Security products often create more problems than they solve, drowning users in alerts without providing the context required to remediate threats. This challenge is compounded by a lack of experienced personnel and security tools with complex interfaces. These interfaces require users to become domain experts or rely on repetitive, time consuming tasks to turn this data deluge into actionable intelligence. In this paper we present Artemis, a conversational interface to endpoint detection and response (EDR) event data. Artemis leverages dialog to drive the automation of complex tasks and reduce the need to learn a structured query language. Designed to empower inexperienced and junior security workers to better understand their security environment, Artemis provides an intuitive platform to ask questions of alert data as users are guided through triage and hunt workflows. In this paper, we will discuss our user-centric design methodology, feedback from user interviews, and the design requirements generated upon completion of our study. We will also present core functionality, findings from scenario-based testing, and future research for the Artemis platform.

1. ASK ME ANYTHING:
A CONVERSATIONAL INTERFACE TO AUGMENT
INFORMATION SECURITY WORKERS
Symposium On Usable Privacy and Security 2017
Bobby Filar, Rich Seymour, Matthew Park

2. BOBBY FILAR
 Data Scientist
 Background in (NLP)
@filar
 bfilar@endgame.com
RICH SEYMOUR
 Data Scientist
 Background in HPC
 @rseymour
 rseymour@endgame.com
2
WHO ARE WE?
MATTHEW PARK
 User Experience Designer
 Background in Big Data
 @muted_counts
 mpark@endgame.com

3. User-Centric Design
3
Three Stages
• Discovery
• Understanding our users,
confirming/disproving biases, capturing
organizational workflows
• Concepting
• Creating design requirements solutions
• Prototyping and User Testing
• Feature creation and taking it back into the
‘wild’ for testing

4. Our Initial Problems
4
Insufficient Resources
• Onboarding & training
new hires & Retention
• Limited time to review
alerts and incidents
Lack of easy-to-use
automated tools
• Difficult for non-
programmers to use
• Easy for programmers
to mess up!
Security platforms are just
difficult to use!
• Forces conformity
• Requires level of
expertise to extract value

5. User-Centric Design Study
 GOAL: Capture team dynamics and worker roles within security organization to
identify challenges common across security teams
5
User Group Team Type Environment Collection Method
A Traditional SOC Day-to-day use User interviews
B Novice Training Team Mock Scenario Side-by-side
monitoring,
Retrospective & User
interviews
C Internal Red vs. Blue Mock Scenario Mirrored Scenario as
User Group B
D Trad. SOC & Consulting group Day-to-day use User testing

6. Findings: Security Worker Roles
6
Tier 1
Analyst
Tier 3
Analyst
Forensic
Hunter
 Have little to no prior experience (average of 1 year)
in the cyber security space. First line of defense in a
Security Operations Center.
 Main responsibility is to initially triage alerts and
determine if escalation (to higher tiered) is required.
 Primarily rely on a platform’s GUI.
 Intimately understand network and platform architecture.
 Seen as domain experts on the SOC team and more
comfortable working through the command line.
 Investigates escalated alerts, and determine root causes
and extent to remediate problems.
 Expert in EDR platforms and sophisticated
investigation tools
 Uses command line and scripting languages to
bypass UI and collect large data feeds using 3rd
party APIs.
SOC
Manager
 Skilled security practitioners, not necessarily subject matter
experts.
 Extensive management experience, oversees day-to-day ops.
 Set schedules, assigns prioritization, generates reports.

7. Example: EDR Alert
Alert Type: Suspicious Binary
Alert Created: Feb 11, 2017
Severity: High
Confidence: 73%
File Path: C:Tempaaa.exe
File Size: 45700
MD5: 5d41402abc4b2a76b9719d911017c592
File Created: Feb 11, 2017
What do you do when there are 100s of these each day?
7

8. Example: EDR Alert
 Lacks context
• Is it actually bad?
• Is it anywhere else?
• Did it talk to the network?
 Lacks connectivity
• Is this alert tied to any others?
 Pivot on single IOC
• Hash
• Filename
• IP address
Alert Type: Suspicious Binary
Alert Created: Feb 11, 2017
Severity: High
Confidence: 73%
File Path: C:Tempaaa.exe
File Size: 45700
MD5: 5d41402abc4b2a76b9719d911017c592
File Created: Feb 11, 2017
What do you do when there are 100s of these each day?
8

9. Findings: Day in Life of a Security Analyst
Data
Deluge
Lack of
Context
Repetitive
Processes
Searching not
Analyzing
Lack of
Expertise
Lack of
Time
9

10. Design Requirements
10
1. Eliminate query syntax via natural language
2. Educate users on platform features
3. Provide context-driven alert triage
4. Recommend next steps
5. Expedite focused collection

11. Solution
 A Bot is an application that assists in
the automation of tasks
• Mimics human conversation
• Natural Language
Understanding determines user
intent
 Imagine an assistant that provides
ability to:
• Ask questions
• Execute workflows
• Educate users
• Recommend next steps
Hello, how can I help
you?
11

12. Natural Language vs Query Language
12
Query Language
SELECT * FROM TABLE process_event WHERE
process_name == “odinaff.exe”;
Natural Language
Search process event data for odinaff.exe
Reality
Is odinaff.exe on any endpoints?

13. Confidential and Proprietary 13

14. Interaction Types
Turn-based Conversation
User: Search processes
Artemis: Okay. Please provide a hash or filename
User: odinaff.exe
Artemis: Got it. Which endpoints would you like to target?
User: Windows 10 machines.
Artemis: Okay. Would you like to launch this search?
User: Yes
14

15. Interaction Types
Goal-oriented Conversation
User: Show me process event data for odinaff.exe on all Windows 10 endpoints
Artemis: Are you sure?
User: Yep!
15

16. Interaction Types
API-Driven Investigations
curl 'api/v1/event_search' -H "Content-Type: application/json" -H
'authorization: <api_key> --data-binary '{"intent":"search_process",
"parameters": {
"process_name":"odinaff.exe",
"filepath": "C:Temp*.exe"
}
}'
16

17. TRADITIONAL INVESTIGATION
1. Narrow scope to limited endpoints
2. Understand adversary TTPs
3. Gather events from limited endpoints
4. Analyze events from for signs of TTPs
5. Discover suspicious activity
6. Decode obfuscated commands
7. Pinpoint powershell activity
8. Expand scope to next set of endpoints
9. Repeat…
ENDGAME ARTEMIS
“Find powershell activity”
Powershell Misuse Investigation
Automatically discovers and
analyzes malicious activity across
your global enterprise in minutes
 17

18. Looking Forward
18
1. Collaboration
2. Chat Integration
3. Improve via Active Learning

19. Thank You
Contact:
bfilar@endgame.com @filar
rseymour@endgame.com @rseymour
mpark@endgame.com @muted_counts