Chris Sanders - Building a Better Security Analyst Using Cognitive Psychology

BSides Augusta · 2015 · 27:27 · 522 views · Published 2015-09 · Watch on YouTube ↗
Category: Career
Style: Talk
About this talk
Video from BSidesAugusta 2015.
Transcript [en]

I'll start by saying, man, it was good to be in the blue team room. I went and watched the first talk in the red team room to support a good friend and colleague of mine. The talk was great; the room was horrible, the lights were out, everybody was wearing hoodies. I'm so glad people are here. I don't need much of an introduction, and I won't spend too much time on that, but I spent most of my previous career in the Department of Defense building and leading various forms of security operations centers, basically catching bad guys. I do that now for FireEye, and most of my time is spent trying to figure out ways to build better mousetraps

to trap and investigate what gets caught in the mousetrap; not a pretty thing. Aside from that, I'm from the South, in the South; my gosh, you're going to be in the South, feature it in your presentation. I do a couple of things a little bit differently in this presentation: I'm not going to talk about ones and zeros so much, I'm going to talk a little bit more about matters of the mind. I am currently in the process of a PhD in cognitive psychology, to apply it to the investigative process and how we catch bad guys at the end of the day. I'm not a psychologist, so your mileage may vary. I try to put a sentence with every one of my presentations that says

ultimately what I hope people can get out of it, and the real thing in this presentation is the concept of metacognition, how it applies to the investigative process, and the benefits we can really get from that. Just a quick show of hands: I spoke last year, a talk about cognitive biases; did anybody see that talk? Several of you; of course, all liars, so thanks even if you're lying. So we're talking about metacognition. Metacognition, big fancy psychology definition: it's thinking about thinking. It's examining our thought processes and determining what's happening between the left ear and the right ear that helps us solve highly complex problems. And that's not a challenge unique to our field; it's something every field that involves some level of critical thinking has to

deal with. We're actually a little behind because our field is so new. The interesting thing is that the research out there shows that there's value to understanding and applying metacognition in what you're doing. Two components: one is knowledge of cognition, so that's understanding how you think, how you approach complex problems; the other part is regulation of cognition, so that's taking what you understand and applying it to what you do. Other fields, again, are very good at this; medicine is one of them. My wife is a medical doctor, and part of their training is to talk about this. Really, very little of their training, from a thinking perspective, is focused on, you

know, drugs and medicine and diseases and ailments; a lot of it is how to think, how to think clinically, how to approach things, how to do diagnosis, and deductive analysis and things like that. So other fields do this too, and we need to start doing more of it. That's kind of my statement on this: we need to do more of it, and if we do, we'll be better at, again, catching bad guys. So we're going to talk about metacognitive concepts in the frame of the investigation, which all of us do. Doug gave a good example yesterday; we talked about good versus evil, and really the construct we use as blue teamers to frame good and evil and

find bad guys is the investigation. Whether you're a triage analyst or a malware analyst or a reverse engineer, ultimately you're doing some type of investigation. How many people in here do some type of investigation? Most, very nearly everybody. How many analysts do we have here, as far as you get alerts, you investigate them, you deal with that? Several, great. So we're going to phrase things in terms of investigation: what happened, is there a bad guy, and if so, what can you do? Now, there's a lot of things, I guess, all bad guys have in common, but there's one big thing that applies to any bad guy no matter what. What makes a bad guy? Anybody have any

thoughts? That's not the answer. Motivations? Yeah, I think so. The big thing, the way I see this, is ultimately all bad guys steal something from you. We think of that in different ways: the stolen thing can be something tangible like intellectual property or an actual physical item, or it can be something a little more nebulous like your time, your resources, your reputation for that matter. Especially for big corporations reputation matters, and that damage hurts a lot of people. So attackers want to steal something from you. Now let's talk about perception and reality. I showed the same slide last year, and the big thing to understand is we have

perception over here and reality over here, and there's a gap between those. We have to acknowledge those are two separate things. Perception is how we see and interpret the world, and reality is how it exists. Now, there's a whole existential discussion about whether reality is real and all that; that's outside the scope of this talk. You have perception and reality, and investigation, in most cases, is simply getting from perception to reality, until your perception is correct. Now, I've drawn perception to reality here as a straight line, but in most cases it's actually a little bit more like this: you have multiple paths, and various options within those paths, and when you get to reality a lot of times you have to validate

