
Good afternoon, everybody. You have to forgive me if my voice starts breaking or anything like that; I just came back from a trip where I was doing a lot of talking, a lot of partying, which for those who know me is really nothing new. So, my name's Thomas. I've done a lot of things in my life; actually I should probably update that line to say almost 30-plus years of experience in infosec. I also help run BSides London, and Brian is in the audience, he's also one of our co-directors. Currently I actually work for Riot Games and I run the security operations team for the company. So what I'm going to talk to you about today really doesn't have anything to do with Riot Games; it has to do with something that's bugged me for a long time in our industry. I've been an incident responder for a number of years, I do a lot of detection engineering and things like that, just to try and understand the best way to protect an organization from the threats that could come up, and also to ensure that you're doing things so that you're protected, for example for the data, so that you have a focus on data protection if you need to do that in your incident response cycles.

So why are we here today? Well, I have a fundamental problem when I look at incident response, when I look at what we're trying to achieve: the actors still get in, right? We still get breached. We still have issues where something gets run in our environments and then there's a breach, and the actor is inside, he's starting to act, he's moving laterally, he's getting a footprint, potentially exfiltrating stuff or ransoming you in your environment. Now, is this a failure of people? I don't know; I'd rather not think it's a failure of people. The reason I don't think it's a failure of people is because I trust the teams I work with, I like to trust the teams I work with; I don't think that anybody that's doing this work is trying to fail, I think they're trying to do the best they can. Is it a failure of procedures? Sometimes it is, I'll be honest with you guys: sometimes the procedures, your playbooks, just don't match what you need to do in your organization to respond. Or is it a failure of technology? And this is where I get stuck, because we spend a massive amount of money on technology, right? We spend literally sometimes millions of dollars a year keeping our technology running, implementing our technology, improving our technology to catch the bad guys. This week I was at some presentations and this quote came up; I actually kind of like it: "Our failures are a
consequence of many factors, but possibly one of the most important is the fact that society operates on the theory that specialization is the key to success, not realizing that specialization precludes comprehensive thinking." This is by Buckminster Fuller; he wrote "Spaceship Earth", I think it's called, I can't remember the book exactly, but I have to actually read this because apparently it's pretty good, even though it seems to be far-fetched. But I like the quote because there's a few things that I highlighted, right: specialization, comprehensive thinking. If I replace "society" by "security" and I replace "specialization" by "tools", this still works, right? Because in some of the security operations that we do, we rely intensely on certain tools, we rely intensely on upgrading our tools or taking new tools into production to help us protect, but we're not actually thinking this through. And one of the reasons is, and I'm sorry if there are any vendors in the audience, we've got vendor overload. Every few years a vendor will come up with a new term, and I really like this, this is from security tiny. Basically my problem is that vendors are constantly telling us that, you know, we've got this new tool, we've got this new way of doing things, we've got XDR now, we've got all of this stuff, you know, we want to implement zero trust, it'll be better for you. And at the end of the day vendors are essentially telling us, well, you know, we're the best, we're awesome, we can protect your organization, we can detect everything under the sun. Don't get me wrong, you know, they think they can, but I can attest that they probably can't. And the other problem I have too is that, yeah, this is a marketing pitch. You evaluate your tools, you do things, but it's kind of pushy: they're kind of constantly telling us that they have the best tools and that they want the best tools, and the problem is they'll usually go pretty high up in the organization to try and sell you on this. So if you have an organization where the CISO, you know, relies also on people like Gartner and things like that to tell them what the best tool, what the next best technology is, you start to get kind of peer pressure, you start to get overload from all of these vendors, and you start to feel like you need to adopt these tools, but you don't really know why you're adopting them, to a certain extent. And this is something that, you know, I've experienced, you've probably experienced too. I just don't like the idea of us having to buy a tool because it's the new best
thing, right, because they say they detect everything. And to continue on this kind of rant, and I like to rant, right, because that's just the way I do things, there's a few people who know me who will tell you that I rant like crazy sometimes. But one of the problems is MITRE ATT&CK. I have mixed feelings about MITRE ATT&CK. If you've seen some of my previous presentations, you know I will literally, like, cast this framework. MITRE ATT&CK is really good for defining what actors do, the TTPs, to give you an idea of some of the capabilities. It's also a really great framework to explain to people what's going on from kind of a non-technical level, and it's even worse now, there's a lot more non-technical aspects to it, so that you can actually take a security team and an incident response team and they can use MITRE ATT&CK to identify the different steps, they can describe different phases of an attack, but it also helps them communicate better upwards, and I like MITRE ATT&CK for that. The problem I have with MITRE ATT&CK is that vendors started investing into it, right? So they start to say, oh yeah, this is really great, we can use this to actually demonstrate what our products do, and so you have the evaluation framework, the evaluation system. And yeah, okay, fine, but it doesn't prove that you can actually do what you're doing; it proves that you are essentially capable of reacting against certain threat actors, right? If you think about it, you're acting against... whoops, I'm sorry.

Thomas isn't failing today.

Let's go back. So you're going to be able to act against specific vendors with your specific threat actors that you're testing against, right? And yes, every year MITRE kind of pushes that testing framework a little bit further and further up. The problem I have is that I know specifically, for some of the organizations that I've worked with today and in the past, those threat actors that are listed here don't really concern me; they're not the ones I'm particularly interested in, right? I might be interested in them in the future, but right now I might have some different visions of which actors I want to specifically detect in my environment, which actors I know are going to look at attacking my environment, or that want something from me. So yeah, you cover a bunch of TTPs, you can demonstrate it against MITRE ATT&CK, but is this really what is going to save my organization or protect my organization? So I've been thinking over the past few years about what can be done differently, and when you're on lockdown you've got nothing else to do, basically, you start to think; I hope you do, otherwise you're going to get really bored. So I started thinking about things, right, so I started going down the road of how am I going to solve this problem.
So I've been in this industry, like I said earlier, a long time. I've done a whole bunch of different roles: I've done appsec, I've done security architecture, I've done compliance, I've done privacy. I've gone through all the different places, so I know essentially what different parts of the security lifecycle get done. One of the things that I've always liked is threat modeling, and, you know, I'm not going to read this, it's the definition; but threat modeling is interesting because you're basically taking your application or your architecture and you're looking at the different aspects of it, and you're trying to determine where the failures in that architecture are, you're trying to determine what threats can act on your architecture, and try to build in mitigations and look at what controls you need in place. And I've always argued, you know, I argue continuously with teams, it's like: if you do threat modeling and you're putting in place controls because you can't really correct whatever weakness you found, those controls should be escalated down so that detection engineering can actually build them up as detections, so that you can detect if somebody is pushing through those controls that you've put into place. But fundamentally threat modeling is a risk-based approach. So you decide, okay, I'm going to evaluate my environment, I'm going to build a nice workflow, probably a DFD or a process workflow, and you're going to identify what this application is doing and look at the places where you think there's a risk that you could be attacked. For example, if you have a login page, you're going to evaluate against brute forcing on that login page, something like that. But does it really work for an incident responder? Does it really work for a detection engineer? If you think about it, when we're doing incident response, when you're doing the detection engineering, you're essentially looking at specific events, you want to detect specific events, but worse than that, you want to detect a timeline of events, you want to find the timeline of events that's going to trigger an alert or that's going to tell you that something's going wrong in your environment. So determining controls and determining mitigations via a process and a risk-based approach gives you a starting point, but it doesn't really tell you enough detail so that you can build those alerts, so that you can build those response activities. So I started looking for a more practical approach. I was thinking, if I take this idea, how can I actually build something and do something where I'm going to be able to identify if my tool is actually working and if I've got the right things in place to be able to protect the organization? So I came up with four distinct things that I kind of needed to understand, and I'm pretty sure... I'm not sure, you know, this is a work in progress, right? So right now I think it's what I need, I'm not sure if it's exactly what I need, but overall it's a start, it's a stepping stone, and I'm hoping that it's going to work, and I'm hoping this is going to help you think differently and start to think about ways of building, well, integrating
new tools into your environment that help you protect an organization better. So my first aspect was, I wanted a threat-driven approach. Yes, I still want to keep that concept that we have for actors: they do things, they do things in a very similar way all the time, so I want those threat actors to be detected. But I also like the idea of the techniques and the procedures, so I have those techniques and those procedures, I also wanted to take those, but techniques and procedures evolve over time and they can be mixed together to do different things. So a threat-driven approach to me is more about, let's conceptualize that: let's not focus on one specific actor but focus on perhaps ransomware and all the different variants of ransomware, focus on perhaps backdoors and all the different types of backdoors and what could happen, or focus on lateral movement; say, if I'm very concerned with detecting lateral movement, I'll focus on lateral movement as a threat. Or focus on Active Directory compromise. If you take a look at all the recent attacks that have happened, all the recent big attacks that have been in the news, a lot of them start with: the Active Directory got compromised, a Slack user got compromised and their SAML token, which doesn't expire fast enough, was used to access GitHub, whatever, right? So you've got all of these examples that you can rely on, but you want to conceptualize those threats and remove that threat actor so that you can cover a broader base. You want to understand the capabilities as well, right? So what I want to do is, I kind of want to say, look... oops, it's a bit fast... I kind of want to say, what are the... I mean, I've kind of already said it, sorry, this thing hasn't worked in so long it doesn't want to work anymore. So I kind of want to understand the capabilities; others are TTPs, yes, from the actor's point of view, but what I actually want to focus on here is what are my capabilities, what can I do, what can my organization do, what can my team do. The third point was, I need it to help me define the detections that I can achieve and the detections that I need, right? I don't care about "you can detect APT29"; I care that I can detect the different capabilities... well, I could, but I have the different capabilities to be able to detect different TTPs and the vast majority of TTPs, and how I build those detections based on the information that I have in front of me. And lastly, I wanted to identify how effective my response is. So how do I take those detections that I have, the information that I can gather, and build a response model on top of it?
This is really annoying. So the premise that I came up with is: what threats are my organizations concerned with? So I have a specific set of threats in my current organization, Riot Games; I have a very specific set of threats. You know, CD Projekt, right, got ransomware last year, it's another gaming company; EA was recently in the news as well. So I do know there are threats out there and there are potentially actors that are going to target me, so I'm going to build kind of like models of the threats that I want to protect myself against. I'm going to identify my assets. That's one important thing that we forget as incident responders: do we really know our assets? Do we know everything that we really have in our environment that we need to protect, and can we get the right information out of those environments that we need? I mean, I'm going to go back to the tools: have you guys heard of Axonius? How many of you have heard of Axonius? A few of you. So Axonius basically, they're claiming to be an automated... I don't know exactly what they call themselves, but essentially what they try to do is they pull in all the places where you can potentially have inventory information, like Active Directory, SCCM, AWS, ServiceNow, and they merge all of that together to basically give you a vision and a view of your assets. And so it'll identify the computers, the users that are on that computer, and things like that. So that's kind of assets, but assets are also your applications, they're also your data stores and things like that, your network structure, your networking environment. You know, if you subscribe to a company that's outside and they give you incident response services or remediation services, the first thing they're going to tell you is, could you have a network map? It's like, how many of you are in organizations where they can swear they have a proper network map? No one, of course not. The network changes constantly, and it's been worse for the past couple of years, right, because we've basically completely destroyed the network because everybody's been working from home. You want to determine your detection data points too. I don't care that you can detect a running process; I care, well, I do, but what I want to know is what information do I want from that running process, what information is going to be useful for me to build a detection. And then finally I'm going to want to determine what response and actions I want to take and the data points that I need to take those actions. So for example, if I have ransomware, of course I'm going to want to stop it from encrypting, so what do I need to understand, what data points do I need to be able to determine if something is being encrypted and how to stop it, or how to essentially maybe capture the way that it's encrypting so I can potentially reverse it. So the approach that I've been working on right now, and this could change, that's why I put "whatever floats your boat" on the first bullet point, is I start with a mind map. I like mind maps. If you don't know what a mind map is, I suggest you look it up.
I'm not going to go through the concepts of mind maps; there's so many different variations, but essentially it's like you break things down into bite-sized chunks that help you understand what you're looking at, what you're trying to model. In my case I needed somewhere to start, and for a lot of incident responders, a lot of detection engineering, we're talking about using things like an incident response framework, right, so NIST. So I use NIST, and specifically I use the Identify, Detect and Respond portions of NIST. I didn't go too deep; I just wanted to be able to kind of label what I was doing into the different phases of where I was going with this. So how do I use the mind map? I primarily use it as a reference graph: I graph a view of the requirements based on the three domains, the asset identify, specifically asset management, detect and respond, and then I can quickly build this structure out to understand where I'm going with my thought process, how I'm going to identify my threat actor and how I'm going to react to that threat actor and respond and take actions against that threat actor and stop it. So the first phase is basically identify my risk, which I put in the center of my mind map; that's the start of my process. I've described that risk, maybe I've described it on a piece of paper locally or I've described it on a whiteboard, and I've broken it down into the key components of what that risk is. So if it's ransomware, I'm going to have some kind of dropper that happens on the machine. I decide whether I'm going to go further up that chain and say, oh, was it a phishing email or not, but typically what I found is that when I start to do that, I think that a phishing email is also a threat in its own right, because it can lead to different types of actions from the actor, so I'll actually extract the threat and put it into the phishing threat, put it into a different mind map. Then I needed a starting point, so that's where I got my Identify, my identify as asset management, my Detect and Respond bubbles. So basically what this does is it breaks down the tree into bite-size components. Okay, so that's going to work. So this would be at the start of my tree for the identify and asset management. So then I'm going to conceptualize this, right, so I'm going to put it up one layer higher. So for asset management, what I'm interested in, if I still stay on that aspect of a ransomware, I'm interested in the endpoints and I'm interested in network; I'm potentially also interested in the people, and by people I mean of course users. For the detect, I'm interested in the type of tools that I can use to detect; I'm interested in the telemetry that I'm going to gather to be able to create my detections. For respond, I'm going to think first how am I going to analyze this alert or this detection, what mitigations and remediations can I put into place to help me combat that, to help me stop that alert, and what tools do I have at my disposal. And again, by tools I'm very much conceptualizing the type of tool, not the
actual product. So I go down one level more. So for network I need to understand IP assignments: how do I understand which devices are in which network, which subnet, where are they based. For endpoints I potentially need a CMDB, right, configuration management database, so I can understand what type of device it is, who it's assigned to, what operating system it's running on and things like that. For tools under detect, you'll notice that I actually put "tool one"; I just don't define it right now. Well, I mean, in practice this might be endpoint protection, it might be network detection, it might be something very abstract, not a product. For telemetry I'm doing the same thing: I'm going endpoint, I'm going network, so those are the telemetry points that I'm interested in when I'm trying to detect my ransomware. In the respond, of course I'm going to have the event data that I'm going to actually bring in from the detect phase, so there's a correlation between detect and my respond, so I understand where I'm going with this, and I also have correlation data: so can I bring in indicators of compromise or other IOCs from reliable sources to be able to fine-tune that detection, be able to tell me what it actually is. Of course then we've got mitigation and remediation, and there I'm talking about actions: so do I kill the process, do I isolate the endpoint, things like that. And then the tools would be the tools to be able to do that kind of stuff, again very much abstracted. So we keep going, drilling down, and what happens is you get to an example which is, when I'm looking at this example, basically when I'm talking about detections and telemetry, I have an endpoint and that's going to deliver different data points, and I'll show you an example in a second, data points, and same thing for the network, I have data points, and then event data, and I have data points again for the correlated data, I have intelligence or I have internal, so maybe I've already had a previous trigger like this, so I can bring in that internal information from a previous trigger to correlate those alerts. Now, you notice there's a dotted line here. Basically what I'm trying to associate here is, I'm trying to say tool one will provide data aspect one, because I could have multiple tools on an endpoint and they could provide different types of data. There's a reason to the madness, and you'll see in a minute. So this is one that I mapped out for a ransomware-type attack; I might even abstract a little bit more, and I just
said, what happens when I get a malware? So this is really, I'm sorry, it's really hard to read, it is massive. But so, like, here's the endpoint definition: so what domain is it in, what IP does it have, does it have an EDR sensor ID, does it have a MAC, what's the MAC address, sometimes it has multiple MACs, that's fun; does it have a location, so do I know if it's in an office, which office, which floor; does it have an asset tag; does it have a host, what's the hostname; what's the purpose, is it a build machine, is it a user machine, is it a developer machine; what install time; who's it owned by; what OS does it have, versions and patches. And we can drill down into that, and you'll notice that there's some lines here: so the IP is actually coming from the network asset configuration information that I have, and in the network I have a set of ranges, and those ranges might have owners, because, you know, they could be, for example, IP ranges in AWS, and I don't know how you guys structure your AWS, but a lot of organizations I've worked with in the past assign different owners to different organizations in AWS to kind of manage billing, to kind of understand who's running what. When you have networks and segment names you might have a topology as well if it's an office, so it might be hub and spoke and things like that. When we get to the detect, then I have my telemetry, I have my endpoint, my process information, that's important for me, I have my username, I have my file detection; you know, file detection is a subset of the process info, that's how you've got command line arguments. So this is what I'm basically doing: I'm breaking it down into the minimal basic information, the data points. I'm not breaking it down into something where a vendor tells me what I need, right? I figured if you want to detect these things you should be able to break down the information that you need. And you'll see there's a lot of dotted lines; most of these dotted lines are links too, right? So this context username, the username links back to the user in the asset management. So this gets very complex; the mind map can get very big, it's one of my biggest ones actually. I really drill down into it to understand what I need, what I could detect and how I could detect. I also drilled down into how I could respond. This is the event data that I had; you notice that the event data actually comes from my telemetry. Then I have the process info, so I've got all this information; I can also pull additional hashes, additional IP addresses by marrying it with other tools. I've got the event data here, so I've got network that's coming from the network, I've got source ports, I've got destination ports, and I've also got coverage here. So coverage is basically where am I getting my information from, or how can I ensure that I'm getting the right information, and where do I expect to store it, so when I'm responding I know where to go find it. So once that's done, a mind map really isn't useful to actually do anything practical with, to build a detection or to look at what
kind of tool I want to use in the end. So I built a reference sheet. This was something that I need to automate, and I still need to automate, but that's going to require a lot of effort because I'm basically going to have to take a mind map out of Visio or out of Lucidchart and then kind of find all the data points and then bring them into a spreadsheet. Yes, I'm a security engineer and I love to... and I started making big spreadsheets; there's no failure in that, and then we complain about finance. The requirements is basically... the requirements becomes the reference manual, right? So this reference sheet is going to essentially list out all of my requirements based on the mind map. I inventory all the data points that I've put into my mind map, and those kind of become my assignments for threat, risk, solutions mapping. It helps me identify the data points at different stages, but it also helps me kind of see, okay, so I have all these data points, where am I getting them from, where am I actually getting them from? So what tools do I currently have deployed in my environment, are they actually giving me that information, and if I can't find a tool that gives me that information, I've basically identified a gap. And that's what was important to me: I wanted to understand where I was failing in terms of detections, what information was missing for me to be able to detect the next best actor. It's also provided me with the ability to build a requirements sheet for selecting new products, for selecting new tools, or for defining and building a new solution, right? So if I wanted to actually define a solution that I wanted to build, I can come back to this and look at all the things that I need to put into that solution. And the design state that I wanted was to have a gap analysis of my capabilities. So how do I do this? Well, like I said, I basically build a spreadsheet. So in that spreadsheet I break down my mind map; I start to list all the things in the mind map. You'll notice in some places I have, like, privileges; here it says "privileges 1-m". So anybody who's done any database architecture knows that basically means you have a relationship of one to many: so one user can have many privileges. So I'm boiling this down and I'm listing this out. So then I have a "provided by" column, and again that can be one to many, so
these data elements can be provided by the tools that I have in place. So this tells me where the information comes from, or can come from: if I have that tool in place, does it provide that information, does it come from an application. It also allows me to populate which tools I have or I don't have access to, because there might be tools that I don't have access to but can provide me with this information, and the data can, as I said earlier, come from multiple sources. The "used by" field actually tells me, am I using this data point already? Like, I have a playbook: am I using that data point in my playbook? I have an incident template, I have an incident layout for my ticket: am I actually using those data points in the incident ticket? I'm doing some forensics work: am I pulling all the information that I need from that forensic work, are the tools that I'm using pulling all that information? And again the data can be in multiple places: I could have a ticket, but I can also have a response tool that needs that data point to be used. So then name and path is provided... in this example we see the process information, the process info, trying to get this way. So the process info here, we have name, path, PID, command line arguments, and this is basically telling us that it's provided by EPP, so endpoint protection, EDR. So this would be like Carbon Black if you had Carbon Black, SentinelOne if you had SentinelOne as an EDR. Used by: you'll see that the process info here, process name, is used by my EPP, but it's also used by my SIEM alert, so the file hashes are used by both as well. Now you notice under the file hashes that it's blank, and it is supposed to be blank, and my example here is that basically I'm not using that information that my EDR is providing me. Now why am I not using it? Couldn't it be useful? Like the command line argument: I'm not using it in my playbook. Let me be precise: the command line arguments could be very useful in my playbook. Think about a PowerShell, or a spawn of a process from a cmd to a PowerShell that has a hash in it; why am I not pulling that back into my ticket? Because at some point in time I'm going to need to analyze that hash. So in my playbook I've already found the gap, I've already found something that's not working for me, right? And this is the more complete version. So you see I've got all the... like, this
one is the identification part, so the identify, all the different assets that I have. This is the process, this is the detect element, so here I'm detecting, so I have all of my "provided by"s. So in this example I have Carbon Black providing me information, I have Jamf Protect providing me information, I have Defender, I have Winlogbeat. The idea here is that the reason I have multiple tools is because I have multiple different platforms and I'm getting the information from multiple different environments, but the information is still, from an incident response point of view, from a detection engineering point of view, the same information. And that's another kind of side benefit that I got out of this: basically I was able to create metadata elements from all the detections. So if you've ever had to, you know, if you're a Splunk user you're probably lucky because you can basically throw any logs at it and it basically figures out what fields are in the log; if you're using Elastic you probably spend a few years trying to figure out the mappings into ECS, if there isn't one already. Sorry, Elastic, but that's the hard truth, but I know they're getting better with this; I've been talking to them about it, so, you know, it will get better, I'm sure. The problem is I still only want one data point name, right? I don't want to have to deal with multiple data point names. I also blame the other vendors, because they basically create exports of their logs with their own vision of what a data point should be called. So that was the side benefit of that, I just wanted to put that in there: I now had a mapping of all the different elements and I could actually identify if all of my products are providing me with a process name or a path or a PID or command line. Sorry, I wanted to say something: so if you look at this mapping, what we did basically, you'll notice that I'm pretty good on my "used by", except most of my fields are only being used by my SIEM. That's good, it's generating my alerts, but why am I not using them in my SOAR engine, why am I not using them in my playbooks, right? And this was just an example for this particular threat that we were mapping; we hadn't actually completed the whole process of building the playbooks to use the data, right? So it also provided me with a way to track the progress of where we were in building our playbook.
so this was really cool so now i'm understanding the organize my organization's capabilities in terms of how what things i can detect what things information what i have when i do those detections what information i have and what capabilities i have when i'm able to respond it's also allowing me to make better decisions on what tooling and how to use my tooling or tooling i want to get and what how to use my tooling um to give an example when we were reevaluating uh our mac protection system systems we looked at the different products out there and we picked in the end jam protect for this particular scenario because it was providing the best possible coverage of
information that we needed and finally it's actually given me a framework to poc new tools so when i'm bringing in a new tool i can now use these maps these capabilities that i mapped out and said look at them and look hey cool does this tool match this this this this and that how much does it match can i get the information from another tool so will it marry properly into my into my tool set and into my solution into the solution that i want to build and that's actually it so we're we've got time for questions and i'm sorry again i'm sorry if it's a little bit convoluted i completely misplanned this whole week
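As an added example, not from the talk or the speaker's own spreadsheet, here is the data-point map just described in code: each point lists which tools provide it and which consumers use it, with the three checks the talk walks through (provided but unused, not yet wired into SOAR or the playbook, and how far a tool under PoC matches the map). The tool and consumer names are the ones mentioned in the talk; who provides or uses what is a constructed sample, and the ECS-style field names are an assumption.

```python
from fractions import Fraction

# Data points from the talk's process-info example (ECS-style names assumed).
# Tool and consumer names are the ones the talk mentions; who provides or uses
# what is a constructed sample, not the speaker's real map.
PROVIDED_BY = {
    "process.name":         {"Carbon Black", "Jamf Protect", "Defender", "Winlogbeat"},
    "process.path":         {"Carbon Black", "Jamf Protect", "Defender"},
    "process.pid":          {"Carbon Black", "Defender", "Winlogbeat"},
    "process.command_line": {"Carbon Black", "Defender", "Winlogbeat"},
    "file.hashes":          {"Carbon Black", "Jamf Protect"},
}
USED_BY = {
    "process.name":         {"EPP", "SIEM"},
    "process.path":         {"EPP", "SIEM"},
    "process.pid":          {"SIEM"},
    "process.command_line": set(),   # the EDR provides it, nothing consumes it: the gap in the talk
    "file.hashes":          {"EPP", "SIEM"},
}
CONSUMERS = ("EPP", "SIEM", "SOAR", "playbook")

def unused_points(provided=PROVIDED_BY, used=USED_BY):
    """Points some tool gives us that no consumer touches (telemetry we pay for and ignore)."""
    return sorted(p for p, tools in provided.items() if tools and not used.get(p))

def consumer_gaps(consumer, provided=PROVIDED_BY, used=USED_BY):
    """Provided points a consumer (e.g. SOAR or the playbook) could use but does not yet."""
    return sorted(p for p in provided if consumer not in used.get(p, set()))

def consumer_coverage(consumer, provided=PROVIDED_BY, used=USED_BY):
    """Share of provided points wired into the consumer; tracks playbook-building progress."""
    total = len(provided)
    return Fraction(total - len(consumer_gaps(consumer, provided, used)), total)

def poc_match(candidate_points, required=PROVIDED_BY):
    """Split the points a tool under evaluation offers into matched and missing against the map."""
    matched = sorted(set(candidate_points) & set(required))
    missing = sorted(set(required) - set(candidate_points))
    return matched, missing

def report(provided=PROVIDED_BY, used=USED_BY):
    """Print the gap analysis a team would take to management."""
    for c in CONSUMERS:
        gaps = consumer_gaps(c, provided, used)
        print(f"{c:9s} coverage {consumer_coverage(c, provided, used)}  gaps: {', '.join(gaps) or 'none'}")
    print("provided but unused:", unused_points(provided, used))

if __name__ == "__main__":
    report()
```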
which is night hey
So the question is how much time did I spend creating the big mind map that I created. So I didn't create it, the team created it, right? Because there is no one source of information. You know, it's like, if you've got a good team they all have good ideas, they're all able to work, you're going to want to work together, because at the end of the day the team... hold on a second. The team is the one that's going to understand those detections that you can make; it's also the one that's going to want to respond. To be more specific, it took us, because we work remotely and plus we work in different time zones, four two-hour sessions. The harder piece of work was taking the mind map and putting it into the spreadsheet. That's why I need to find a way to automate it, because to be honest it's not going to work long term, because as soon as you make a change you have to go back and look at the spreadsheet and change that spreadsheet as well.
Well, I think I'll give you the mic. Just... thanks, no pressure. So I have a question, hopefully I can get this out right. So when I look at the mind map, it was fantastic, and you can clearly see the process, the decision, the action, the source, the data point. Yeah, I looked at that and thought, oh great, and I can put the application ID here, the control point here, and so on. But I kind of realized, geez, you're getting into an awful lot of work in this, and while it's very useful for me personally to do, I'm not sure I'd take that full document through to my stakeholders, for example. I was kind of curious, once you have it done, for the kind of takeaways, what are you bringing out to the other teams to say? Right, you wouldn't necessarily show them the map, might not show up in a spreadsheet; is it the gap analysis that comes out that says, look, here's our gaps, this is what we've got, and we have the... sitting behind? Is that how it works?

Yeah, you hit that on the nose. So the whole presentation is a work in progress, because the process is a work in progress, right? But yeah, the goal from the management point of view is to build a gap analysis. The goal from the management point of view is to basically say, hey guys, we're missing this, this is a potential risk for us because we can't cover the variants of ransomware that are of concern to us; it's like, we need to rework this, so I need to assign a team to basically do some new detection engineering. It kind of helps me justify the work that we need to do. It also helps me go back and say to one of the other teams... so, like, one of the things that I've been working on closely is with our privacy team, trying to understand what do we do about privacy and EDR tools. Yeah, right? So there we basically identify all the data points that we want, and privacy is like, no, you can't use that one, kind of thing, right? But it's useful. And the thing is, again, and I've got to kind of emphasize, as at the beginning, I don't want to push anything onto you; this is to help you kind of look at things differently and think from the bottom up instead of the product-down kind of position, right? Because, you know, I'm going to go, okay, we're out of time, but vendors tend to tell you, oh, I've got this fantastic solution for you. If a vendor tells you that, kick him out of the room, because a vendor cannot build a solution for you.
They don't have your problem; you have your problem. You need to fix your problem with your solution. They can sell you a product, they can sell you a tool, that's all. Well, thanks everybody. We have time, but I think we've got a break. We can probably take one more question. Sorry, yeah, I mean, just because there was one more question, but, well, I can take it in the other room anyway, but you go ahead if you have it.

Hello. So, yeah, so the question I had is, like, let's say the implementation of Sigma, or, like, say, MITRE ATT&CK, let's say mapping to ATT&CK for the incident responder: like, say, do we really need to build, or, let's say, reinvent a wheel, instead of just, like, say, building on top of MITRE?

So my intention is not to build on top of the MITRE ATT&CK framework for this. If you want to do that, you're welcome to. I don't have enough alcohol in me anymore today to be able to go off on my rant about MITRE ATT&CK, but... so the TL;DR of MITRE ATT&CK is, if you looked at the early versions, it was very specific, they were mapping techniques, they were mapping TTPs properly. If you look at it now, it takes you like 10 minutes to actually find the TTP, the actual elements of the TTP. They've completely removed the data points, they've completely removed the actual technical aspects of the TTPs. They haven't really, but they've not made it easy for you to get anymore.

Actually, to answer that, there is actually a JSON version of it available which actually has all this mapping.

Yeah, but even if you go into the JSON version a lot of it's missing now. Okay, no, I don't have enough alcohol. Yeah, so, like, one more, just one more question. Go ahead, go ahead, I mean, we've got a break, but everybody's welcome to.

Okay, so, like, yeah, so, like, say, where do we actually draw the line for, like, say, the money, where do we actually draw the line between the money aspect and the ease... is in the mind map. We actually have to fill the gaps in the mind map when we implement a new technology, but we also have to check, like, if the technology we are buying...

That becomes a risk-based decision and a money-based decision, and you can't do everything in the world. If you have a good company and they've got a good budget and they realize the benefits of doing this, then that's it. But one of the things I'm playing with in my head is, because I've done this mind mapping and I've done this gap analysis, if you get compromised and you can identify that the compromise was... what if it was due to one of the gaps that you identified earlier? That just gives you another justification to go back to management and say, I need more money to stop this from happening again. Does that make sense? Cool, thanks.