ASK ME ANYTHING: A CONVERSATIONAL INTERFACE TO AUGMENT INFORMATION SECURITY WORKERS
Symposium On Usable Privacy and Security 2017
Bobby Filar, Rich Seymour, Matthew Park
WHO ARE WE?
Bobby Filar: Data Scientist, background in NLP. @filar, bfilar@endgame.com
Rich Seymour: Data Scientist, background in HPC. @rseymour, rseymour@endgame.com
Matthew Park: User Experience Designer, background in Big Data. @muted_counts, mpark@endgame.com
User-Centric Design: Three Stages
• Discovery: understanding our users, confirming or disproving biases, capturing organizational workflows
• Concepting: creating design requirements and solutions
• Prototyping and User Testing: feature creation and taking it back into the 'wild' for testing
Our Initial Problems
Insufficient resources
• Onboarding and training new hires, and retention
• Limited time to review alerts and incidents
Lack of easy-to-use automated tools
• Difficult for non-programmers to use
• Easy for programmers to mess up!
Security platforms are just difficult to use!
• Force conformity
• Require a level of expertise to extract value
User-Centric Design Study
GOAL: Capture team dynamics and worker roles within a security organization to identify challenges common across security teams.

User Group | Team Type | Environment | Collection Method
A | Traditional SOC | Day-to-day use | User interviews
B | Novice Training Team | Mock Scenario | Side-by-side monitoring, Retrospective & User interviews
C | Internal Red vs. Blue | Mock Scenario | Mirrored Scenario as User Group B
D | Trad. SOC & Consulting group | Day-to-day use | User testing
Findings: Security Worker Roles
Tier 1 Analyst
• Have little to no prior experience (average of 1 year) in the cyber security space. First line of defense in a Security Operations Center.
• Main responsibility is to initially triage alerts and determine if escalation (to a higher tier) is required.
• Primarily rely on a platform's GUI.
Tier 3 Analyst
• Intimately understand network and platform architecture.
• Seen as domain experts on the SOC team and more comfortable working through the command line.
• Investigate escalated alerts, and determine root causes and the extent of remediation required.
Forensic Hunter
• Expert in EDR platforms and sophisticated investigation tools.
• Use the command line and scripting languages to bypass the UI and collect large data feeds using 3rd-party APIs.
SOC Manager
• Skilled security practitioners, not necessarily subject matter experts.
• Extensive management experience; oversees day-to-day ops.
• Sets schedules, assigns prioritization, generates reports.
Example: EDR Alert
Alert Type: Suspicious Binary
Alert Created: Feb 11, 2017
Severity: High
Confidence: 73%
File Path: C:\Temp\aaa.exe
File Size: 45700
MD5: 5d41402abc4b2a76b9719d911017c592
File Created: Feb 11, 2017
What do you do when there are 100s of these each day?
Example: EDR Alert (continued)
• Lacks context: Is it actually bad? Is it anywhere else? Did it talk to the network?
• Lacks connectivity: Is this alert tied to any others?
• Pivot on a single IOC: hash, filename, IP address
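The three questions on this slide are exactly what a context-driven triage step has to answer before an analyst touches the alert. The Python below is an added example, not Endgame's or Artemis's code: it links alerts through the three pivot keys (hash, filename, IP) and reports how far a hash has spread. All alert records, endpoint names, hashes and IPs are constructed, and the `endpoint` and `remote_ip` fields are assumed additions to the slide's alert layout.

```python
"""Context-driven triage for EDR alerts of the kind shown on the slide.

Added example, not Endgame's or Artemis's code. Alerts are linked by the three
pivot keys (hash, filename, IP) to answer "is it anywhere else?", "did it talk
to the network?" and "is this alert tied to any others?". All alert records,
endpoint names, hashes and IPs below are constructed; the "endpoint" and
"remote_ip" fields are assumed additions to the slide's alert layout.
"""
from collections import deque

SAMPLE_ALERTS = [  # constructed sample data
    {"id": 1, "alert_type": "Suspicious Binary", "severity": "High", "confidence": 73,
     "file_path": r"C:\Temp\aaa.exe", "file_size": 45700,
     "md5": "5d41402abc4b2a76b9719d911017c592", "endpoint": "WS-0101", "remote_ip": None},
    {"id": 2, "alert_type": "Suspicious Binary", "severity": "High", "confidence": 70,
     "file_path": r"C:\Users\Public\aaa.exe", "file_size": 45700,
     "md5": "5d41402abc4b2a76b9719d911017c592", "endpoint": "WS-0217", "remote_ip": None},
    {"id": 3, "alert_type": "Network Connection", "severity": "Medium", "confidence": 60,
     "file_path": r"C:\Users\Public\aaa.exe", "file_size": 45700,
     "md5": "5d41402abc4b2a76b9719d911017c592", "endpoint": "WS-0217", "remote_ip": "203.0.113.7"},
    {"id": 4, "alert_type": "Network Connection", "severity": "Medium", "confidence": 55,
     "file_path": r"C:\Windows\Temp\svc.exe", "file_size": 12000,
     "md5": "098f6bcd4621d373cade4e832627b4f6", "endpoint": "SRV-DB01", "remote_ip": "203.0.113.7"},
    {"id": 5, "alert_type": "Suspicious Binary", "severity": "Low", "confidence": 40,
     "file_path": r"C:\Temp\other.exe", "file_size": 800,
     "md5": "ad0234829205b9033196ba818f7a872b", "endpoint": "WS-0333", "remote_ip": None},
]


def iocs(alert):
    """Indicators to pivot on: hash, filename and (if present) the remote IP."""
    basename = alert["file_path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    found = {("md5", alert["md5"].lower()), ("filename", basename)}
    if alert.get("remote_ip"):
        found.add(("ip", alert["remote_ip"]))
    return found


def build_index(alerts):
    """Map each IOC to the ids of the alerts that carry it."""
    index = {}
    for a in alerts:
        for ioc in iocs(a):
            index.setdefault(ioc, set()).add(a["id"])
    return index


def endpoint_spread(alerts, ioc):
    """'Is it anywhere else?': sorted endpoints on which this IOC was seen."""
    return sorted({a["endpoint"] for a in alerts if ioc in iocs(a)})


def linked_alerts(alerts, alert_id):
    """'Is this alert tied to any others?': alerts reachable via a chain of shared IOCs."""
    by_id = {a["id"]: a for a in alerts}
    index = build_index(alerts)
    seen, queue = {alert_id}, deque([alert_id])
    while queue:  # breadth-first walk over the alert/IOC graph
        for ioc in iocs(by_id[queue.popleft()]):
            for other in index[ioc]:
                if other not in seen:
                    seen.add(other)
                    queue.append(other)
    seen.discard(alert_id)
    return sorted(seen)


def triage(alerts, alert_id):
    """Context summary for one alert, answering the slide's three questions."""
    by_id = {a["id"]: a for a in alerts}
    alert = by_id[alert_id]
    linked = linked_alerts(alerts, alert_id)
    related = [by_id[i] for i in linked] + [alert]
    return {
        "alert_id": alert_id,
        "hash_seen_on": endpoint_spread(alerts, ("md5", alert["md5"].lower())),
        "talked_to_network": any(a.get("remote_ip") for a in related if a["md5"] == alert["md5"]),
        "linked_alerts": linked,
        "remote_ips": sorted({a["remote_ip"] for a in related if a.get("remote_ip")}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS, 1))
```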
Findings: A Day in the Life of a Security Analyst
Data Deluge, Lack of Context, Repetitive Processes, Searching not Analyzing, Lack of Expertise, Lack of Time
Design Requirements
1. Eliminate query syntax via natural language
2. Educate users on platform features
3. Provide context-driven alert triage
4. Recommend next steps
5. Expedite focused collection
Solution
A bot is an application that assists in the automation of tasks:
• Mimics human conversation
• Natural Language Understanding determines user intent
Imagine an assistant that provides the ability to:
• Ask questions
• Execute workflows
• Educate users
• Recommend next steps
"Hello, how can I help you?"
Natural Language vs Query Language
Query Language:
  SELECT * FROM process_event WHERE process_name = 'odinaff.exe';
Natural Language:
  Search process event data for odinaff.exe
Reality:
  Is odinaff.exe on any endpoints?
Confidential and Proprietary
Interaction Types: Turn-based Conversation
User: Search processes
Artemis: Okay. Please provide a hash or filename
User: odinaff.exe
Artemis: Got it. Which endpoints would you like to target?
User: Windows 10 machines.
Artemis: Okay. Would you like to launch this search?
User: Yes
Interaction Types: Goal-oriented Conversation
User: Show me process event data for odinaff.exe on all Windows 10 endpoints
Artemis: Are you sure?
User: Yep!
Interaction Types: API-Driven Investigations
curl 'api/v1/event_search' \
  -H "Content-Type: application/json" \
  -H 'authorization: <api_key>' \
  --data-binary '{"intent": "search_process",
    "parameters": {
      "process_name": "odinaff.exe",
      "filepath": "C:\\Temp\\*.exe"
    }
  }'
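All three interaction types end in the same intent/parameters payload; what differs is how many turns it takes to fill the slots. The Python below is an added example, not the Artemis implementation: a rule-based slot filler that tracks one conversation, prompts for the hash or filename and the target endpoints when they are missing, and emits the payload (and the equivalent curl call) once the user confirms. The regexes, the prompt wording and the `target` parameter are assumptions.

```python
"""Rule-based intent and slot filling for the "search_process" intent.

Added example, not Endgame's Artemis code. It handles the three utterance
styles on the slides (turn-based, goal-oriented, and the "reality" question)
and emits the intent/parameters payload shown on the API-driven slide.
Regexes, prompt wording and the "target" parameter are assumptions.
"""
import json
import re

INTENT_RE = re.compile(r"\b(search|show|find|is)\b.*\b(process(?:es)?|endpoints?)\b", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
PATH_RE = re.compile(r"\b[a-z]:\\[^\s,]+", re.I)                  # e.g. C:\Temp\*.exe
FILE_RE = re.compile(r"\b[\w-]+\.(?:exe|dll|ps1|bat|scr)\b", re.I)
OS_RE = re.compile(r"\bwindows\s*(10|11|7|8(?:\.1)?|server\s*\d{4})\b", re.I)
ANY_RE = re.compile(r"\b(?:all|any|every)\s+(?:endpoints?|machines?|hosts?)\b", re.I)
YES = {"yes", "yep", "y", "sure", "ok", "launch"}


def extract_slots(utterance):
    """Pull search parameters out of free text; keys mirror the API payload."""
    slots = {}
    if m := PATH_RE.search(utterance):
        slots["filepath"] = m.group(0)
        utterance = utterance.replace(m.group(0), " ")  # don't re-match the basename
    if m := MD5_RE.search(utterance):
        slots["md5"] = m.group(0).lower()
    if m := FILE_RE.search(utterance):
        slots["process_name"] = m.group(0)
    if m := OS_RE.search(utterance):
        slots["target"] = "Windows " + " ".join(m.group(1).split()).capitalize()
    elif ANY_RE.search(utterance):
        slots["target"] = "all"
    return slots


class Conversation:
    """State of one user/bot exchange: intent, filled slots and confirmation."""

    PROMPTS = {"identifier": "Okay. Please provide a hash or filename",
               "target": "Got it. Which endpoints would you like to target?"}

    def __init__(self):
        self.reset()

    def reset(self):
        self.intent, self.params, self.turns, self.awaiting_confirm = None, {}, 0, False

    def missing(self):
        """Slot still required before the search can be launched, or None."""
        if not any(k in self.params for k in ("process_name", "md5", "filepath")):
            return "identifier"
        if "target" not in self.params:
            return "target"
        return None

    def say(self, utterance):
        """Feed one user turn. Returns (reply, payload); payload is None until confirmed."""
        text = utterance.strip().lower().rstrip("!.?")
        if self.awaiting_confirm:
            payload = None
            if text in YES:
                payload = {"intent": self.intent, "parameters": dict(self.params)}
            self.reset()
            return ("Launching search." if payload is not None else "Okay, cancelled."), payload
        if self.intent is None:
            if not INTENT_RE.search(utterance):
                return "Sorry, I can only search process events right now.", None
            self.intent = "search_process"
        self.turns += 1
        self.params.update(extract_slots(utterance))
        need = self.missing()
        if need:
            return self.PROMPTS[need], None
        self.awaiting_confirm = True
        # Goal-oriented: everything arrived in a single utterance, so only confirm.
        return ("Are you sure?" if self.turns == 1
                else "Okay. Would you like to launch this search?"), None


def to_curl(payload, api_key="<api_key>"):
    """Render the payload as the curl call shown on the API-driven slide."""
    return ("curl 'api/v1/event_search' -H \"Content-Type: application/json\" "
            f"-H 'authorization: {api_key}' --data-binary '{json.dumps(payload)}'")


if __name__ == "__main__":
    bot = Conversation()
    for line in ("Search processes", "odinaff.exe", "Windows 10 machines.", "Yes"):
        reply, payload = bot.say(line)
        print(f"User: {line}\nArtemis: {reply}")
        if payload:
            print(to_curl(payload))
```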
TRADITIONAL INVESTIGATION
1. Narrow scope to limited endpoints
2. Understand adversary TTPs
3. Gather events from limited endpoints
4. Analyze events for signs of TTPs
5. Discover suspicious activity
6. Decode obfuscated commands
7. Pinpoint PowerShell activity
8. Expand scope to next set of endpoints
9. Repeat...
ENDGAME ARTEMIS
"Find powershell activity"
PowerShell Misuse Investigation: automatically discovers and analyzes malicious activity across your global enterprise in minutes.
Looking Forward
1. Collaboration
2. Chat Integration
3. Improve via Active Learning

Thank You
Contact:
bfilar@endgame.com @filar
rseymour@endgame.com @rseymour
mpark@endgame.com @muted_counts

More Related Content

What's hot

Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)FFRI, Inc.
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 
Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Ram Shankar Siva Kumar
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseThreat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseInfocyte
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
 
Threat analysis-perception
Threat analysis-perceptionThreat analysis-perception
Threat analysis-perceptionzaffar abbasi
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Transforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsTransforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsRam Shankar Siva Kumar
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceAlienVault
 
Resistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat ModelingResistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat ModelingKatie Nickels
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Infocyte
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMEjeffmcjunkin
 

What's hot (14)

Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
 
Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement Strata 2015 Presentation -- Detecting Lateral Movement
Strata 2015 Presentation -- Detecting Lateral Movement
 
Threat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident ResponseThreat Hunting 101: Intro to Threat Detection and Incident Response
Threat Hunting 101: Intro to Threat Detection and Incident Response
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis Question
 
Threat analysis-perception
Threat analysis-perceptionThreat analysis-perception
Threat analysis-perception
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Transforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using GraphsTransforming incident Response to Intelligent Response using Graphs
Transforming incident Response to Intelligent Response using Graphs
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat Intelligence
 
Security
SecuritySecurity
Security
 
Resistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat ModelingResistance Isn't Futile: A Practical Approach to Threat Modeling
Resistance Isn't Futile: A Practical Approach to Threat Modeling
 
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
Cybersecurity Incident Response Readiness: How to Find and Respond to Attacke...
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOMENegative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
Negative Unemployment and Great Job Satisfaction? Why infosec is AWESEOME
 

Similar to Ask me anything: A Conversational Interface to Augment Information Security workers

Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
UX Workshop: How to design a product with great user experience
UX Workshop: How to design a product with great user experienceUX Workshop: How to design a product with great user experience
UX Workshop: How to design a product with great user experienceRaj Lal
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
PHP & The secure development lifecycle
PHP & The secure development lifecyclePHP & The secure development lifecycle
PHP & The secure development lifecycleguestaaf017
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)Dinis Cruz
 
Software Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesSoftware Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesTao Xie
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceGlobal Knowledge Training
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for DevopsJerika Phelps
 
How to improve Developer Documentations ?
How to improve Developer Documentations ?How to improve Developer Documentations ?
How to improve Developer Documentations ?Utsav Parashar
 
Analyzing Big Data's Weakest Link (hint: it might be you)
Analyzing Big Data's Weakest Link  (hint: it might be you)Analyzing Big Data's Weakest Link  (hint: it might be you)
Analyzing Big Data's Weakest Link (hint: it might be you)HPCC Systems
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...Denim Group
 
Top 5 Machine Learning Tools for Software Development in 2024.pdf
Top 5 Machine Learning Tools for Software Development in 2024.pdfTop 5 Machine Learning Tools for Software Development in 2024.pdf
Top 5 Machine Learning Tools for Software Development in 2024.pdfPolyxer Systems
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics:Towards Software Mining that Matters (2014)Software Analytics:Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)Tao Xie
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSECSean Whalen
 
Welcome & The State of Open Source Security
Welcome & The State of Open Source SecurityWelcome & The State of Open Source Security
Welcome & The State of Open Source SecurityJerika Phelps
 

Similar to Ask me anything: A Conversational Interface to Augment Information Security workers (20)

Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
UX Workshop: How to design a product with great user experience
UX Workshop: How to design a product with great user experienceUX Workshop: How to design a product with great user experience
UX Workshop: How to design a product with great user experience
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
PHP & The secure development lifecycle
PHP & The secure development lifecyclePHP & The secure development lifecycle
PHP & The secure development lifecycle
 
How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)How to not fail at security data analytics (by CxOSidekick)
How to not fail at security data analytics (by CxOSidekick)
 
1435488539 221998
1435488539 2219981435488539 221998
1435488539 221998
 
Software Analytics - Achievements and Challenges
Software Analytics - Achievements and ChallengesSoftware Analytics - Achievements and Challenges
Software Analytics - Achievements and Challenges
 
Why Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD WorkforceWhy Pentesting is Vital to the Modern DoD Workforce
Why Pentesting is Vital to the Modern DoD Workforce
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
01.intro
01.intro01.intro
01.intro
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Software Security Assurance for Devops
Software Security Assurance for DevopsSoftware Security Assurance for Devops
Software Security Assurance for Devops
 
How to improve Developer Documentations ?
How to improve Developer Documentations ?How to improve Developer Documentations ?
How to improve Developer Documentations ?
 
Analyzing Big Data's Weakest Link (hint: it might be you)
Analyzing Big Data's Weakest Link  (hint: it might be you)Analyzing Big Data's Weakest Link  (hint: it might be you)
Analyzing Big Data's Weakest Link (hint: it might be you)
 
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
RSA 2015 Blending the Automated and the Manual: Making Application Vulnerabil...
 
Top 5 Machine Learning Tools for Software Development in 2024.pdf
Top 5 Machine Learning Tools for Software Development in 2024.pdfTop 5 Machine Learning Tools for Software Development in 2024.pdf
Top 5 Machine Learning Tools for Software Development in 2024.pdf
 
Software Analytics: Towards Software Mining that Matters (2014)
Software Analytics:Towards Software Mining that Matters (2014)Software Analytics:Towards Software Mining that Matters (2014)
Software Analytics: Towards Software Mining that Matters (2014)
 
Intro to INFOSEC
Intro to INFOSECIntro to INFOSEC
Intro to INFOSEC
 
Welcome & The State of Open Source Security
Welcome & The State of Open Source SecurityWelcome & The State of Open Source Security
Welcome & The State of Open Source Security
 

Recently uploaded

simpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdfsimpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdfLucyBonelli
 
STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...
STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...
STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...Pranav Subramanian
 
Understanding Image Masking: What It Is and Why It's Matters
Understanding Image Masking: What It Is and Why It's MattersUnderstanding Image Masking: What It Is and Why It's Matters
Understanding Image Masking: What It Is and Why It's MattersCre8iveskill
 
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - MorgenboosterAI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster1508 A/S
 
Karim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 pppppppppppppppKarim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 pppppppppppppppNadaMohammed714321
 
guest bathroom white and blue ssssssssss
guest bathroom white and blue ssssssssssguest bathroom white and blue ssssssssss
guest bathroom white and blue ssssssssssNadaMohammed714321
 
General Simple Guide About AI in Design By: A.L. Samar Hossam ElDin
General Simple Guide About AI in Design By: A.L. Samar Hossam ElDinGeneral Simple Guide About AI in Design By: A.L. Samar Hossam ElDin
General Simple Guide About AI in Design By: A.L. Samar Hossam ElDinSamar Hossam ElDin Ahmed
 
Making and Unmaking of Chandigarh - A City of Two Plans2-4-24.ppt
Making and Unmaking of Chandigarh - A City of Two Plans2-4-24.pptMaking and Unmaking of Chandigarh - A City of Two Plans2-4-24.ppt
Making and Unmaking of Chandigarh - A City of Two Plans2-4-24.pptJIT KUMAR GUPTA
 
Sharif's 9-BOX Monitoring Model for Adaptive Programme Management
Sharif's 9-BOX Monitoring Model for Adaptive Programme ManagementSharif's 9-BOX Monitoring Model for Adaptive Programme Management
Sharif's 9-BOX Monitoring Model for Adaptive Programme ManagementMd. Shariful Hoque
 
Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...
Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...
Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...Thomas Schielke
 
Niintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptxNiintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptxKevinYaelJimnezSanti
 
ARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdf
ARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdfARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdf
ARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdfCristobalHeraud
 
PORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSION
PORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSIONPORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSION
PORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSIONAnastasiya Kudinova
 
Imagist3D Architectural and Interior Rendering Portfolio
Imagist3D Architectural and Interior Rendering PortfolioImagist3D Architectural and Interior Rendering Portfolio
Imagist3D Architectural and Interior Rendering PortfolioAlinaLau2
 
City Hall London, Norman Foster building description with building details.pptx
City Hall London, Norman Foster building description with building details.pptxCity Hall London, Norman Foster building description with building details.pptx
City Hall London, Norman Foster building description with building details.pptxYaminiDabbara
 
Interior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project StudioInterior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project StudioRMG Project Studio
 
Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...
Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...
Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...Yantram Animation Studio Corporation
 
TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...
TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...
TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...Pranav Subramanian
 
The spirit of digital place - game worlds and architectural phenomenology
The spirit of digital place - game worlds and architectural phenomenologyThe spirit of digital place - game worlds and architectural phenomenology
The spirit of digital place - game worlds and architectural phenomenologyChristopher Totten
 

Recently uploaded (20)

simpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdfsimpson-lee_house_dt20ajshsjsjsjsjj15.pdf
simpson-lee_house_dt20ajshsjsjsjsjj15.pdf
 
STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...
STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...
STITCH: HOW MIGHT WE PROMOTE AN EQUITABLE AND INCLUSIVE URBAN LIFESTYLE PRIOR...
 
Understanding Image Masking: What It Is and Why It's Matters
Understanding Image Masking: What It Is and Why It's MattersUnderstanding Image Masking: What It Is and Why It's Matters
Understanding Image Masking: What It Is and Why It's Matters
 
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - MorgenboosterAI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
AI and Design Vol. 2: Navigating the New Frontier - Morgenbooster
 
Karim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 pppppppppppppppKarim apartment ideas 02 ppppppppppppppp
Karim apartment ideas 02 ppppppppppppppp
 
guest bathroom white and blue ssssssssss
guest bathroom white and blue ssssssssssguest bathroom white and blue ssssssssss
guest bathroom white and blue ssssssssss
 
General Simple Guide About AI in Design By: A.L. Samar Hossam ElDin
General Simple Guide About AI in Design By: A.L. Samar Hossam ElDinGeneral Simple Guide About AI in Design By: A.L. Samar Hossam ElDin
General Simple Guide About AI in Design By: A.L. Samar Hossam ElDin
 
Making and Unmaking of Chandigarh - A City of Two Plans2-4-24.ppt
Making and Unmaking of Chandigarh - A City of Two Plans2-4-24.pptMaking and Unmaking of Chandigarh - A City of Two Plans2-4-24.ppt
Making and Unmaking of Chandigarh - A City of Two Plans2-4-24.ppt
 
Sharif's 9-BOX Monitoring Model for Adaptive Programme Management
Sharif's 9-BOX Monitoring Model for Adaptive Programme ManagementSharif's 9-BOX Monitoring Model for Adaptive Programme Management
Sharif's 9-BOX Monitoring Model for Adaptive Programme Management
 
ASME B31.4-2022 estandar ductos año 2022
ASME B31.4-2022 estandar ductos año 2022ASME B31.4-2022 estandar ductos año 2022
ASME B31.4-2022 estandar ductos año 2022
 
Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...
Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...
Cities Light Up in Solidarity With Ukraine: From Internationally Synchronized...
 
Niintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptxNiintendo Wii Presentation Template.pptx
Niintendo Wii Presentation Template.pptx
 
ARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdf
ARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdfARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdf
ARCHITECTURAL PORTFOLIO CRISTOBAL HERAUD 2024.pdf
 
PORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSION
PORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSIONPORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSION
PORTFOLIO 2024_ANASTASIYA KUDINOVA / EXTENDED VERSION
 
Imagist3D Architectural and Interior Rendering Portfolio
Imagist3D Architectural and Interior Rendering PortfolioImagist3D Architectural and Interior Rendering Portfolio
Imagist3D Architectural and Interior Rendering Portfolio
 
City Hall London, Norman Foster building description with building details.pptx
City Hall London, Norman Foster building description with building details.pptxCity Hall London, Norman Foster building description with building details.pptx
City Hall London, Norman Foster building description with building details.pptx
 
Interior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project StudioInterior Design for Office a cura di RMG Project Studio
Interior Design for Office a cura di RMG Project Studio
 
Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...
Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...
Exploring Tehran's Architectural Marvels: A Glimpse into Vilaas Studio's Dyna...
 
TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...
TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...
TIMBRE: HOW MIGHT WE REMEDY MUSIC DESERTS AND FACILITATE GROWTH OF A MUSICAL ...
 
The spirit of digital place - game worlds and architectural phenomenology
The spirit of digital place - game worlds and architectural phenomenologyThe spirit of digital place - game worlds and architectural phenomenology
The spirit of digital place - game worlds and architectural phenomenology
 

Ask me anything: A Conversational Interface to Augment Information Security workers

  • 1. ASK ME ANYTHING: A CONVERSATIONAL INTERFACE TO AUGMENT INFORMATION SECURITY WORKERS
    Symposium On Usable Privacy and Security 2017
    Bobby Filar, Rich Seymour, Matthew Park
  • 2. WHO ARE WE?
    BOBBY FILAR
     Data Scientist
     Background in NLP
     @filar
     bfilar@endgame.com
    RICH SEYMOUR
     Data Scientist
     Background in HPC
     @rseymour
     rseymour@endgame.com
    MATTHEW PARK
     User Experience Designer
     Background in Big Data
     @muted_counts
     mpark@endgame.com
  • 3. User-Centric Design
    Three Stages
    • Discovery
      • Understanding our users, confirming/disproving biases, capturing organizational workflows
    • Concepting
      • Creating design requirements and solutions
    • Prototyping and User Testing
      • Feature creation and taking it back into the ‘wild’ for testing
  • 4. Our Initial Problems
    Insufficient Resources
    • Onboarding & training of new hires & retention
    • Limited time to review alerts and incidents
    Lack of easy-to-use automated tools
    • Difficult for non-programmers to use
    • Easy for programmers to mess up!
    Security platforms are just difficult to use!
    • Forces conformity
    • Requires a level of expertise to extract value
  • 5. User-Centric Design Study
     GOAL: Capture team dynamics and worker roles within a security organization to identify challenges common across security teams
    User Group | Team Type | Environment | Collection Method
    A | Traditional SOC | Day-to-day use | User interviews
    B | Novice Training Team | Mock Scenario | Side-by-side monitoring, Retrospective & User interviews
    C | Internal Red vs. Blue | Mock Scenario | Mirrored Scenario as User Group B
    D | Trad. SOC & Consulting group | Day-to-day use | User testing
  • 6. Findings: Security Worker Roles
    Tier 1 Analyst
     Have little to no prior experience (average of 1 year) in the cyber security space. First line of defense in a Security Operations Center.
     Main responsibility is to initially triage alerts and determine if escalation (to a higher tier) is required.
     Primarily rely on a platform’s GUI.
    Tier 3 Analyst
     Intimately understand network and platform architecture.
     Seen as domain experts on the SOC team and more comfortable working through the command line.
     Investigate escalated alerts, and determine root causes and extent in order to remediate problems.
    Forensic Hunter
     Expert in EDR platforms and sophisticated investigation tools.
     Uses command line and scripting languages to bypass the UI and collect large data feeds using 3rd party APIs.
    SOC Manager
     Skilled security practitioners, not necessarily subject matter experts.
     Extensive management experience, oversees day-to-day ops.
     Sets schedules, assigns prioritization, generates reports.
  • 7. Example: EDR Alert
    Alert Type: Suspicious Binary
    Alert Created: Feb 11, 2017
    Severity: High
    Confidence: 73%
    File Path: C:\Temp\aaa.exe
    File Size: 45700
    MD5: 5d41402abc4b2a76b9719d911017c592
    File Created: Feb 11, 2017
    What do you do when there are 100s of these each day?
  • 8. Example: EDR Alert
     Lacks context
      • Is it actually bad?
      • Is it anywhere else?
      • Did it talk to the network?
     Lacks connectivity
      • Is this alert tied to any others?
     Pivot on single IOC
      • Hash
      • Filename
      • IP address
    Alert Type: Suspicious Binary
    Alert Created: Feb 11, 2017
    Severity: High
    Confidence: 73%
    File Path: C:\Temp\aaa.exe
    File Size: 45700
    MD5: 5d41402abc4b2a76b9719d911017c592
    File Created: Feb 11, 2017
    What do you do when there are 100s of these each day?
  • 9. Findings: Day in the Life of a Security Analyst
    • Data Deluge
    • Lack of Context
    • Repetitive Processes
    • Searching not Analyzing
    • Lack of Expertise
    • Lack of Time
  • 10. Design Requirements
    1. Eliminate query syntax via natural language
    2. Educate users on platform features
    3. Provide context-driven alert triage
    4. Recommend next steps
    5. Expedite focused collection
  • 11. Solution
     A Bot is an application that assists in the automation of tasks
      • Mimics human conversation
      • Natural Language Understanding determines user intent
     Imagine an assistant that provides the ability to:
      • Ask questions
      • Execute workflows
      • Educate users
      • Recommend next steps
    Hello, how can I help you?
  • 12. Natural Language vs Query Language
    Query Language
      SELECT * FROM process_event WHERE process_name = 'odinaff.exe';
    Natural Language
      Search process event data for odinaff.exe
    Reality
      Is odinaff.exe on any endpoints?
  • 14. Interaction Types
    Turn-based Conversation
    User: Search processes
    Artemis: Okay. Please provide a hash or filename
    User: odinaff.exe
    Artemis: Got it. Which endpoints would you like to target?
    User: Windows 10 machines.
    Artemis: Okay. Would you like to launch this search?
    User: Yes
  • 15. Interaction Types
    Goal-oriented Conversation
    User: Show me process event data for odinaff.exe on all Windows 10 endpoints
    Artemis: Are you sure?
    User: Yep!
  • 16. Interaction Types
    API-Driven Investigations
    curl 'api/v1/event_search' \
      -H "Content-Type: application/json" \
      -H 'authorization: <api_key>' \
      --data-binary '{"intent": "search_process", "parameters": {"process_name": "odinaff.exe", "filepath": "C:\\Temp\\*.exe"}}'
  • 17. Powershell Misuse Investigation
    TRADITIONAL INVESTIGATION
    1. Narrow scope to limited endpoints
    2. Understand adversary TTPs
    3. Gather events from limited endpoints
    4. Analyze events for signs of TTPs
    5. Discover suspicious activity
    6. Decode obfuscated commands
    7. Pinpoint powershell activity
    8. Expand scope to next set of endpoints
    9. Repeat…
    ENDGAME ARTEMIS
    “Find powershell activity”
    Automatically discovers and analyzes malicious activity across your global enterprise in minutes
  • 18. Looking Forward
    1. Collaboration
    2. Chat Integration
    3. Improve via Active Learning
  • 19. Thank You
    Contact:
    bfilar@endgame.com @filar
    rseymour@endgame.com @rseymour
    mpark@endgame.com @muted_counts

Editor's Notes

  1. Summary Security operations center (SOC) teams are burdened with a deluge of alerts, repetitive processes for data analysis, and lack of skills and tools to stop advanced threats. To address these challenges, it is crucial to empower junior analysts to stop advanced threats before damage and loss occurs.  Just as digital assistants like Siri or Alexa have proved their ability to give time back to our day by tackling tasks, a security chatbot can streamline workflows, perform complex tasks, and make recommendations to the SOC analyst. Using a combination of subject matter expertise from SOC analysts and the power of machine learning, chatbots can help teams overcome resource shortcomings by using conversations to offload data collection and guide analysts through recommended courses of action. This process provides an intuitive interface to remediation/investigation workflows and complex storage structures so the analyst can spend less time on collection efforts and more on analysis and response.
  2. So let's address the security industry as a whole. Generally, streams of new exploit types and malicious attacks constantly threaten enterprise environments. To combat this, security products have been created to detect, respond to and remediate problem areas in their environment. But for these products to be deployed successfully, the right teams had to be employed to monitor and act on these suspicious and malicious events. These teams are known as SOC teams (Security Operations Center), who physically sit in these centers and remediate a stream of alerts. When approaching our predisposed SOC problem (which we will discuss in the next slide), we wanted to better understand our SOC users. In order to create the best tools for our own personas, we wanted to understand who they were and their daily workflow habits. We split this approach into three distinct phases: 1) Discovery; 2) Concepting; and 3) Prototyping and User Testing.
  3. Basically… what the bosses said... Forces conformity as opposed to integrating into teams & workflows.
  4. I can get into this more in the Q/A, but during this discovery phase we were confirming our biases, capturing team dynamics and creating user personas.
  5. When a SOC analyst starts their shift, they first participate in the shift handover from the analysts on the previous shift. Here they get a briefing on current ongoing investigations or open alerts, ticket numbers associated with those alerts, who is assigned to the investigations, and anything that needs attention. They then monitor a SIEM, an assigned endpoint UI dashboard and email, and wait for a security event to occur. Typically that doesn't take very long: with the number of tools generating alerts in a typical SOC environment (especially those monitoring large networks), getting alerts is not the problem. Determining which alerts to focus on is the problem. The analyst is typically in reactive mode, where they respond to alerts as they come in, quickly identifying the high priority alerts. Typically, Tier 1 Analysts will have little to no authority to take immediate action on suspected malicious security events and will instead move the alert up the SOC chain. When escalating they will create a case/investigation/incident and assign it to the SOC investigator (or Tier 3 analyst). Both the SOC Investigator and the Tier 3 Analyst will take further steps in verifying the anomalous event, and will take the proper response in remediating the alert. While the Tier 3 Analyst will also sift through a SIEM alongside the Tier 1 Analyst, SOC Investigators will oftentimes only work on escalated alerts. At the end of the shift, all levels of analysts need to prepare a report of the alerts triaged, what was resolved, and what is still open in order to hand over the activities to the oncoming shift. Larger reports depicting alert and investigation trends are generated for a SOC Manager on a daily or weekly basis. The SOC Manager will use these reports to focus on key metadata in the coming weeks, determine the SOC shift schedule and build a custom summary report for the organization's executive level.
  6. Analysts must battle a tide of incoming alerts
    Data deluge
    • Morning coffee situation
    • Too much data, too many sources: AV, EDR, Firewall, Application logs, Threat Intel Feeds
    No Context
    • No shared context
    • Hard to tie the events from feed A to the events from feed B
    Repetitive
    • Searching through event logs can be a repetitive process. Alert, Search, Find or Not, Repeat
    • Can we automate this work without creating another data stream?
    Searching not analyzing
    Lack of expertise
    • Even tier 3 analysts have blind spots
    • Tier 1 analysts want to build skills and be effective as the first line of defense
    • Can a security product teach new users how to use it effectively while supporting users of all skill levels?
    Lack of time
  8. User: Show me process event data for odinaff.exe on all Windows 10 endpoints Artemis: Okay.
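The notes above (and slide 8) name the missing piece in an alert-by-alert view: nothing ties the events from feed A to the events from feed B, so "Is it anywhere else?" and "Is this alert tied to any others?" each cost a manual pivot on a hash, filename or IP. The following is an added example, written for this page and not code from the Endgame presentation or product, of the context-building step a triage assistant can do before the analyst looks at the alert. It assumes alerts from three feeds, each reduced to an id, a source, a host and a small dictionary of IOCs; the alerts, hostnames and the IP are constructed for the example (the first MD5 is the one shown on slide 7, the second is the MD5 of an empty file). Alerts that share any IOC value are linked into one cluster with union-find, and two pivots answer the slide's questions directly: which alerts carry a given IOC, and on how many hosts a given hash has been seen.

```python
from collections import defaultdict

# Constructed alerts from three feeds. The only shared context between feeds
# is the IOC values themselves; the IP is from the documentation range 203.0.113.0/24.
SAMPLE_ALERTS = [
    {"id": "edr-1", "source": "EDR", "host": "ws-01",
     "iocs": {"md5": "5d41402abc4b2a76b9719d911017c592", "filename": "aaa.exe"}},
    {"id": "av-7", "source": "AV", "host": "ws-02",
     "iocs": {"md5": "5d41402abc4b2a76b9719d911017c592"}},
    {"id": "fw-3", "source": "Firewall", "host": "ws-02",
     "iocs": {"ip": "203.0.113.5"}},
    {"id": "edr-2", "source": "EDR", "host": "srv-01",
     "iocs": {"filename": "aaa.exe", "ip": "203.0.113.5"}},
    {"id": "av-9", "source": "AV", "host": "ws-09",
     "iocs": {"md5": "d41d8cd98f00b204e9800998ecf8427e"}},
]


def cluster_alerts(alerts):
    """Group alerts that are transitively linked by any shared IOC value.
    Returns lists of alert ids, largest cluster first, alerts in input order."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # (ioc_type, value) -> id of the first alert carrying it
    for alert in alerts:
        for kind, value in alert["iocs"].items():
            key = (kind, value)
            if key in first_seen:
                union(first_seen[key], alert["id"])
            else:
                first_seen[key] = alert["id"]

    groups = defaultdict(list)
    for alert in alerts:
        groups[find(alert["id"])].append(alert["id"])
    return sorted(groups.values(), key=lambda g: (-len(g), g[0]))


def summarize_cluster(alerts, ids):
    """Context an analyst wants at a glance: hosts, feeds and IOCs in the cluster."""
    members = [a for a in alerts if a["id"] in set(ids)]
    iocs = defaultdict(set)
    for a in members:
        for kind, value in a["iocs"].items():
            iocs[kind].add(value)
    return {
        "alerts": list(ids),
        "hosts": sorted({a["host"] for a in members}),
        "sources": sorted({a["source"] for a in members}),
        "iocs": {kind: sorted(vals) for kind, vals in iocs.items()},
    }


def pivot(alerts, ioc_type, value):
    """'Is this alert tied to any others?': every alert carrying this IOC."""
    return [a["id"] for a in alerts if a["iocs"].get(ioc_type) == value]


def hosts_with_hash(alerts, md5):
    """'Is it anywhere else?': distinct hosts on which this hash was reported."""
    return sorted({a["host"] for a in alerts if a["iocs"].get("md5") == md5})


if __name__ == "__main__":
    for cluster in cluster_alerts(SAMPLE_ALERTS):
        print(summarize_cluster(SAMPLE_ALERTS, cluster))
```

Clustering on exact IOC equality is deliberately conservative: a filename alone is a weak link (many benign binaries share names), so in practice one would weight the IOC types or require a hash or IP to join clusters, but the structure of the pivot stays the same.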