whether you're there, and when you are there you hope you took the right path. Now, the trick is how we navigate this kind of web of perception and reality, and that's based on two main things. One is our mindset, how we see the world; the other is our biases. If you saw my talk last year, I talked pretty much exclusively about biases; that's out there online if you want to look at it, so I won't dig into that too much here. Biases are part of it; the other part is really focused on mindsets. Now, mindset as a person is shaped by really everything. It's shaped by where you're from, your parents, your family, your friends, your experiences, both good and

bad. Mindsets are not a good thing and they're not a bad thing; they're a thing. They can affect us both positively and negatively. When we see the world, we see the world through our mindsets. The interesting thing the research shows us is mindsets are very quick to form and very resistant to change. Humans are inherently judgmental. We don't want to hear that, but we are: we judge people, we judge situations, it's just what it is. Not a good thing, but that's where we are. So, important to understand, this is the concept of what's called initial blur. When we're presented with a really complex cognitive challenge we have some level

of blur, and that's when we talk about perception: it's blurry, we don't know if it's reality, we have to do some critical thinking and pull in data sources, we have to get to that reality. Now, the thing with initial blur, and what research in other areas shows us, is that the higher the initial degree of blur, the harder it is for us to get to a more accurate perception of reality. So if things are just a little nebulous, you kind of know what's going on but not really, versus you really have no idea and all the data isn't there, there's a big difference. It's not just the time it takes to get the data; it's the ability for our mind to put

it together. That's kind of a big deal, especially in terms of alert investigation. If you have an alert that comes to you and you have all the data you need to investigate it right there, you're decreasing that initial blur, and that's very helpful, versus if you have to go out to multiple data sources and get all that data, you have to go to the host and you have to go to the sensor and you have to go to whatever else and pull it out of that, and you don't have that complete picture at first, that's really going to hold you back. That's something we can't hope to do a lot about, but there are some things we can do.

A couple of examples. One, obviously, is providing relevant information up front when you can; that's pretty helpful. The other thing is moving towards a concept of what I call realistic-time alerting. Everybody talks about real-time alerting. I'm sure somebody knows the stat, I'm sure that part of the room definitely knows the stat: what is the average time from breach to detection? 200 days, yeah, it's a little over 200 days. So if the average time from breach to detection is 200 days, is it reasonable to all of a sudden say we want to catch every breach in real time, like the second it happens? That's the bar; maybe a little high, I think so. And ultimately the fact of the matter is, when

an attacker gets in, when he first reaches the network, he's not done and really hasn't accomplished his mission. The goal is to stop the attacker from getting in; at this point, in my opinion, it is to stop the attacker from accomplishing the mission, stealing the data. That's hard. I make fun of the red team guys, but their job is just as hard as ours, and I know they don't like to hear that, but it's very difficult. Once you get in, that's a lot of times when the challenge starts: that's when you have to move around, you have to bypass other controls, find the data that you need to find. I can't find data on my own network, much less someone else's. So that's a problem for all of us.

So realistic-time alerting is using processes we design, processes we use to analyze data, in a manner that is delivered to us more completely, as opposed to just giving us an alert. I'm perfectly fine with an alert coming in 4 hours after the initial detection, maybe even 4 days after the initial detection, if it gives me a whole lot more information, if it's a lot more enriched, a lot more actionable, has a lot more information that I can use to go forth and investigate. That's what I'm talking about with realistic-time alerting, and that's something we're not really doing a lot as an industry right now; everybody wants real time. The other thing is formalization of a triage function. When I say that, I'm talking

about the process of getting an alert and putting together what little information you need to make a very clear decision on whether it's a quick false positive or it needs more investigation. I believe you get more out of your analysts, in terms of a cognitive workflow, when you break that off as its own function. So what I'm talking about here, in big organizations, is two levels of analysis: your alerts come in, your triage analyst gets the first alert information, makes a recommendation, passes it on to someone else. And there's one reason beyond initial blur why that makes sense, and that is bias. We talked about biases before, and those biases may shape the investigation, so you hand that off to

