, you have to strictly define what it is so you can measure it. A lot of organizations have a broad definition of this sort of thing. Many organizations only think of

computer intrusions as being incidents. Some organizations think about downtime as being an incident, especially if you're some type of retail organization where you want to have constant uptime and you have your customers constantly buying things. There are also organizations that count an incident as any IDS alert that comes back, which is a lot of counting, because a lot of times those things will include lots of false positives, that sort of thing. So what we want to do is, we have a definition that we use, and something that we think is fairly simple: it's an event that compromises a security attribute, the confidentiality, integrity or availability, of an

information asset. And as Wade talked about earlier, the types of assets that we're looking at within an organization, these are all assets: it's the servers, your network devices, your end-user devices, your people, offline data as well within your organization. And we're also talking about different threat actions; we're not just talking about hacking and malware sorts of incidents within your organization. We're not talking about even specific threat actors, like we only count an incident from China or only activists, that sort of thing. We also want to have this broad definition of even environmental threats; if a hurricane or a tornado knocks the power down, we want to be able

to count that incident as being an availability incident within our organization. The second thing is you've got to make sure you have an incident response team. I've purposely subtracted the C here, because a lot of times we call this the computer incident response team. Well, we don't mean just computers; we're not just responding to these sorts of electronic incidents but all sorts of incidents. If it's a document that's gone missing, we want to have that as being a sort of incident that we can collect metrics upon, and you need to have a team from all parts of the organization, even including folks from maybe a disaster recovery team and BCP

planning teams, physical security for instance as well, and your traditional, more computer incident response teams, all together as part of this big team. I want you to use VERIS. It's free; it gives you an easy, structured way to take all of those incident narratives and help you count those important elements and be able to compare them amongst other incidents that you have within your organization. Oh, and by the way, again, it's free, so there's nothing you have to pay for. So a little bit about what this might look like, right, what exactly are we talking about here? So we want you to take your firemen and your maids, your incident

response team, that's not derogatory, by the way; I'm not trying to say that all you incident responders out there are firemen and maids. It's a good thing, right? That's an important job. So anyway, the point is, let's get them to do their job, after they clean up the mess and put out the fires and do what they do: document something. Not just document it, but really think about what exactly happened here. Let's define this, let's classify this incident, so that we can store it in a way that we can learn from it in the future. If you begin to do that, I'll get to this thing in the middle here, you're going to build up a

historical knowledge that the decision-makers can tap into to make better decisions, right? That's the whole point, is to equip them with what they need, whoever they are, to make better security decisions. Would you rather have them do "wouldn't it be horrible" and all that other kind of stuff? Hopefully this seems like a little better way to you. This is something that we have done; we show this in the data breach report, but I want to use it inside of one organization right now. So what you're looking at: a lot of organizations just don't even know where to begin, right? When you start talking about threats, they don't have a really

good way to classify or organize threats. So how can you start counting things if you don't really have a good organization system? So what you're looking at here is this grid, and there are four things on it, those four A's that I talked about a little while ago. At the top, external, internal and partner are the three main categories of threat agents. Malware, hacking, social, misuse, those are all your threat actions. On the side over here, servers, networks, end-user devices, those are your assets. And confidentiality, integrity, availability are the attributes of those assets that you're trying to keep those agents from using their actions against. So this grid represents everything that can happen to

your organization, if we've done our job. If you find something that's not in here, that means we need to revise the grid and include it in here. But again, going back to what Chris was saying, there are all kinds of incidents in here. We want everything: all of your environmental stuff that takes out the availability of networks and servers, that should be in the same place as your malware and your hacking incidents that affect confidentiality and integrity of your user devices and servers, right? We need this big-picture view. It's all important; it all compromises an information asset, and that's our job, to protect it. And so, just to make sure we're all on the same page,

top left, the thing with a nine in it, ignore the nine and ignore the yellow right now: that is an incident that involves an external, some type of malicious software, that affects the confidentiality of a server. It's hierarchical; you can break it down into what type of malware and who is the external agent, all of that kind of stuff, what type of server, but that's another talk for another day. But the nine means we saw nine of those things. Again, an incident can have many of these events in one single incident, so we're counting things, so we saw nine of them. And wow, there's 656. These are results from, it's pretty close to an actual organization;

we did a little bit of switching up, but you see things like this when you begin to study incidents in an organization. Obviously we have something to work on: external malware affecting the confidentiality and integrity of user devices, right, desktops and laptops and things like that. So the point of doing this, of structuring it in a way that makes sense, is to put some boundaries on your universe of risks that you have to manage as a decision-maker, to give you some data to drive these decisions. What we're really doing here is starting to diagnose problem areas, things that keep happening, keep plaguing us. This says something is wrong with these areas; we need to do

something about them, or maybe we don't want to do something about them, but we need to know that they exist. Another thing you can begin to do, because it's not all about frequency, right, is to study loss information. And every single one of those, right, the confidentiality of your end-user systems is affected, well, that's going to cause some loss to your organization. Well, what does the loss look like? Is it a few dollars, is it many? All of these things would have a different loss distribution, theoretically, right? But you can begin to capture that information as well and tie it in, and all of a sudden you can know, all right, well, if I'm worried about these

types of losses, what types of threat agents cause those losses, and what actions trigger those things, and which ones are worse, more frequent, all those kinds of questions. The reason we want to do that, again, is to make better decisions. We think by doing that you'll make wiser policy, procedural, people, process, technology decisions than you would from the adamant auditor, or "wouldn't it be horrible", and poll the audience, and all of that other kind of stuff that we talked about at the beginning of this thing. And you can measure things over time. This would be incredible, right? Do any of your organizations, can you tell me, after you implement a control, what happens to your average incident

count on a monthly basis? Do you measure the delta of this? Maybe, let's see, some. But why not? Why don't we do things like this? Everybody says that's a bunch of crap, that what they're selling out there is not going to work. Well, why don't we prove them wrong, or right? Why don't we measure these things after we do a security change? Let's measure, and we should start to see things drop over time, whether it's losses or incidents, right? Yes, maybe it's something outside, maybe the threat environment changed, but that's my point: we can measure how effectively we're using our security money. Okay, what else can you do? So another thing you can do, after you've

kind of created this process where you're going back and you're you're looking at incidents as they come in and you're new you're capturing and measuring and doing these different things you also have an incredible amount of data in your organization in you know in the abyss as we mentioned earlier you can go back into those files dig up those description reports that we were talking about earlier that are describing incidents and kind of convert them into these sorts of metrics where you can create those those measurements over time and look at how your incidents have been have been over time another thing that I think is one of the most important ways of looking at incidents

within your organization and your ticketing systems how many incident responders or decision-makers out in the crowd here use like a look at helpdesk tickets as a measurement of of what's going on within your organization new pans it's really bright down here yeah I mean oh there's I think I saw one up there I think that was said Alex Wow Alex Hutton's here man this is a big day but but your help your helpdesk ticketing system you know if you if you have I remember as an incident responder working at an organization you know 10 10 or so years ago there was an outbreak of a brute force piece of malware and all of a sudden folks across the entire

organization were getting locked out of their accounts. Well, we had direct measurements of that happening, because everybody was calling the help desk and trying to get their password changed. So help desk ticketing systems are a very rich resource for these sorts of things. And then also, and this is in a very much ideal world, you have these sorts of decision-makers at many organizations following this same process. So people within organizations in the same industry, in different industries, each are going to have metrics that look different. There are different threats and different actions that are used against different types of organizations. We've seen in the breach report that, for instance, hospitality and retail organizations have a much different looking grid compared to a manufacturing organization or a financial organization: very different types of attacks, very different types of assets that are affected, different combinations of attributes affected on those assets.

So in a perfect world everybody would be doing this, and you could then use that as a way of sharing information amongst organizations. VERIS, for instance, doesn't have any identity in the metrics. You can capture them for yourself, but if you wanted to share that information, the only part of it that gets shared is what industry you are in, what size your organization is, and maybe the region that you operate in. That gives a way to look at this sort of comparative data, and then you get this massive grid that you can compare your results to. So for instance, say I'm part of some sort of information sharing program. I've got my grid from all the incidents that we've had, and then I also get a grid of my peers in my industry. What will be very interesting is what's different: are my peers seeing more hacking and malware events than I am? Well, why is that? Is that because I don't have visibility into my incidents, I don't know they're happening? That certainly could be the case. Maybe you don't know they're happening, or maybe you see that, if it's broken down even further, you can even compare this with different departments within your own organization. If you're one of these much larger corporations that have groups that compete in different industries, you can compare each of those amongst the other organizations.
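The grid comparison just described, as an added example that is not part of the talk: it builds a simplified VERIS-style action-by-agent grid from incident records, turns the counts into per-incident percentages, and lists the cells where a peer grid shows a markedly higher rate. The category lists, the sample incidents, the peer grid and the 20-point threshold are all constructed assumptions, not VERIS's own definitions.

```python
"""Added example (not from the talk): build a simplified VERIS-style
action x agent grid from incident records and diff it against a peer grid.
Category lists, sample incidents, peer grid and threshold are constructed."""
from collections import Counter
from itertools import product

ACTIONS = ("malware", "hacking", "social", "misuse", "physical", "error")
AGENTS = ("external", "internal", "partner")

# Constructed sample incidents: the actions and agents recorded for each.
MY_INCIDENTS = [
    {"id": "inc-1", "actions": {"social", "malware"}, "agents": {"external"}},
    {"id": "inc-2", "actions": {"misuse"}, "agents": {"internal"}},
    {"id": "inc-3", "actions": {"error"}, "agents": {"internal"}},
    {"id": "inc-4", "actions": {"physical"}, "agents": {"external"}},
]

def build_grid(incidents):
    """Count, per (action, agent) cell, the incidents in which that
    combination occurred.  inc-1 fills two cells: one incident, two actions."""
    grid = Counter()
    for inc in incidents:
        for action, agent in product(inc["actions"], inc["agents"]):
            if action not in ACTIONS or agent not in AGENTS:
                raise ValueError(f"{inc['id']}: unknown category {action}/{agent}")
            grid[(action, agent)] += 1
    return grid

def to_percent(grid, n_incidents):
    """Express each cell as a % of incidents so grids of different sizes compare."""
    return {cell: round(100.0 * n / n_incidents, 1) for cell, n in grid.items()}

def compare(mine, peers, threshold=20.0):
    """Cells where the peer rate exceeds ours by more than `threshold` points:
    the 'are my peers seeing more hacking and malware than I am?' list."""
    gaps = {}
    for cell in product(ACTIONS, AGENTS):
        diff = peers.get(cell, 0.0) - mine.get(cell, 0.0)
        if diff > threshold:
            gaps[cell] = round(diff, 1)
    return gaps

# Constructed peer grid, already expressed as % of the peers' incidents.
PEER_GRID = {("hacking", "external"): 60.0, ("malware", "external"): 50.0,
             ("social", "external"): 20.0, ("misuse", "internal"): 15.0}

if __name__ == "__main__":
    mine = to_percent(build_grid(MY_INCIDENTS), len(MY_INCIDENTS))
    for (action, agent), gap in sorted(compare(mine, PEER_GRID).items()):
        print(f"{action:>9}/{agent:<8} peers +{gap} pts: visibility gap or real difference?")
```

A cell that peers fill heavily and you never fill is exactly the "do I lack visibility, or am I genuinely not targeted?" question the speakers raise; the grid cannot answer it, it only makes the gap visible.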

Certainly, but this type of information sharing happens all the time between competitors right now. I mean FS-ISAC, for instance: you've got all these banks who are competing and trying to grab customers, and they're sharing this type of information, and some share more than others. Well, VERIS, are they using it? Um, I don't think so. I don't know. Yeah, hopefully. We've talked to them. And a lot of that information sharing is unstructured: have a little sip over drinks, "what do you see?", "I trust you", it's face to face, "it won't leave this room", all of that kind of thing. Or it might be more tactical sort of information, which is within VERIS as well: specific malware indicators or IP addresses, that sort of thing has a place within the framework as well.

So your question, though, is interesting. You asked what would cause them to want to do it, which is critically important to this whole thing, right? If nobody wants to share information, then it all just crumbles, and it's not worth it. So, one, again, go back to a single organization: you can do this, you just need buy-in at the top to say yes, we're gonna spend the time on it, and begin tracking these things. So there's value that can be had within one organization, again between departments and other things like that. A lot of organizations have already decided they want to share information. There's information sharing consortiums; FS-ISAC is one of them, Multi-State ISAC. They are groups of organizations that are committed to sharing information with each other. Obviously they don't want to divulge secrets or anything that could put them out, but I think one of the most important things is you've got to get to the decision-makers and show them that this is worthwhile, and we've been trying to do that. I mean, we've been publishing the data breach report for four, five years; this will be the fifth version of it this coming spring, and we're trying to put this data out there and say, hey, this is valuable, this is worth collecting, and we get good feedback on it. So we think there's something to it. You could do this too. Yes, it takes time and effort and all that, but it's worth doing, and if you share it it's even more valuable, because we'll start building up this knowledge that we all have collectively. Maybe that's a pipe dream, it might not work perfectly, but we are seeing institutions that are willing to share that kind of information. And, sorry, I see your question over there.

But if you followed the breach report, the first two times we did it, it was just Verizon data, right? We were the only organization we could convince to share this information. This year when we published, we've got the United States Secret Service giving us hundreds of incidents classified according to VERIS, anonymized and shared. We've got the Dutch National High Tech Crime Unit, we've got the London Metropolitan Police, we've got the Australian Federal Police and the Irish CERT. So these are organizations, they're governments; we're a private organization. We're sharing across that line. Again, I'm not trying to advertise here, but I'm saying that it can work, right? It works across those lines that people don't usually like to communicate across. It works across cultural borders; we're sharing with people in Asia-Pacific, and I think there's gonna be value in it. We got to look at more incidents in 2011 than we ever have in a year. So part of it's a value proposition: if I'm gonna share, what am I gonna get from it?

Appreciate it. So yes, now he's asking: the chart is great, but it's missing impact. That is because the four A's represent a threat event, so it actually doesn't have impact. The technical impact, if you want to call it that, would be the intersection of a security attribute (confidentiality and integrity) and an information asset. So if I can say that the confidentiality of this server was compromised, that's a technical description of an impact, and that's going to have some business-level consequences depending on what that asset is and how its confidentiality was affected. So there's kind of another grid; we have a different way to look at impact, but they fit together, if you will, at that attribute and asset combo. So you're correct, I don't in this slide, but maybe we can talk about it afterwards.

So he's asking about the basis of security intelligence. A lot of people at RSA are talking about security intelligence; are we doing anything with that? Is that what it is? Would love to. If anybody is interested in information sharing, we're always into that. So, unlike Alex, I didn't see that actually. No, no. Ah, so is it working, mate? Well no, actually I don't, but I've got 30 minutes tomorrow or some other time.

Yesterday he's running Senate bill, I bet the HR velvet, long story short they're looking, first Congress is looking for this TS IE which is expensive VIP and mixed sharing, all the ISACs, they're looking for this to telecom work, we're calling this a true Verizon, the more of us that are following the same. Yep, I would agree with that, and excuse me. [Laughter]

So there's several folks on our team up here, hiding in the dark areas up there. But speaking about intelligence sharing and just understanding a little bit more about threat actors and the type of actions that they have, we're recently getting to a point in maturity in our data where we can do a lot of pattern matching of these sorts of things. We were at Mini Metricon yesterday, and Jay Jacobs, one of our new team members, went through and talked about some of the patterns that we've been seeing when you drill down into this grid and see how they interconnect with one another: how malware and hacking interact with one another and how those things are used. There's some very interesting sort of patterns that come out, and when you dissect a little bit more and you look at, say, activists and compare it to organized crime, or look at more nation-state sort of actors, they have different types of attacks that they use, and they have different victims most of the time as well. So it's very interesting when you start collecting this data. Even if you do it within your own organization, or you get part of some sort of intelligence or information sharing group to be able to look at this, you get a much bigger story. There's a lot of depth to this when you start using it. Through all the slides, by the way.

This is, I'll admit, a difficult question, especially as we've kind of expanded this, right? We had the same question just internally when we were analyzing our own data: what are we calling an incident? Because some incidents affect two different organizations but it's tied together, so is that a separate incident for those separate organizations, or is it a mega incident or something like that? So these questions are hard, and basically we've gotten better at it over time, I guess, is the best answer. But there's still an issue. We get asked a lot: could I do this with my device monitoring, on my events there, could I use this process? And I'll be honest and say most of the work we've done is on an incident that has happened, that there's some kind of response to, but the principle can be applied to other types of incidents. But am I off track with your question? It's okay, right.

right

This is a really good question. There is a sort of time element involved with tying an incident together, and also, I know this is a drive-by download, so let's just say they got it all in one place. I mean, that's the time piece: if they happened all the same day, like you said, that could be, I think, considered one incident. But the same thing happens, we have this discussion all the time, with skimming devices. I know it's a totally different subject, but we get these things from the Secret Service where they go out and investigate and a bunch of ATMs at a bunch of different banks have all been skimmed. And so, okay, is that an incident? Is every separate bank an incident, every separate ATM? How do we handle this? So again, it's kind of trying to learn over time, and we sometimes go out and then we'll dial it back. And yeah, I'm busting that question pretty bad, but it's a problem, those kind of fringe things, and that is going to be a barrier to information sharing. But maybe we get better ideas as we start spreading it out.

Just to add to that: sometimes if you do this root cause analysis on, like, six drive-by downloads within your organization, you might be able to tie it back to a single event that started it all. Yeah, so for instance, if it was an email, like spam, that came in, so this would be some sort of social engineering, external social, that kind of thing, if they shared the first segment, then at that point we would probably consider that one incident that affected six different people, because each of them had to click on that link and go visit a website and get drive-by downloaded on their systems. And then there would be six separate desktop assets or laptop assets that were involved. But doing that sort of exercise when you're doing the lessons learned and understanding what happened is very helpful in determining that.

So the question is, what is the atomic level? We're not physicists, though, right?

I think we have one more. Okay, one question left.

So yes, VERIS is kind of a balance. You could count innumerable things; you could never run out of things to count about an incident, right? So it is a balance between what we're trying to capture. VERIS really has this decision-making thing: we want to capture what is useful for decision making, that is kind of the driver behind it. As opposed to, say, a malware analyst, who would probably find a lot of things missing from VERIS if they really, really wanted to drill down into malware. About malware, we want to know its main functionality and the vector, the way it got there, and then some other things like the hash and things that could be used to detect it. But going back to your question, yes, we kind of have VERIS Community, we call it, which is what we've put out as, hey, just the minimum set we think the community can use and get a good start on information sharing, and then internally we collect other data points that we use and track. RDF, RTF? Okay, right, okay.

Yeah, we've spent a lot of work in the last several months, it's way overdue, but we've got a schema now. XML is what we went with to start. VERIS has been kind of a wiki, which is not the easiest way to use it, but we're moving toward that, what is needed to share these things in large quantities when we start to lose control over who's putting in information. All right, thank you guys. [Applause]
