This document discusses the design of an intelligent assistant named Artemis to help security analysts with their workflow. It describes conducting user research to understand pain points of different security roles. The findings showed analysts lack context for alerts and have repetitive tasks. The document outlines requirements for Artemis, including understanding natural language, providing context-driven investigations, educating users, recommending next steps, and expediting collections using workflows. It provides examples of how Artemis could assist analysts and help optimize their time by automating common tasks. In the end, the goal is to design tools that better utilize analyst resources and are easier for a diverse range of users.

1. Security + Design *
Data Science: A Bot
Story
Bobby Filar & Rich Seymour
O’Reilly Security 2017
October 31, 2017

2. About Us
• Data Scientist
• Background in NLP
• @filar
• Data Scientist
• Background in HPC
• @rseymour
Bobby Filar Rich Seymour
• Endpoint Protection Platform
• ML/Domain Expertise
• @EndgameInc
• endgame.com
Endgame

3. State of
Security
Software
Detect Review Analyze Identify Notify Collect Validate React
Dwell Time Containment Time
Reduce Dwell Time using domain knowledge + ML

4. State of
Security
Software
Detect Review Analyze Identify Notify Collect Validate React
Dwell Time Containment Time
Reduce Dwell Time using domain knowledge + ML
• User and Entity Behavior Analytics (UEBA)
• Detection/Prevention
• Network Monitoring

5. State of
Security
Software
Detect Review Analyze Identify Notify Collect Validate React
Dwell Time Containment Time
Containment Time depends on real-time data availability and intuitivene
of the user interface

6. Opportunities to
Expand ML
Solutions
Reducing Containment Time Via ML is
Difficult!
• How do you optimize a human?
• How do you handle a diverse user base?
• Where do you find quality data?
• How can we optimize workflows?

7. User-Centric
Design Study

8. Design Process
• Discovery
• Understanding our users,
confirming/disproving biases, capturing
organizational workflows
• Concepting
• Creating design requirements solutions
• Prototyping and User Testing
• Feature creation and taking it back into the
‘wild’ for testing

9. Avoid Our Bias
Find What Users Need
Why Do This?

10. Objective
Capture team dynamics and worker roles within security organization to
identify challenges common across security teams
User Group Team Type Environment Collection Method
A Traditional SOC Day-to-day use User interviews
B Novice Training Team Mock Scenario Side-by-side
monitoring,
Retrospective & User
interviews
C Internal Red vs. Blue Mock Scenario Mirrored Scenario as
User Group B
D Traditional SOC & Consulting
group
Day-to-day use User testing

11. How our customers see it…
Insufficient Resources
• Onboarding & training
new hires & retention
• Limited time to review
alerts and incidents
Lack of easy-to-use
automated tools
• Difficult for non-
programmers to use
• Easy for programmers
to mess up!
Security platforms are just
difficult to use!
• Forces conformity
• Requires level of expertise
to extract value

12. Let’s meet the users

13. Tier 1
Analyst
Tier 3
Analyst
Forensic
Hunter
SOC
Manager

14. ”Pretty much any alert or call here
goes through me first. It can be a
lot to handle."
Tier 1
Analyst

15. "I’m doing the hard work here,
also I could really use a Tier 2."
Tier 3
Analyst

16. "Don’t call me unless the server
room is on fire, I’m working on my
new radare2 theme."
Forensic
Hunter

17. "I have a meeting with the CISO,
then 3 one-on-ones and a report
due, no time for a quote."
SOC
Manager

18. Findings: Day in Life of a Tier I
Data
Deluge
Lack of
Context
Repetitive
Processes
Searching not
Analyzing
Lack of
Expertise
Lack of
Time

19. Findings: Pain Points
• Lacks context
• Is it actually bad?
• Is it anywhere else?
• Did it talk to the network?
• Lacks connectivity
• Is this alert tied to any others?
• Pivot on single IOC
• Hash
• Filename
• IP address
Alert Type: Suspicious Binary
Alert Created: Feb 11, 2017
Severity: High
Confidence: 73%
File Path: C:Tempmalware.exe
File Size: 45700
MD5: 5d41402abc4b2a76b9719d911017c592
File Created: Feb 11, 2017
What do you do when there are 100s of these each day?

20. Diverse Data Sources
Process File Users Network Registry

21. Solution
Make a
Bot!
Hello, how can I help
you?

22. You Can Start Making a Bot Today!
• Emphasize chatOps with
Hubot, Chattie, etc
• If you can leverage outside
APIs!
• Define what you want to
automate
• The bot transforms text into
functions with arguments
search(process=‘fish’)
garbage input
usable output
scrub
scrub
scrub

23. But…

24. Solution
• An intelligent assistant can assist in
the automation of tasks
• Guides user through complex tasks
• Mimics human conversation
• Natural Language Understanding
determines user intent
• Imagined an assistant that provides
ability to:
• Ask questions
• Execute workflows
• Educate users
• Recommend next steps
Hello, how can I help
you?

25. Found the right tools (talk to us after for how)
spaCy
CRFsuite

26. From Research to Reality
Building an Intelligent Assistant From Scratch

27. Requirement #1
Eliminate query syntax via natural language

28. Natural Language vs. Query Language
Query Language
SELECT * FROM TABLE process_event WHERE process_name == “odinaff.exe”;

29. Natural Language vs. Query Language
Query Language
SELECT * FROM TABLE process_event WHERE process_name == “odinaff.exe”;
Natural Language
Search process event data for process odinaff.exe

30. Natural Language vs. Query Language
Query Language
SELECT * FROM TABLE process_event WHERE process_name == “odinaff.exe”;
Natural Language
Search process event data for process odinaff.exe
Reality
Did odinaff.exe run on any endpoints?