another analyst; they can then apply different biases, and you eliminate some of the biases at that point. That's very helpful. Obviously that's not very realistic for small organizations; partner analysis is a good way to do it there. Whoever gets the alert does the initial information gathering, puts it together, makes a recommendation, passes it to the next analyst, and that's the second part of the triage function. Another thing I want to talk about is inattentional blindness. Attention is really unique because it basically allows us to focus on things, meaning if you're focused on me, you're not focused on your phone,

and it's our attention span that lets us do that. Now, I think you all know that attention is somewhat of a finite resource: you're listening to me now, you may not be listening to me as I get further along. But attention is an interesting thing. There's overt attention and covert attention. Overt attention is when you're actually looking at something and giving it visual attention, so I look at this person in the front row: overt attention, and they start to call me out. Covert attention is something that has your attention off to the side; you're not necessarily looking at it. So if there was a sound going on behind me and I wasn't actually looking at it, that would be covert attention; it would be fighting for

my attention resources. Again, it's a limited resource, there's only so much of it. When we talk about analysts we have to be very careful about where we apply our attention, because there's a lot of things right in front of us, and our tools don't always do the best job. So, for instance, I'm glad the screen is big; the text is small, but this is pcap output, and there may be a couple of things people find anomalous. Does anybody notice anything? A little more something

else? Yeah, that one packet, that's perfectly fine. It's perfectly fine, but as far as analysis, that's something maybe we're not used to seeing, and the thing is most of us don't see it. I know if I saw this packet capture I'd probably notice it first and make something of it, but otherwise, if you're not kind of attuned to looking for those things, if your attention isn't there, if you don't have the experience level to know where to look for certain things like that, or if something just falls outside the normal attentional boundary where you might focus your gaze, you're not going to notice it. And that's probably the biggest challenge of any analyst:

attention to detail in the right areas, not just attention to detail; you have to have the experience to put it in the right areas, and that's very hard to do. We'll talk about training challenges here in a minute, but ultimately what I'm saying is it's very dangerous, the thing right in front of us, because of inattentional blindness, which is ultimately looking directly at something but missing something that you aren't giving your attention to. The interesting thing, I guess, is this is tcpdump. It's an example of a tool which is a very useful tool, I love it, I use it almost every day, but it doesn't really do a lot for us in terms of directing our attention. And that's why

people like this one. First of all, it's graphical; that's a little easier. But it also has a lot of different visual cues. We see that these packets are linked by this little visual cue, we've got color coding going on, various section headings, visual cues for different types of data, all very useful visual cues that help direct our attention. I show this as a kind of a message to the folks responsible for configuring and setting up an analysis environment, because it's very useful to build these visual cues so that you can, especially for experienced analysts, direct their gaze to certain locations and have a focus there. So, to mention inattentional blindness

again, experienced analysts are usually less susceptible. The other thing that's very important is to master your environment. If anybody cooks a lot, mise en place, everything in place: if you ever watch a professional chef work, when they grab things they often aren't even looking at them, but they've mastered their environment. They know their cutting board is here and the ingredients are here; they're not looking, they know where it's all at. Just like that, as analysts we need to know basically where our data lives, what tools we use to access it, and what the limitations of those are. At any given time you should have a pretty good understanding of: I have a question related to an investigation, how do I go

out to get the answer? The less time you spend figuring out how to get the answer, the more time you get to investigate, and the better job you'll probably do. Another unique thing, and one of the areas I'm focusing on right now, is gaze studies, where you have a device in front of the computer that fixes on your pupil and tracks where you look on the screen, and compares that to certain data. So we throw data up and we can see; they use this in other areas of psychology. It's basically a way to look at different data points, because ultimately our eyes move faster than our brain interprets what we're seeing, so oftentimes we're looking at things, analyzing things, in an order and a fashion,

or focusing on things in a way, that we actually don't know we're doing. So gaze tracking gives you things like these heat maps here and directional arrows to show where the gaze moves, which does great things in terms of data analysis. My hope is maybe this time next year I'll have some cool things to show you. So, on to memory. SOCs are interesting. In the Kansas State University study a couple of years ago, talking about the ethnography of SOCs, kind of the culture of a security operations center, the biggest finding they had that stuck out to me was kind of at the top of it: investigative knowledge is tacit. What does that mean? It means you

