OCA Community Connect

Roseann Guttierrez

Welcome to 'Community Connect,' the space where we dive into the benefits of seamlessly integrating security products using open source software and standards, all with the goal of fostering a more interoperable security ecosystem. In each episode, we embark on a journey into the heart of the OCA community, engaging in insightful conversations with the individuals who are actively shaping the open source security landscape. Expect to stay up to date with the very latest developments, as we bring you news, updates, and a closer look at the sub-projects that are steering the course of future security tooling. So, whether you're an experienced contributor, a curious developer, or simply someone with a profound commitment to securing our digital realm, this podcast is your go-to destination. Together, we'll drive innovation, elevate security standards, and contribute to a safer world.

Host info: Roseann Guttierrez is your host, a cybersecurity professional with over two decades of experience specializing in computer forensics, digital investigation, and critical infrastructure. As the voice of the podcast, she embodies the spirit of a cybersecurity superhero, dedicated to forging alliances that enhance security across the digital realm.

Episodes

  1. 03/21/2024

    STIX Shifter - March 2024

    Roseann Guttierrez [00:00:00]: Our guest today is Azam, and I say awesome Azam because I do think he's awesome. He's a really great guy. He's a software developer at IBM and is a maintainer and contributor to STIX shifter, which is also our topic today. Azam, thank you so much for coming on with us. How are you doing today?
    Md Saroer-E Azam [00:00:19]: I'm good. Thank you so much, Roseann, for inviting me. It is my pleasure. Nice intro.
    Roseann Guttierrez [00:00:25]: Well, why don't you give me a little intro on yourself? How'd you become a developer? How'd you become so awesome?
    Md Saroer-E Azam [00:00:32]: First of all, I usually go by Azam, my last name, so don't feel weird about it. I studied computer science in my bachelor's and also in my master's. So that's the background of my software development. So I started my career in Canada at IBM in 2015. So it's been 8 to 9 years now. So for the first 3 years, I worked in IBM QRadar SIEM, which is the classic SIEM, we can say, just implementing different DSM protocols, sort of like integration of different log sources for IBM QRadar. Then I moved on to a new project 5, 6 years ago called IBM Cloud Pak for Security, which is now on the market as the IBM QRadar Suite platform, which is an integrated platform.
    Md Saroer-E Azam [00:01:24]: Kind of a similar sort of role, like integrating different diverse data services and making sure important pieces like the federated search application work in the platform using an open source library called STIX shifter, which is the topic of our discussion today. As a maintainer, for 5, 6 years I've been the maintainer of this STIX shifter project.
    Roseann Guttierrez [00:01:47]: Time flies?
    Md Saroer-E Azam [00:01:49]: Yeah. Time flies. The project evolved quite a lot since the beginning to now. It was under an IBM project, then we open sourced it under OCA. And even before that, some parts of the base were inherited from an OCA STIX translation project that we took over, made the STIX shifter project, where we have this library that enables people to run searches in diverse data services and get the results in STIX cyber observable objects. So that's the main goal of this library. So we have, like, more than 30 different modules. We call them connectors, which connect to different data services.
    Md Saroer-E Azam [00:02:32]: The user can send a STIX pattern query, patterning language, then it translates into the native data source query that the data source understands, then the data source sends back the result based on the search criteria. Then we translate those results into STIX cyber observable objects. Sort of uniforming the way that people see different observable data.
    Roseann Guttierrez [00:02:58]: As a maintainer, right, of the STIX Shifter project, what are some of the challenges that you have with developing an open source project but still working for a commercial company?
    Md Saroer-E Azam [00:03:10]: So first and foremost, the main challenge that every open source project maintainer faces is community engagement, engaging the community constantly. So building and sustaining an engaged community around the project is, actually, a constant effort. You have to engage constantly.
    Roseann Guttierrez [00:03:33]: For sure.
    Md Saroer-E Azam [00:03:34]: That involves responding to issues, reviewing the contributions, especially the pull requests, and conducting different discussions. Second, I would say the documentation, which is very important because the first thing when people come to the project, they'll see there what you wrote about the project. Readmes, the documentation needs to be up to date always. The project is evolving. The code base is evolving. We are constantly contributing, fixing bugs, adding features, adding connectors. So the documentation needs to be up to date and also comprehensive for the contributor and for the user. We have 2 target audiences here, users and contributors.
    Md Saroer-E Azam [00:04:16]: The user has to know how to use the library easily or put it in their own project or product. And the contributor needs to understand how to contribute, how to develop a certain feature, connector, or module. So we created developer documentation. The next one I'd say is the quality of the code that the contributors make, even the maintainers. This is important; it's very crucial, I would say, for the long term maintainability of the project. Contributors come and go, maintainers can come and go. But the project stays for a longer period of time. If anyone comes and wants to contribute, they need to have the ability to contribute to the project easily.
    Md Saroer-E Azam [00:05:05]: So that maintainability in terms of code quality, like, review. We have to review every contribution thoroughly. Sometimes every line of the code that any contributor contributes. We have to make sure tests are there. We have to make sure the coding standard is followed.
    Roseann Guttierrez [00:05:23]: That it's clear.
    Md Saroer-E Azam [00:05:23]: Yeah. You can stop me, Roseann, if I go too long. The last one, it's the compatibility. Making sure that the project, the library that we publish, is compatible with different platforms. For example, for Python, like, we have different versions of Python people have been using, Python 8, 9, 10, 11, 12. We support a wide variety of Python versions, especially the latest one, which people would be using always.
    Roseann Guttierrez [00:05:52]: So make sure it's, like, backwards compatible as well.
    Md Saroer-E Azam [00:05:55]: Backwards compatible, forward compatible. We need to keep up to date always. And the dependencies that the project uses, that's another important piece because the other libraries that we use in our project, they are also evolving. Like, they're also upgrading the version due to security issues, features, fixes, bugs. So
    Roseann Guttierrez [00:06:19]: Yeah. And that could cause a problem. Right? Yeah. Because the dependency changes and you don't know, and then yeah.
    Md Saroer-E Azam [00:06:25]: That's always a concern for us, especially if any vulnerable library is used. Any good library can be vulnerable in the next release. So Right. We had to quickly update the vulnerable library. We have to keep track of the dependencies. We have to keep track of the compatibility because the project is growing. Dependencies could be growing as well. And lastly, I would say security; security is kind of the main focus of this library.
    Md Saroer-E Azam [00:06:55]: Right? So
    Roseann Guttierrez [00:06:56]: Right.
    Md Saroer-E Azam [00:06:19]: We need to make sure we follow the secure coding practices when you contribute. If you're using any vulnerable libraries, dependencies, or in any malicious way, that's how we need to take care of that.
    Roseann Guttierrez [00:07:10]: Yeah. That makes sense.
    Md Saroer-E Azam [00:07:09]: I said these are the main challenges. These are not unique. Every open source project faces these kinds of challenges, but I should say I needed to mention that in terms of our project.
    Roseann Guttierrez [00:07:24]: No. That's good. That's a really good list.
    Md Saroer-E Azam [00:07:27]: Oh, so the first is, like, community engagement. Okay. Then documentation, updating documentation, maintaining the code quality, maintaining compatibility or dependencies, and the security of the code or the project.
    Roseann Guttierrez [00:07:23]: Yeah. And I know that, you know, not just on maintaining the project, but, obviously, you want people to use the project also. Right? Because you said that was kind of, like, your second set of users. And I know, from experience dealing with different people on this project, that, for example, Trend Micro has incorporated STIX shifter into their Vision One product. Do you have any other kind of use cases or stories of people utilizing STIX shifter in their projects?
    Md Saroer-E Azam [00:08:10]: Sure. Like, I come from IBM. So IBM is the main user since the beginning, let's say. So they use STIX shifter connectors in their federated search application that gives the user/customer, say, a Unified Analyst Experience (UAX). They run search, federated search, on different applications across diverse data services using the STIX shifter connectors and the libraries. So this is a very important use case for us, and it's in the market. Like, people have been using it.
    Md Saroer-E Azam [00:08:43]: Another important use case I could highlight is the threat hunting project of OCA, Kestrel. They have been using it quite a lot for their threat hunting purpose and different projects.
    Roseann Guttierrez [00:08:59]: So it's kind of the foundation of Kestrel. Right? Because it runs on top of it.
    Md Saroer-E Azam [00:08:57]: They run, yeah. The threat hunting is also about searching different criteria in different data sources. So they use STIX shifter for that purpose as well. So
    Roseann Guttierrez [00:09:14]: Makes sense.
    Md Saroer-E Azam [00:09:14]: These are the 3 real world cybersecurity product
    Roseann Guttierrez [00:09:19]: Use cases. Right?
    Md Saroer-E Azam [00:09:20]: Use cases.
    Roseann Guttierrez [00:09:13]: Well, product integrations. Because as a regular, you know, just like an everyday user, I can also run it from the command line on my own, right, and connect to my own data sources and just run it myself without it actually being integrated. So that's another potential use case as well.
    Md Saroer-E Azam [00:09:37]: You don't need a platform or any fancy tools. You can just do it on your own from your own machine. You can run your own searches.
    Roseann Guttierrez [00:09:48]: Right. Where do you see the STIX shifter project going, like, in the next year? I know lots of changes have happened in this past year.
    Md Saroer-E Azam [00:09:55]: Yes. Yes. That's right. So kind of related

    17 min
  2. 03/04/2024

    CACAO Roaster - Feb 2024

    Roseann Guttierrez [00:00:00]: Our guest today is Vasileios Mavroeidis. He is a professor of cybersecurity at the University of Oslo, and he's also a member of our OCA governing board. We're going to be talking to him today about the CACAO Roaster subproject. Very excited to hear about this. Hi, Vasileios. How are you doing today? Thanks for joining us.
    Vasileios Mavroeidis [00:00:19]: I'm great. Thank you. Thank you for the invitation. Glad to be here.
    Roseann Guttierrez [00:00:23]: Wonderful. Wonderful. Why don't we start by having you give kind of, like, a little mini story as to how you got into cybersecurity, how you got here today?
    Vasileios Mavroeidis [00:00:33]: Sure. Well, basically, my studies were in cybersecurity, but at some point, you know, after I did my master's, I found a job, but then I said that I wanted to do a PhD. Then, you know, I relocated from the UK to Norway. I'm originally from Greece, actually. So I've been all over the world. In any case, I started looking at Norway, and I did my PhD here. And then my postdoc here, I worked a little as a researcher.
    Vasileios Mavroeidis [00:00:57]: Then finally, I got a professorship after a lot of effort. So, currently, I'm a professor of cybersecurity at the University of Oslo. Basically, I conduct mostly research, with a particular focus on cyber threat intelligence and security automation, and mostly in the context of European projects, EU funded projects, basically. I'm also an ambassador of open standards and open source. I guess this is the reason also I'm here today. I have contributed massively to the community. I joined OWASP actually almost 8 years ago, and I supported the development of different standards such as OpenC2, STIX, CACAO, the effect of the feedback for context ontology, and many others. I'm also currently having a chair at the board of directors of OASIS and the project governing board of Open Cybersecurity Alliance.
    Vasileios Mavroeidis [00:01:50]: What else? I'm also co-chairing the FIRST Automation Special Interest Group, and I'm a member of different ad hoc working groups related to cybersecurity. This is more or less the cybersecurity domain for about 10 years now.
    Roseann Guttierrez [00:02:04]: Okay. Well, why don't you tell us the elevator pitch for the CACAO Roaster project?
    Vasileios Mavroeidis [00:02:10]: Right. So what is the CACAO Roaster sub-project? Basically, you know, within OASIS, we identified the need of developing a cybersecurity playbook standard, and we always have this. To make the long story short, we try to do for playbooks what STIX, for example, did for cyber threat intelligence. So we needed a robust method to encode cybersecurity playbooks so defenders can exchange them, and the full focus is on interoperability. Basically, the pain point was, we have structural approaches that can be machine processable, basically, for threat intelligence. These standards generally are doing great in encoding detection engineering, but then the concept of "So now what?" was still unresolved.
    Roseann Guttierrez [00:02:57]: Right.
    Vasileios Mavroeidis [00:02:57]: And for this reason, you know, we established this technical committee within OASIS. It's by Brett Jordan and Alan Thompson. I'm also the secretary of this technical committee, and I have contributed so massively to the development of the specification among other people and many organizations that have been participating. At some point, the standard, you know, came into a robust stage and, you know, it's all about adoption and verifying basically the standard. You can imagine people that know STIX, you know, it's exactly the same principle. We'll have a specification. The specification is encoded basically into a machine readable format, in particular, JSON. But then, you know, it's really impossible to start creating your playbooks manually.
    Vasileios Mavroeidis [00:03:43]: So you can't expect some people to start writing their playbooks, you know, in JSON. So we came up with the idea of developing a software to support adoption and basically allow defenders to start creating their own interoperable playbooks, to experiment with CACAO playbooks. And this is like, you know, 2 fold or 3 fold. Or so, basically, you know, it's not only about the project itself, but it will allow you to create playbooks, exchange playbooks, visualize playbooks, digitally sign playbooks, and verify them, but it's also, you know, a means to validate the specification. Because we develop products such as the specification. But then, you know, when you start developing an actual software, right, it's a good means for validating it, how good it is. So we also expect that the, you know, the community started creating playbooks. I assume that the community has started adopting the CACAO Roaster.
    Vasileios Mavroeidis [00:04:40]: I have multiple use cases to discuss later. But at the same time, we also identify, you know, new use cases, some fascinating use cases, but also issues with the specification we'll have to address in the future. So we can have a perfect standard for security playbooks.
    Roseann Guttierrez [00:04:59]: That's great. Yeah. I checked out the project over the weekend and really like the ease of use on it. And I do definitely see how it makes it easier for people to jump in and start creating things right away. So that's really great. So what makes the subproject important to you? Why is it important?
    Vasileios Mavroeidis [00:05:17]: So as I said, you know, I'm a standards person, and my focus is on cybersecurity automation. And if you take it up a little higher level, you know, our shares here at the University of Oslo deals a lot with enhancing the capacity of security operation centers, and we are focusing on national security authorities and operators of essential services. Maybe what you call the critical infrastructure, they are or would mean in the US. Right? There were many needs regarding that. So the authorities need to, you know, we have these directives in the EU that are all about cross border collaboration slash cooperation, the ability to exchange intelligence equally, the ability to collaborate in incident response activities. That was our motivation when we started the committee. We developed the project, and now we validate the Roaster itself and the request within the context of European projects.
    Vasileios Mavroeidis [00:06:12]: So we have multiple national security authorities that use the Roaster to create playbooks, couple these playbooks with cyber threat intelligence, in particular STIX, and not only now exchange, right, threat intelligence, but basically, as we call it here, defensive tradecraft.
    Roseann Guttierrez [00:06:28]: Right.
    Vasileios Mavroeidis [00:06:29]: And multiple use cases. Right? I mean, most of the people will think about, you know, incident response and methodologies, but we have use cases regarding business continuity, resilience, regulatory compliance, security policy compliance, whatever is related to cybersecurity operations from detection to response. No. Writing exercises, playbooks for engagement, basically, you know, like, how you engage with adversaries in real time, active defense. And most importantly, you know, how these things come together, because the cybersecurity of specific entities, or I would say of too many entities, you know, is quite immature. So, you know, if you have a standard that will allow you to exchange this defensive knowledge, you know, as we were saying in the past for CTI, detection can become another prevention. So it's a similar concept now with playbooks.
    Roseann Guttierrez [00:07:33]: Right. I love how you can sign them too. That's great. Okay. So as a new project, where can you use some help?
    Vasileios Mavroeidis [00:07:39]: The main thing that we want to do here is to create a community around the Roaster. So, you know, this was developed by us. Certainly, it's not perfect. It's an open source project. We developed it, basically, in our spare time. So we would like the community to contribute, not only code to improve the project. So it's not only, like, finding bugs, you know, initiating pull requests to fix something, but also coming up with, you know, use cases, such as we have the use case that we would like the Roaster to export STIX 2.1 course of action objects that can also incorporate cybersecurity playbooks. Right? So we need the community to support the project.
    Vasileios Mavroeidis [00:08:28]: We would like to create a playbooks knowledge base. This is a common issue right now because people saw the Roaster, but immediately they start asking, but why have you not made, you know, a series of playbooks available? I mean, it's a reasonable request, but it takes time to do that, especially if you want to develop and contribute playbooks that make sense. It will be nice if we have the community supporting us with generating and making available their playbooks. And, also, we would like to identify use cases to, let's say, extend the project. One, let's say, complex use case would be that, okay, we have now an application that will allow us to generate playbooks. Right? Let's call it a user interface right now. What about the orchestration power? Basically, the orchestrator itself. So I do know, though, that there is a European entity.
    Vasileios Mavroeidis [00:09:27]: They have already contacted us. They are developing a native CACAO orchestrator. So, you know, another project will be to couple our application, which will be the user interface of their orchestrator. We would like to have such kinds of use cases. Right? We need to create also an API based on the needs of the community. We'd like to interconnect the system with incident case management systems, with C

    13 min
  3. 02/14/2024

    OCA 2023 Highlights - Jan 2024

    Roseann Guttierrez [00:00:00]: Our guest today is Mark Mastrangeli. Did I say that right?
    Mark Mastrangeli [00:00:04]: Yeah.
    Roseann Guttierrez [00:00:04]: Mark Mastrangeli? Alright. He is the cloud engagement director at Palo Alto Networks, and he's also co-chair for our OCA governing board. How are you doing today, Mark?
    Mark Mastrangeli [00:00:15]: I'm doing great. Thanks, Roseann.
    Roseann Guttierrez [00:00:17]: Thank you. Thank you for coming and joining us today. We're gonna discuss, basically, OCA's achievements over the course of 2023 and talk a little bit about what this year holds. To get started, why don't you tell me a little bit about you and how you got into tech?
    Mark Mastrangeli [00:00:34]: Yeah. Sure. So, long story short, I did engineering undergrad. I was an operations research major, so a lot of efficiency optimization, you know, modeling algorithms, things like that. I loved solving problems. It's one of the things that makes me tick. Once a problem is solved, I'm on to the next one and, you know, kinda have to keep myself busy, but, you know, just kind of fell into cybersecurity. McAfee was at a job fair at my college many, many years ago now and I started out as an inside sales engineer, did sales engineering for many years, and, again, kinda felt like that was problem solved.
    Mark Mastrangeli [00:01:17]: I wanted to be part of the solution and go influence product design and really, you know, things that were novel. So I moved into the product organization and then, you know, did that for a little while. And then ultimately, and kind of the origin of the Open Cybersecurity Alliance, I was the lead architect for McAfee's, what we called the Security Innovation Alliance, which was our partner technology program. I was responsible for integration pattern design and building integrations between all the McAfee things, which was a pretty broad portfolio from network IPS to SIEM to, you know, firewalls when I started, to endpoint protection, of course, and web and you name it. Right? Years later, we had Open DXL, which came out of Intel. So McAfee was part of Intel for about 6 years. And we built an open source implementation of MQTT that evolved to include Kafka and a bunch of other things over time. But I was the lead architect for that program, and that was kinda how we started working really closely with IBM at the time before McAfee, you know, sadly, kind of let Open DXL die.
    Mark Mastrangeli [00:02:30]: They didn't maintain it. We had a lot of new technical leadership that didn't really understand that kind of open source, open interoperability philosophy that Intel did. But, nonetheless, it led to the formation of the Open Cybersecurity Alliance, you know, working with IBM to say, you know, let's not just build our own technology ecosystems of, you know, McAfee and a bunch of partners, IBM and a bunch of partners, let's build an ecosystem of ecosystems and try and drive interoperability with standards, you know, leveraging OASIS as a governing body to do more and do more as a community in a broader ecosystem of organizations that have the same philosophy. So, that was kinda how I got into tech and, fast forward a little bit. After McAfee, in hindsight, maybe I stuck around too long, but it's led me to where I am today. Went on a startup adventure for a couple years after that, and that didn't work out, like so many, but it was a great learning experience. And then joined Palo Alto last May as a cloud engagement director. So basically, what I'm doing now, I overlay all of our strategic customers.
    Mark Mastrangeli [00:03:44]: As, you know, outside the sales organization, I get to just be a consultant, kind of a field CTO role, if you will. I get to go help them on their cloud security journeys, you know, guide them, help them be successful, and understand kind of the landscape and what's out there and what things they should be considering. And, of course, we have tons of people that do the product side of that. You know, what I'm really passionate about now in my current role is, you know, kind of the people side of the challenge.
    Roseann Guttierrez [00:04:14]: Right.
    Mark Mastrangeli [00:03:43]: You know, DevOps was a cultural revolution more than anything, I think, in getting different teams that used to be disparate to work together, and now DevSecOps includes that. You know, my favorite definition
    Roseann Guttierrez [00:04:26]: And everything else. Yes.
    Mark Mastrangeli [00:04:26]: Yeah. Exactly. But it's, Patrick Debois, I think, has the best definition of what DevOps or DevSecOps is, and it's everything you do to remove the efficiency created by silos. And all the rest is just engineering. Right? So, it's really fun. It's always different. Every organization has their unique challenges and, you know, cloud's one of those things.
    Mark Mastrangeli [00:04:50]: There's not just one reference architecture. It's just every permutation of things that you could possibly come up with. And so it's really fun. You know, I think it's new. It's a maturing space. So that's what I'm doing today, but still really passionate about the OCA, and I've been honored to, you know, be the co-chair
    Roseann Guttierrez [00:05:11]: That's a perfect lead in.
    Mark Mastrangeli [00:05:12]: Yeah.
    Roseann Guttierrez [00:05:13]: Give me your elevator pitch on the OCA.
    Mark Mastrangeli [00:05:17]: You know, so I think our marketing elevator pitch is, you know, we want to build an ecosystem of ecosystems. We wanna develop tooling, code, projects, and things that increase the value of existing tools to help organizations stitch together things that they already own. And if you take that as far as it can go, our goal as OCA is to really develop a reference architecture for, you know, any organization that wants to do as much with open source and standards as possible. I think somebody in marketing could put that more succinctly, but, you know, I think that's our goal, is to take all of the great work that's out there. There's a whole bunch of disparate standards that exist, you know, whether it's a schema for some logging format. STIX is a great example of something that, you know, gives us a great standard schema by which we can communicate and share information. How do we take that forward, and how do we continue to evolve those things, and how do we stitch these things together so that they're more interoperable? So that's really
    Mark Mastrangeli [00:06:23]: You know, been our mission.
    Roseann Guttierrez [00:06:25]: Why is OCA important to you?
    Mark Mastrangeli [00:06:23]: I believe deeply. You know, I think part of it is growing up at McAfee. McAfee had this open philosophy, be it our central management console, ePO. ePolicy Orchestrator was very open. We had great SDKs where, really, anybody could build an extension to that management platform and manage their things. We had customers managing Symantec through ePolicy Orchestrator back in the day. And then Open DXL.
    Mark Mastrangeli [00:06:55]: And I love systems design. That was a lot of what I did in undergrad. I love complexity and trying to control that complexity. So I think there's a ton of that in cybersecurity, and cybersecurity is the ultimate team sport. Like, literally, we all acknowledge that no one can do this alone. There's never gonna be a single vendor solution to cover everything. And so I really believe philosophically that the right thing to do for organizations, and to combat the adversaries that are out there, is to work together. And so sometimes that means, you know, I work for a big vendor.
    Mark Mastrangeli [00:07:32]: You know, Palo arguably is one of the largest dedicated cybersecurity companies on the planet these days. And, you know, we do a lot of things that are proprietary, but, ultimately, like, we have to interoperate. We have to share data, you know, with all of these other tools. That is a constant challenge for organizations. I mean, every organization I talk to, they've got, you know, 25 to 35 or more, you know, different cybersecurity solutions. They're struggling with data, and they spend an inordinate amount of time just managing the technology versus, you know, I think, doing security. You know, we know that there's a talent shortage, etcetera. And so Right.
    Mark Mastrangeli [00:08:14]: I think it's the right thing to do. Like, that's why I'm passionate about it. That's why I've, you know, stayed involved even though, you know, today, it's not directly related to my day job. I think it's a worthy mission.
    Roseann Guttierrez [00:08:25]: Yeah. Agree. Yeah. Totally. That's why I'm here too.
    Mark Mastrangeli [00:08:28]: Yeah. Yeah.
    Roseann Guttierrez [00:08:29]: Alright. So what about this past year for 2023? What highlights did we have for OCA?
    Mark Mastrangeli [00:08:35]: Two new projects that came to fruition in 2023. One is the OXA, so the Open XDR Architecture. And, you know, who knows? We might rename that at some point because I think XDR is an overused term. But the goal of that project is to take all of these different open source projects and really put it all on the table. You know, it's kind of Apollo 13. We've got all these different pieces. How do we build this thing out of it? And identify the gaps. Identify the glue in between these pieces so that we can develop that, and then provide that out to the community so that they can, you know, more effectively stitch these things together.
    Mark Mastrangeli [00:09:20]: We at OCA are never going to be the ones that have all of the projects, all of the standards inside and under our umbrella. You know? So we wanna build the glue and really help drive these things forward so that it's more consumable. I think that's a really great project that's r

    17 min
  4. 02/14/2024

    Kestrel as a Service (KaaS) - Nov 2023

    Roseann Guttierrez [00:00:00]: Our guest, Kenneth Peoples. He is a principal cybersecurity architect for Red Hat, and we're gonna ask him some questions about Kestrel as a service. Kenneth, I'm gonna let you actually start and kinda give a, a quick, you know, bio. Kenneth Peeples [00:00:14]: Sure. Absolutely. Thank you. Glad to be here with everybody. I was really looking forward to, sharing the Kestrel as a service project. So I'm a Red Hat cybersecurity architect. I've been working, mainly department of defense for a number of years And help the government with, security issues to help them solve problems. Kenneth Peeples [00:00:43]: So I, go on-site help in these DOD projects. I started my doctorate 2 years ago At Colorado State University, and I'm in the doctorate of engineering program, which means I have a practicum or a project, and then I have my dissertation. And so the Kestrel as a service is part of my practicum. I also do some, work on some other projects and internal initiatives For Red Hat as well. Roseann Guttierrez [00:01:22]: Awesome. Well, thank you so much. I I really, really appreciate you taking the time to talk with us today. My first Question for you is give me your elevator pitch on Kestrel as a service. Kenneth Peeples [00:01:33]: Yeah. So I am really excited about the project. I think it is filling in some gaps that we've identified, and I've been working with Open Cybersecurity Alliance to get the subproject going, working with folks like Shu and Claudia, and I just really enjoyed putting this platform together. So the elevator pitch is how can I build a platform For crowd hunting, for threat collaboration with a threat hunting team, and, that's where Kestrel as a service comes in. There are many components. 
I'm just gonna list a couple, and we can dive into into those as As we move forward in this session, but we've created a Dockerfile that has the Kestrel language and runtime, OpenC2, STIX shifter, all those for a, threat hunting container. That is riding on Kubernetes, which is the container platform and managed by JupyterHub for the notebook sharing, also, we're using Ansible Core for automation to do the deployment, along with VirtualBox Vagrant. And so those are are different components To build infrastructure platform as a service and software as a service. And so we have Examples to build the virtual machines, which is the, infrastructure as a service And using either Ubuntu or Red Hat. Kenneth Peeples [00:03:29]: And then on top of the virtual machines, whether it's A single node minikube or a multinode cluster. Then we put JupyterHub on top of it and Integrate Keycloak with authentication so that users sign in. And if it's a, shared project, Then others can sign in to that project and share, snippets of code, share the, notebook that has the threat hunting flows and steps in it. And so the whole target of Kestrel as a service is to be able to speed up, crowd hunting. Roseann Guttierrez [00:04:17]: Okay. Kenneth Peeples [00:04:17]: And sometimes Roseann Guttierrez [00:04:20]: Go ahead. Sorry. Kenneth Peeples [00:04:21]: Yeah. And I was just gonna say, we've talked more as we get into what's important, in some of these pieces. But With doing the crowd hunting, a team threat hunting platform, the outcome Should be improved mean time to detect. Roseann Guttierrez [00:04:40]: Gotcha. Okay. So basically, it's taking Kestrel that someone would load, like, locally and work on by themselves, right, and then providing a vehicle to have multiple people kind of touch it and then and work on it together, essentially. Yeah. Okay. Alright. So why is this project important to you? 
I mean, I know, yeah, it's It's part of your dissertation, but I did, take a sneak peek at your GitHub. And I looked at the very, very bottom, and there's kind of a dedication there. Kenneth Peeples [00:05:14]: Yeah. I'm glad you saw that. So, a couple answers to that question, why it's important to me. The, the first part of that is my parents, and that's the dedication that you mentioned. My parents have always been in IT. And if you look at all the old pictures of the magnetic tapes, The size of the original disk drives and and so forth. When I was, you know, elementary Elementary school age, I would go to the computer rooms, and they would have the raised floors. They would have all the lights On the console, the magnetic tapes going in background. Kenneth Peeples [00:05:59]: They would have the punch cards. If everybody remembers the punch cards, but you don't wanna drop the Punch cards. Roseann Guttierrez [00:06:07]: No. Kenneth Peeples [00:06:07]: And and so, you know, my parents were always And still are an inspiration to me of, you know, work and and family. And so, I have a passion for security, and I, came across Kestrel, I started talking with Shu, and I thought this was, great for me to work on Personally, for that passion, of security plus, my hope is The cyber incidents that continue to occur, there's an additional solution that people can use to minimize the impact of those incidents. Roseann Guttierrez [00:06:57]: Nice. Nice. Yes. Passionate. That's that's good. That that's why we have you here, right, as a contributor Yeah. Yeah. To kinda give an example of, you know, what some people are working on. Roseann Guttierrez [00:07:07]: So that's awesome. Alright. Last question. Everybody needs help. Right? All the projects, they always need help. Where could you use some help, and what are some ideas for how people might help you? Kenneth Peeples [00:07:18]: Yeah. And I appreciate that question. 
And I think it goes to all of open cybersecurity alliance to me in that, You know, generally, at the high level, the open source communities, they can't succeed without having Those that wanna collaborate and commit and give back, not just using a project, but getting involved in the project and helping it move forward. It's very important. So for me, with Kestrel as a service, as I mentioned before, there's a lot of different components that are involved. It's a a platform. And so there are several places where I could use help. One is building out the best ways to deploy the platform. Right now, Kenneth Peeples [00:08:11]: I have minikube in a full cluster, but there's that's Kubernetes. But there are other container platforms that it would be nice to get it onto and and tested. So that goes to the code, Creation and testing of the infrastructures code, the example, hunt books That would be a help to have more of those. I've started attending conferences and talking about Kestrel as a service. That also means I'm talking about Kestrel, talking about, STIX shifter, talking about OpenC2, These other components that are in there too. So I'm trying to get more of the word out to get help to make this a great Crowd Hunt tool. And so one of the other pieces that's coming up, hopefully, this end of this month, I wrote an article for the Red Hat Research Quarterly, and I hope that we'll get more of the word out and and share, Open Cybersecurity Alliance and share Kestrel as a service. And so that should be published soon. Kenneth Peeples [00:09:27]: And If you look at the repository, there is a set of steps To go through, to stand up the environment on the single node Kubernetes, the the minikube. And so it would be great To have help there. But I would say to get people started, because we do want people to participate in OCA and Kestrel as a service and the other components I mentioned. There's the repositories in GitHub. 
I know organizations can become the OCA sponsors. Mine falls under, IBM. So I know OCA is always looking for more organizations there to help, And there's the the OCA project governance board. But there is for Kestrel as a service specifically. Kenneth Peeples [00:10:26]: There's the Slack channel. So if you wanna get involved, getting on the Slack channel and pinging me or any of the others is Always a help. There's the website, opencybersecurityalliance.org, and then there's the GitHub. Roseann Guttierrez [00:10:42]: Nice

    12 min
  5. 02/14/2024

    Open XDR Architecture (OXA) - July 2023

    Roseann Guttierrez [00:00:00]: Our guest is David Bizeul. I hope I said that correctly. He is the cofounder and chief scientific officer of Sekoia.io. He actually is here representing our open XDR architecture or, OXA sub project, I believe that's how we're saying it. David, you wanna say hi? David Bizeul [00:00:19]: Yeah. Hi, everyone. It's a pleasure to be with you today. Roseann Guttierrez [00:00:22]: Thank you. I'm so excited to talk to you. I know that this is a new project and so lots of good stuff is happening. You wanna give me your elevator pitch for what Open XDR architecture is? David Bizeul [00:00:35]: What you what you need to know is that, in Sekoia, we provide a sub platform. That means we we provide a solution that can be used to upgrade the SOC Whether it is, in a large company or MSSP. The OXA project is rough. As in Sekoia, we have we have a long story of working with the community. That that's why we had in mind, we imagined, Let's say to have this initiative to be hosted in the OCA, in order to to make something global and, to make an initiative that Could be shared, and, also brainstormed, by, by the industry. When I I looked at the OCA line, we are making standard based interoperable Cybersecurity reality. I really thought that it it would also make sense, for this OXA sub project. Roseann Guttierrez [00:01:24]: Awesome. David Bizeul [00:01:25]: So Open XDR architecture, just basically, you might know what is the, our current environment on IT technology. We have a lot of assets On the left part of the slide, so that mean computers, that mean, physical assets, that mean, virtual assets, etcetera. These assets are managed or observed by a lot of technologies. Some of them are security technologies, And these security technologies can generate data, alerts, events, etcetera. 
And these, alerts must, let's say, be, It's consumed, handled by, either a specific correlation solution or even, people That we'll need, let's say, to to do with that and to interpret this data into something that makes sense. When the XDR extended detection and response, arrived on the on the market. This was several years ago. The approach was really to make something, easier for the for the community. David Bizeul [00:02:23]: That means to have some things that can interpret, data globally, Whether, it's it it comes, let's say, from an endpoint or from a network technology or network source or even to cloud based cloud based solution, All these kind of assets should be interpreted, in the XDR platform. And the XDR is supposed to be able to Speak, with this technology in order to provide, answers, in order to provide orders, to execute some actions, and to execute some responses Into corporate environment of a specific customer. And another part of the XDR is also, let's say, to change the approach in the way Previously, SIEM used, let's say, to create scenarios to detect, what were supposed to be, to be the risk, into a company. XDR changed that, in order to detect threats, and to detect what is really known, what is really, sure today to be defined as a threat. And maybe the last the last point and the last premise of the XDR was to, to provide high value, added tasks to the users, to the the customers. The point is that, what are these high value added tasks? And on these 3 highlighted blocks, global response, CTI, and high value task, I think today we do not have this, a correct, a great solution wherever you look on the market, whatever the solution is, you have none of them, which can Provide all this kind of, let's say, correct solution. 
If you think about what could be, the solution About, on this, these different highlighted blocks, we can think about, what we have today in terms of standards, in terms of specific norms that could be used, let's say, to leverage part of the problem. For the ingestion aspect, we have different solutions such as ECS, OCSF, that exist and that can help, let's say, to standardize what the product can, can generate as data, data formats to be understood as a simple a single as as something that can be interpreted by a central point. David Bizeul [00:04:36]: The same way we can automate, let's say, specific orders using OpenC2. OpenC2 would be used, let's say, could be used, Let's say to, provide, to transform generic orders into specific actions that can be done, on a specific technology. In terms of CTI, we all know about STIX, which, tends to be mainstream today on that street. But STIX might not be used enough, in that in our technology community and should be disseminated more, let's say, from, the STIX sources that already do that, but have, let's say, are are done, let's say, to each Specific technologies that are involved into the production of the customer or customer environment. And the last point is about orchestration. And today, we have a lot of things that tends to be real, using CACAO playbooks. And I'm sure that, by ferriting the community, we could create a very collective and interesting repository of what are the best practices in terms of security, strategies, to be, to be handled and distributed into a specific, let's say, a piloting tower, in order to Orchestrate what would be the best practices for your your security. A global API would also make sense, in order to provide registration and commands to the different technologies in order to claim, okay, I'm here, I'm the new technology, installed in this customer environment. 
David Bizeul [00:06:08]: I can do this kind of thing and dip at this kind of thing so I can consume this kind of event or this specific part of your CTI. When you mix all these different, things together, it leads, to what is the proposal of this OpenXDR architecture sub project. It's a stack of 4 different blocks. The point is to improve inbound and outbound interoperability, is to create, let's say, an open API that will make sense, let's say, to create basic interaction between technologies and a central point, to provide a way to disseminate threat intel, directly to the machine I mean, to the security technologies Installed, into, a customer environment. Roseann Guttierrez [00:06:59]: Based on everything you've been telling us, why is this project important to you? David Bizeul [00:06:07]: I can see 3 reasons, for that. The first one is that I really believe that, resource expert resources should be preserved. I want to avoid resource, exhaustion, And expert time should be preserved, and development developer time technical developer time should be preserved too. Today, in our environment, you need to do integration in every technology, and each solution has to do the integration with the rest of the world. This is this is a real nonsense. The goal of OXA sub project is to create a repository, in order to, let's say, to to create a a global mapping into You decide you you say what you do in terms of your specificities as a technology vendor, And you map it, with, some things that can be then absorbed by other technology vendors. This way, as a job, is only done once Instead of being done instead of being being done multiple times by everyone. This is the first part of the answer. David Bizeul [00:08:10]: The second one would be, let's say, to to place the technology ownership on the vendor side. 
Today, we have Very interesting start ups which can do great job, but until they are integrated into major major vendors, major, Let's say XDR solution, they won't be, it won't be it won't be possible, let's say, to use them correctly from users until they are correctly integrated. What I want to do is this way is that you replace the technology ownership on the vendor side. They will create their own mapping. And this way, as soon as they are plugged Into a the environment that can they can, the customer can leverage all the, let's say, some, the set of features that are available in this technology. And the last the last point is really probably, and the most important is to raise the bar, against attack Using CTI dis dissemination. If we allow the possibility, let's say, to translate what is generally Managed by a security team, having access to CTI down, let's say, to the security product installed into, the customer environment, You allow this security product, let's say, to, to to detect better and faster, what specific threats they could have to deal with And then to provide feedbacks, let's say, to the Observation Point, the XDR platform to say, okay. I have seen this, in my in my environment, and this should be investigated. David Bizeul [00:09:43]: So this is all the 3 aspects, resource exhaustion, technology ownership, and, To to elevate the the protection on customer side. Roseann Guttierrez [00:09:51]: Nice. Yeah. All very important points because I know, when I was on a SOC, You don't wanna spend your time creating integrations. Right? You wanna do the work, that's why you're there, so, yeah, makes sense. So, like I said, I know this is a new project for you. Where can you it's probably a loaded question. Where can you use help? David Bizeul [00:10:09]: Mm-mm. Roseann Guttierrez [00:10:11]: Yes. David Bizeul [00:09:42]: Well, At at the end, at the end, the project will be a success if if it's used by, if it's used by security vendors. 
If if I make a power a parallel, you all remember, Neo learning how to pilot an helicopter in Matrix. What I would love, is, let's say, the security industry to to do the same, to have the ability to do the same. That mean with a simple command such as, PIP install, OXA integration, product x y z, you get The knowledge, let's say, to speak and to interact with this project project x y z. This is exactly the same. With just a simple, Single repository, you get access to the ability to interact with 1 security product that is defined. Doing so, you can understand what's this security product can tell you whether it is, I don't know, somethin

    14 min
  6. 02/14/2024

    Cybersecurity Automation Sub Project (CASP) and Village - June 2023

    Roseann Guttierrez [00:00:00]: Our guest is Duncan Sparrell. He is, I love the title, chief cyber curmudgeon. That's a great title. Of, sFractal Consulting LLC. He is an OASIS board member and is also a cochair of the cybersecurity automation subproject. Duncan, Welcome. I hope I didn't, shortchange you on the intro. Do you have anything you wanna add to that? Duncan Sparrell [00:00:21]: Nope. It sounds good. I'm a lot of other things too, but that's what matters to this talk. Roseann Guttierrez [00:00:26]: Aren't we all? Alright, mister Duncan. So as I said, welcome. I really appreciate you being here today, giving us a little bit of your time. My first question for you is to give me an elevator pitch on the CASP project. Duncan Sparrell [00:00:41]: Alrighty. Well, let me start out with, one of its purposes in life is something called the cybersecurity automation village, Which we had one last week. So I'll I'll just give you some context of how CASP works into the bigger, OCA and then what it produces as output, which is the Village. You're here at the OCA Connect, so hopefully you already know what OCA is. But just as a reminder to everybody, The Open Cybersecurity Alliance is literally a screenshot right off the home page. It's for building an open ecosystem where cybersecurity Products interoperate without the need for customized integration. So that that interoperate is a really keyword. And one of the subprojects of the OCA is the CASP subproject or the cybersecurity automation subproject. Duncan Sparrell [00:01:25]: So that interoperate, that's part of the bigger OCA picture needs to have things talk to each other. And if they could talk to each other, automatically automagically, then they would be much more efficient. And so why why do we why do we wanna do that? 
Well, we wanna we wanna sort of get our actual products talking to each other, That's why we hold this thing called the cybersecurity automation village, which is where we get these projects actually interacting. Now why, yes, the elevator pitch, why do we even have this stuff at the first place? Well, we have this large set of acronym soup that we're gonna be talking about and explaining at least some of them. And so one of the reasons is just so everybody knows what the acronym stand for and everybody knows each other's project. But the real issue is because it it actually saves money. Okay. And the way it saves the end customer money, you apply the sort of risk principles. Duncan Sparrell [00:02:16]: Why do we do cybersecurity? I'm big into quantitative risk. This would be a whole talk of its own. But to apply those principles, you need some data and some work done by the Johns Hopkins University applied physics lab. The sort of punch line of this talk from years ago is it's a two order of magnitude sooner you kick the hackers out of your system. So if you do this automation stuff that we'll be talking about, you can kick hackers out of your system in hours instead of weeks. And that's the if you want the sort of one sentence punch word of why do we do this automation? Why do we have this subproject? It's because we want the stuff to interoperate automatically so we can kick hackers out quicker. Roseann Guttierrez [00:02:56]: Absolutely. Alright. Well, that leads me to my second question. So why is this important to you? Duncan Sparrell [00:02:54]: So I retired about 10 years ago. I retired as AT&T's chief security architect, and I had a fairly big budget. A lot of people reported to me. We did a lot of really important work. We really moved cybersecurity forward a lot, but we were operating in in human speed. And I retired and had a very good career, and and I was bored and needed something to do. 
So I got very involved in cybersecurity standards and in particular, the standards of, cybersecurity automation, because I think they really will make the world a safer place. So it's important to me because I really want this stuff to succeed because the hackers traditionally have been winning, and I want the defenders to win. Roseann Guttierrez [00:03:40]: Don't we all? Absolutely. Yes. Alright. Well, like you said, earlier, I know you said that, you had your very 1st CASP workshop. I know you've had workshops in the past, but as as the the subproject. So why don't you tell me a little bit about, you know, highlights for what happened last week? Duncan Sparrell [00:03:57]: Alright. Well, you know, as I sort of mentioned, the reason we're doing this is to is to save the end consumer money. And the other reason we have the village is sorta to get the different things to interoperate, and I'll talk a little bit more about that. But, of course, the other reason we get together is so that we can hand out stickers. One important really important aspect of the of the meeting was that we, we did actually have cybersecurity automation villages stickers, and, of course, we had Open Cybersecurity Alliance stick stickers. But we had, basically, a 4 hours. It was, out at the University of Southern California. We started at 10:30 in the morning, ended up at 4 PM, eastern or, I'm sorry, Pacific. Duncan Sparrell [00:04:35]: And it was, you know, streamed, so it went around the world, and we had people from around the world there. We had people, I think, from 4 continents. We have about 40 people overall, about 15 and 15 to 20 of them in the room. We covered a lot of the alphabet soup that we'll we'll talk about. Again, the main purpose was to get these various projects interoperating with each other, and we got a lot of them, to do that. 
I can go into it, in sort of a whole lot more detail, but the sort of really big picture was we we want to try and tie this together from sort of the end enterprise viewpoint. What what's the value to them? The value to them is To save money on actual real life use cases. So we created this use case. Duncan Sparrell [00:05:18]: Some people give us grief for the word use case maybe scenario would be a better word because once you get into the details, it's a use case, but it's a very big picture. It's more of the common english, A case where you use this stuff, and the one that we picked was a made up one that we made called the witchy watchee ransomware. So so, we broke it down into a A 6 day on 6 different days, 6 things happened related to this new invented, fake ransomware we did. And we played around, and some of this is funny and and meant to be you know, sort of bring a smile to people's face on, like, Murphy's Law. The law firm's name is Murphy's Law, stuff like that but, the and the the funny US government agency we made up was the NSA, ANSA. But but real important thing is it's actually pretty serious stuff, and and so we we, but we got together, and we had a good time doing it. But the, the 6 days start out with basically a zero day ransomware attack on a law firm. Duncan Sparrell [00:06:17]: They move on through sort of the the day 2 where somebody else gets attacked but takes advantage of the learnings from the 1st day. Day 3, where you sort of do some preventative action, prevent yourself from even getting hacked in the 1st place. Day 4, government agencies have some certain rules they have to follow, like comply to connect, and it sort of works into that. Day 5, we go out and arrest all the the hackers involved. And day 6, we can neither confirm or deny whether the US and, allied partners go in and remove foreign nation state assets involved in the in the attack. 
And that's again, just sort of, we we try and be a little bit funny while we do it, but we actually took a very lot of actual, looking sort of process the the details of day 1. I'm not gonna read through all this, but the, the actual way we did it when we met last week was we we actually worked out real life scenarios where all those different, open, technologies were used and interactions and actual real life data was was past in some of those, sort of down at the bottom, the little symbols there, the gears, the human, and the hand are, some of it was done with actual machine to machine APIs and real life data. Some of it was done with human to machine interactions. Duncan Sparrell [00:07:32]: Again, we wanna automate, so we want this stuff to be at speed, so we prefer the human to be on the loop as opposed to in the loop, but sometimes they have to be in the loop. And then because not everything always works and because we're not, know, perfect and have everything as much as we'd like. There's a certain amount of hand waving involved, and we got into the details of that. We sort of work through each day in which technologies went through each, Worked in these various things. Sometimes more hand waving was involved than others. And then the sort of summary was that we had an awful lot of technologies that actually talked a lot, to each other with actual machine to machine interfaces, sometimes with human to machine interfaces, and sometimes with hand waving. We had a lot of companies involved, but actual companies who brought what we call sweat equity to the table and had their stuff talk to other stuff is that sort of a string across the bottom. So, Overall, a very successful event. Duncan Sparrell [00:08:19]: That's sort of the the very high level summary. Roseann Guttierrez [00:08:23]: That's awesome. So how often do you plan on, having your meetings? Roseann Guttierrez [00:08:28]: Do you already have a set schedule for your meetings? 
Duncan Sparrell [00:07:31]: So, again, distinguishing between CASP, which is the group of people trying to make all this stuff work, and The Village, which is where we have a wider event, invite outsiders to come watch us, and hopefully get even more people involved. CASP meets twice a month. We meet at 11 AM on the first I keep my day straight up here. Monday of the month and 4 PM EST on 3rd. And the reason we do that time time switches because we do have people

    11 min
  7. 02/14/2024

    Kestrel - May 2023

    Roseann Guttierrez [00:00:00]: Our featured guest, Xiaokui Shu, he is a senior research scientist from IBM. He is our OCA technical steering committee, chair, one of them, and then also will be talking to us today about the Kestrel subproject. So, Xiaokui, have I missed anything as far as your intro? Xiaokui Shu [00:00:17]: It's really nice. You do not miss anything. Roseann Guttierrez [00:00:20]: Okay. I just wanna make sure. Well, welcome. Thank you very much for being here today. My first question for you is, basically, give me an elevator pitch on what Kestrel is. Xiaokui Shu [00:00:31]: Kestrel is a threat hunting language that we invented, to accelerate the procedure of hunt for threat hunters. That's the main goal of Kestrel. Yeah. Roseann Guttierrez [00:00:48]: Alright. Alright, and what makes the subproject important to you? Xiaokui Shu [00:00:54]: This is really exciting project. Actually, we started planning for it, maybe 6 years ago. So when we were in a DARPA program called transparent computing and in that program, DARPA tried to set up environment to collect as much data as possible. So that's really big data security, much bigger data than what we currently have now in the commercial systems. And we were given a task that what can we do with such amount or big amount of data? And can we do better detection? Can we do better, attributing, attacks. Can we do better, kind of mitigation? Can we do better even recovering from things? So at that time, given the large amount of data we can play with, we invented something, called τ-calculus. It's another language, which is kind of a the the essence of graph computation that Kestrel takes. Xiaokui Shu [00:01:53]: So, we invented the language and a paradigm of detection that use graph computation to do cybersecurity. 
And that is the first time that, we introduce it, to the society, and we published a top tier conference paper on this, to introduce the the society about the idea How people can use a form of graph commutation and to achieve their cybersecurity goals, such as doing threat detection and things. As I mentioned, we did a language at a time to, prototype the idea, to make it into something actionable. So the language was called τ-calculus, and that was a big success in the DARPA program. And, we were leading the school board about detection all the time Throughout the years. So we were very excited during the 4 years of the program. And then after program, we thought, Why not to put something into more open source side so that the entire world can benefit from what we invented. So Roseann Guttierrez [00:03:06]: Right. Xiaokui Shu [00:03:05]: That's where we started. So IBM Research started to reach out to IBM Security and, to connect to real world Infrastructure, applications, datasets, and how can we consume everything. And we started to design Kestrel at the time. So it it's it's a little bit long story, but, it's a very exciting thing that, started many years ago, 6 years ago, 6 or 7. Roseann Guttierrez [00:03:34]: Yeah. I I had no idea of that background, so that that's awesome. Where do you think the Kestrel project needs assistance? Where do you think it needs help? Xiaokui Shu [00:03:43]: Yeah. We we need help everywhere. So this is a very, very young project. So Kestrel was announced 2 years ago at RSA conference. And, 2 year is a very a fairly short amount of time for open source project. We are struggling putting things into our formal ways, such as to have a formal unit test for the projects and has, very formal documentation, so to get it easy for people to consume, make it formal to have it, kind of videos and labs for people to play with it and also try to kind of bump up the quality of the code while we try to formalize about things. 
The basic idea the fundamental idea is there, but there are so many things that, we need to work out during the the years and try to get it more easily consumed by people, and we still need a lot of help on the code side, on documentation side, on the, use case side. Now after about 2 year time, we are very lucky that we get a lot of attractions and interest, and people are trying to use this in their real world kind of a daily job of the hunt. Xiaokui Shu [00:04:59]: And, we were getting feedback from a lot of hunters and also getting feedback from the development team or deployment team that, what type of thing that we may help them to better deploy Kestrel for large, kind of EDUs. But we we see a kind of a lack of, things like, some of the front end development, some of the back end, improvement and things. Lots of things that we we need help, yes. Roseann Guttierrez [00:05:27]: Okay. Alright. And last question: when are your meetings? So people know when they can jump in and talk to y'all. Xiaokui Shu [00:05:35]: Okay. So, for Kestrel, currently, we do not have, kind of a periodic meeting that we have a spare time for that because we found it we already have so many meetings for people. So that's, usually, we encourage people to join the Slack channel and to chat there for their questions and schedule, meetings when there is a need. So that's the thing that when we have maybe a topic that several people are interested, and we will schedule a meeting for that, like, more like a discussion or kind of, a a temporary meeting for that topic. And when the topic gets more formalized, and we want to keep developments and maybe some other things on around it. We put it into more periodic meetings. Give you some examples. Xiaokui Shu [00:06:25]: In the last couple of months, we have meetings with people from OpenC2 community, to co-develop, OpenC2 or character profile for hunting that is actually what Kestrel supports. 
And, also, we have meetings with students from different universities to give them guidelines how can they contribute into the Kestrel project and give them, some technical help, when the students started. And they they may not have a strong cybersecurity background and things. And we also have meetings with senior students and graduate students in universities and give them ideas about the general background of Kestrel and the connection to different projects so that we can do research on the academic side about different hunting strategies and hunting paradigms and try to connect different project and try to make connections and also do evaluations on different things. So once things get for kind of, stretched, for example, the first one, the OpenC2 and the Kestrel meetings, we set up biweekly periodic meeting for that. So that turns into a very formal meeting after the Roseann Guttierrez [00:07:38]: Right. Xiaokui Shu [00:07:38]: first few touches. We are doing Subclassification of the standards as well as the prototyping so that we are targeting, a show in one of the OCA sub projects in June this year. A lot of exciting things are happening, and, if someone is interested in Kestrel and wants to, chat more about it, want to ask questions. So the first stop, I will say, is go to a Slack channel, OCA Slack Space, and there is a Kestrel channel. You can ask questions. And when we gather interest around the topic, we will create meetings for that. That's the current flow we have. Roseann Guttierrez [00:08:19]: Great. That's great. Well, thank you so much. I really appreciate your time today and to come in and answer all of our questions. Thank you for being here. Xiaokui Shu [00:08:28]: Thank you.

    9 min
  8. 02/13/2024

    RSA 2023 USA Teaser - April 2023

    Roseann Guttierrez [00:00:00]: We have a great guest today. We have Jason Keirstead, also known as JK, more likely known as JK, I should say. He is a distinguished engineer with, IBM, also, the CTO of Threat Management and is an OCA co-chair. Hi, Jason. How are you doing today? Jason Keirstead [00:00:15]: Hey, Rose. Great to talk to you today. Roseann Guttierrez [00:00:18]: Did you have any other things that you wanted to add to your intro before we get started? Jason Keirstead [00:00:23]: No. Roseann Guttierrez [00:00:25]: The okay. No problem. I always like to give everybody a chance. Jason Keirstead [00:00:29]: No, I mean, I'm co-chair of the OCA, I helped found the organization a couple of years ago. My day job is CTO of threat at IBM, as you mentioned. I do, I'm kind of the open security focal for for IBM Security. So in addition to the stuff at the OCA and Oasis, I'm involved in things at FIRST and MITRE and OpenSSF and a bunch of other, open activities as well. Roseann Guttierrez [00:00:57]: So I'm gonna start off real easy. Give me your elevator pitch on the OCA. Jason Keirstead [00:00:56]: Well, okay, elevator pitch. The OCA we founded back in 2019 to address the problem of interoperability in cybersecurity. And what kind of led myself and the others who cofounded it to this point was We were seeing that, you know, there's a lot of great work going on in standards, and there was a lot of folks that were looking to adopt standards. But the standards didn't seem to be really moving the needle in terms of getting things to just kind of work out of the box. And the other trend that, I saw, was that in the industry, because we don't have common ways to create what I call the connective tissue of cybersecurity. Every vendor was building their own set of integrations to every other vendor. So Right. You know, to explain this a little bit more detail, cybersecurity, you know, a lot of us say it's it's like a team sport. 
Jason Keirstead [00:02:02]: There's no one company that can solve cybersecurity for an enterprise. All everybody who's trying to solve the problem of cybersecurity has to deal with many vendors. And, you know, our our data at IBM shows that people tend to have, on average, 15 or more different vendors protecting their SOC. So imagine you have 15 different products, and you're trying to get them all to communicate to each other. Now put yourself in the shoes of the people that actually build those products. Right. So you've got 15 different companies, every one of them having to work with the 100 other companies in the industry and try to do that multiplication. Right? You've got a 100 companies building a 100 integrations to a 100 other companies. Jason Keirstead [00:02:41]: It's this giant spider web of madness. Right? Roseann Guttierrez [00:02:02]: Yes, for sure. Jason Keirstead [00:02:45]: And imagine how much money the collective industry is spending on all of those integrations, all the engineering time, all the testing, all the support, or blah blah blah. And none of that is really moving the needle in helping defend against threat actors. It's just work that has to be done. The OCA was founded to try to push things and assist in doing things in a better way. Where can we build these integrations in the open and let many different companies and communities all collaborate around them and share the source code for them so that we can over time reduce that cost of integration and, you know, hopefully, eventually get to a point where we don't have to have all of these different one off integrations that people can just, you know, collaborate around one common way to integrate, one common messaging fabric, one common source code library, etcetera.
So the if you look at the projects in the OCA, all of them are kind of lined up to that mission of how do we improve interoperability, improve data transfer, reduce the friction, reduce the cost of integration, etcetera, just sharing his insights and up level things. So that's that's the elevator pitch to the spiel. Jason Keirstead [00:04:00]: So if you're a defender Right? So if you're a defender, if you're a large company trying to protect yourself, the benefits of the OCA are, you know, reducing vendor lock in, being able to move your, insights from 1 product to another, being able to see more things. Right? Because the more information you can share between your products at the higher fidelity, the more you can, detect. Right? So see things that you might otherwise miss. And if you're a vendor, or, the the pitch is why spend all of these millions of dollars building integrations when other people have already done the work for you. Right? So it's literally saving that engineering time. So there are benefits both for vendors as well as the consumers, and it's kind of a different pitch for each of them, though. Roseann Guttierrez [00:04:50]: So that's a perfect lead up to my next question, though. So why is OCA important to you? Jason Keirstead [00:04:56]: Well, yeah, I mean that I did yeah. I guess I kinda covered it a little bit, but I mean the reason it's important to me is because I'm passionate about this whole idea of open security and collective defense. Right? I think that as folks that work in this industry, that work in cybersecurity, we, I hate to say the word moral obligation, but, like, you know, we we should be trying to think about how we can work more closely together to help our customers improve their defense and help society improve its defense against these threat actors that are, you know, tearing things apart at the seams nonstop day after day. Roseann Guttierrez [00:05:41]: Yeah.
Jason Keirstead [00:05:42]: You know, in my job, I I deal with a lot of Fortune 500 companies, and, you know, it it's frustrating when we, you know, talk to a client, and you hear that client talk about one of their major cybersecurity challenges. Then you talk to another client the next day, and they're literally describing word for word almost exactly the same thing that you heard about the day before. And, you know, you can't necessarily connect those dots because of confidentiality and and, you know, having to, you know, you you can't necessarily connect those dots to those people saying, hey. You know, the person this other person you just talked to him because you're working on the exact same problem. Why don't you work on it together? That's not really our place. What I'm trying to say is in the industry, we need to realize that this is happening day in and day out. Like, there is no one who should be going this alone. I think that, you know, I say all the time that we've made a lot of progress in cybersecurity and sharing threat intelligence over the years, and and that took a long time. Jason Keirstead [00:06:50]: It took a long time to get to the point that people were more comfortable both sharing and consuming threat intelligence. And we're finally getting to that point, but we're still years and years lagging behind in collaborating around detections. Roseann Guttierrez [00:07:02]: Right. Jason Keirstead [00:07:02]: Sharing the detections for the threats, the analytics for the threats. And part of that part of the reason is because the interoperability isn't there. Part of it is just because people don't know that they could collaborate. Part of it, there's also this idea of holding the cards to the chest around, if I share about how I'm detecting this threat, then the adversaries will know that, the adversaries will know that I know how they operate. Right? Roseann Guttierrez [00:07:31]: Right.
Jason Keirstead [00:07:32]: And there's this Roseann Guttierrez [00:07:33]: Don't wanna give away too much information. Yeah. Jason Keirstead [00:07:31]: Yeah. But in in my opinion, we lean way too far on that side of the equation, and we've just gotta be a lot more aggressive about sharing and collaborating more because it's the only way that we can counter this. Like, right now, everything in this industry is so incredibly inefficient compared to other parts of information technology. It is incredibly inefficient. Right? And that's what, that's what we're trying to help with the OCA is improve that efficiency. Roseann Guttierrez [00:08:03]: Makes sense. Makes sense. We're gonna be at RSA, right, the OCA, and I understand that we're having a breakfast. You wanna tell me a little bit more about that? Jason Keirstead [00:08:03]: Yeah. I'm excited about this. So it's kind of, let's say, the sequel. We ran a successful OCA breakfast event last year and had a lot of people come out, you know, some people who didn't weren't familiar with the organization, a lot of excitement about what we were doing this year so it was very successful. We decided to do it again this year. It's going to be at, the W Hotel, which is, strategically located right across the street basically from Moscone. So if you're if you are going down to RSA events that morning, it's really close by. We're gonna be, you know, having some great food and just talking about what we're doing in the OCA. Jason Keirstead [00:08:49]: So give some status updates on the existing projects as well as announcing, let's say announcing, pseudo announcing a couple of exciting new initiatives, right, that that are going on right now. Roseann Guttierrez [00:09:00]: That sounds exciting. Jason Keirstead [00:09:02]: It it is. So if you're attending RSA and you're watching this video, registrations are picking up, and there's only a certain number of seats. So once it fills up, it'll fill up.
You know, looking very forward to that event and and seeing folks come out. Roseann Guttierrez [00:09:17]: Great. Alright. Well, that actually kind of answered my last question because I was gonna ask you to give us kind of a teaser on the new initiatives, which you did. Did you have anything else that you wanted

    11 min
  9. 01/30/2024

    STIX Shifter - March 2023

Roseann Guttierrez [00:00:00]: Our guest is Danny Elliott. He is a senior product owner for, UDI and CAR integrations at IBM Security. Danny, did you have anything else you wanted to say for your intro? Danny Elliott [00:00:10]: No. That's that's pretty good. Roseann Guttierrez [00:00:12]: Alright. Then we'll just jump into the first question, can you give me your elevator pitch on the STIX shifter project? Danny Elliott [00:00:19]: STIX shifter is, a, Python library that is able to get data from various security products and data repositories. Essentially, what it does is it takes a, STIX pattern. STIX is a structured threat, intel expression, information expression. So it'll take a STIX pattern, translate that into a native data source query for the target connector, uses that data source's APIs to do a search, gets the results back and then translates that back into STIX objects of observed data. Roseann Guttierrez [00:00:56]: Okay. How is it important to you? Danny Elliott [00:01:00]: Well, it's important to me because it's a way to normalize the data across different security products. So, you know, different products are all you know, have their own API endpoints, their own query languages. They return results in, you know, their own specific fields and formats. What STIX shifter allows us to do is use the, you know, the open source STIX standard to normalize that data. So a developer could, say, integrate that into their own security products where they're able to use 1 query in the form of a STIX pattern and then do federated search across multiple data sources, provided that there is a connector that has been built for for the STIX shifter project. Roseann Guttierrez [00:01:47]: Okay. So kind of like a translator kind of... Danny Elliott [00:01:50]: Exactly. Yeah, a translator and and also, like, transmission. So it handles all of the, API calls that are needed to actually do the search for the targeted data source.
Roseann Guttierrez [00:02:01]: Gotcha. Where can the project use help? What what are you guys ... or are there certain areas that might need more help than others or... just in general... Danny Elliott [00:02:09]: We're we're always looking for new integrations. So so new connectors, obviously, are are always welcome. So someone in the open source community sees a need for a security product that isn't yet represented in STIX shifter. You know, we definitely always welcome that addition, but also anyone that has specific domain expertise around an existing connector. Maybe you have expertise with querying against Splunk, and you see that there's, there's some gaps or some defects in the existing connector. By all means, like, either raise an issue or or better yet, like, raise a pull request to make that fix. Roseann Guttierrez [00:02:49]: Great. Awesome. I think that completes our interview for today. Thanks, Danny.

    4 min
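The pipeline Danny describes in the episode above (a STIX pattern in, a native query out, native results normalized back into STIX observed-data), as an added worked example written for this page. It is not STIX shifter's code or its API; it is a stand-alone toy, and its field mapping, its native query syntax and its sample flow rows are all constructed for illustration. The pattern grammar it accepts is deliberately small: one bracketed observation expression with =, != and LIKE comparisons joined by AND and OR.

```python
"""Added example, not STIX shifter code: translate a STIX pattern into a
(constructed) native query, run it against in-memory rows, and normalize the
hits back into STIX-style observed-data. Everything below is hypothetical."""
import re
from fnmatch import fnmatchcase
from datetime import datetime, timezone

# Hypothetical mapping from STIX object paths to the columns of an imaginary
# flow-log store. One STIX path may fan out to several native fields.
FIELD_MAP = {
    "ipv4-addr:value": ["src_ip", "dest_ip"],
    "network-traffic:dst_port": ["dest_port"],
    "url:value": ["url"],
}
NATIVE_OPS = {"=": "=", "!=": "!=", "LIKE": "~"}   # STIX operator -> native

# One comparison expression: <object-type>:<property> <op> <'string' | int>
COMPARISON = re.compile(r"^\s*([\w-]+:[\w.]+)\s*(=|!=|LIKE)\s*('[^']*'|\d+)\s*$")

def parse_pattern(pattern):
    """Parse one observation expression into OR-groups of AND-ed
    (path, op, value) triples; AND binds tighter than OR, as in STIX.
    Quoted values must not themselves contain ' AND ' or ' OR '."""
    m = re.fullmatch(r"\s*\[(.*)\]\s*", pattern, re.S)
    if not m:
        raise ValueError("expected one bracketed observation expression")
    groups = []
    for disjunct in re.split(r"\s+OR\s+", m.group(1)):
        conj = []
        for term in re.split(r"\s+AND\s+", disjunct):
            t = COMPARISON.match(term)
            if not t:
                raise ValueError(f"unsupported comparison: {term!r}")
            path, op, raw = t.groups()
            if path not in FIELD_MAP:
                raise ValueError(f"no native field mapped for {path}")
            conj.append((path, op, raw[1:-1] if raw.startswith("'") else int(raw)))
        groups.append(conj)
    return groups

def to_native(groups):
    """Render the parsed pattern in the constructed native query syntax, i.e.
    the string a transmission module would hand to the data source API."""
    def render(path, op, value):
        lit = f'"{value}"' if isinstance(value, str) else str(value)
        alts = [f"{field}{NATIVE_OPS[op]}{lit}" for field in FIELD_MAP[path]]
        return alts[0] if len(alts) == 1 else "(" + " OR ".join(alts) + ")"
    return " OR ".join("(" + " AND ".join(render(*c) for c in conj) + ")"
                       for conj in groups)

def _compare(op, actual, wanted):
    if actual is None:
        return False
    if op == "=":
        return actual == wanted
    if op == "!=":
        return actual != wanted
    # STIX LIKE uses SQL wildcards; map % and _ onto shell-style * and ?
    return fnmatchcase(str(actual), str(wanted).replace("%", "*").replace("_", "?"))

def matches(record, groups):
    """Evaluate the parsed pattern against one native row (this stands in
    for the data source executing the native query)."""
    return any(all(any(_compare(op, record.get(f), value) for f in FIELD_MAP[path])
                   for path, op, value in conj)
               for conj in groups)

def to_observed_data(record):
    """Normalize one native row into a STIX-style observed-data dict."""
    ts = datetime.fromtimestamp(record["ts"], tz=timezone.utc).isoformat()
    objects = {
        "0": {"type": "ipv4-addr", "value": record["src_ip"]},
        "1": {"type": "ipv4-addr", "value": record["dest_ip"]},
        "2": {"type": "network-traffic", "src_ref": "0", "dst_ref": "1",
              "dst_port": record["dest_port"], "protocols": ["tcp"]},
    }
    if record.get("url"):
        objects["3"] = {"type": "url", "value": record["url"]}
    return {"type": "observed-data", "first_observed": ts, "last_observed": ts,
            "number_observed": 1, "objects": objects}

def federated_search(pattern, sources):
    """One STIX pattern fanned out across named sources; normalized hits back."""
    groups = parse_pattern(pattern)
    return {name: [to_observed_data(r) for r in rows if matches(r, groups)]
            for name, rows in sources.items()}

# Constructed sample rows in the imaginary store's native schema.
SAMPLE_ROWS = [
    {"ts": 1709251200, "src_ip": "10.1.2.3", "dest_ip": "198.51.100.7",
     "dest_port": 443, "url": "https://198.51.100.7/login"},
    {"ts": 1709251260, "src_ip": "10.1.2.9", "dest_ip": "203.0.113.5",
     "dest_port": 80, "url": "http://203.0.113.5/update.bin"},
    {"ts": 1709251320, "src_ip": "198.51.100.7", "dest_ip": "10.1.2.3",
     "dest_port": 22, "url": None},
]

if __name__ == "__main__":
    pattern = "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 443]"
    print("native query:", to_native(parse_pattern(pattern)))
    for source, hits in federated_search(pattern, {"flows": SAMPLE_ROWS}).items():
        print(source, [h["objects"]["2"] for h in hits])
```

Run it directly to see the native query and the hits. The part a connector author has to get right is visible in FIELD_MAP: one STIX path (ipv4-addr:value) fans out to two native columns, so the translation has to OR them together, and the results side has to rebuild the reference structure (src_ref and dst_ref on the network-traffic object) that the native row flattened away. A pattern naming a path the connector has no mapping for is rejected up front rather than silently matching nothing.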
  10. 01/24/2024

    Indicators of Behavior (IoB) - Feb 2023

Roseann Guttierrez [00:00:00]: I wanted to introduce our guest speaker. His name is Charles Frick. He's a chief scientist at Johns Hopkins University Applied Physics Laboratory, and he's here to talk a little bit about our Indicators of Behavior subproject. So, Charles, I'll I'll let you actually do, I know I didn't do much of an intro there for you, so did you have anything you wanna add to your intro before I ask you some questions? Charles Frick [00:00:20]: Just one small minor thing, because I don't wanna, I don't wanna sell myself too highly. I'm a chief scientist at Johns Hopkins Applied Physics Lab, because we have a I oversee research in our cyber operations area for something we like to call the Capabilities Development Group, but just out of respect for my fellow chief scientists out there, at the laboratory. Just wanted to caveat that I tend to focus more in cybersecurity automation and threat intelligence sharing research that we do here. Roseann Guttierrez [00:00:51]: To start off then, I just have a couple questions for you. Give me your elevator pitch on what the IOB is. Charles Frick [00:00:59]: Absolutely. So thank you. First of all, thanks, everybody, for having me today. So one of the hats I wear is I'm also the chair for the Indicators of Behavior subproject under the Open Cybersecurity Alliance. And as for the elevator pitch, we were looking for help to define... ways to use open standards to represent cyber adversary behaviors because we wanted to be able to share detections and ways to correlate detections that were a little bit more effective and had longer shelf lives than a lot of the current work we're seeing in sharing indicators of compromise. Because IOCs, for those of us familiar with them, very actionable, for the most part, insanely short shelf lives. Once you see it in the wild, it's not there very long, as an active threat.
We wanted to be able to share things that would persist longer and we look at a lot of the analytics being shared, and there's some really great analytics being put out there that can be used for longer periods of time, but they're very tailored to specific campaigns. Charles Frick [00:02:07]: And a lot of folks do that because we wanna reduce the false positive rate because we still have this mindset of the analytic is gonna go directly to feed something like our SIEM, and we're still gonna have a human looking at those, so we need low false positives. So to make a highly accurate analytic, it's really tailored to this is APT umpty-squat, doing campaign X, and if they if that group does this again, this might detect that. Well, we wanted to think about it a little differently and say, what if I have kind of a 2... Some... two-pass type of analytics where automation would be looking at the first wave. And so I might not care if it has a high false alarm rate, but what I care about is if these 2, 3, 4 analytics have data that you can correlate across. And so I might see the pattern like, one of the patterns we do in our example is I wanna know anytime a mail client launches a web browser, I'm not gonna alert a human to that, but if a if the same machine has the mail client open a web browser, the web browser access a macro enabled office file, and that same computer modified the system registry within a certain timeline. I care about that, the fact that that happened on the same machine. Right. Charles Frick [00:03:30]: And if that user account that, that was opening that email happens to be tied to launch eventually spawning a process that's now owned by the system on that computer, I care about that. And if there were other processes that started sending weird network traffic to a domain controller.
I care about that in itself, but the fact that that can be tied and have those breadcrumbs, that makes it a lot easier to detect with something that there's some weird behavior going on that is probably tied to an adversary, and so we wanted to look at how we could share those detections but also share how you cross correlate that, and that led us to start our work that we're doing currently on Indicators of Behavior. Long elevator pitch. Just... it was a very tall building. Roseann Guttierrez [00:04:26]: No. Understood. Understood. So what makes it important to you, this working group, this sub project? Charles Frick [00:04:33]: So what makes it important to me, really is trying to really seeing the need to push forward our, network defense and better leverage automation. I've been doing, you know, cybersecurity automation pilots and research, you know, for close to 10 years now and I keep seeing in the majority of our organizations still heavily mired in the manual process, which is completely unsurvivable. Roseann Guttierrez [00:04:59]: Right. Charles Frick [00:04:59]: know, the bad guys, they're using automation. I think it I'll get the attribution wrong. I think it was Michael Daniel who want who said it first, though, that that's bringing people to a software fight, and that's never gonna win. But so we started looking at automation, and I keep seeing us focus so much on Indicators of Compromise and blocking them. And that's very important to do in a very short time frame, and I'm talking minutes. Where we've had our best success is normally having a community block an IOC within 3 to 5 minutes of it first being seen in the wild, and knowing that it's going to age off in a matter of days, for the most part. We can have the debate on file hashes, but, you know, the bad guys aren't stupid, and they don't stay you know, amazingly, they also know how to look up their IP addresses and VirusTotal.
And if they see their their infrastructure publicly being broadcast as a cyberattack, they move on because they want to keep attacking. Roseann Guttierrez [00:06:05]: As you would. Charles Frick [00:06:06]: And so it's got us looking at we need a way to get this better, and the answer can't be make more and more super complex things that can need Master's degrees and PhD level computer scientists to execute because our workforce, that doesn't exist, at the scale we need it. And so we need the vendors and the MSSPs to be able to scale out. And for them to scale out, what we saw in in other forms, we need better standards to to to define and standardizing information so that they can start adapting tools and automation on behalf of their customer bases. And so that's why I care about this. Roseann Guttierrez [00:06:49]: Nice. Alright. So speaking about needs then, what what does your subproject need? Where could you use some help? Charles Frick [00:06:57]: Well, we are always looking for folks to help review some of the, developments that we're doing on our reference implementations. I'd be doing a bad job if I didn't do a plug for the IOB repository on GitLab. I'm I'm sorry. GitHub. But, we regularly post public releases of some of our samples, we're using STIX with several extensions right now and some custom objects and we would love to get more feedback and so, folks that are willing to take a look at our samples and provide some constructive criticism on suggestions for improvements is always welcome. 
Additionally, we are looking to, over the coming year, partner with a few other initiatives throughout not just the OCA, but other opportunities that might arise and people that wanna volunteer their time or their organizations that wanna volunteer some time to participate together with the standard, they're always welcome and can be greatly helpful because we can develop some of our kind of simple analytical tools and things to help make some parts of this easier, but it does take a a community. And so anybody that's willing to work, I know, we also have some active groups looking to build out ontologies. If folks out there are interested in that, we welcome your contributions. Charles Frick [00:08:24]: Basically, just anybody that wants to help in any way whatsoever with designing out machine readable data, we'll we'll find a job for you. And if there's something you think we're not doing, we're pretty glad to let you take lead in getting us to start doing it. Roseann Guttierrez [00:08:38]: Awesome. Thanks so much, Charles.

    9 min
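The two-pass correlation Charles sketches in the episode above (cheap, noisy first-wave analytics over single events, then a per-host, time-windowed correlation that only reaches a human when several distinct behaviors line up), as an added worked example written for this page. It is constructed here and is not the IoB subproject's reference implementation, its STIX extensions or its sample data; the analytic names, the event schema and the telemetry are made up, and the thresholds (a 15 minute window, three distinct behaviors) are assumptions.

```python
"""Added example, not the IoB subproject's code: pass one tags raw telemetry
with low-fidelity behaviors, pass two correlates those tags per host inside a
time window. Event schema, rules and sample events are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
MACRO_EXT = (".docm", ".xlsm", ".pptm")

# Pass-one analytics (hypothetical names). Each answers "does this single
# event show behavior X?" and is allowed to fire on plenty of benign activity.
ANALYTICS = {
    "mail_spawns_browser": lambda e: (
        e["type"] == "process" and e["parent"] in MAIL_CLIENTS and e["image"] in BROWSERS),
    "browser_writes_macro_doc": lambda e: (
        e["type"] == "file" and e["image"] in BROWSERS
        and e["path"].lower().endswith(MACRO_EXT)),
    "office_sets_run_key": lambda e: (
        e["type"] == "registry" and e["image"] in OFFICE_APPS
        and "\\currentversion\\run\\" in e["key"].lower()),
    "office_spawns_shell_as_system": lambda e: (
        e["type"] == "process" and e["parent"] in OFFICE_APPS
        and e["image"] in SHELLS and e["user"] == "SYSTEM"),
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def tag_events(events):
    """Pass one: run every analytic over every event and keep the hits."""
    return [{"ts": parse_ts(e["ts"]), "host": e["host"], "behavior": name, "event": e}
            for e in events for name, rule in ANALYTICS.items() if rule(e)]

def correlate(hits, window_minutes=15, min_distinct=3):
    """Pass two: per host, find the window holding the most distinct
    behaviors and alert only when at least min_distinct of them co-occur."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        best = []
        for i, end in enumerate(hs):          # each hit in turn closes a window
            cluster = [h for h in hs[:i + 1] if end["ts"] - h["ts"] <= window]
            if len({h["behavior"] for h in cluster}) > len({h["behavior"] for h in best}):
                best = cluster
        if len({h["behavior"] for h in best}) >= min_distinct:
            alerts.append({
                "host": host,
                "behaviors": [h["behavior"] for h in best],   # in time order
                "users": sorted({h["event"]["user"] for h in best}),
                "start": best[0]["ts"].isoformat(),
                "end": best[-1]["ts"].isoformat(),
            })
    return alerts

# Constructed EDR-style telemetry; not any vendor's real schema.
EVENTS = [
    {"ts": "2024-02-01T09:00:05Z", "host": "WS-0142", "user": "alice", "type": "process",
     "parent": "outlook.exe", "image": "msedge.exe"},
    {"ts": "2024-02-01T09:00:41Z", "host": "WS-0142", "user": "alice", "type": "file",
     "image": "msedge.exe", "path": "C:\\Users\\alice\\Downloads\\invoice.docm"},
    {"ts": "2024-02-01T09:01:12Z", "host": "WS-0142", "user": "alice", "type": "registry",
     "image": "winword.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"ts": "2024-02-01T09:02:30Z", "host": "WS-0142", "user": "SYSTEM", "type": "process",
     "parent": "winword.exe", "image": "powershell.exe"},
    # Benign noise: a link clicked from mail, and a macro workbook hours later.
    {"ts": "2024-02-01T09:05:00Z", "host": "WS-0200", "user": "bob", "type": "process",
     "parent": "outlook.exe", "image": "chrome.exe"},
    {"ts": "2024-02-01T14:10:00Z", "host": "WS-0200", "user": "bob", "type": "file",
     "image": "chrome.exe", "path": "C:\\Users\\bob\\Downloads\\budget.xlsm"},
]

if __name__ == "__main__":
    hits = tag_events(EVENTS)
    print(f"{len(hits)} single-analytic hits; most are not worth a human's time")
    for alert in correlate(hits):
        print(alert)
```

Each pass-one rule is deliberately loose: clicking a link in a mail client trips mail_spawns_browser on WS-0200 as well. Nothing is raised for that host because its two hits sit hours apart, while WS-0142 accumulates four distinct behaviors inside a couple of minutes and gets one alert carrying the ordered chain and the accounts involved (alice, then SYSTEM). Those are the breadcrumbs the episode is after: a human sees one correlated story instead of four disconnected low-fidelity hits, and the sharing unit becomes the behaviors plus the correlation rule rather than a campaign-specific analytic.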