31. Interaction Types
Turn-based Conversation
User: Search processes
Artemis: Okay. Please provide a hash or filename
User: odinaff.exe
Artemis: Got it. Which endpoints would you like to target?
User: Windows 10 machines.
Artemis: Okay. Would you like to launch this search?
User: Yes
Artemis: Searching process data for odinaff.exe on
Windows10 endpoints.

32. Interaction Types
Turn-based Conversation
User: Search processes
Artemis: Okay. Please provide a hash or filename
User: odinaff.exe
Artemis: Got it. Which endpoints would you like to target?
User: Windows 10 machines.
Artemis: Okay. Would you like to launch this search?
User: Yes
Artemis: Searching process data for odinaff.exe on
Windows10 endpoints.
Resolve
Confirm
Handle

33. Interaction Types
Goal-oriented Conversation
User: Show me process event data for odinaff.exe
on all Windows 10 endpoints
Artemis: Are you sure?
User: Yes!

34. Interaction Types
API-Driven Investigations
curl 'api/v1/event_search' -H "Content-Type: application/json" -H
'authorization: <api_key> --data-binary '{"intent":"search_process",
"parameters": {
"process_name":"odinaff.exe",
"filepath": "C:Temp*.exe"
}
}'

35. Back to the Users!
Requirement #2
Provide Context-Driven Alert Triage

36. •Understand what a user is currently viewing
•Ingest metadata in current view
•Map nested fields to common nomenclature
•Access indicators by saying “this <field>”
ContextSharing

38. Endpoint data

39. Endpoint data
Process data

40. Endpoint data
Process data
User data

41. “Search process data for this MD5 on all endpoints”
“Was this domain requested on any other endpoint?”
“Has user admin logged into this endpoint?”

42. Requirement #3
Educate Users on Platform Features

43. • Assist in feature discovery
• Reduce need to consult docs
• Recommend best practices
• Focus analysts in current view
• Avoid copy/paste operations
WhisperText

45. Did it run anywhere else?
Where else is the file?
Has anyone else seen it in the wild?
Has it sent any data out of my
network?

46. Requirement #4
Recommend Next Steps

47. Short-term Memory
• Avoid defeated users
• Disambiguate user input
• Eliminate repetitive tasks
• Guide users through
recommended actions using
playbooks
search_network
search_network
search_networ
ksearch_proces
s
unknown
search_networ
k
unknown
unknown
“It looks like you’re trying to…”
“Would you like to run that
same query on this data?”
Repetition
Avoid Frustration

48. Long-Term Memory
Current User
Location Action
Alert List Accessed
Malware Alert
Malware Alert Open Artemis???
… …

49. Long-Term Memory
Current User
Location Action
Alert List Accessed
Malware Alert
Malware Alert Open Artemis???
… …
Location Action
Process Inject. Search process
Results view Kill process
Endpoint List Search DNS
Results View Search process
Results View Kill Process
Most Common Actions
Across Organization
Alert List Accessed
Malware Alert
Malware Alert Search Process
Results View Search Network
Results View Grab Memory

50. Long-Term Memory
Current User
Location Action
Alert List Accessed
Malware Alert
Malware Alert Open Artemis???
… …
Location Action
Process Inject. Search process
Results view Kill process
Endpoint List Search DNS
Results View Search process
Results View Kill Process
Most Common Actions
Across Organization
85%
Of analysts perform
this sequence
Alert List Accessed
Malware Alert
Malware Alert Search Process
Results View Search Network
Results View Grab Memory

51. Long-Term Memory
Current User
Location Action
Alert List Accessed
Malware Alert
Malware Alert Open Artemis???
… …
Location Action
Process Inject. Search process
Results view Kill process
Endpoint List Search DNS
Results View Search process
Results View Kill Process
Most Common Actions
Across Organization
85%
Of analysts perform
this sequence“We recommend the
following actions to triage
this alert”
Alert List Accessed
Malware Alert
Malware Alert Search Process
Results View Search Network
Results View Grab Memory

52. Requirement #5
Expedite Focused Collection

53. Structured Workflows & Automation
Domain expertise + Workflow *Automation
• Use playbooks
• Endgame provides some built-in
• Alert Remediation
• Quick Responses
• Multi-step analysis
• Orgs should be empowered to add their own
Make Security Software Work for You!

54. PowerShell Misuse Playbook
Traditional Investigation
1.Narrow scope to limited endpoints
2.Understand adversary TTPs
3.Gather events from limited endpoints
4.Analyze events from for signs of TTPs
5.Discover suspicious activity
6.Decode obfuscated commands
7.Pinpoint PowerShell activity
8.Expand scope to next set of endpoints
9.Repeat…
Endgame Artemis
“Find powershell activity”
Automatically discovers and
analyzes malicious activity across
your endpoints in minutes

55. Back to the Users!

56. “I want easy access to response actions”
“I want better insight into what my team is working on”
“I want to share new IOCs with my teammates”
“I still want an option for a structured query language”

58. How our customers NOW see it…
Better Use of Resources
• Helps with onboarding
& training new hires
• Decreases time to
review alerts and
incidents
Automation via NLP
• Easy for non-
programmers to use
• Exposes response
actions via API
Platform that works for you
• Encourages
personalization
• Reduces level of expertise
to extract value

59. Closing
Thoughts
• Data science can be applied to
more than just good/bad
• User-centric studies help capture
diverse team environments
• Intelligent assistants can help
alleviate rigid interfaces

60. Questions?
Bobby Filar
@filar
bfilar@endgame.com
Rich Seymour
@rseymour
rseymour @endgame.com