can't go off and write it down and tell someone how you do it. If you go to someone who's an expert analyst and say, hey, why are you so good at finding evil, they often can't tell you. They might name some tools or something like that, but they can't tell you the thought process they go through, and that's a bit of a problem. Other fields face it, but in medicine, if you ask a doctor why they're good, they'll often say, well, because I use this process and this process and this process. They're a little more metacognitively aware than we are in our field sometimes. The problem being that if senior analysts can't explain why they're good at what they do, junior analysts can't learn it, and that is a

problem. All that is to say, to sum up, analysts rely on intuition. Intuition is a little bit of an interesting thing, because up until somewhat recently it wasn't really accepted as real. Most psychologists, even Sigmund Freud, who for most people is kind of a household name in terms of psychology, had this book here that intuition is basically an illusion and you shouldn't really expect anything from it. So it's interesting, but modern technology has taught us a little bit more. They have a great device, the fMRI machine; if you've had an MRI scan for some reason, it basically allows you to perform experiments and measure the output of certain parts of the brain. You see fMRI results at the bottom left here.

And what they found through a series of experiments, I won't go into the details, but I can point you to the research if anybody wants to see it, is basically, by examining professional versus amateur chess players and seeing how they interpret movement and how they make their decisions, they found a part of the brain, you see it's mapped there, it's about here, right about on the top of my bald spot, and they think that intuition basically spawns from there. So what they're saying is they think there's a biological basis for intuition; it's actually a real thing. This really changed how the psychology world looked at intuition as a construct and led to a

whole lot more interesting experimentation, which is interesting. So, I don't have a lot of time, but I want to step aside and talk about memory for just a second. Memory, very simply: there are a lot of models for it, a lot of ways to explain it, but the most common is this right here: sensory, short-term, long-term. You can think of sensory as, if you're looking at me and close your eyes, you still see the screen in your eyes for just a second; that short second span is kind of sensory memory. Short-term memory is called working memory a lot of the time, and it is ultimately the memory model we use when we're actually

solving problems, the thing being you have to repeat something to keep it kind of fresh in your mind in short-term memory. Long-term memory is obviously where our long-term memories are stored. Think of short-term memory like RAM, long-term memory like this. There are a lot of models of working memory too, and one of the most common is Baddeley's model, which consists of these four components right here. The one that's really interesting is the visuospatial sketchpad, and it's what we use to visually manipulate objects. You see I have a picture of a cube on the screen right now and the green square is on top; now, if you put that in your mind, you imagine

the green square rotating. So you're using your visual memory, the visuospatial sketchpad, as a part of working memory to do that. The interesting thing about the sketchpad is it's also believed to map to the same area. So the general hypothesis right now is that people believe intuition is strongly related to our ability to visually picture solving problems, and that changes a lot of things. We know that if you have a lot of complex data, part of it, but even for very simple problems, the ability to picture things could be one of the big keys to greatly increasing human cognition, decreasing the perception-reality gap, and increasing our ability to

solve problems. So that's very interesting, and if you think about a lot of other fields it kind of applies too. You talk to expert chess players and they say they can see the board, they can see five or six steps ahead. Talk to stock brokers; they can see the patterns that go on. Even musicians; musicians are often quoted saying they can see the music beyond hearing it. And that could very easily apply to the world of security investigation as well. So how do we apply that? Well, there's a lot more research to be done there. Very simply, the first thing is to draw a picture, because your brain is probably

trying to do that anyway, subconsciously. A lot of things are going on in our heads that we don't really know are happening, but the theory is that maybe it's happening anyway, so you draw a picture and sort yourself out. The other thing is to visualize data appropriately, and I'll be the first one to say I hate stupid visualizations. You always have the guy who's like, I'm going to take every flow record in the network and draw a big graph of it, and like, here, look how much closer; do you know what they mean? Everybody does. I've been there. So that's an interesting way; I hate bad visualizations, but some are very useful, including timelines.

