
BG - The Magic of Symbiotic Security - Creating an EcoSystem of Security Systems - Josh Sokol & Dan Cornell

BSides Las Vegas | 45:05 | 11 views | published 2017-03
Breaking Ground, BSidesLV 2012 - The Artisan Hotel - July 26, 2012
Transcript (en)

Hello, yeah, hello, all right, there we go. I'm Dan Cornell and this is Josh Sokol, and we're going to be talking about the magic of symbiotic security. I'm Dan Cornell, I'm the founder and CTO of Denim Group. I'm a software developer by background, originally in Java, and I spent some time in .NET, but now I spend most of my time looking at how software developers can impact the security of the organizations they work with. I'm the San Antonio chapter lead and I work with the OWASP Global Membership Committee. I'm Josh Sokol, I'm the information security program owner at National Instruments. I'm going to probably talk a little bit about some other companies in

the talk. I want to say up front that I am not advocating for or against any of the companies that I talk about; they are merely examples. I'm also the chair of the OWASP Global Chapters Committee and I'm the co-chair of OWASP AppSec USA 2012, happening in Austin, Texas, so if any of you guys are in application security, network security, whatever, we've got a whole lot of cool stuff going on at the end of October, so check it out at appsecusa.org. Clicky clicky. Oh, so the kind of premise of this talk is based on something that I encountered a couple of years back. I had my management come to

me and they said, hey, we need to purchase a new IPS system, and they basically said our business requirements are: we need an IPS, you've got 50k to do it, and get the best tool for our money. How many of you guys have been in a similar situation, not necessarily with IPS but with other tools, right? So the question comes up: how do you know what the best tool for our money is? Well, it turns out that there are a lot of different ways to evaluate what the best tool is. You can do things like third-party reviews. I pulled this from SC Magazine a while back, and they basically rated it by stars, right, and that's

a great way to grade tools for a reason, and so of course McAfee came up at the top of the IPS list, and there are three things with five stars, so those are obviously the best choices, and then there were a couple of others with four stars, which means that they're slightly less better than this. But this is kind of biased, right? There's somebody there that's looking at that data, you have no idea how they evaluated it, stars really don't tell me anything about the actual product itself, so that's kind of difficult. Then we move on and we can do things like Gartner reports, right, we can look at the

industry rankings, and obviously based on this McAfee stands out again. I said I'm going to talk about products; that doesn't mean I'm advocating for them, right? But on this list McAfee stands out, but then you see Sourcefire and HP in there, things like that, so you start to get a different feel. Maybe Sourcefire is looking a little bit better now because they're in the top right quadrant of Gartner, right? So then, Dave, you don't need to take pictures, I can give you this slide deck. All right, so then we move on and we can talk about cost, right? Management said I have a fifty-thousand-dollar budget, so

what's the lowest-cost thing, right? Well, it turns out there's this CounterSnipe thing that SC had reviewed and it's 500 bucks a site. Great, I've got one site, so I can go ahead and spend 500 bucks and management has forty-nine thousand five hundred dollars left over; maybe they'll give me a pay raise, right? And there are all these other tools, right? So you start thinking about it and you're like, well, there are all these different ways to select tools, and then you get into things like features, right? IPS has a whole bunch of different features: I want inline protection

versus something that's out of band, I want to be able to do custom policies, I want real-time alerting and HA, and all this stuff, right? So there's a whole list of features, and maybe certain systems have those features and certain systems don't have those features, right? So you start to get this picture that there are so many different ways to look at products and to evaluate products. Well, the basis of this talk is I kind of want you guys to throw out all this stuff. I don't want you to look at products in terms of silos or things like that. I want you to be able to remove that

third-party bias. I want you to remove incomplete industry rankings; actually, if you look at that Gartner list, there are several products that are considered kind of top in the marketplace that aren't even mentioned in there. Companies like Symantec, for example, weren't even in that Gartner list. Cost is always negotiable, right? It depends on how much volume you're doing, your relationship with that company, how eager they are to get in the door. Features, well, it turns out with IPS, features are kind of a commodity, and that's what happens with a lot of these tools. You look at these tools and you're like, well, all five of these things have that, right, which one is better? Oh,

I don't know, they're all kind of the same. So what ends up happening is these tools basically go into a silo: you have a silo for your firewall stuff and a silo for your IPS and your NAC, and when you actually go and you look at the products and you evaluate the products, traditionally you look within that silo. My goal for this presentation was to get you guys to break out of that silo. I don't want you to think of tools working in silos; I want you to think about tools and their abilities to get outside those silos and work together. When tools are working in silos you have things like proprietary

protocols, you have platforms that are greedy, and I'll talk about that a little bit, sometimes you have duplication in functionality, right, there might be something that the firewall does that the IPS also does. So how do we gauge enterprise value, the value of a purchase in the scope of your entire enterprise? That's what the bulk of the talk is about. So let's talk about consumers. A consumer is a device that is able to take in data from other devices, right, so things like event data, things like alerting, SNMP, syslog, right? A consumer is able to pull in all that data and do something useful with it. A lot of times I start talking about

this stuff and people are like, oh, yeah, SIEMs are a great example of this, right? Here's the problem: a SIEM takes a lot but it never gives back. It consumes, it gives you some reporting, but it never takes those events, makes some action on them, and gives back to the other devices in your network, right? So that's a greedy platform; it's a parasite, right? So then you have this idea of a provider. Now a provider is the exact opposite: a provider wants to give stuff. So you have the consumer that wants to take stuff in, and then you have a provider, and some examples of provider capabilities are open APIs, open databases where you can pull data straight out of those

databases, the ability to export data so that you can import it into other tools. That's the idea behind a provider. Now if you're able to do both consumer and provider capabilities, then you have what's called symbiosis, all right? You have the ability for tools to basically interact and leverage each other's strengths. The cool thing here is you as the consumer can assemble an arsenal of the best-of-breed tools that work together, right? So you can buy the number one IPS in the industry, and if it has the ability to be both a consumer and a provider, you can also buy the top firewall and you can buy the top NAC, and you can have all these devices working

together and leveraging each other's strengths to be a much better solution for your enterprise, and you end up gaining value outside of those individual silos. The other nice thing here is even small purchases can have a very large impact on your environment. So you can go and buy that 500-dollar IPS because it has the basic signature ability and the basic blocking ability, and that IPS has the ability to send data off to your firewall to do additional stuff and send data off to some sort of a security information and event management system and all this other stuff. You gain those abilities, and you can have that smaller purchase because you're able to leverage everything else

in your enterprise around that. So symbiotic security is not a piece of hardware or software that you can buy, right? This isn't like, let's go out to symbioticsecurity.com and pay 50 bucks and now I have the symbiotic security package, right? It's not a ranking system for vendors; we're not saying, well, that vendor is symbiotic plus one, eh, whatever classification, right? And it's certainly not a label that you can slap on your new product; this isn't, you know, new and improved, now with symbiotic security, right? This is a mindset, it's a philosophy, it's how you evaluate purchases for your environment, it's a concept, right? It's how do I create tools, how do I buy the

tools that are going to talk to each other and relate to each other and create an ecosystem where my tools are able to leverage each other's strengths and make up for each other's weaknesses. Lastly, it's a means of making the tools that we invest in more valuable to us. If all my tools talk to each other, then my tools become infinitely more valuable to me, right, because I'm able to have them leverage each other's strengths. So beware of pseudo-symbiosis, and what I mean by this is we have a lot of large vendors out there, and I've already named one of them. These vendors have multiple product offerings: they offer the IPS, they offer the NAC,

they offer the firewall, they offer the vulnerability scanning, right? Now the problem with these vendors is they offer this and they say, yeah, if you buy a McAfee product, these products will talk to each other, right, these products will give you some of these abilities. And when I was doing this evaluation we had ePO within our enterprise, and so McAfee was like, yeah, we can suck in data from ePO, we can send data to ePO, and that added value, right? Now the interesting thing here is it gives this symbiotic functionality because I am able to interconnect these tools, right, but it's only within that vendor's tool set, so

if I ever want to be able to do the best-of-breed approach that I talked about earlier, I can't really do that if I can only do it within the vendor, because while McAfee was up at number one on that list, they're nowhere near that in terms of firewalls, right? So I have to be able to break out of that one-vendor thing. True symbiotic security is about being able to hand-pick your tool set and get them to work together regardless of the brand, right? So let's talk about tools and their classifications. We talked about this problem with data in silos, and so what I tried to do is look at the different types of data

that's out there, and I want to give a nod here to the Austin OWASP study group. I talked a little bit about this with them last week and they fed me a bunch of ideas here. So let's talk about reputation data. You can get reputation data from web sites, you can get it from certain services and things like that, but if I have reputation data then I have information about whether I trust the source of an attack, right? If I have attack data I can tell how I'm being attacked. Vulnerability data: what attacks is my system vulnerable to? Asset data: what versions of the OS and software am I running? Identity data: who's using my systems? Data

classification: who should have access to what? This is all data where, if you buy a single tool that does not have these provider and consumer capabilities, this is data that just sits in a silo. It's data that is useful within that silo, but think about if this data were to break out of that silo and your IPS tool was able to have all of this functionality; that becomes infinitely more valuable to us. We can start to establish things like trust hierarchies, we can look at authentication data, authorization data, QA data about what's been tested and what hasn't, trust boundaries, right? The possibilities are limited only by the tools that you guys have in

your arsenal, and if you're buying a tool and you're able to leverage the ability of the tools that are already in your arsenal, then why wouldn't you want to do that? So magic happens, right? You start asking questions like, should I accept packets from some random IP, maybe on your local network, maybe on the Internet? Well, how do I answer that question? Reputation data, right: where is that attack coming from, do I trust that source? Attack data: what is actually the vulnerability, what's the exploit that they're targeting? Asset data: what asset are they going after, what software packages, what versions of the OS are actually running on that system? Trust boundaries, right:

did it cross from our Internet into our intranet? If you're able to break each of these pieces of data out of their silo and meld them together, then you can very easily answer that question. Another question: should I allow random person X to download some file, right? Well, if I start getting data about data classification on my network, and I have the reputation data about where they're coming from, and I know they're authenticated, they're authorized, and I know they haven't crossed a trust boundary, then maybe my answer is yes, right? Now all this data exists in silos, but if we're able to break out of the silos, we're able to piece together that data and we're able to use it in a much more

meaningful form. With symbiotic security the possibilities are really limited only by the security ecosystem that you've already put in place. You guys all have tools today; some of those tools have this ability, some of them do not, and the whole idea here is, when you're evaluating tools, don't just look at the functionality that's being provided by that tool, don't look at the price tag, don't look at the Gartner rankings; start looking at these abilities of consuming and providing, because you're going to be able to build up a tool set that's that much more valuable to you and your environment. Things like creating WAF rules based on attack data, and Dan will talk about that a little bit. Is a

targeted exploit actually going to affect the system that they're targeting, right? If there's an exploit that's a Windows exploit and it's targeting a Linux system, I can effectively ignore that attack. Should I allow a system on my network, right? All questions that we can answer if we're able to break that data outside of the silos. So for you guys: demand symbiotic security. When you are talking to vendors, you need to tell them that I am looking for tools that have this type of functionality, I am evaluating you as a vendor based on your ability to work with the tools that I already have in place, and I know you have a certain set of functionality, but that

guy has additional functionality, and if I'm able to leverage that in other places throughout my environment, then that's of value to me. And so part of the reason why we're here, the reason why we're talking to you, is as evangelists we need you guys to pick up the symbiotic security torch and say, yes, I demand this, I want my vendors to do this. I actually had a really interesting conversation last night with the new director of sales for Trusteer, and we started talking about the idea of symbiotic security, and he was like, oh, vendors won't want to do that, and then we got a little bit deeper into the conversation. We started talking about some of their

competitors and we actually found out that some of the functionality of their competitors would actually benefit them directly. That was a really cool realization for him to have: being able to have data coming from the competitor would actually make my tool more valuable. That's pretty cool. So, other tools in your environment that their tools can consume data from: if I'm looking at a vendor, are there other tools that I can send data to that will make that tool more valuable? Are there other tools in my environment that their tool can provide data to? The net increase in security for your entire tool ecosystem, and not just the tool's siloed functionality; when you're making this evaluation you

have to look at the big picture, not just within that IPS silo. I think we ran out of battery there. All right, so that's a perfect time for me to turn the mic over to Dan to tell you about ThreadFix, and the reason why I asked Dan to come and join me in this presentation is because I was really looking for a tool that embodied symbiotic security, that got it, that understood the benefits of taking data from one tool and feeding it back to another, and then taking it from that tool and feeding it back into the system. And so Dan's going to tell you about ThreadFix; he's going to show

you a demo of the tool. It's a free tool, it's available from the Denim Group, and I hope that you guys will take a look at this, and if you're using any sort of static analysis or dynamic analysis tools for your web applications, seriously consider using this. We use it within our enterprise and it's fantastic; it really embodies the symbiotic security that I've told you about. It's my turn now that the clicker doesn't work anymore. Thanks, Josh. Yeah, so I want to talk about ThreadFix, which is a tool that we put together kind of independently, but when we started talking to Josh about his concept of symbiotic security, we found that we were playing very

much in the same sandbox. There we go. So just an overview: ThreadFix is a software vulnerability aggregation and management system, and the goal is to help organizations that are doing software assurance activities, you know, web app pentesting, static code reviews, threat modeling, things like that, to store all that information about their activities in a single place, and then to allow the folks that are responsible for application security to reach out to folks in other parts of the organization, to reach out to the folks that are responsible for security operations, and ultimately to reach out to the developers, who are the folks that are probably going to have to actually do

things to fix these vulnerabilities that are identified. It's freely available under the Mozilla Public License, and that's the Google Code site right there, so feel free to check it out. It comes with a download; the betas are just real easy, like unpacking a zip: you just unpack the zip, run the start script, and it fires up on the embedded Tomcat server, so it should be real easy just to get started and kind of put it through its paces. So we're going to show a couple of different parts of this, but basically, as I said before, if you're doing dynamic testing, if you're doing

static analysis, if you're doing manual penetration testing, or other sorts of activities that you use to identify vulnerabilities in the software you have deployed in your organization, our goal with ThreadFix is to make it so that you can collect all of that in a single place. Because we run into a lot of organizations where they're using dynamic scanner number one, right, and they're using static scanner number two, and they've got a certain way that they do their testing. We also see a lot of organizations where division one may have adopted one testing tool suite, but division two has a different one, right, and so for

the folks that are responsible for looking at the security across all of these, what ThreadFix gives you the ability to do is to normalize all of this scan and vulnerability data and to look at it across the enterprise in an apples-to-apples way. So we'll show an example of that: taking the results of two different scanners for a single app and merging that together. Once you know that you have vulnerabilities in your environment, obviously you'd like to be able to do something about that, and so if you look at kind of traditional IDS/IPS systems, they have signatures that they're looking for, but those are for known configurations, like known attacks

against known configurations: I'm running SSH version whatever on Linux, we know that that version is vulnerable, therefore I can look for the exploits as they come across the wire for that. The challenge that most organizations have with the custom software that they build is that software runs only in their environment, and so they're not going to be getting signature updates that deal with vulnerabilities identified in their code, because nobody, or at least no company, is formally looking for those vulnerabilities. But if you have vulnerability data, especially from the dynamic scanners, you can use that to generate signatures specific to the vulnerabilities in the applications that only exist in your environment. That's what we'll be demonstrating. Another thing

that you can do that we're not going to talk a lot about today, but once you've got all this data together, ultimately software developers in the organization are probably going to have to make a change to code, and so one of the things that we also do in ThreadFix is we let you package vulnerabilities into software defects, and so we're trying to help address that mismatch between security people that think in terms of vulnerabilities and software developers that think in terms of tasks and bugs and things of that nature. Now I forgot to mention earlier, if anybody has any questions we have swag, so if you ask a question you may receive

a t-shirt or a purple laptop cover, something. Yes? I'm not aware of that, fantastic, yeah, could you track me down later? And yes, try not to hit the thing, I have nap, okay. Okay, TNC, trusted network connectivity, very cool, come and find me after this, good idea, excellent. Was there another t-shirt request or question? No? All right, excellent. So again, with what Josh was talking about being symbiotic, ThreadFix is set up to be vendor-independent. We've got our own data format that we use internally, and we take the various different file formats for these different tools and we can normalize that back to our format, and that

lets us do things like merge different vulnerability scans and stuff like that. So we can consume information from a variety of technologies: static scanners, you know, to use the Gartner acronyms here, static security tools, dynamic security tools, and also we can generate stuff for IPS and IDS and WAFs. I'll show two demos: one is kind of like clicking through the web user interface, which is all well and good, but you can also script all of these interactions via a RESTful API, and so if you want to automate these processes in your organization you've got the ability to go in and manipulate these

different things via the RESTful API. We'll also show how some of these interactions are actually bi-directional, and with the interaction we'll show where you find out, here are the hundred vulnerabilities that the scanner found, right; once you feed that data to the web app firewall, you can start to collect the logs from the web app firewall to figure out which of these vulnerabilities people are potentially actually trying to exploit, map that back to our list of vulnerabilities, and then we can potentially prioritize those that are being attacked higher than other ones that maybe haven't been discovered or aren't being exercised. So one of the things that I think needs to

happen going forward, and it sounds like the Trusted Computing Group has figured it out, so that's good, is to figure out what are the different classes of tools that folks have deployed in their environments and what are the different types of messages that they could potentially send to one another to set up these types of interactions, to get more value out of the tools. And so just looking at what ThreadFix does: again, we can pull stuff in from multiple dynamic scanners, from static scanners, as well as from your threat modeling and penetration testing, and those get centralized in ThreadFix, oops, here. Once we have that data we can start to describe what we think attacks look like and send

those virtual patch rules over to IDS/IPS or WAF systems, and then over time we can see where those custom signatures get exercised and pull the data back over to see which of these vulnerabilities people are actually trying to exploit. Another really interesting interaction: I was talking with Ryan Barnett from the ModSecurity project, and they've done some work with ModSecurity to do passive scanning, so they can identify certain classes of vulnerabilities just by watching web traffic. And so the WAF, which is traditionally not thought of as a vulnerability detection tool, certain types of vulnerabilities can be identified by WAFs, and so we can also have the WAF export that vulnerability

data and feed that into ThreadFix, so that can go on the stack of vulnerabilities that need to get addressed, and we can also communicate back and forth with defect trackers. And so what we're going to show in this demo is a subset of this, where we'll run two different dynamic scanners against the same site, we feed that data into ThreadFix, it normalizes it and de-dupes it, then we'll generate virtual patch rules for a certain subset of the vulnerabilities and send those over to a ModSecurity sensor, we'll rerun the scan to exercise the sensor, pull the logs off the sensor, feed them back into ThreadFix, and we can see the kind of attack traffic that we've seen.

All right, so you log into the system, and what we're going to do is we're going to send two scans in, from w3af, the open-source web application scanner, and I think we also send one in from skipfish. Yeah, so we refresh the page and what you see down here is, okay, so here we go, from all the vulnerability data that we've consolidated, now we're generating WAF rules. Generate the WAF rules, then we pull the logs back in so we can see what the scans exercised, and then we, oops, this goes a little faster than I thought. All right, there we go, and so, slow down, there we go,

go down, no, it's at the end of it, okay. And so what we can see here is the vulnerabilities the way that we consolidate them; we've got a concept of what we think vulnerabilities are, there we go. And apparently this is made by Jing, but that basically runs through, from a user interface standpoint, what those different interactions would look like. That's this look over here, and then what we can also do with Ruby, we've got an XML-RPC API and we can do the same different things here. And so we kick off a w3af scan, we kick off a skipfish scan, we upload those scans into ThreadFix via the XML-RPC API, we pull the rules

back out, put those on the ModSecurity sensor, HUP it so that it reloads the rules, and then we can rerun additional scans after that and see how we've managed, in an automated way, to shrink the obvious vulnerability surface of the web application that we scanned against. And one thing to be clear about, just about the general practice of virtual patching: that's not a panacea, right? That's not going to totally solve your problem; it is possible to go in and bypass these types of rules. But what this virtual patching process can provide is some air cover for development teams that can help to reduce your exposure or increase the

amount of effort that is required of different attackers in order to actually exploit the vulnerabilities that you have in your systems.

So you start to get this picture with ThreadFix of these different tools that are now leveraging each other's strengths, right? You have the ability to consume data from the web application dynamic scanner, you have the ability to consume data from these static analysis tools, you have the ability to normalize all that data, you can send the data out to a WAF, you can create rules for all sorts of things, right? So really ThreadFix has taken all these different pieces that are just kind of sitting out there, and via some of these provider capabilities they've been able to create what in effect is better; it makes the tools that you already have in your environment

that much more valuable to you. Now it's probably worth noting that ThreadFix was created to solve a problem that our security tool vendors have created, right? If the security tool vendors had this ability and said, yeah, I realized that if my WAF pulled in data from that scanner and I did this on my own, that would be a benefit to me... so if the security tool vendors, yes?

So, for the video: his question is how is this really a benefit to the vendor, and that's something that I personally struggled with, right? How do I communicate to a vendor that symbiotic security is a meaningful concept that's valuable to you? And so in this particular case, I mean, if you can say, hey, Mr. WAF vendor, right, if you have the ability to consume data from these static analysis tools, that would be of value to you, because now you have information about the vulnerabilities that exist out there, and if, Mr. WAF vendor, you have the ability to provide that data about what attacks are happening back into

those tools, back into the defect trackers and things like that, now that's of value to those tools as well. It's not a competition thing between WAFs; in fact, if I'm a WAF vendor and I have this ability, I have the ability to break outside my box, that's actually a benefit to me. I am now able to get beyond those proprietary protocols and things like that, and I'm able to gain the advantage of having these other tools. Yes, sir. It is, really.

[inaudible audience question]

Yeah, okay, so that's a great point. Just if I could summarize, for folks who might not be able to hear it, the concern there is if you automate the kind of round trip of detecting vulnerabilities, where you might have false positives, then sending out virtual patches, you could potentially cause availability concerns with an application by writing rules that would enforce traffic blocks on those false positives, right? And that's a great question, that's a great point, and I guess my response to that would be: when I explained what we were trying to do to one of our network pentester guys, he was like, you're not going to automate that in production, right? And that's exactly his concern, and

there are a couple of different ways to look at it. Firstly, the rules that you generate don't necessarily have to automatically start out as blocking or dropping rules, right? You could put rules in place that would alert and allow you to pull back data for analysis. In addition, via the user interface you can also script or subject this to some sort of a review process, and based on that data you could make a determination: we feel comfortable enough that we're not seeing false positives out of this and we will put it out there. I think the point of looking at this from a symbiotic

standpoint is, by having these capabilities available, an organization can make decisions about, like, in our environment we want to script this interaction automatically, versus if these tools can't speak to one another you don't even have the option to create those types of interactions. And so I think that the point of symbiosis is not that every process is just blindly automated and locking things down, which makes for a great demo but potentially bad policy, right? But the point is that in an environment where you can cause these interactions between tools, you can make a decision for your environment, based on risk, about what sort of things you want to set up. And so I

think the point is more about getting more value out of each of the tools and systems that you've deployed in your environment as opposed to requiring a specific integration scenario be put in place

yeah so you mentioned false positives and I also want to say that by having symbiotic tools you are actually able to eliminate a lot of those false pauses because you're able to take data that was segmented that was siloed off and you're now able to add that back to the equation so I talked about the reputation day of the attack data the host based data about what OS it's running in applications and things like that you're able to bring all of that data back and use that in order to analyze the problem so if you have all that data and you see an attack and you I mentioned the windows attack that's being target a link system a lot of

those tools in the silo would alert on that that would be a false positive what I'm saying is if you bring in the symbiotic nature if you're able to pull in all that data and actually make use of analyzing that data you're actually able to eliminate a lot of those false positives and you know the what dan had said this doesn't symbiosis doesn't necessarily equal automation you can definitely have manual steps there you can have approval pieces and things like that it's all about enabling communication between the tools it's about giving us that ability not necessarily automating that ability okay so your vendors from the vendor perspective hopefully less proprietary protocols more api's yo dan had

mentioned thread fix actually has its own API so you can actually get symbiotic with thread fix and it's not just doing all this stuff within its silo it branches out as well you're more standards like she had mentioned back there it sounds like there's a great standard around that and in general play nice vendors can leverage the abilities of other tools in order to improve their products vendors can be experts at the things that they want to be experts at and leave expertise in other areas to the other tool vendors right alright yeah and also one other point to make I think the question about why would vendors be interested in doing this I look at it from a slightly

different perspective especially if you're using this for vendor selection like saying that you don't want customers to be able to like use the data from their tools to help them make better decisions in other areas is quite frankly a customer hostile attitude right and and and and I don't like I don't like working with vendors that have a customer hostile attitude and so you know similar to like now on the windows guys you can like run PHP and other things like that even Microsoft has been forced in a lot of ways to open up and to abandon a lot of plans that they had yeah yeah I mean I think that's something that I think that's a lot of

the point is let's look at this from the standpoint of how do we enable our customers to be more successful as opposed to how do we prevent our customers from like going elsewhere to be successful so so one of the you know one of the one of the challenges that we have in its it's kind of a kiss a shitty at bsides kind of a shitty thing that we've had to do in building thread fixes we've got to interact with a bunch of different tools and every time they changed their format we've got to like a keep up with the changes that they make to their format and so common data standards which again it sounds like the

trusted computing folks may have a big chunk of this figured out like that would be really handy if these tools had standard ways of interacting communicating there's two efforts out there right now The MITRE guys have safes which is the software assurance findings expressions schema and they've that's kind of in lumber long for a while basically what they did is they went to kind of like the top 20 vendors in the software assurance or software security tool space and made a union of all the different stuff that they had in their file formats Sean Barnum from mitre is he's run around black hat I don't know if he's here but he's the guy that's kind of heading up safes my

concern was safe is it's a little unwieldly like if you look at their spec it's a 300-page UML diagram which is maybe a little heavy weight just talking about Software Assurance messages the OWASP folks also have a data exchange format project this hasn't really this hasn't really gotten off the ground yet but they're doing some interesting stuff so one of the things that we put together is the simple software vulnerability language and it's a common way to represent you know for the interactions that we have in thread fix which are fairly kind of like minimum like what are the minimum things that we need to know about vulnerabilities in order to enable these types of interactions between systems

and like an advantage that it has is it actually works like because this is this very closely models the data format that we have inside of thread fix and thread fix imports the static and dynamic scanners all the major folks as well as manual stuff so like it you know this actually handles all the interactions that we've talked about so I feel good about it it's not external thread fix it hasn't been battle tested but it has been useful the you know for our stuff I would love to hear feedback from folks especially to see how some of the other standards matched with this it's a google doc you feel free to email me if

you're if you're interested in it and i can i can add you to the list of people that can edit it and that's what it looks like it's an xml document but basically it looks at you know if i have vulnerability data what are the pieces of evidence that i have for you know that that vulnerability exists and you know in both for both for code results as well as for dynamic results so we've already kind of covered this but vendors can win to hear right we can have industry standards for communication we can have niche products that have Enterprise functionality functionality that bridges that that gets outside those silos we can as a vendor optimize

our time and our money and maximize it I towards our product towards the thing that we know bats and vendors can excel in the areas that matters most for them you know and all that outside of just the the ability for you to interact with other tools and gain functionality that you might not otherwise have thank you so some ideas to further the cause this was actually something that was mentioned at the the Olaf's group but you know Gartner does these evaluations they look at this stuff on a regular basis and wouldn't it be cool if we add something like simba symbiosis provider and consumer capabilities in to gartner's evaluation so when you're looking at the tool not only do you get

you know where it goes in the magic quadrant but also does it have the ability to interact with the other tools in my environment right creating a list of tools with these types of characteristics so that when you go out and you evaluate products you can say hey you know there's X vendors laughs I wonder if this has an API right and so if there were some website that you can go to like symbiotic security com where you could see this list of tools right that would be pretty cool if only so my hope is that you guys will all join me in terms of evangelizing this and that you guys will go back to your workplace

and you will talk to your co-workers and your friends in the security industry about this idea and hopefully you all will embrace the concept of symbiotic security and use it when you're evaluating purchases in your environment so that's it for our talk it looks like we have one more thing to give away if somebody has a question for us yeah question really we we have whip oh we we got even more stuff how about that I'm not accepting that question again there are no repetitive questions rules anybody alright alright so obviously you came in late we'll forgive that he asked if there are any cool apps at conferences coming up in October and as already mentioned OPSEC USA being

hosted in austin texas october twenty third through 26 so hopefully you all will join us for that ain't real questions seriously cool thank you guys yeah I'm sorry best in live crush your enemies to see them driven before you and most importantly to hear the lamentation of their women
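The two mechanics the speakers describe, eliminating the false positive of a Windows-targeted attack against a Linux host by joining siloed host inventory data into the IDS alert, and generating virtual patches that start in alert mode and are promoted to blocking only after review, as an added example that is not from the talk or from ThreadFix; the asset inventory, alert fields, vulnerability ids and rule shape are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed asset inventory: the "host-based data" (OS, applications) that
# stays locked in its own silo unless tools can talk to each other.
ASSETS: Dict[str, Dict] = {
    "10.0.0.5": {"os": "linux", "apps": ["apache", "php"]},
    "10.0.0.9": {"os": "windows", "apps": ["iis"]},
}

@dataclass
class Alert:
    dst: str          # attacked host (constructed)
    signature: str    # IDS signature name (constructed)
    target_os: str    # platform the signature's exploit actually affects

def is_false_positive(alert: Alert, assets: Dict[str, Dict] = ASSETS) -> bool:
    """A Windows exploit fired at a Linux host cannot succeed: once the
    inventory is joined in, the siloed IDS alert is a known false positive.
    Unknown hosts are never ruled out, so their alerts are kept."""
    host = assets.get(alert.dst)
    return host is not None and host["os"] != alert.target_os

def triage(alerts: List[Alert]) -> List[Alert]:
    """Keep only the alerts the combined data cannot rule out."""
    return [a for a in alerts if not is_false_positive(a)]

@dataclass
class VirtualPatch:
    """A WAF rule generated from a scanner finding. It is born in alert mode;
    blocking needs a human reviewer and a clean alert-only observation run."""
    vuln_id: str
    path: str
    parameter: str
    mode: str = "alert"
    reviewed_by: Optional[str] = None

    def promote(self, reviewer: str, false_positives_seen: int) -> bool:
        if false_positives_seen > 0 or not reviewer:
            return False          # stay in alert mode and keep collecting data
        self.mode, self.reviewed_by = "block", reviewer
        return True

if __name__ == "__main__":
    alerts = [Alert("10.0.0.5", "ms-iis-exploit-sig", "windows"),
              Alert("10.0.0.9", "ms-iis-exploit-sig", "windows")]
    print([a.dst for a in triage(alerts)])          # ['10.0.0.9']
    patch = VirtualPatch("vuln-42", "/login", "user")
    print(patch.promote("reviewer", 0), patch.mode)  # True block
```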