
So, hi everybody. My name is David Bianco. I work for Mandiant, but I've only been there for about four months. Before Mandiant I was with a Fortune 5 company that I will not name, because I'm no longer speaking for them right now. I want to tell you that even though I have the Mandiant branding, because I'm a corporate dork... honestly, the real reason is I can't make anything pretty, so don't expect too much out of my graphics. Even though this says Mandiant at the top, this is actually based on work that I did before I came to Mandiant, so it's 100% what I did when I was working on an enterprise detection and response model for a Fortune 5 company.

So of course, if you go back to the history of time, this is pretty much where everyone started: Snort, or something like it, some IDS where you just get an alert. You get a little bit of data, maybe you get the packet that triggered the alert, but then your analyst has to do a lot of work to validate that alert and do some research. It's really untenable, especially today, but even then it was pretty untenable; we just didn't realize it. And then, what, like the end of '03 or into 2004 or so, Richard's book came out, The Tao of Network Security Monitoring. That's actually how I made the transition from IDS into NSM. The big idea from NSM that makes it so different is that it is intrusion detection, but it's also plus this other data: other supporting network data, network sessions, full-content pcap. We've seen a few other things today that fall into the NSM camp, such as asset detection and things like that, that you can gather from the network traffic.

Just a quick aside: at the time that I started implementing this using Sguil, we went from having one Snort sensor at the perimeter of our network and an analyst spending six hours a day trying to find the information they needed to validate their alerts and do their research, to having four sensors, one at the perimeter and three inside, and only spending about two hours a day. So we actually quadrupled or more the number of alerts we were processing, and we cut the time by a third to process them, and it's all down to having the network sessions, and especially the full-content packet capture, available, and a nice tool like Sguil to bring it all together.

And this is pretty much where we started at my Fortune 5 employer. We were hired on to start this from scratch for the whole company, in almost 200 countries around the world, all of our business lines. It's a giant company, probably one of the largest organizations, to be honest. We started off with, I think, four of these Sguil sensors running at first, and by the time I left four months ago we were nearly up to 600. I don't want to brag. We had literally petabytes of pcap data sitting around on disk waiting for our analysts to pull it on a regular basis, and we were sending something like two terabytes of data of network sessions and HTTP records into our database. So by that point we had pretty much exhausted the scale of NSM. We were getting great success from it, but we were really looking at, okay, what is next? What can we do to get better at what we're doing? Because we felt like we had pretty much reached the limit of NSM. Even if we added another 600 sensors, it would give us more visibility, but it's not going to substantially improve our ability to detect or respond. So we were looking for something a little different.

So what I spent about the last year or so at this company working on, along with a friend of mine, Ryan Stillions, who I would be remiss if I did not mention because he has a lot to do with what I'm talking about as well: we came up with what we call enterprise security monitoring. You have IDS and you add some other network-based data and you get network security monitoring. Well, in our model, you have network security monitoring and you add some other enterprise data into it and you get ESM, enterprise security monitoring. And you get the same kind of jump from one level to the other. When we jumped from IDS to NSM it was like, oh, this is awesome. Well, now we've got a fully functioning NSM shop; we need to make the next jump, and that's what I'm going to talk to you about. In the first half of this presentation I'm going to be talking about ESM and the kind of high-level blueprint of how you would do this. All the presentations leading up to today, this was totally coincidental, I guess, but the last of the presentations had to do with Security Onion gathering NSM data and ELSA gathering all this other kind of enterprise data, so you can think of it now as I'm going to give you a blueprint for doing this in your organization. I'm also the first person, by the way, who doesn't have code to present. I don't write code for this. This is not a programming talk, and in a lot of cases it's not really a technical talk. Sorry. This is just a little diagram to show you the representation that I already talked about: Snort plus other stuff, that's NSM; plus other stuff, and you get up to ESM.

So, the benefits of enterprise security monitoring. There are a number of benefits, reasons why you would want to approach this. First, you get increased visibility. I'll be honest, when somebody who has 600 NSM sensors says he needs increased visibility, I'm talking about a really large increase of visibility here. We also get more value out of existing systems; you'll see why in a second. But the whole idea is to turn everything that you have that can generate logs of any sort into a detection platform. So you'll get more visibility because now you have all these host-based or application-based things that are not just network sensors, and everything that you've already deployed, even if you didn't consider it a security system in the first place, is now an intrusion detection mechanism. We're going to put all this in one place, aggregate it in something like ELSA or Splunk, so it's very hunter friendly. We talked about hunting; Richard talked about it in the keynote, Martin was basically showing you, and Brad and Chris were basically showing you how to do that. Having all this data in an all-in-one system is very hunter friendly, for all those reasons we've already seen today.

I'm also going to talk about some better organization of the intel, because to me just having this data is not very useful. Our approach is very intel focused; it's intel driven. Once you start thinking of intel-driven processes, then you can start thinking about what intel do I have, how do I organize it, what questions do I need to ask about the intel that I have to make sure I have an effective program, and we'll talk about that. But the real goals here, no matter what I said up to now, the real goals here are two. First, quicker, more accurate incident detection and response, so you'll be alerted to something happening more quickly and you'll have more data to answer your questions more rapidly, so that you'll be able to do something about it more effectively. And the last thing, which I really enjoy, is I see it as leveraging your detection and response infrastructure to cause pain to the adversary. You make it harder for them to do their work. You can't stop them; they have the will, they will do it, but you can make it as difficult for them as possible, and you can almost turn it into an offensive capability, or counter-offensive capability.

So I said first of all that we're intel focused. I'm going to spend the next few slides talking about a few cycles
that we have. I'm not an intel analyst. Some of you in the room might have some intel background, but I don't want to say that I'm an expert in intel, so I've written this at a very high level. This is a high-level view of what a corporate intel team or corporate intel function, or even an outsourced intel function, would do for your response team. They do some research into threats, they gather some raw data, they analyze it, break it down a little bit and make some conclusions, like the intel, and then they use those conclusions to go back further into their research. Well, I've concluded that this group is in China. Well, what part of China would they be in? Some other parts of China have different specialties, so let's find out what those specialties are; do some research, analyze that. Oh, I've got a table of the specialties now. Oh, now I can make a new conclusion that this must be from, I don't know, quite honest, or something.

So the output of the intel function usually goes into your detection process. The detection process, again at a high level: you observe things that are going on in your enterprise and you compare them to the intel that you have. The intel could be as simple as, I've just got some Snort signatures, I know that this kind of attack looks like this and it's going on on the Internet today. It could be more detailed; it could be something like the APT1 report that we published earlier this year, and I'll try to make that the last time I mention Mandiant today. And then when you find those things you do some alerting, and somebody has to validate that alert to say, hey, this is a false positive, I don't really have to care about it, or this is an actual real alert that somebody had better do some response to, in which case you get into the response cycle. Which, again at a very high level, is: you contain the problem to keep it from getting any worse. You've already got a validated alert, so the first thing you do is keep it from getting worse, to buy yourself some time. Then you investigate it, try to figure out what they did, what they got access to, what they tried to do, maybe what they were unsuccessful with. Make sure you've got the whole scope of the incident. And then once you have the whole scope of the incident you can start remediating it and putting things back in their proper order: ejecting attackers, re-imaging systems, putting them back into production use.

So these three cycles are not really separate. They're in fact parts of an overall cycle, which I could have drawn as a circle, but I didn't. You see it starts over here with the intel cycle. The output of the intel cycle would be indicators; I'll talk a little bit more about indicators in a bit. The indicators come into the detection cycle. The output of the detection cycle is an alert, a validated alert, and then the incident response folks take over there, and their whole goal is to get from alert to remediate as quickly as possible. Actually, as quickly as possible from observe, where the event actually happened, to make a quick alert and then remediate. And you'll see that each one of these stages has a database of some sort. It might not actually be a MySQL database; it could be a collaboration tool like wikis or something. Especially on the containment, excuse me, on the response side, you see a lot of tickets and wikis and knowledge bases, collaboration tools, rather than just straight-up MySQL databases, but it's a place where they store all their information so they can look at it over time, see what they did about something a year ago, the last time they saw it. And then these are also all related by feedback loops. So I go from intel to detect to respond, but I also get feedback back, so I can say your indicators were not too good, send the feedback to the intel team and they can revise their indicators. Or the responders can say, dude, your alerts, you're just not alerting on the things that we need to know about, or you're still giving us too many false positives even though you said it was validated. Or even, you know, your alerts are great but they're based on faulty intel that the detection function didn't know was faulty, because they don't have the same view of the network.
So those are the processes involved, but they all need data. So in the ESM model we start with the intel coming in, and the intel can go into two places. First it goes into this thing we call the enterprise security monitor. The enterprise security monitor would be like Splunk or ELSA, or you could do it with a SIEM, although I don't really think the SIEM is ideal for this. The intel goes in there. It also goes through this detection processing to create actionable signatures for your real IDS platforms, Bro and Snort or whatever, and they feed into there, and these all again feed into the enterprise security monitor. But you also have any other data that you have in your enterprise: firewalls, routers, switches, network infrastructure, operating system or application logs, proxy logs, web logs, antivirus, HIPS, HIDS, VPN logs, DHCP logs and tables, DNS. All these things: if you're logging them and you're not capturing that information, why the heck are you logging them? And if you are capturing that information, capture it all in one place, so your analysts, or your IT ops people, or anybody really in your company, know where to find that information when they need it. And then your analysts here talk to the enterprise security monitor. They get their alerts from the ESM, and when they're going to validate them or when they want to do their response, they send some queries back and get results. Everything goes through one place there. Nothing wrong with Security Onion, right, but the demo that you were showing us this morning was: go to this tool, pivot to this tool, pivot to this tool. Which was great, actually, because that is like the foundation; you have to be able to do all those functions, right? But the slightly better way is to build it all in here so that you don't have to. And actually Security Onion really does work that way; I know a lot of those things you were just showing were how you could use the different tools, right? So Security Onion is a possible implementation of the enterprise security monitor. It doesn't necessarily by default include a lot of this enterprise data, but it has the same architecture.

So let me ask you a question.
I said "indicators" a few times already. What is an indicator? Anybody want to disagree with what I've written on here? A piece of information that points to a conclusion. Okay, now let me ask you another question. Given this definition of an indicator, do you feel confident that you have indicators that can go into your detection mechanisms safely? It's a trick question, actually. So when you say indicator, this is the definition of an indicator, but a lot of times when we're talking about indicators for intel-driven detection and response, we actually have a few different kinds of indicators. First of all I want to mention, and this is something I see a lot: an indicator is not the same as a signature. I've seen a lot of people say, like, I've got a Snort rule, I'm going to capture that as my indicator. That's not your indicator. The indicator is just the raw output from intel. You don't want your intel team creating signatures for you; I don't want my intel team writing Snort rules, but I want them to give me good-quality indicators, and then I will take them as part of this box here, the detection process. That's where you turn indicators into signatures.

There could be a number of different data types for indicators. Indicators could consist of almost anything: IP addresses, transaction or user elements like user agents or mail server types or something like that, file names or paths, or mutexes on the system, or even a username that you know or suspect is compromised, an email address, a hash, all kinds of things. This is not a comprehensive list. And I say indicators have three characteristics. First, they're extractable: can I find this indicator in my data? If I have an indicator that either I have no data to back up, so I can't even begin to look for it, or an indicator that I can't really find in my data, because, I don't know, the indicator is a plain-text string but it would be found over an encrypted session, I can't find it, can't extract it, not a good indicator. Leaving the middle one aside for a minute, the next one is actionable: if I do find this indicator in my data, is it something I can do something about? So we get these things from, I don't want to pick on somebody, but I'll say DoD, right, and they'll be like, hey, this is the list of indicators for this attack group, this threat actor, and it'll be like smtp.aol.com or something. Which is context dependent. At a military site that might be actionable, because they might not get a lot of AOL traffic, but in the corporate world you get tons, and the educational world will get tons. It's not actionable; probably not a good indicator for you. And then the middle one here, purposeful: to what use will I put this indicator? To me, this is the biggest thing that people don't understand about indicators used in intel-driven detection and response. There are actually four, at least four, different types of indicators. I actually had somebody tell me the other day that they thought there might be a fifth type. An attribution indicator: that's what your intel team probably uses, who or what is responsible for this activity. A detection indicator: if this event happens, I want to know about it; this is something you can actually look for in your data. A profiling indicator: like, this is the threat actor, who are the people in my organization, or what business units, are they likely to go after? And then a prediction indicator: given whatever just happened, can I make some prediction about what I should be looking for in the next number of weeks or days or something?

So a good example of an attribution indicator is smtp.aol.com, right. So you have 24 different threat actors that you're tracking; a subset of those, five of them, have the habit of using AOL mail. So it's an attribution indicator because it takes out 19 of the possibles and lets you say this is probably one of these five. You combine those with other attribution indicators and you might narrow it down to one or two actors. They're low fidelity. Maybe sometimes they're really high, but they can be low fidelity because it doesn't matter; it's not that you do attribution based on any one indicator, it's a preponderance of the evidence. So it doesn't matter if they're low fidelity; it's not going to cause the intel team any problems. It causes you problems if they start to send them to your detection systems, though. The detection indicators are more high fidelity. You probably can't use smtp.aol.com as a detection indicator, although it may be a very good attribution indicator. A profiling indicator would be something like, well, this group is interested in nuclear energy, or this group is interested in things that are going on in a certain city, so I would say that my people that live and work in Augusta are at higher risk of being phished by this adversary. A prediction indicator is really interesting. I had one of these; I don't see these very often, but I do occasionally. We had one where we had just published a press release about a new research center we were opening in this business area and this location, and our intel team said, well, based on that, I can tell you that this particular threat actor is going to start web-based recon against this web server sometime in the next 30 days, because they had derived some intel that said, actually in profiling, this actor is interested in this business segment, and when we've done this in the past we've noticed that within 30 days that actor will target the web server that originally published the press release and start doing web-based recon to identify the names of all the people in that business area, or our employees in that local area where the business is going to be, and they're going to get phished. So what's the actual prediction indicator, though? The prediction would be that because we just published a press release on this web server, we're going to see web-based recon to do that kind of enumeration within the next 30 days, and probably about two weeks after that we're going to start seeing spear phishing to the people in that business unit or in that physical location. And they came to us and said, you know, we need to be on extra high alert for detecting these things. Like a narrative that is... yeah, yeah.

So, show of hands, who in here is familiar with the cyber kill chain? Okay, pretty good number. This was actually created by Lockheed Martin: Eric Hutchins, Mike Cloppert, and, I forgot the first name... Rohan, yeah, sorry, sorry, Rohan. It's a model that shows a typical attack progression, mostly for a targeted attack, but it doesn't have to be; it can be adapted pretty easily to some of the other things. It starts off with recon, to do some research about the target; weaponization, to create some kind of exploit package, which is then delivered to the target, and which is then executed in the exploitation phase; they install some package to create a command and control channel, which allows them to do whatever it was they wanted to do: rummage through your network, find your files, exfiltrate them, shut down your reactors, spin things too fast so you can't manufacture your weapons.
So the kill chain model is not the only one you could use for this. Like, Mandiant has its own; I lied, I forgot I had Mandiant in here again. Mandiant has its own, but the kill chain is probably the one most people are familiar with. I've taken the kill chain model, and we use that a lot, but I've also added another model to it, which I call the pyramid of pain. The pyramid of pain is a measure of: if you have certain levels of indicators, detection indicators, that you can detect and respond to rapidly enough that you effectively demolish the adversary's ability to use that particular indicator against you, how much pain does that cost them? So on the bottom here, the wide part of the pyramid, we have lots of hash values. It's trivial to create a new hash value; a lot of times it's done accidentally, because they added a null byte to the end of it in transmission or something, and it has a whole new hash value. So if you detect an adversary's files because of a hash value, they're like, whatever, I'll send you a new one. Really easy for them to get around. IP addresses are a little bit harder, but not that much. They change a lot; a lot of times the adversaries don't even care what IP address they're using, because they're using an anonymous proxy or a Tor exit node or something; they don't even know what their IP address is, maybe. And so, yeah, fine, you blocked my IP, I'll come back tomorrow with a new one. Domain names may be a little bit more difficult, because they actually have to go through the trouble of registering a domain name, but not terribly bad, because, you know, cybercrime people are just using stolen credit cards, or they have funds so that they can buy hundreds or thousands of them at a time. If it's a nation-state actor they might even have their own domain registrar, so, screw it. A little bit higher level, though, then it starts to get annoying. That's when you start being able to detect them based on network artifacts, like the protocol that they're using, the URL patterns, or the things that they have for user agents or whatever, or on the host side, that's where I know their typical file names or the mutexes or the registry keys that they use. They can change their code, but they probably have to recompile something, or at least put in a new version of the config file, to get around that. If you start being able to see the same tool over and over again with different network artifacts, you may eventually get to the point where you can detect that tool no matter what they do, in which case you've just destroyed their ability to use that particular tool. That's when it gets a little challenging, because they've got to either go out and get a new tool and train themselves up to use it as well as they could the old tool, or they might have to write a new tool, and you've caused them a substantial amount of effort to get back in the game. And the highest level here is, what is it, salts and fats and sweets? The tactics, techniques and procedures. That's their standard operating procedures for hacking; in other words, that's their education, that's how they know how to operate. If you can find a group that is operating against you because you know how they work, regardless of what tools or artifacts or domains or IPs or whatever, that's really difficult for them, because at that point what are their options? They have to stop doing everything they've been trained to do up to that point, train to be an entirely new kind of hacker, and then come back at you. Which, by the way, is pretty much the same thing as disbanding this hacking group and creating a new hacking group with totally different training. That's extremely difficult. I don't really know of anyone who could actually do that. I mean, I guess with some of these adversaries they could, if they were determined enough, but if you
if you can push them off and sit them on the top pointy part of that pyramid, they're not in a comfortable place and they're most likely going to leave you alone.

So this is what happens when you combine these two models. I'm going to discuss this in the next several slides. I don't have a good name for this, but, yeah, I like that. So the idea here is, for intel-driven detection planning, we need to answer several questions for our program. First is: what scenarios do we need to be able to detect? What kinds of indicators, at what levels of the kill chain, do we have in our intel DB already? The next is: for all those that we need to be able to detect, what are our options, currently in our organization, that are already deployed, for detecting each of those? And then, since we may have multiple options for the same scenario, what are the strengths and weaknesses of the different options? Why would I choose one over the other? And once we get all that going, then we can start to answer some really interesting questions, like what is our detection stance against a particular actor? Based on what we know about this threat, how do we feel we're doing at detecting what they have? And then what's our overall plan, an integrated plan, for detecting any activity that's in our intel database, across our entire organization, using the full spectrum of information that we have. Just some easy questions, right? I'm just curious, anybody feel like they have good answers to at least, I don't know, one of these questions? Nobody? Okay. Honestly, I kind of expected that, but I was hoping.

So first of all, this is the kind of scenarios that we have to face, the first question. What I did was I took a hypothetical intel database, and I said, well, each one of these bullet items here is a data type. It's not the type of indicator, like profiling or prediction; these are all detection indicators. But I took the data type of all of them that I had in our database. We record what kill chain phase that indicator is associated with, and it might be more than one. So what I did was I took all the ones that are associated with recon and dumped the unique data types I had, not the actual indicators themselves, just the unique data types. I did that same thing for all of them. So you can see here, like, I have a lot on installation: I know snippets of binary code, Windows processes, Mac, and so forth, antivirus street names for things, some hashes and IP addresses and everything. And notice that these are ranked in pyramid order, so the things closest to the top of the pyramid are at the top of the list, and the things at the bottom of the pyramid are at the bottom of the list. That's not to say that the top of each list is the top of the pyramid; it's just the closest that I have in my database. I in fact do have a few behaviors, which is the top of the pyramid, but almost all of these have IP addresses or hashes, which are the very bottom.

So now I've got this scenario, this catalog of scenarios I have to be detecting, so I can make a list of all the possible detection mechanisms, not only like IDSes but any kind of log sources that are going into my enterprise security monitor, and I can say, okay, this is what these are good at; can I cross off anything it's not good at? So Snort is not really good at finding file names on the disk, not really good at finding MD5s, not really good at finding, what else, behaviors is iffy if it's network, but even so, Snort is usually more byte-stream oriented than behaviorally oriented. So I cross off everything that Snort is not good at. This doesn't really tell me that much by itself, but I've done the same thing for multiple different things. So here's a host-based intrusion prevention, so like an antivirus kind of solution; McAfee has a HIPS product to go with their AV, but there are other ones too. And some of these are, you know, different. So where Snort was crossing off almost everything having to do with the host and leaving everything to do with the network, this is kind of the opposite. Like, it doesn't do very well with HTTP GETs or user agents or IP addresses or something, but it can find hashes, it can find file names, it can find registry keys, it can find snippets of code, because this is basically what an antivirus does, right? So in some senses it can find behaviors when they're doing actions on objectives, but not necessarily behaviors on command and control, because that's kind of networking. And you can do this on multiple ones, if you have like a host-based response product or something like that. And basically what you end up with is layers, and you stack these layers on top of each other, and when they're stacked up, if you have any of these scenarios that is not crossed off in at least one of those, you make sure it's uncrossed here. So, like, I have at least one thing that's good at URIs in the installation phase, so it's fine. This says I have nothing that's really good at street names, Sophos, in the installation phase, so it's still crossed off.

So now you can start to do some scorecarding, where you can say some basic high-level things like: based on the intel that I have available, my detection program is doing pretty good at detecting in the recon phase; I have very few, if any, things crossed off there. It's kind of iffy in the delivery phase, because I have some things that are crossed off. This is not just pure numerics. I wouldn't care too much if it was only hashes crossed off, because they're very low on the pyramid, but I kind of care that it's crossed off behaviors. Behaviors are the most valuable kinds of indicators, so I don't want to see them crossed off ever, and because those were crossed off I gave it kind of the middle rating: warning, we could be doing better here, but we're not terrible. And then I don't really have any on here that we're really terrible at. You do this across all of the kill chain phases. So this is how well we're doing with the intel that we already have.
Now this is a little different view. It says: based on the indicators that we have (not whether we can detect them or not, but are we gathering the right information, the right kind of intel, in each of these phases), what is what I called the pyramid effectiveness of our intel gathering at that phase? And so you can see there are some places where we do really well: delivery, exploitation, command and control, and actions on objectives, we've got them covered, we're doing really well, because we have things at the top. We have a lot of things here in the middle; that's where we want to focus, the middle and the top. We have some things at the bottom; that's good. We have a couple of weak points with installation, where we really don't get too high in the pyramid. The highest thing we have is binary code, which is kind of mid-pyramid level, and that's okay, it's not terrible, but we don't have anything in terms of... I mean, this is pretty much artifact level, yeah, this is the artifact level, so it's the mid level, but we don't have anything about tools, the tools level. We don't have anything at the behavior level. We could focus a little bit more and try to ask our intel team to do some additional research to find those out. And we're terrible at weaponization: we have very few types of indicators, and they're all file names and file paths or URIs, so they're kind of mid-level, but we just don't have that many different kinds of data. That means we can't bring a lot of our different tools to bear, so we don't get a passing grade there. I would say the weaponization phase is the hardest one to detect, because it usually is action that happens at the attacker's computer, because they're creating the exploit package. We usually actually detect the weaponization as it's delivered to us, but it still gets its own phase.

Now this is another view that you can have with this data. This is kind of the pyramid effectiveness and the "what can I detect" effectiveness against a specific adversary. Mandiant likes to... oh, I lied again. We'd like to number all of our adversaries, so I've given it an irrational number. And we're doing terrible at recon. For weaponization we don't even have anything for this adversary, and we only have, I can't even read my own slide, URIs and addresses, so kind of mid to low level at the delivery phase. And we're doing mid-level effectiveness all the way up until we get to actions on objectives. We're really good at knowing what they do when they get inside. Honestly, that means they probably got inside a lot.
Okay, so we have some places that we could improve. Obviously, the more green you are across the board the better, but you especially want to focus on things to the left where you are red, because we could potentially find some recon that, let's say, preceded an attack by one or two weeks or something, to give us some early warning and kind of help compensate for the fact that we're only marginal or okay at the other phases. But if we have that additional intelligence and we have the ability to look for it, but we don't... And then finally, the last piece of this is kind of like the integrated enterprise detection plan.
So this is actually a screenshot of my Excel spreadsheet that has, again, all of the data types of all the indicators, sorted by pyramid effectiveness, and then the phases of the kill chain. It says, basically, if you have... let's see, what's a good one... if you have a file name and you need to find it in the installation phase, come all the way over, and here's your two options: HIPS and MIR (mine, because I work for Mandiant... oh, David Bianco, biggest liar at BSides Augusta).

So these are your options; these are the places that you would consider deploying your indicators. You can notice that I've got it marked for deploying in two places; I don't like to only deploy it in one place. So you'll see that if I have no place to deploy my indicator, I'm red. This tells me where, as a detection program planner, I need to develop a new log source or deploy a new system or something to be able to detect those things. And I care about red up high more than I care about red down low, so they're ranked, but I still care about all the red. If I only have one place I can put it, it's kind of yellow, it's like a warning: if this one Snort sensor is down for maintenance, I'm blind for URLs in the actions on objectives phase. Does that sound like a good idea? No, but I only have one place I can look for it, so there's no overlapping coverage. If they obfuscated it such that Snort was fooled, maybe Bro wouldn't have been fooled. If I had Bro deployed, I'd have both of them looking for the same thing, and the odds are increased that I would find it. So this is your program plan. It tells you, just kind of at a glance, a whole lot of these other things that we talked about in the previous slides, and gives you an idea of where you're doing well (all these greens at the top and at the right), where you're not doing so well (all these reds at the top, some of these reds down here), and where you have some room for improvement. It also tells you where you actually have intel: all these black places, I don't have intel about. I have no idea about what they do for reconnaissance, except for a few things. For some reason I have no email headers at all for spearphish; I don't know anything about their spearphishing, apparently. So you can derive most of the previous graphs from just this spreadsheet, but those are a little easier way of digesting it.

So, just to summarize: the same thing as when we went from IDS to NSM, we're now talking about going from NSM to the next level, enterprise security monitoring. By collecting and aggregating data from all the systems across the enterprise, and taking an intelligent look at the intel that we have, the intel that we need, and how we can most effectively use that to cover our own bases and inflict harm on the adversary's processes, we can get big improvements in detection and response capabilities, again similar to the way we got big improvements when we added additional data to IDSes and came up with NSM. But the best thing is, I really just don't like these guys. If I can tick them off, I would like to do so. I want to make it as hard as possible for them, and this is the way that we came up with, and I think this is the model going forward that a lot of the rest of the industry has. Large companies, small companies, mid-sized companies, they can all do this. A smaller or mid-sized company may find Security Onion, turn it on, and do exactly this stuff. A larger company may need to have their own dedicated ELSA or a Splunk environment or something like that, but the architecture, the diagram I showed earlier, it should be the same at pretty much all the levels.

So I'll take questions. Oh, by the way, my blog is down here in case anybody's interested in reading. And before I take questions, if there are any, I just want to mention I tweeted earlier about a contest to win Richard's book. I didn't do a trivia question, so I wanted everybody to tweet with the BSides Augusta hashtag why you want a signed copy of Richard's book. I did say that by the end of this talk, but by the time I started the talk I didn't have a single entry, so if anybody wants one, get one in pretty quick and I'll pick the one I like the best. I'll actually give you until the end of the next talk, and then give you some time to think about why you really need this book. And with that I will open it up for questions.
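The scorecard and detection-plan logic the talk describes (Pyramid of Pain rows, kill chain columns, red/yellow/green cells by number of places an indicator can be deployed, and per-phase pyramid effectiveness), as an added example that is not the speaker's spreadsheet or any Mandiant code; the sensor names, data types, sample cells and the weighting rule in phase_grade are my assumptions.

```python
# Added example, not the speaker's own spreadsheet: a model of the integrated
# enterprise detection plan from the talk. Rows are indicator data types with
# a Pyramid of Pain level, columns are kill chain phases, and each cell lists
# the sensors that could carry that indicator. All values are constructed.
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "behavior"]  # low to high

# Indicator data type -> pyramid level (constructed mapping).
DATA_TYPES = {"md5": "hash", "ip_address": "ip", "uri": "artifact",
              "file_name": "artifact", "email_header": "artifact",
              "binary_code": "tool", "behavior": "behavior"}

# (data type, phase) -> sensors able to look for it; a missing key is a black
# cell, meaning no intel of that type for that phase at all.
PLAN = {
    ("email_header", "delivery"): ["mail_gateway", "bro"],
    ("uri", "delivery"): ["snort", "proxy_logs"],
    ("behavior", "delivery"): [],              # crossed off: nowhere to deploy
    ("uri", "installation"): ["snort", "bro"],
    ("file_name", "installation"): ["hips", "mir"],
    ("binary_code", "installation"): ["hips"],
    ("ip_address", "c2"): ["netflow", "snort"],
    ("uri", "actions"): ["snort"],             # one sensor only, no overlap
}

def cell_grade(sensors):
    """Red: nowhere to deploy; yellow: a single point of failure; green: overlap."""
    return "red" if not sensors else "yellow" if len(sensors) == 1 else "green"

def phase_grade(plan, phase):
    """One color per phase. Cells are weighted by pyramid level, so a crossed-off
    behavior costs far more than a crossed-off hash, but one red is only a warning."""
    cells = [(PYRAMID.index(DATA_TYPES[dt]) + 1, cell_grade(s))
             for (dt, ph), s in plan.items() if ph == phase]
    if not cells:
        return "red"                           # no intel at all for this phase
    total = sum(w for w, _ in cells)
    red = sum(w for w, g in cells if g == "red")
    if red * 2 > total:
        return "red"
    return "green" if all(g == "green" for _, g in cells) else "yellow"

def pyramid_effectiveness(plan, phase):
    """Highest pyramid level we hold any intel for in this phase, or None."""
    lv = [PYRAMID.index(DATA_TYPES[dt]) for (dt, ph) in plan if ph == phase]
    return PYRAMID[max(lv)] if lv else None

def ranked_gaps(plan):
    """Red cells, highest pyramid level first: where to add a log source next."""
    reds = [c for c, s in plan.items() if cell_grade(s) == "red"]
    return sorted(reds, key=lambda c: -PYRAMID.index(DATA_TYPES[c[0]]))
```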