I think we all live in timelines; we can visualize things occurring over time that way. Another thing is link graphs, the ability to visualize relationships, and that's pretty cool. So we can visualize relationships in a lot of different things, but here I visualize relationships of breakfast items. We're in the South, so of course grits. But you can use anything, trust me. So you can think of breakfast in terms of visual relationships, nouns and verbs, and you can do the same thing with breaches. We can very clearly see where the center of the breach is here, and we can see how things relate to it, and when we can see how things relate to each other we can map

those to schemas in our minds, because memory is mostly thought to be organized in terms of schemas, and if we can do that we can remember things quite a bit better and use working memory more efficiently. The interesting thing about working memory too is it's also a limited resource, just like attention: only so many things can be held in working memory. Some of you may have heard the term magic number seven, and that's to say that generally most humans can remember seven kind of low-fidelity items in their mind at one given point in time, plus or minus two, so the range is kind of 5 to 9, and the complexity of the items matters. So obviously I have a couple of relevant

examples here. If I, as an analyst, am trying to solve a very complex problem and piece together a lot of different pieces of the puzzle, and I have to remember this, then that's going to take up part of my working memory and really decrease my effectiveness, versus remembering something like this. Now, granted, we all know there are follies to just trying to associate things with a chain and so on, but it's important to understand these capacity limitations. So, a couple of quick ways to diminish this, and this is another area where more research is going to be required. One is source monitoring. One of the number one reasons people make memory

errors is because they forget where they learned something. That may be a person; you think of a conference talk you saw a couple of years ago and you can't remember who gave it; that's source. Same with information: I don't remember if I got this information from the SIEM or a packet or a post or memory, I don't know. The other thing is chunking, and chunking is an area, especially in this field, where there's not been a lot of research, but basically it's the ability to group things together. Similarly, this is a technique people use to remember, you know, pi to 100 digits: chunking numbers together and dissecting them somehow. The ability to chunk information in our tools and how we do analysis works in that way.

The last thing, very quickly, is mnemonics. I mentioned this talk about breakfast; if I ask you hours or a day from now, you'll probably... related to that relational picture. So that's pretty much it. The big thing, you know, I said you have to be knowledgeable about your cognition as part of metacognition, and you have to apply it. This talk was obviously a little bit more about gaining knowledge of it, because some of the research to apply it really hasn't been done yet. So my hope is people can take this, they'll get interested in it, and maybe we can get some more collective industry understanding of how we think. Think about thinking, do more research and do more cool things. I'm

done. Yeah, I have one. So, kind of talking about working memory, we kind of see that with jargon and words. Do you think that's something that would be good for an incident response team, to kind of come up with shortened versions of all these things that we all agree on so it's easier? Yeah, sure. I mean, it's all about, the question is kind of the common nomenclature you really want within your team, and that's certainly good. When you consider that working memory is a resource, the more time you have to spend translating a word you don't know into a concept you do know is time you can't spend doing other

things. Besides adjusting how you look at your work or console, how are you applying this in your day job? What other ways would you have to do so? So how do you apply this type of thing in your day job? I think there are two sides: one is the tool developer side, and we all understand that there's a lot more work that goes into that. From the individual analyst side, what can you take from this knowledge to make it more useful to the analyst? I think the big thing is guarding; it's kind of putting a shield up in front of your working memory. We all want more data and more data, but at the end of the day we do

the best analysis when we get just the minimal data that is needed. So it's not going out to a sensor and getting a gigabyte, getting all of the things you don't need; it's figuring out what we think we need, maybe starting with flow data, figuring out what flows we're interested in, and then going to the pcap and just getting what we need. So it's guarding your working memory, keeping it very finite, focused on what you need, and trying to make sure it's available very, very quickly. So when you're actually trying to bring up analysts, when you have that new analyst, and you mentioned that teaching them is very difficult, are

there any particular approaches you've found that work better to get that kind of knowledge transfer working with them? So are there any approaches for teaching new analysts, using some of these methods, how to be an analyst, that are beyond the watch-and-learn model? I think there are. I'm still early enough in my research that I'm not going to say I have all the answers on this; I don't yet. I'm hoping that we get there, but I don't have anything concrete. I've got some general ideas, but I don't want to put them out there until

they're ready. And then, that thing that Einstein and Hawking did, converting problems into geometric problems?

Absolutely. I think what you're calling out right there is the schema thing. Those guys, they have schemas for these computations, and they can take all these things they couldn't remember otherwise and put them into the schema, that is, mathematical computation, which they understand very well, and that's their shortcut for remembering all those things. Okay, great talk, Chris; we've got a couple of giveaways.