Security Interoperability & Automation (slide transcript)
![Page 1: Security Interoperability & Automation · From “The Register” The Humans Aren’t Going Away ... Recognised as a standard for interoperability ... Open Command and Control (OpenC2)](https://reader031.vdocuments.mx/reader031/viewer/2022022015/5b4f2b6d7f8b9a2a6e8bb50b/html5/thumbnails/1.jpg)
Security Interoperability & Automation
NICK HUMPHREY
CTO, HUNTSMAN SECURITY
Page 2
Introduction
Industry relationship with machine learning / AI
Automation != ML/AI (but can play a part)
Levels of automation
Humans in the decision making loop
Empowering security analysts and incident responders
Page 3
Security? Just Pick from Top Right!
Page 4
Cyber Big Data 2.0 Machine Learning!
Page 5
Transparency
What is really under the hood?
Why was the decision made?
Do we just take it on trust?
Page 6
Bias & Learning “The Wrong Thing”
From “The Register” https://www.theregister.co.uk/2016/03/24/microsoft_ai_goes_troll/
Page 7
The Humans Aren’t Going Away
Not anytime soon, at least.
Finding the right balance
Focussing time best spent on human-led investigation
Local knowledge and context
Tools and standards as a force multiplier
Page 8
Security Analysts are people too
Paper presented at USENIX 2015
https://www.usenix.org/system/files/conference/soups2015/soups15-paper-sundaramurthy.pdf
Page 9
Alert Fatigue
Page 10
Alert Context
Page 11
Automating the drudge work
Automate the stuff that machines are actually good at
We all have networks with “lots of different kit”
Tooling which interacts reliably with other systems
Ansible, Chef, Puppet etc → “known good state”
Log collection and enrichment
Don’t have humans doing this, let them focus on decisions
Page 12
Interoperability
Physical security vendors have formed an alliance for IP-enabled CCTV and Physical Access Control products: the Physical Security Interoperability Alliance (PSIA)
For the purpose of this presentation, focus on the logical side
A human-speed response to machine-speed threats will always fall short
How can we get our disparate systems talking to each other?
Page 13
Standards
© xkcd (https://xkcd.com/927/) Licence: CC BY-NC 2.5
Page 14
Threat Intelligence: STIX / TAXII
Structured way of sharing CTI across communities
Version 1 now recommended by European Union
Recognised as a standard for interoperability
COMMISSION IMPLEMENTING DECISION (EU) 2017/2288
Version 2 moves from XML to JSON, simplifies expression, adds patterns
Patterns can express indicators in a way similar to YARA, Snort rules, etc.
https://www.oasis-open.org/committees/cti/
Page 15
OpenC2: Overview
Open Command and Control (OpenC2) is a concise and extensible language to enable the command and control of cyber defence
Supported by National Security Agency, Cisco, Intel, Bank of America, Symantec, Huntsman Security, others
Originally independent “OpenC2 Forum”, moved to OASIS in 2017
Committee Specification Draft 03 as of April 2018
Standard v1.0 expected during 2018
https://www.oasis-open.org/committees/openc2/
Page 16
OpenC2: Actions
Actions that Control Information (e.g. “scan”, “query”)
Actions that Control Access (e.g. “deny”, “allow”)
Actions that Control Activities/Devices (e.g. “snapshot”, “restart”)
Effects-Based Actions (e.g. “mitigate”, “investigate”)
Profiles for firewalls, proxies, IDS, SIEM, switches, SDN controllers…
Language spec also covers target types, specifiers, options and more
https://www.oasis-open.org/committees/openc2/
Page 17
OpenC2: Simple JSON Example
```json
{
  "header": {
    "version": "1.0",
    "timestamp": "2018-01-30T18:25:43.511Z"
  },
  "command": {
    "id": "CMD1234",
    "action": "redirect",
    "target": {
      "url": {
        "value": "http://evil.com"
      }
    },
    "options": {
      "destination": "http://newdest.com/home"
    }
  }
}
```
Page 18
OpenC2: Why Should You Care?
Free to implement and use
Standardising interoperability reduces cost, complexity
OpenC2 → Native API translation is done by the actuator: the vendor can translate the request into an action on the device
Makes it easier to express “what” you want to happen, rather than being stuck on “how”
https://www.oasis-open.org/committees/openc2/
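The slides describe the actuator doing the OpenC2 → native API translation and show a "redirect" command as JSON. The following is an added example (not code from the presentation or from OASIS) of a minimal actuator that validates such a command against an allow-list of supported action/target pairs and translates it into calls on a hypothetical proxy API (`FakeProxy`, `add_redirect`, `block` are invented stand-ins); the HTTP-style status codes in the response are an assumption of this example.

```python
import json

def make_command(cmd_id, action, target, options=None):
    """Build an OpenC2 command message in the JSON shape shown on the slide."""
    command = {"id": cmd_id, "action": action, "target": target}
    if options:
        command["options"] = options
    header = {"version": "1.0", "timestamp": "2018-01-30T18:25:43.511Z"}
    return json.dumps({"header": header, "command": command})

# Constructed sample: the slide's "redirect" command.
SAMPLE_COMMAND = make_command(
    "CMD1234", "redirect", {"url": {"value": "http://evil.com"}},
    {"destination": "http://newdest.com/home"})

class FakeProxy:
    """Hypothetical native API of a web proxy; stands in for a vendor device."""
    def __init__(self):
        self.redirects = {}
        self.blocked = set()
    def add_redirect(self, src, dst):
        self.redirects[src] = dst
    def block(self, src):
        self.blocked.add(src)

# Allow-list of (action, target type) pairs this actuator implements.
SUPPORTED = {("redirect", "url"), ("deny", "url")}

def response(cmd_id, status, text):
    """OpenC2-style response; status codes assumed to follow HTTP conventions."""
    return {"id": cmd_id, "status": status, "status_text": text}

def handle_openc2(raw, proxy):
    """Validate an OpenC2 command and translate it into native proxy calls."""
    cmd = json.loads(raw).get("command", {})
    cmd_id, action, target = cmd.get("id"), cmd.get("action"), cmd.get("target", {})
    if len(target) != 1:                  # a command carries exactly one target
        return response(cmd_id, 400, "exactly one target required")
    (ttype, tval), = target.items()
    if (action, ttype) not in SUPPORTED:  # refuse anything outside the allow-list
        return response(cmd_id, 501, "unsupported action/target pair")
    value = tval.get("value") if isinstance(tval, dict) else None
    if not value:
        return response(cmd_id, 400, "target url requires value")
    if action == "redirect":
        dest = cmd.get("options", {}).get("destination")
        if not dest:
            return response(cmd_id, 400, "redirect requires destination option")
        proxy.add_redirect(value, dest)
    else:                                 # "deny"
        proxy.block(value)
    return response(cmd_id, 200, "OK")
```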
Page 19
You’re almost at the coffee break
ML/AI has its place, but don’t underestimate humans
Focus should be on enabling analysts to make the most effective use of their time (e.g. threat hunting)
Automate the stuff you are confident about
Open standards in cybersecurity are a positive: talk to your vendors about what they’re doing to support them