
Okay, now I hear "more people": we want jobs, we want more security professionals in our industry. The problem with that is there's actually a shortage right now. Not only that, but it takes time to bring people on board, and that type of workflow, tier one event triage, is not that attractive. I mean, it requires a lot of mundane, repetitive type work. So the challenge with that is not only do you not have the people, but for the ones you do have, it's not very stimulating. So hiring is one way, but it's just not going to scale at the event volumes I'm talking about.

Next, we can buy more toys, right? More tools. Sounds good. The problem, though, is that just might be more alarms. Alarms for security issues are a good thing, right, when they let you know that it's happening, but we already can't keep up with the event volumes we're receiving today. Again, on the order of hundreds, sometimes thousands, even tens of thousands when you talk about very, very large organizations like MSSPs. So with that, more tools are really just going to magnify the problem.

Next, we can come up with better processes. So I think the keynote talked about this a lot: process. And absolutely, even if you don't have it, you should have it, and if you do have it, there's always ways to improve it. The issue with process, though, is it's not a one-size-fits-all approach. It's very opinionated. Every organization has their own process; every organization's unique, their own snowflake. They're going to cater processes to themselves, and a lot of times that's not something that's just readily repeatable across the board. So really, you might need to consider something new, and that is where automation comes in.

Okay, so when we think about automation and burning the haystack, the whole goal here is: how do we leverage automated tools, either via commercial tools that are available or via programming languages like Python that Justin discussed? That's what we need to leverage in order to burn the haystack, to identify that one event that we really need to pay attention to. All right,
so the space, the industry that's been created as a result of this, is called security orchestration, automation and response, so we call it SOAR. That's the industry that I work in. SOAR, at least from a programmatic perspective: we focus heavily on the orchestration and automation piece, where orchestration, you're looking at kind of providing a connective tissue between all the different tools and processes that you have, and then automation is of course the machine execution of any tasks that you want to execute by way of processing an event. We're going to step through a lot of examples of what this actually looks like.

First, the definition. So I think the Webster's dictionary definition of automation is a machine executing a task on behalf of a human, right? So there's a lot of examples of automation today; I mean, that's what technology effectively is. The challenge that we have in our space, and in security operations specifically, is that we're not applying automation to the response side. So when we look at a security event occurring, there's a lot of automation pre-event. If you think about pre-event, that is things like intrusion detection systems, AV, endpoint detection, data loss prevention, basically the integration of those tools into something like a SIEM. There's a lot of automation that exists there. But post-event, right, when the SIEM is actually generating alerts, there is not a lot of automation taking place on that side of the equation. So that's where we really need to focus as practitioners and security professionals, to try to find a way to leverage automation as best as we can to burn that haystack.

Orchestration, as I mentioned before, we refer to it as the connective tissue. And so you have all these tools in your SOC, you have all these processes, and you need a layer of connective tissue between all of them to better enable automation.

Now we've talked a little bit about what security automation and orchestration is; let's talk about what it's not. That can a lot of times be more valuable than talking about what it is. So, what it's not: it's absolutely not a replacement for humans. So I know that there are some people I've talked to, at least, who have said, well, with automation you're really just replacing jobs, right? And that's really not the case; we'll talk about that in the next slide. It's also not the silver bullet or unicorn for solving this problem. It does take work. It's not just something that you plug in and hit a button and say, great, my problems are solved. You need expertise, you need specialists to really look at this and optimize your processes, build the processes out, and then look at automation. Don't go in with the expectation of just hitting a button and it all works. I'm on the product
management side for these types of tools. Our goal, our teams with engineering, product and everything like that, we want to get to the point where a customer can install, hit a button and it's done, but the space is very, very, very early right now, especially compared to other spaces. Firewalls, for example, have been around for many decades; SOAR is brand new. The starting point for SOAR is Python programming, right, and we talked about that, but that's a starting point. If you think about everything Justin just went through, where we have an editor and you're writing a script, that's a starting point, and the next step are tools that give you more visual programming capability and testing capability and simulation and those types of things. After that, I would say that we're probably four years away from it being able to build the playbooks itself, but again, we're not there yet.

It's also not plug-and-play, right? So a lot of people, they think automation, they just get some system, you plug it in, press that button, all of a sudden it lights up. It's not quite as easy as that. You're going to have to get involved in that automation; even with commercial tools, you get involved with configuring it, you get involved in programming those statements.

So is automation taking or not taking our jobs? David Autor did a really interesting TED talk on whether automation is displacing jobs or not, and he talked a lot about how it's really not happening. The example he used was ATMs back in the 70s: when those first came out, the bank tellers in that space were really, really concerned about losing their jobs to an automated machine. But if you look at the stats over the last 30 years, that position specifically, bank tellers at the bank, the numbers have actually gone up. And in his talk he talks a lot about how automation isn't necessarily a replacement for the human job, but really it elevates the humans in the jobs that they're doing to apply their skills to more meaningful tasks, or more tasks that require more thought. So it's an interesting topic; I would suggest that you take a look at it.

But as I think about automation, if you're trying to sell automation in your own organization and you're facing that type of resistance, think about it that way: it's not just replacing the tier one analyst, it's enabling them to do more meaningful work. And when you go back to the people side and hiring and those types of things, if you're giving them more meaningful work they're going to stay around. Like, students aren't going to school to study computer science or security to copy/paste data from one tool to another; they actually want to look at real security problems, real security process, and the security posture of the organization. The problem today is that tier one analysts aren't empowered to do that, so automation empowers them to do that. I think that's something that anyone should keep in mind when they're facing resistance on introducing automation.

So this is the diagram we use often to show the general workflow. On the left-hand side it's the OODA loop: observe, orient, decide, act. It's a concept that's used in a lot of military situations, where basically they say whoever executes this loop the fastest, the adversary or the defender, is going to win. Unfortunately for us, the adversaries are going to execute this much, much more quickly; they have a lot of automation available for them to execute their
attacks against our organizations. As the defenders, we need to leverage this and automate this and execute it as quickly as we possibly can. When you look back at the left-hand side, the observe and orient side, this is pre-event; I talked about this before, this is very well automated. But what comes out the other side are events, and those events are on the decision-making part where tier one analysts receive them. Again, the things that we're talking about: there are many organizations, I'd say, in the hundreds; I know other organizations that are operating at thousands or tens of thousands of events per day. If you think about the time in perspective, if it takes you, let's say, five to ten minutes to process one of these, but at most 60 minutes or maybe several hours, multiplying that by even a hundred requires a staff of ten individuals, and I don't know many SOCs that have ten individuals on their team. So again, when you start looking at the scale, that's why you need automation.

Now some best practices on getting started. This is really a key piece: when you go into automation and say you're going to write this yourself in Python or leverage a platform, you get really excited, you think of the use cases, and kind of just jump in. What we do when we work with customers is kind of step back and think about this at a higher level. Start with the goals, right? So what is it that you want to automate? What are the specific use cases? Are these the prevalent use cases, things like processing phishing emails, or is it ticket management or user management? You have to think through at a high level what the use cases are, what your goal is in automation. Also do some self-reflection on where you're spending most of your time, or where your tier one analysts are spending their time; that's usually a great place to start as well in terms of identifying opportunities for automation.

Then I would write these things out: go to PowerPoint, Visio, or a sheet of paper and write these things out. It's very similar to any computer science course when you go into school and take a programming class: the first thing they teach you, before writing your program, is to literally write an outline of it before implementing, right? You should think through your problem-solving approach, and then when you go to implement, it's much easier. So with our customers and users we do the exact same thing: we literally write these things out, we'll draw them in Visio, draw them in PowerPoint, get the workflow built out, and identify areas where we can automate that. So to get started, some
things that you need. First, identify the processes that you want to automate, and again, it goes beyond just what the process is; actually define and look at the individual steps that you want to execute before you start working on this.

Next, your security tools must have APIs. Okay, so I think this is less of a problem; I think that, say, five to ten years ago a lot of vendors were not publishing their APIs, but now that automation and scripting languages are so popular, the customers are pushing all of these vendors to publish APIs for all of their products. So really the UI on these products that are built actually sits on top of the same REST API that you would be hitting from a programming perspective. So make sure that your tools have APIs; if they don't, push the vendor to get them to you. A lot of times they may say that they're not available or they don't have them, but if you push harder, very often they have a private API that they might be able to get you into. It's not the case with everybody, it's just worth a shot, so push.

And then you need scripting knowledge, right? Python is the one that I hear all the time, so it's really cool to see Justin talk about that. I see it everywhere; again, there are products like what we supply, platforms for these things, but the customers I work with started by automating all these workflows in Python. Python is really good at managing data, and when you're doing these interactions with the APIs of all these tools, they're sending lots of data; there's dictionaries and lists and a whole set of things that they send over in a JSON format, and Python is exceptionally good at handling all those things in a very high-performance way. So again, invest some time in understanding that.

Then an automation platform, so a playbook platform, is also an alternative. There are a lot of free options out there, a lot of what people call Community Edition platforms, where you can download them and get started, so feel free to check that out. But I think that the first three here are your basics, right? You need to make sure you have a process, you need to make sure that the tools that you're using have APIs, and you need to make sure that you have some scripting skills. Most of it is Python; it could be JavaScript, it could be Perl, okay, it could be a lot of other things as well. If you want to read your code later, that's not my problem. Yeah. Right, so some success stories. I
hope there are some takeaways in here. Let's talk about some use cases. So first, I think I have about ten of these use cases that I'll go through pretty quickly. And by the way, you'll see here on the left-hand side a visual representation; on the right-hand side, a lot of commercial tools that you may interact with will offer a visual programming UI where they look like a business process modeling kind of UI that you'd be used to, something again like Visio, but they're actually generating Python or some other code in the backend.

So this example is, and this is an MSSP doing security event triage. So they service many customers; they receive literally hundreds of events a day. If you think about an analyst processing every single one of these, if it takes five minutes per event, you know, that's three individuals, right, that are gone, doing nothing but what this use case is doing, which is basically checking their ticketing system that the ticket exists; if it doesn't, create it; if it does, then query your SIEM to gather additional information about the event and then post it to the ticket and update it. That is not fun. Nobody went to get a degree in info security or information systems to do that. That's not fun; that's something that you could leverage automation to kind of, again, burn down that haystack.

It gets more interesting with the next one. Phishing is one of the top use cases that I come across, and it's also one of the easiest to implement. In this particular example, a software company basically has their suspicious email inbox, and an automation platform listening in on that inbox. They retrieve the email, rip it apart, get all the individual artifacts or the observables associated with it, so domains, IP addresses, URLs, those types of things. They'll basically do some reputation lookups on the domains and URLs, and in this particular case, after interrogating the email, they moved on to actual containment actions. So here they want to do things like block domain in OpenDNS, as well as other actions via an API. Now what's really cool about this is they leveraged the automation system to send an approval request to the analyst. They receive it on their phone or on their workstation; they see the request, "do you want to proceed with this block domain?", they see the event details, authenticate, approve, and then the automation proceeds with blocking it. So this is a combination of both automating mundane tasks but also accelerating the speed of execution on the response side. Again, when we think back to that OODA loop, you have to decide what you want to do, and then you have to act on it. By automating not only the actions but then asking the analyst, "do you just want to proceed with this?", it enables them to quickly approve, and they're not needing to log into those platforms and execute the actions; they leverage the automation system. So what would ordinarily take ten minutes to execute now takes ten seconds.

Next is a domain block. So this is another one, same software company: they set up basically a playbook where they did not want to log in to OpenDNS to block their domains. It just, again, takes time: you log in, authenticate, go to a few menus, select the block. What they did was they set up a playbook where they said, here we're going to watch a specific email inbox, where all we're going to do is send an email with the domain that we want to block into this inbox. The automation system will be listening in on it, it will pull in the email, again rip the contents apart, extract the domain, and execute the block domain in OpenDNS for them. So if you think about that, it's much easier: even on the phone, it's just sending an email to that inbox, just put in the domain, and it goes out, the block's supported. Much easier than logging in to OpenDNS, going through a menu and executing the
block.

Next is a threat hunt. So here, this financial company, a lot of these companies subscribe to threat intel services, right, and whether it was one vendor's report or another's, there will be thousands and thousands of indicators that are a part of that. Now trying to basically interrogate your entire environment for these indicators manually is near impossible, right? You have to script it, and actually this is an area where Python shines a lot, so if you can get these things in a list or a dictionary, parse through it, and then have the ability to hit the EDR API. That's exactly what they did here: they basically ingest the list, they'll use their EDR tool, something like CrowdStrike or Carbon Black or Tanium, to see if that actually exists anywhere on the endpoints. So then they can take the step where they're actually going in and blocking hashes.

Another one, another email phishing example. Here what we're doing is basically ingesting from PhishMe Triage as well as directly from the email inbox. Now why do you need automation here? When you're getting data from other tools like PhishMe Triage, what they'll do is they'll usually wrap their own metadata around artifacts, so this is for better use inside of their own tool, but when you actually get the JSON from them, now you have these headers and these trailers that are surrounding the URLs that make automation a pain, right? So what this customer did was they were able to ingest both sources and then normalize the URLs: they rip the headers and trailers off, and now you have normalized URLs that you can pass through the remaining investigation process, which would be, again, things like domain reputation scores, URL reputation.

So here's another one: alert suppression. I talked about this: since customers are receiving hundreds or thousands, sometimes tens of thousands, of alerts a day, it can get overwhelming, and this is what I call alert suppression. So this customer basically implemented logic to suppress these alerts, right? So they set a threshold, with certain scoring associated with each individual alert, and then you kind of eliminate the noise and only highlight those with the highest scores to the analyst. Here's another example of alert suppression. In this one, the customer built logic in their playbook to say if it's from this particular workstation or for this particular domain, I don't want to see it. So you can start to really customize logic on what you do or don't want to see.

This one, I personally love this one; I think it's really good because it keeps the vendor honest. In this particular scenario, the customer was maintaining their own malware repo and checking it against VirusTotal. So when they receive their threat intel, suspected malware and file hashes associated with it, they take all those file hashes, they run a file reputation lookup against VirusTotal, and they're specifically looking at their two paid engines to see if those engines are tracking those hashes. If they are not tracking them, what they do is they download the file from VirusTotal and then they're going to email it to the vendor and make them aware that their engine is not tracking this, with a request that they update the DAT file, the logic for the engine. So I thought this one was awesome because, you know, it's not only taking proactive measures internally to identify malware and then taking all the corrective actions with it, but it's also keeping the vendor honest as well,
which I thought was really amusing.

This one, a school system: they were doing alert triage, they were managing all their alerts through email. I don't suggest that, but that's what they were doing. This is an example of basically a switching playbook: so they receive all their alerts, they rip the events apart, and they're basically using it to classify the event to determine what are the downstream automation workflows that they want to drive as a result of this being a data loss, this being a malware outbreak, or something along those lines.

So just a few more. This one, they were running a Malwarebytes remediation scan, basically scanning endpoints for a particular infection and taking corrective action; pretty similar to some previous use cases. So you can see here there's a lot of commonality: ingesting, ripping events apart, scanning, taking action, those same things. And then this one is another phishing email example, except in this particular use case they're leveraging whitelists. So we have a lot of whitelisting, but they're basically using lists that they've built in Python to ignore particular domains, particular users, or whatever it is.

Now, the last one that I want to cover here. Does anyone manage a suspicious email box or anything like that? Yeah, all right, so you always have a bunch of people who forward you an email that's suspicious, which is great, that's behavior you want, but they don't actually attach it; it's just forwarded as text, and then you're missing all the headers. So this customer basically implemented a playbook that said when they receive the email, we're going to check for the attachment; if the attachment isn't there and the headers are missing, it actually sends a response back to the sender with the exact instructions of how to attach the email. So if you think about something like that, if you get 30 of these a day, that's annoying; nobody wants to do that. Again, it's ripe for automation.

And then really the last one, I promise: this one is a registry key. So this one is very similar, where as registry keys are being added to the registry run key, it's basically sending alerts. Automation will go out and fetch the file that's responsible for adding the key; it's going to retrieve the file, detonate it in a sandbox, and then look to see if it's malware. If it's malware, then it's going to take corrective action. But what's great about this is, say you receive 20 to 30 of these a day; well, if I use automation to only highlight the one or two that are really malware, and I can resolve or maybe auto-close the other 28 to 30 or whatever they are, that makes my life much easier.

So, by way of summary, how do you get started? Think about the processes, think about your tools, get some scripting knowledge as well, that's very helpful. Check the APIs of your tools, look at some of the free tools out there, and if your company has the budget to leverage a real commercial platform, you can do that, but you're not forced to do that; you can get in and try it on your own. Again, a lot of the tools, including ours, are leveraging Python beneath the hood. What you'll find with commercial playbooks is they give you the tools to kind of get up and running much quicker, much easier to get support, those types of things, but everything that I just showed you here you can do 100% through Python and RESTful APIs.
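As an added example after the transcript (this is not the speaker's code, nor any vendor's playbook), the following plain-Python sketch strings together several of the phishing use cases the speaker walks through: checking that the reporter attached the original message rather than forwarding it inline and answering with resubmit instructions if not, ripping URL and host observables out of the email, stripping a tool's wrapper text and undoing common defanging so the URLs can be looked up, ignoring whitelisted domains, scoring and suppressing low-value observables, and proposing "block domain" actions that still require an analyst's approval before anything executes. Everything it relies on is constructed or assumed: the two sample emails, the `<<tag>>` wrapper format, the whitelist, the reputation scores (standing in for a real lookup), the thresholds, and the names `build_submission`, `normalize_url`, `triage` and `execute_approved`.

```python
"""Phishing-triage playbook sketch (added example; inputs and thresholds are assumptions)."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from ipaddress import ip_address
from urllib.parse import urlsplit

WRAPPER_RE = re.compile(r"<<[^<>]*>>")             # assumed tool wrapper: <<tag>>url<<tag>>
URL_RE = re.compile(r"(?:hxxps?|https?)://[^\s<>\"']+", re.I)
WHITELIST = {"corp.example"}                       # assumed: our own domains, never flagged
REPUTATION = {"examp1e-login.com": 85, "198.51.100.23": 55}  # constructed lookup results
BLOCK_AT, SHOW_AT = 80, 40                         # assumed thresholds (block / show analyst)
RESUBMIT_TEXT = ("Please forward the suspicious email as an attachment, not inline, "
                 "so the original headers are preserved.")


def build_submission(attach_original: bool) -> bytes:
    """Constructed sample: a user reports a phish, with or without the original attached."""
    inner = EmailMessage()
    inner["From"] = "it-support@examp1e-login.com"
    inner["To"] = "alice@corp.example"
    inner["Subject"] = "Password expiry"
    inner.set_content("Reset here: http://examp1e-login.com/reset?u=alice\n"
                      "Mirror: http://198.51.100.23/reset\n"
                      "Help desk: https://intranet.corp.example/help\n"
                      "Logo: http://cdn.example.net/logo.png\n")
    outer = EmailMessage()
    outer["From"] = "alice@corp.example"
    outer["To"] = "phishing@corp.example"
    outer["Subject"] = "FW: Password expiry"
    if attach_original:
        outer.set_content("This looks suspicious.")
        outer.add_attachment(inner)                # becomes a message/rfc822 part
    else:
        outer.set_content("This looks suspicious.\n\n" + inner.get_content())
    return outer.as_bytes()


def normalize_url(raw: str) -> str:
    """Strip the assumed wrapper and undo common defanging (hxxp, [.])."""
    url = WRAPPER_RE.sub("", raw).strip()
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    return url.replace("[.]", ".").replace("(.)", ".")


def is_whitelisted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WHITELIST)


def original_message(raw: bytes):
    """Return the attached original (message/rfc822) or None if it was forwarded inline."""
    submission = message_from_bytes(raw, policy=policy.default)
    for part in submission.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None


def triage(raw: bytes, tool_urls=()) -> dict:
    """Triage one mailbox submission plus any wrapped URLs exported by another tool."""
    result = {"resubmit": None, "observables": [], "suppressed": [], "actions": []}
    original = original_message(raw)
    if original is None:                           # inline forward: headers are gone
        result["resubmit"] = RESUBMIT_TEXT
        return result
    body = original.get_body(preferencelist=("plain",)).get_content()
    candidates = [m.group(0) for m in URL_RE.finditer(body)] + list(tool_urls)
    seen = set()
    for raw_url in candidates:
        url = normalize_url(raw_url)
        host = urlsplit(url).hostname or ""
        if not host or host in seen or is_whitelisted(host):
            continue
        seen.add(host)
        try:
            ip_address(host)
            kind = "ip"
        except ValueError:
            kind = "domain"
        score = REPUTATION.get(host, 0)            # real playbook: reputation API call here
        obs = {"host": host, "kind": kind, "url": url, "score": score}
        if score < SHOW_AT:                        # suppression: keep noise off the queue
            result["suppressed"].append(obs)
            continue
        result["observables"].append(obs)
        if kind == "domain" and score >= BLOCK_AT:
            result["actions"].append({"action": "block_domain", "target": host,
                                      "approved": False})
    return result


def execute_approved(actions: list, approved: set) -> list:
    """Run only the actions an analyst approved; here 'run' just records the target."""
    done = []
    for action in actions:
        if action["target"] in approved:
            action["approved"] = True
            done.append(action["target"])          # real playbook: DNS-filter API call here
    return done
```

The approval gate is the point the speaker stresses: `triage` never blocks anything itself, it only proposes, and `execute_approved` acts on exactly the targets the analyst signed off on. Swap the `REPUTATION` table and the `done.append` line for real API calls and the structure carries over unchanged.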