
So first, before I get started, I'm sure everybody in this room has heard of these two things, but I did want to ask: how many of you have heard of SBOMs? Okay. How many of you actually use them? That's what I thought. Now, when I gave this talk, or a very similar talk, in Australia, when I asked the first question one person raised their hand, and absolutely nobody used SBOMs, which was actually a little bit surprising to me. But I learned a lot on that trip, actually, related to how Australia handles their cyber security and the differences between the US and Australia, which I won't get into, but I just thought it was an interesting difference there.

Okay, so why we're here: vulnerabilities nowadays in cyber security are being introduced far left of effect and at scale. So with supply chain compromises, we see a compromise or vulnerability being introduced far deep into the supply chain, and the ultimate effect comes way later, when companies, organizations, teams take software or code, implement it into their workflows, and then all of a sudden this vulnerability happens. We've seen these a few times; I'm sure all of us in the room are familiar with some of these. Here's the definition from CISA of what a supply chain attack is, and some notable ones: NotPetya, Log4Shell, SolarWinds. We're all kind of familiar with these. But, you know, with AI and a lot of the automated tools and techniques, we're also seeing vulnerabilities being introduced not just far left of effect but at scale. We've seen talks, there have been lots of discussions about automation and how that's going to increase the rate at which certain strains of malware are developed and deployed. I highlight ransomware as an example, where, you know, we can spit out encrypted... There was a talk this morning, the plenary, that talked about ransomware. Ransomware's on the rise, it has been for a while, and here are some examples of those. I'm sure we all are familiar with ransomware, but just to go over it again. Actually, another interesting fact: the Australian healthcare sector throughout 2021 and 2022 was hit with huge ransomware attacks across the country, affecting their healthcare sector. You may have already heard of those; that was news to me, because I wasn't monitoring that. It was all the buzz when I went down and gave this talk there.

But really the thesis of my talk is what I said before, which is that SBOMs, supply chain attacks, ransomware, the advent of automation are just new waves of technology and capabilities that are coming about due to, or in response to, these types of vulnerabilities and the actions that these actors are taking. But there's nothing really in particular special about them. My thesis is that for these two examples, and all other examples of technology that we will use and implement and develop in order to tackle the newest trend in cyber security, we are never going to do as well as we could if our underlying data operations, what we do with our data and how we think about data, isn't as good as it could be. So we really have to focus on these really core fundamentals of data science in order to get the most out of these tools and techniques. That's basically what I'm going to be talking about today.

So first we're going to hit supply chain vulnerabilities. All right, so we're all familiar with SBOMs, that's good, but in case some of the folks who walked in aren't, this is the actual definition: it's a formal, machine-readable inventory of software components or dependencies; it has information about these components and their hierarchical relationships. Now, since none of us, with maybe one exception, are actually using them, it's logical to ask what they are used for. Well, since nobody is using them, I'm actually going to say, and I knew that would happen, what should they be used for? There was actually an article published by a really good friend of mine, Amélie Koran, out of the Atlantic Council, where she does a really big and deep treatment of SBOMs, and she outlines, just as an example, in her paper she outlines four really important use cases for these documents: procurement (you can use SBOMs to make informed decisions about software that you're going to buy or that you're going to integrate into your workflows), vulnerability management, threat intelligence, and the two that I'm going to touch on today are incident response and ecosystem mapping. She outlines a few more in her talk. But there on the right side is one example from SPDX of basically the general structure that one of these things is to take, and if you can tell, there's actually not a whole lot of information in that document. If you've worked with them, if you have seen them, if you've looked at them, they're pretty bare bones. They're meant to be machine-readable, not necessarily human-readable. So there's that. But for these documents, because they are machine-readable, not human-readable, they're really bare bones, like I said.

The hard truth, the unfortunate truth, is that no set of SBOMs, no matter how big of a set we get for every piece of software we have in our organization, no set of those is going to tell us anything about our organizational risk by themselves. We have to actually put in a lot of work to get meaningful information and intelligence out of these things, and this is where the data operations actually comes in. So in some other talks, I think there was a talk earlier talking about the important context of data in your cyber operations. The context here is very, very, very important. I think context is important in everything that we do, but a reminder is that services, products, things that your organization provides to others, those are all dependent on software components. That's one of the reasons we have SBOMs, we study supply chain vulnerabilities now, and it's one reason why bad actors want to take advantage of the supply chain: because they are so critical to our operations.

So some of the questions that you might be able to eventually answer with these bills of materials are: where is your organization most vulnerable? What impacts would a vulnerability have on the services and products that I provide? And can these risks be quantified? So one way that you might do this: let's say, for an example, that your organization provides a service monitoring capability, like a Datadog comes to mind; as you know, you have a process running and you want to know information about it. Let's just say you provide that capability, that you monitor a service and you give your end users information about that service. Now, that capability that you are so important for is built upon applications that you have developed to serve your product, right? So, this is the most simple example in the world, but your service monitoring capability might be built upon a Python application that your devs have worked really, really hard on. It may also be dependent on a logging service that logs all of that information and then later goes on to serve it for the end users. And then those applications, all the way down, are built upon software and software components. So your Python application uses packages; you're going to pip install those, you're going to run with those. Your logging service has some logging software that might be developed in a completely different language. And what you can kind of start to see here is a dependency tree. So at the very, very top we have all the services and really important capabilities that our organization provides. As an analogy, you might think of your water treatment facility: it provides really critical clean drinking water to serve the entire organization, or your entire company, or country, region, whatever, but their ability to provide that service depends on the people at the plant, it depends on the equipment at the plant, it depends on, you know, all the way down to the very fine ICS/SCADA devices, the firmware, and all of that.

Is anyone in the room familiar with the JARM 10-layer model? Okay, you should Google that. In this picture, this is the most simple picture in the world, there are three layers, but you can actually go even further down to hardware components, you can intermix other layers in between; you don't just go necessarily straight from applications to capability. You can make this as complicated as you want. The point is that down here at the very bottom is where those SBOMs live. So the elements of the software that you're working with, the individual components, all are kind of at this bottom layer that feed up, percolate up, to those very important capabilities. Mathematically, I already said this is kind of a dependency; as a mathematician I have to point out that these are network structures that can be measured, that can be studied, that can be modeled. And if you start building these for your organization, that gives you a source of data and insight for your organization as you run through incident response plans, as you run through, you know, analysis of your processes, analysis of the decisions you make. That can give you a source of data that you can point to and say, hey, this data here, from which I built this dependency tree, is actual real data from your organization. I have the SBOMs to prove it, we did all these interviews, we built this dependency tree. So then at the end, when you start asking questions about what happened, we walk through this exercise, we took out this water treatment plant or whatever, we took out this logging service and you lost that capability: what changes should we make in order to ensure that we do not lose a capability in the event of a supply chain attack or something similar? Now, I say all of that to say... and actually, I'm realizing I'm going really fast, so I'm going to try to slow down, I get excited. Okay, great. Okay, great. They were like, 40 minutes, and I'm like, it's gonna be 20 minutes for me. Yes, it's J-A-R-M, yeah.
Yeah, so that's a really interesting model that's used to model network and cyber dependencies that could give you some interesting insight into how to build these. Now, again, trying to talk a little bit more slowly, I say all of this to say that what I just said is easy to say; this is harder in practice to do. Organizations are not simple three-layer models. Organizations are not simple services, one single service; they're not built on single Python applications. Maybe some companies are, but most companies are not. They're not built on single software packages. Building these out for an entire organization takes time, it takes money, and it takes buy-in from people who are really interested in building the mathematical models you can use to explore these dependencies. So this is what I'm talking about when I say work is required, and why a lot of people haven't actually taken these steps yet.

There are baby steps that we can take to get to a point where our large organizations actually are starting to think in this way and actually implement these things. The first is that you don't have to model your entire organization. We do this for our people: we have org charts. We don't necessarily tie the org charts to every individual piece or action or capability that a person serves at the organization, but we can. So that's one piece of this; people are an important element of cyber security. You can start small: maybe model an individual team or one component that you think you'd like to study more. You don't have to do everything all at once. But before you start doing that, or as you take steps to start doing that, there are things that you can do to build towards those models and those processes.

So invest in red teaming your processes. I'm a big people-and-process person, I am a systems thinker, so I'm not, you know... I work technical, but I'm not down here writing nasal code. I'm up here thinking: how are we gathering data, how are we using it, you know, what organizations are talking to each other. I think we need to spend more time red teaming people and processes than actual, like, component cyber security things. And even if you are going to red team, you know, pieces of software or whatever, you really should take the time to red team how those pieces of software affect the people and the processes that you undertake at your organization. So if you take one takeaway from this section of the talk: please invest in red teaming your processes, because those processes are the steps by which your people, your organization, take to make the important decisions for how they respond to these things.

We have to be diligent and deliberate with respect to the data we collect and log about our internal processes. So I mentioned on the previous slide, you know, we have these logging services or whatever, but understanding how individual applications and pieces of software are critical to everything that the organization does isn't necessarily something that you can just get out of GitHub. You're going to have to actually sit down and talk to people and understand who they talk to, whether they're really critical and important to a procedure, to, you know, something that your organization does. Or, going back to the process piece, we have to actually take the time to log almost metadata about our organization, and I just don't think we're doing that.

And then, I've said it with red teaming a little bit, but use SBOMs and dependency modeling to inform your exercises and playbooks and run-throughs. Like I said, SBOMs really could be a great source of truth and data that you can point to to get everybody on the same page and say: here's the SBOM that I was given for the piece of software that you're actually using; you agree that you're using it, and you're using it for A, B, C? Yes? Okay, so now we've agreed on our baseline assumptions. When I implement a plan, we, you know, test something out, we red team and we see the impacts, well, we've agreed on our baseline assumptions, so these impacts really are real and can be measured.

Audience: Yeah, but do you have, like... you said that that previous slide is a little, like, high level. Do you have, like, a practical example of what this would look like for an organization, like an example process?

Speaker: So in this example I have, for example, I have the capability, the applications and the software, but you can have a people layer and you can have information layers. So if you have people or approval processes: so here's me, and I may be critical to an approval process for purchasing at my organization, but the person who is making the decision to purchase has to go through me to get that approval. So in my people layer I have, you know, here's the manager, here's my manager, the decision-maker layer, here's my, you know, subordinate layer. The information that's being passed between the layers is not only information about that purchasing agreement, but it's information about the approval. So one way to model those processes is to actually, honest to goodness, put people and the edges between your people (here I'm getting into graph theory land), the edges between your nodes in your network are that information: the approvals, the stamps, the requirements that have to be satisfied in order to proceed from one step of the process to the next. So when you build these out for a large organization, or for an organization, it doesn't have to be a large organization, it almost becomes a social network, because you have information being passed from one person, one organization, to the next. You can make it as big or as fine-tuned as possible, or as you want. You may have a node that represents a team, and within that team are other nodes, or you may have nodes that have attributes of what teams they belong to and what types of approvals they pass. So I'm always in graph theory land, and that is what that would look like to me, and what it has looked like for me in practice. Does that answer your question? Okay.
Audience: That's okay, because right now it's like this big abstract concept, and I just want to know, like, if I want to take this into a company and say, hey, everyone, it's cool, let's talk about, like, understanding our whole flow of everything, how do I make that practical? Like, do you have an example of that for, like, a server, like service monitoring, like what that really trickles down to, all these different layers?

Speaker: Yeah, I mean, so what I just described is basically what that does look like. What the process of implementing it is: it's very resource-intensive. It involves talking to a lot of people, because you have to understand who person A talks to, what pieces of software they use to get all of that done. In instances where I've accomplished this in the past, it is months and months long for the scales that we're doing, but for small teams it's a whole lot easier. When I've done this in the past, it's been huge organizations, like military organizations. Yeah, so, okay, one second, hold on, he beat you.

Audience: Yeah, so how do you do this dynamically? You know, in organizations the people change, the processes change, and obviously software changes itself, but even the people part of it changes. So how do you keep it dynamic, you know, as that changes? Like, is there software that you use to do this?

Speaker: So I don't work at the Applied Physics Lab anymore, but when we were at the Applied Physics Lab there, we actually did develop a proprietary system for doing this. There is a paper in open source that you can read about; it's called Dagger, is what the software is called. We used it to do these very things. But all Dagger is is the DAG, and DAG stands for directed acyclic graph. There's nothing preventing you, in a computer, using Python or your favorite graph theory code of choice, from implementing a dynamic, time-dependent directed acyclic graph where the nodes, the edges change depending on, you know, actions you take on that graph model. You know, mathematically, that's how, and computer-scientifically, that's how you would implement this. So if you want, you can even set it up to be, like, Monte Carlo and randomly seeded, right? So, like, let's say an organization: I have a model of all the people in my organization, and here they are talking to each other, and I want a change to be made. Let's say someone unexpectedly, really sadly, tragically passes away or something, just as an example. I could see that in the algorithm, have that implement that change in my graph model, and then have people respond to that: how would the organization handle it? How would the organization change? Would we restructure? Is that person important enough that we would have to go through an entire restructuring? So implementing models like that, that are data-driven, using things like these SBOMs, is really important to driving those important conversations about the people, the processes at the seams of your organization, right? So that would be how I would do that. Does that answer your question? All right, one for two. Absolutely, yeah, absolutely.

Audience: [partly inaudible] You hear about the movies... this whole process is... please, because it's difficult.

Speaker: Yeah, no, absolutely, totally agree. I mean, you're pointing out the obvious, but the obvious needs to be said. Yeah, right. And now they exist, when no one's using them, yay. Slowly, we'll get there. It's because this is what it takes to do useful intelligence and actually do things with these. No one wants to invest in this, I get it. Everything I just talked about, spending months developing graph models, actionable pieces of intelligence using these, is a huge investment. I get it. That's part of what I'm trying to say: we're not there yet. So don't walk away from this talk, like, "Stop, supply chain guys, we did it, good, SBOMs." No, not at all. We're not there yet. Yes, five, maybe? I don't know. I don't think we're close; we got a long way to go. So yeah, so, like, four.

Audience: Yes. What, if any
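The layered dependency graph the talk describes (capabilities built on applications, applications built on SBOM-listed components) and its "take out this logging service and see which capability you lose" exercise, as an added Python example that is not from the talk, the speaker, or the Dagger software mentioned: the node names, the SPDX-style DEPENDS_ON triples and the "all"/"any" dependency modes are constructed assumptions. It also ranks components by how many capabilities each can take down, and applies the redundancy change that would keep the capability alive after a compromised package is pulled.

```python
from collections import defaultdict

# Constructed SPDX-style DEPENDS_ON triples (sample data, not a real SBOM).
SBOM_RELATIONSHIPS = [
    ("monitor-app", "DEPENDS_ON", "requests"),
    ("log-service", "DEPENDS_ON", "log4j-core"),
    ("log-service-b", "DEPENDS_ON", "zap-logger"),
]

class DependencyModel:
    """Layered dependency DAG: capability -> application -> software component."""
    def __init__(self):
        self.deps = defaultdict(set)  # node -> nodes it directly depends on
        self.mode = {}                # "all": every dep needed; "any": one suffices
        self.layer = {}               # node -> layer name

    def add(self, node, layer, depends_on=(), mode="all"):
        self.layer[node] = layer
        self.mode[node] = mode
        self.deps[node].update(depends_on)

    def load_sbom(self, relationships):
        # Subjects are the applications, objects the packages they pull in.
        for subject, rel, obj in relationships:
            if rel == "DEPENDS_ON":
                self.layer.setdefault(subject, "application")
                self.layer.setdefault(obj, "component")
                self.deps[subject].add(obj)

    def available(self, node, removed, memo):
        # Works if not removed and its deps satisfy its mode; all([]) is True for leaf packages.
        if node in removed:
            return False
        if node not in memo:
            combine = all if self.mode.get(node, "all") == "all" else any
            memo[node] = combine(self.available(d, removed, memo) for d in self.deps.get(node, ()))
        return memo[node]

    def lost(self, removed, layer="capability"):
        """Nodes in `layer` that stop working once `removed` are taken out."""
        removed, memo = set(removed), {}
        return sorted(n for n, lay in self.layer.items() if lay == layer and not self.available(n, removed, memo))

    def rank_components(self):
        """Blast radius: (capabilities lost, component name), largest first."""
        comps = [n for n, lay in self.layer.items() if lay == "component"]
        return sorted(((len(self.lost([c])), c) for c in comps), reverse=True)

def build_model():
    # The talk's three-layer example: one capability on a Python app and a logging service.
    m = DependencyModel()
    m.load_sbom(SBOM_RELATIONSHIPS)
    m.add("service-monitoring", "capability", {"monitor-app", "log-service"})
    return m

def add_logging_redundancy(m):
    # The "what changes should we make" step: either logging service will do.
    m.add("logging", "application", {"log-service", "log-service-b"}, mode="any")
    m.deps["service-monitoring"] = {"monitor-app", "logging"}
    return m
```

Before the redundancy change, removing `log4j-core` (or the whole `log-service`) loses `service-monitoring`; after it, the capability survives unless both logging stacks are taken out.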