Page 1: Security Interoperability & Automation

Nick Humphrey, CTO, Huntsman Security


Page 2: Introduction

Industry relationship with machine learning / AI

Automation != ML/AI (but can play a part)

Levels of automation

Humans in the decision making loop

Empowering security analysts and incident responders

Page 3: Security? Just Pick from Top Right!

Page 4: Cyber Big Data 2.0 Machine Learning!

Page 5: Transparency

What is really under the hood?

Why was the decision made?

Do we just take it on trust?

Page 6: Bias & Learning “The Wrong Thing”

From “The Register”: https://www.theregister.co.uk/2016/03/24/microsoft_ai_goes_troll/

Page 7: The Humans Aren’t Going Away

Not anytime soon, at least.

Finding the right balance

Focusing analyst time where human-led investigation adds the most value

Local knowledge and context

Tools and standards as a force multiplier

Page 8: Security Analysts are people too

“A Human Capital Model for Mitigating Security Analyst Burnout” (Sundaramurthy et al.), presented at SOUPS 2015, the Symposium on Usable Privacy and Security, published by USENIX

https://www.usenix.org/system/files/conference/soups2015/soups15-paper-sundaramurthy.pdf

Page 9: Alert Fatigue

Page 10: Alert Context

Page 11: Automating the drudge work

Automate the stuff that machines are actually good at

We all have networks with “lots of different kit”

Tooling which interacts reliably with other systems

Ansible, Chef, Puppet etc → “known good state”

Log collection and enrichment

Don’t have humans doing this, let them focus on decisions

Page 12: Interoperability

Physical security vendors have formed an alliance for IP-enabled CCTV and Physical Access Control products: the Physical Security Interoperability Alliance (PSIA)

For the purpose of this presentation, focus on the logical side

A human-speed response to machine-speed threats will always fall short

How can we get our disparate systems talking to each other?

Page 13: Standards

© xkcd (https://xkcd.com/927/) Licence: CC BY-NC 2.5

Page 14: Threat Intelligence: STIX / TAXII

Structured way of sharing CTI across communities

Version 1 (STIX 1.2.1 / TAXII 1.1.1) recognised by the European Union as a standard for interoperability and identified for referencing in public procurement: Commission Implementing Decision (EU) 2017/2288

Version 2 moves from XML to JSON, simplifies expression and adds a patterning language for indicators

Patterns describe what to match in observed data, playing a role similar to YARA or Snort rules

https://www.oasis-open.org/committees/cti/
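To make the "patterns" point concrete, the following is an added example, not code from the slides or from OASIS. It builds a STIX 2.1 Indicator by hand and evaluates its pattern against constructed firewall log events without the stix2 library, which also shows the kind of log enrichment and matching that Page 11 argues should be left to machines. It handles only a subset of STIX patterning (one bracketed observation expression, `=`/`!=` comparisons with quoted string literals, joined by AND/OR); the log format, addresses, domains and all function names are assumptions made for the example.

```python
"""Added example (not from the slides or from OASIS): build a STIX 2.1
Indicator by hand and evaluate its pattern against constructed firewall log
events, without the stix2 library. Only a subset of STIX patterning is
handled: one [ ... ] observation expression, comparisons with = or != and a
quoted string literal, joined by AND / OR (AND binds tighter). Log format,
addresses and domains are made up for the example."""
import json
import re
import uuid
from datetime import datetime, timezone


def make_indicator(name, pattern, indicator_types=("malicious-activity",)):
    """Return a minimal STIX 2.1 Indicator object as a dict (pattern_type 'stix')."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": list(indicator_types),
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
    }


# object-path  operator  'literal'   e.g.  ipv4-addr:value = '203.0.113.42'
_COMPARISON = re.compile(r"^\s*([a-z0-9-]+:[A-Za-z0-9_.]+)\s*(=|!=)\s*'([^']*)'\s*$")


def _eval_comparison(expr, observation):
    """Evaluate one comparison. As in STIX, a missing property never matches."""
    m = _COMPARISON.match(expr)
    if not m:
        raise ValueError(f"unsupported comparison: {expr!r}")
    path, op, literal = m.groups()
    if path not in observation:
        return False
    return observation[path] == literal if op == "=" else observation[path] != literal


def match_pattern(pattern, observation):
    """Evaluate a single bracketed observation expression against one
    observation, given as {object-path: value}."""
    pattern = pattern.strip()
    if not (pattern.startswith("[") and pattern.endswith("]")):
        raise ValueError("only a single [ ... ] observation expression is supported")
    body = pattern[1:-1]
    # Splitting on the keywords is enough for this subset; a literal containing
    # ' AND ' or ' OR ' would need a real tokenizer.
    return any(
        all(_eval_comparison(c, observation) for c in re.split(r"\s+AND\s+", disjunct))
        for disjunct in re.split(r"\s+OR\s+", body)
    )


# Constructed log format: "<sensor> <verdict> src=<ip> dst=<ip> host=<domain>"
_LOG_RE = re.compile(r"src=(\S+) dst=(\S+) host=(\S+)")


def observation_from_log(line):
    """Project one constructed firewall log line onto STIX object paths.
    Indicators usually describe the destination and the requested host,
    so those two are exposed."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    _src, dst, host = m.groups()
    return {"ipv4-addr:value": dst, "domain-name:value": host}


SAMPLE_LOGS = [  # constructed sample input
    "fw1 allow src=10.0.0.5 dst=198.51.100.7 host=cdn.example.net",
    "fw1 allow src=10.0.0.9 dst=203.0.113.42 host=evil.example",
    "fw1 allow src=10.0.0.5 dst=192.0.2.10 host=updates.example.org",
]


def find_hits(indicator, lines):
    """Return the log lines whose observation satisfies the indicator's pattern."""
    hits = []
    for line in lines:
        obs = observation_from_log(line)
        if obs is not None and match_pattern(indicator["pattern"], obs):
            hits.append(line)
    return hits


if __name__ == "__main__":
    ind = make_indicator(
        "Known C2 infrastructure",
        "[ipv4-addr:value = '203.0.113.42' OR domain-name:value = 'evil.example']",
    )
    print(json.dumps(ind, indent=2))
    for hit in find_hits(ind, SAMPLE_LOGS):
        print("HIT:", hit)
```

The same indicator object, serialised with `json.dumps`, is what a TAXII 2 server would hand out in a collection; the matching half is the part a SIEM or a sensor does locally, which is why a shared, structured pattern beats a PDF of IOCs.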

Page 15: OpenC2: Overview

Open Command and Control (OpenC2) is a concise and extensible language to enable the command and control of cyber defence

Supported by the National Security Agency, Cisco, Intel, Bank of America, Symantec, Huntsman Security and others

Originally independent “OpenC2 Forum”, moved to OASIS in 2017

Committee Specification Draft 03 as of April 2018

Standard v1.0 expected during 2018

https://www.oasis-open.org/committees/openc2/

Page 16: OpenC2: Actions

Actions that Control Information (e.g. “scan”, “query”)

Actions that Control Access (e.g. “deny”, “allow”)

Actions that Control Activities/Devices (e.g. “snapshot”, “restart”)

Effects-Based Actions (e.g. “mitigate”, “investigate”)

Profiles for firewalls, proxies, IDS, SIEM, switches, SDN controllers…

Language spec also covers target types, specifiers, options and more

https://www.oasis-open.org/committees/openc2/

Page 17: OpenC2: Simple JSON Example

{
  "header": {
    "version": "1.0",
    "timestamp": "2018-01-30T18:25:43.511Z"
  },
  "command": {
    "id": "CMD1234",
    "action": "redirect",
    "target": {
      "url": {
        "value": "http://evil.com"
      }
    },
    "options": {
      "destination": "http://newdest.com/home"
    }
  }
}

Page 18: OpenC2: Why Should You Care?

Free to implement and use

Standardising interoperability reduces cost, complexity

OpenC2 → native API translation is done by the actuator: the vendor translates the request into an action on the device

Makes it easier to express “what” you want to happen, rather than being stuck on “how”

https://www.oasis-open.org/committees/openc2/
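The actuator-side translation described above (and the action/target vocabulary from Page 16), as an added example that is not code from the slides or from OASIS: a toy OpenC2 actuator fronting a Linux host firewall. It accepts messages in the draft-era header + command shape shown on Page 17, enforces an allow-list of the actions this actuator profile implements, and translates `deny`/`allow` on an IPv4 target into the native tool invocation, here an iptables argument list that is built but never executed. The target type name `ipv4_addr`, the `options.direction` field and all function names are assumptions made for the example; the status codes follow the HTTP-style convention OpenC2 responses use. One caveat for anyone reading this after 2018: the published v1.0 Language Specification dropped the `header` envelope and flattened the command to `action`, `target`, `args`, `actuator` and `command_id`, so treat the message shape here as the draft-era one the slide shows.

```python
"""Added example (not from the slides or from OASIS): a toy OpenC2 actuator
fronting a Linux host firewall. It accepts messages in the draft-era shape
shown on the previous slide (header + command), enforces the allow-list of
actions this actuator profile supports, and translates "deny"/"allow" on an
ipv4_addr target into the native tool invocation, here an iptables argument
list that is built but never executed. The target type name ipv4_addr, the
options.direction field and all function names are assumptions made for the
example; status codes follow the HTTP-style convention OpenC2 uses."""
import ipaddress
import json
import shlex

SUPPORTED_ACTIONS = {"deny", "allow", "query"}  # what this profile implements
REQUIRED_HEADER_FIELDS = {"version", "timestamp"}


def _validate(message):
    """Check the envelope and return the command dict, or raise ValueError."""
    header = message.get("header")
    if not isinstance(header, dict) or not REQUIRED_HEADER_FIELDS <= header.keys():
        raise ValueError(f"header must contain {sorted(REQUIRED_HEADER_FIELDS)}")
    command = message.get("command")
    if not isinstance(command, dict) or "action" not in command or "target" not in command:
        raise ValueError("command needs 'action' and 'target'")
    if not isinstance(command["target"], dict) or len(command["target"]) != 1:
        raise ValueError("exactly one target type is required")
    return command


def translate_access_control(action, command):
    """Translate deny/allow on an ipv4_addr target into an iptables argv.
    The producer says *what* (deny this address); the actuator decides *how*
    (table, chain, match) for the device it fronts."""
    (target_type, target), = command["target"].items()
    if target_type != "ipv4_addr":
        raise NotImplementedError(f"target type {target_type!r} not supported by this profile")
    if not isinstance(target, dict) or "value" not in target:
        raise ValueError("ipv4_addr target needs a 'value'")
    # Parse before anything could reach a shell: rejects 'x; rm -rf /' and IPv6 alike.
    addr = ipaddress.ip_address(target["value"])
    if addr.version != 4:
        raise ValueError("ipv4_addr target must be an IPv4 address")
    direction = command.get("options", {}).get("direction", "ingress")
    if direction not in ("ingress", "egress"):
        raise ValueError(f"unknown direction {direction!r}")
    chain, match = ("INPUT", "-s") if direction == "ingress" else ("OUTPUT", "-d")
    verdict = "DROP" if action == "deny" else "ACCEPT"
    return ["iptables", "-I", chain, match, str(addr), "-j", verdict]


def handle_command(message):
    """Actuator entry point: returns an OpenC2-style response dict."""
    cmd_id = message["command"].get("id") if isinstance(message.get("command"), dict) else None
    try:
        command = _validate(message)
    except ValueError as exc:
        return {"id": cmd_id, "status": 400, "status_text": str(exc)}
    action = command["action"]
    if action not in SUPPORTED_ACTIONS:
        # e.g. the slide's "redirect": a host firewall has no way to honour it
        return {"id": cmd_id, "status": 501, "status_text": f"action {action!r} not implemented"}
    if action == "query":
        return {"id": cmd_id, "status": 200, "results": {"actions": sorted(SUPPORTED_ACTIONS)}}
    try:
        argv = translate_access_control(action, command)
    except NotImplementedError as exc:
        return {"id": cmd_id, "status": 501, "status_text": str(exc)}
    except ValueError as exc:
        return {"id": cmd_id, "status": 400, "status_text": str(exc)}
    # A real actuator would call subprocess.run(argv, check=True) here.
    return {"id": cmd_id, "status": 200, "native_command": shlex.join(argv)}


DENY_MESSAGE = {  # constructed, in the draft-era shape used on the previous slide
    "header": {"version": "1.0", "timestamp": "2018-04-10T09:00:00.000Z"},
    "command": {
        "id": "CMD0001",
        "action": "deny",
        "target": {"ipv4_addr": {"value": "203.0.113.42"}},
        "options": {"direction": "ingress"},
    },
}

if __name__ == "__main__":
    print(json.dumps(handle_command(DENY_MESSAGE), indent=2))
```

Two design points matter more than the iptables detail: the action allow-list is the actuator's declaration of its profile, so a command it cannot honour (the slide's `redirect` aimed at a firewall) gets a 501 rather than a silent no-op, and every target value is parsed as the type it claims to be before it is placed into a native command, because an orchestrator that forwards attacker-controlled indicators into shell commands is itself an attack path.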

Page 19: You’re almost at the coffee break

ML/AI has its place, but don’t underestimate humans

Focus should be on enabling analysts to make the most effective use of their time (e.g. threat hunting)

Automate the stuff you are confident about

Open standards in cybersecurity are a positive: talk to your vendors about what they’re doing to support them

Page 20: Thank You


https://www.huntsmansecurity.com