
Lean Hunting SANS THIR SUMMIT 2018 | New Orleans, LA Ben Johnson, Co-Founder & CTO [email protected]

Abstract: Lean Hunting. (Threat) hunting has been around long enough that most agree it should be part of all comprehensive information security programs. In any cat and mouse game, existing traps will never catch all mice. We need to apply creativity, analytical thinking, and keep humans in the loop. The challenge, of course, is that human hours are scarce and expensive. Most organizations cannot afford to staff hunt teams 24/7 (or at all), so what's the best way to deploy human attention to identify emerging threats? We'll explore how to adopt aspects of entrepreneurship and align organizations to achieve positive outcomes by building lean (threat) hunting capabilities. @chicagoben | @obsidiansec

Agenda: Introduction · State of Cyber · Entrepreneurship · Applied Lean Hunting · Wrap-Up

Background Check Ben Johnson Co-Founder and CTO, Obsidian Security Co-founder and former CTO of Carbon Black, built the first EDR product. Previously, NSA CNO and AI Lab.

(Figure: career timeline 2000, 2010, 2017; board seats; entrepreneurship professor.)

Today's Goal? TO SPARK CONTEMPLATION (and hopefully give you a tip or two.)

Physical-World IR

Recent headlines

Data breaches

(Figure: breach timeline, 2008 to 2017.)

Even the Cloud is Leaky: Booz Allen · OneLogin · The RNC · Verizon · Accenture · Dow Jones · Viacom · Deloitte · Sweden · California

Variety of adversaries

Cybercriminals · Broad-based and targeted · Financially motivated · Getting more sophisticated

Hacktivists · Targeted and destructive · Unpredictable motivations · Generally less sophisticated

Nation-States · Targeted and multi-stage · Motivated by data collection · Highly sophisticated with endless resources

Insiders · Targeted and destructive · Unpredictable motivations · Sophistication varies


Many challenges: Skills Gap + Deploy-and-Decay + Attacker Successes + Huge Data (more than big) = LACK OF CYBER SELF-ESTEEM

Hunting: Filling the Automation Gap

(Figure: the universe of threats, only partly covered by automated threat detection processes.)

Hunting: because there's always a gap between automated threat detection and the universe of threats.

Hunting: Ideal vs. reality

(Figure: Ideal vs. Reality.)

Can hunting be formulaic? What's the formula for hunting? X FTE * Y tooling + Z buy-in ?= Threat Hunting

Entrepreneurship

Start-Up Formula? What's the formula for start-ups? Idea(quality) + work(quantity) + raise money ?= profit

Lean Manufacturing
· Developed by Toyota 70s/80s, perhaps 30s!
· Systematic, holistic identification of waste
· Improves the flow / smoothness of work
· Just-In-Time and Autonomation (smart automation)
· Identify features, process, inputs that create customer value; everything else is waste

Lean Manufacturing

Eight types of waste require monitoring:

1. Overproduction: is supply way higher than demand?
2. Waiting: lag time between production steps
3. Inventory (work in progress): are supply levels and work-in-progress inventories too high?
4. Transportation: do you move materials efficiently?
5. Over-processing: do you work on the product too many times?
6. Motion: do people and things move between tasks efficiently?
7. Defects: how much time do you spend finding and fixing mistakes?
8. Workforce: do you use workers efficiently?

Waste: anything that doesn't add value to the end product


Essentialism? "It is about making the wisest possible investment of your time and energy in order to operate at our highest point of contribution by doing only what is essential." - Greg McKeown, Author of Essentialism

Lean Startup Methodology

"The Lean Startup method teaches you how to drive a startup - how to steer, when to turn, and when to persevere - and grow a business with maximum acceleration." - Eric Ries

Lean methodology:
· Gets products and services in the hands of customers faster.
· Reduces uncertainty (and waste)!

Entrepreneurs are Everywhere

"The day before something is a breakthrough, it's a crazy idea." - Peter Diamandis

Think Big. Start Small. Scale Fast.


Validated Learning

How quickly can you learn? "Are you learning in gulps or sips?" - Apollo Astronauts It's all about product-market fit!

Create hypothesis. Run Experiment. Analyze Results. Repeat.


Build. Measure. Learn.

(Figure: The Lean Startup feedback loop. Ideas → Build → Code → Measure → Data → Learn → Ideas.)

Learn faster: Unit tests · Customer interviews · Customer development · Five whys root cause analysis · Customer advisory board · Justifiable hypothesis · Product owner accountability · Customer archetypes · Cross-functional team · Smoke tests

Build faster: Unit tests · Usability tests · Continuous integration · Incremental deployment · Free & open-source components · Cloud computing · Cluster immune system · Just-in-time scalability · Refactoring · Developer sandbox

Measure faster: Split tests · Clear product owner · Continuous development · Usability tests · Real-time monitoring · Customer liaison · Funnel analysis · Cohort analysis · Net promoter score · Search engine marketing · Real-time alerting · Predictive monitoring

Wait ... OODA LOOPS! "Time is the dominant parameter. The pilot who goes through the OODA cycle in the shortest time prevails because his opponent is caught responding to situations that have already changed." - Colonel John Boyd, 1966

Observe. Orient. Decide. Act.

Minimum Viable Product.

Minimum viable product: the skinniest version of a product that still functions.
· sufficient functionality to attract initial users/customers
· promises enough future benefit to keep early adopters
· designed with a feedback loop to guide new features

What's the MVP you think is necessary?

Applied Lean Hunting

Building

What is your pain point? "If I had an hour to solve a problem I'd spend 55 minutes thinking about the problem and 5 minutes thinking about solutions." - Albert Einstein

Who is this for? What is this for? Painkillers vs Vitamins

Efficient Hunting (& Triage): Fail Fast

(Figure: start hunting → fail fast → successful discovery.)

Move quickly with feedback loops and validated learning.

Building: Start with visibility
· Scanning
· Continuous Recording
· Continuous Recording + Intelligence
· Continuous Recording + Intelligence + Prevalence
· Continuous Recording + Intelligence + Prevalence + Relationships
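The visibility ladder above ends at intelligence, prevalence and relationships. As an added example that is not code from the talk or from Obsidian, the Python below runs those three rungs over a constructed set of endpoint process records: an intel list of known-bad hashes, a prevalence count (how many hosts each binary hash is seen on) and one parent/child relationship rule. The hosts, paths, hash tokens, intel list and the document-handler/shell rule are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry for this example (not real data):
# (host, parent image name, image path, sha256 placeholder). The hash tokens
# are made-up values standing in for real SHA-256 digests.
RECORDS = [
    ("ws-001", "services.exe", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws-002", "services.exe", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws-003", "services.exe", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws-004", "services.exe", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws-001", "explorer.exe", r"C:\Windows\System32\cmd.exe", "bbbb2222"),
    ("ws-002", "explorer.exe", r"C:\Windows\System32\cmd.exe", "bbbb2222"),
    ("ws-003", "WINWORD.EXE",  r"C:\Windows\System32\cmd.exe", "bbbb2222"),
    ("ws-003", "explorer.exe", r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "cccc3333"),
    ("ws-004", "services.exe", r"C:\Windows\Temp\svch0st.exe", "dddd4444"),
]

# Constructed intelligence feed: hashes a threat-intel source has flagged.
KNOWN_BAD = {"dddd4444"}

# Relationship rule (assumed for the example): a document handler spawning a
# shell is worth a look even when every binary involved is common.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def prevalence(records):
    """Map each hash to the set of hosts it was observed on."""
    hosts_by_hash = defaultdict(set)
    for host, _parent, _path, sha in records:
        hosts_by_hash[sha].add(host)
    return hosts_by_hash


def rare_or_known_bad(records, known_bad, max_hosts=1):
    """Hash-level hunt leads: intel hits and binaries seen on few hosts.

    Returns (sha, path, hosts, reasons) tuples ordered intel hits first and
    then rarest first, so a short triage budget is spent in the right order.
    """
    total_hosts = len({r[0] for r in records})
    path_by_hash = {sha: path for _h, _p, path, sha in records}
    leads = []
    for sha, hosts in prevalence(records).items():
        reasons = []
        if sha in known_bad:
            reasons.append("intel: known-bad hash")
        if len(hosts) <= max_hosts:
            reasons.append(f"prevalence: {len(hosts)}/{total_hosts} hosts")
        if reasons:
            leads.append((sha, path_by_hash[sha], sorted(hosts), reasons))
    # The intel reason, when present, is always first in the list.
    leads.sort(key=lambda lead: (not lead[3][0].startswith("intel"), len(lead[2])))
    return leads


def suspicious_parents(records):
    """Event-level hunt leads from process relationships: a document handler
    spawning a shell, regardless of how common the shell binary itself is."""
    return [
        (host, parent, path)
        for host, parent, path, _sha in records
        if parent.lower() in DOCUMENT_HANDLERS and basename(path) in SHELLS
    ]


if __name__ == "__main__":
    for lead in rare_or_known_bad(RECORDS, KNOWN_BAD):
        print(lead)
    for event in suspicious_parents(RECORDS):
        print(event)
```

Intel hits come back first and rare binaries next, so a hunter with one hour spends it in that order; the relationship rule surfaces the one cmd.exe launch out of three that matters even though cmd.exe itself is on most hosts, which a prevalence count alone would never flag. On real telemetry the prevalence threshold should be a fraction of the fleet rather than a fixed host count.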

Building: Open Source & APIs

The Detection-Response Spectrum

(Figure: a spectrum from hunting / detection, through triage, discovery and investigation, to incident response and cleanup.)

Selling

What are you selling? "We aren't selling anything." "You're always selling!" (Figure labels: Ben, People.)

Can you sell your organization on new spending? Can you sell your organization on freeing up time to hunt? Can you sell the culture on spending time to help with hunting?

Competition: Can your competition (i.e. other tasks) be automated? Can you make vendors better?

Wrap-Up (& Ranting)

Is the Environment Healthy? The absence of disease does not mean health.

Reduce Entropy, Reduce Risk

Risk as a Slope

(Figure: risk plotted as a slope descending past a threat threshold into an impact zone, with catch points along the way.)

The steeper the risk slope, the faster the environment slides into compromise. Reduce risk, reduce the slope!

Identity Creep

(Figure.) Dormant accounts: idle for 238, 181, 87, 79, 22, 17, 9 and 8 days. Mismatched permissions: 20758 lines.

Right-Size Surface Area? Visualize the surface area you could use against the surface area you are using. Lower the risk and also focus your hunts!

Dormant Accounts? Aside from risk, cost savings could be huge! In the figure, a relatively small company (600 employees) could save over $300k / year by right-sizing 3 services!
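Identity creep, dormant accounts and surface-area right-sizing (the slides above) are cheap to hunt for from a directory or SaaS export. As an added example that is not the talk's own code, the Python below takes a constructed account export, flags accounts idle past a threshold, diffs each account's granted rights against a per-role baseline, and ranks accounts that are both dormant and privileged first. The users, services, dates, rights, role baseline and reference date are all assumptions made up for the example, not data from the slides.

```python
from datetime import date

# Constructed reference date for "days idle"; a real run would use today.
AS_OF = date(2018, 5, 1)

# Constructed directory/SaaS export. Every name, date and right is made up.
ACCOUNTS = [
    {"user": "alice", "service": "crm",  "role": "analyst",
     "last_login": date(2018, 4, 28), "rights": {"read", "export"}},
    {"user": "bob",   "service": "crm",  "role": "analyst",
     "last_login": date(2017, 9, 5),  "rights": {"read", "export", "admin"}},
    {"user": "carol", "service": "wiki", "role": "editor",
     "last_login": date(2018, 2, 3),  "rights": {"read"}},
    {"user": "dave",  "service": "wiki", "role": "admin",
     "last_login": None,              "rights": {"read", "write", "admin"}},
]

# Constructed baseline of what each (service, role) should hold. A role with
# no baseline is treated as owning nothing, so all of its rights show up as
# excess and get reviewed instead of silently passing.
ROLE_RIGHTS = {
    ("crm", "analyst"): {"read", "export"},
    ("wiki", "editor"): {"read", "write"},
    ("wiki", "admin"):  {"read", "write", "admin"},
}

# Rights that make a dormant account a hunting priority rather than a cost line.
PRIVILEGED = {"admin"}


def days_idle(account, as_of=AS_OF):
    """Days since last login, or None if the account has never logged in."""
    if account["last_login"] is None:
        return None
    return (as_of - account["last_login"]).days


def dormant_accounts(accounts, threshold_days=90, as_of=AS_OF):
    """(user, service, days_idle) for accounts idle at least threshold_days.
    Never-used accounts count as dormant and sort first."""
    out = []
    for a in accounts:
        idle = days_idle(a, as_of)
        if idle is None or idle >= threshold_days:
            out.append((a["user"], a["service"], idle))
    out.sort(key=lambda t: float("inf") if t[2] is None else t[2], reverse=True)
    return out


def mismatched_permissions(accounts, role_rights):
    """(user, service, excess, missing) where granted rights differ from the
    role baseline. Excess rights are the risk; missing ones are drift too."""
    out = []
    for a in accounts:
        expected = role_rights.get((a["service"], a["role"]), set())
        excess = sorted(a["rights"] - expected)
        missing = sorted(expected - a["rights"])
        if excess or missing:
            out.append((a["user"], a["service"], excess, missing))
    return out


def hunt_priority(accounts, threshold_days=90, as_of=AS_OF):
    """Accounts that are both dormant and privileged: unused credentials with
    real blast radius, the first place to spend scarce hunting time."""
    dormant = {(u, s) for u, s, _ in dormant_accounts(accounts, threshold_days, as_of)}
    return sorted(
        (a["user"], a["service"])
        for a in accounts
        if (a["user"], a["service"]) in dormant and a["rights"] & PRIVILEGED
    )


if __name__ == "__main__":
    print("dormant:", dormant_accounts(ACCOUNTS))
    print("mismatched:", mismatched_permissions(ACCOUNTS, ROLE_RIGHTS))
    print("hunt first:", hunt_priority(ACCOUNTS))
```

The three lists answer three different questions: dormant accounts are seats to reclaim and logins to alert on, permission mismatches are the drift to clean up, and the intersection with privileged rights is where a hunter's first hour goes. The 90-day threshold is a starting point; pick it per service from the login-interval distribution rather than by habit.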

Information Security and the Cloud

"IT is going from 0 to 100 in the cloud and leaving us in the dust" - CISO, Financial Tech Company

"50% of our IR Engagements are Office 365." - Principal IR, Rapid7

"We're blind to all these new SaaS accounts" - Director, Cyber Intelligence, Top Athletics Brand

"We have 300 AWS accounts and no governance" - Public Tech Company

"Hackers don't break in, they login." - CISO, Cisco

Remember: Reduce Waste & Essentialism. Where's the IT waste? (Dormant accounts, config drift, etc.) Where can you get the biggest ROI of your hunting time? Identify features, process, inputs that create successful hunts... everything else is waste (or could be)!

Remember: Build. Measure. Learn. Think Big. Start Small. Scale Fast.

Be the Hunter Your Environment Needs!

Lean start-up: "Being an entrepreneur is a state of mind, not a job title." - Guy Kawasaki

Lean hunting: "Being a hunter is a state of mind, not a job title." - Ben Johnson (I think?)

Because Who Doesn't Love a Book Recommendation

Today's Goal: TO SPARK CONTEMPLATION "If you're not embarrassed by your first product you've shipped too late." - Reid Hoffman, LinkedIn Founder What can you do TODAY to upgrade your hunting?

THANK YOU! Ben Johnson, CTO [email protected] @chicagoben | @obsidiansec