Snake Oilers 10 part 1: Richard Bejtlich talks Zeek plus pitches from Respond Software and PATH Networks


Hi everyone and welcome to this Snake Oilers edition of the Risky Business podcast. My name's Patrick Gray. This isn't the weekly news show that we publish here at Risky Biz. This is something else: a wholly sponsored podcast that features vendors talking about their tech. Everyone who appears in these Snake Oilers podcasts paid to be here. If you're looking for the weekly show, just scroll back one episode in your podcast player. At this point I kind of want to break protocol a little and talk about our process for putting these Snake Oilers podcasts together. These days Risky Biz gets a lot of inbound inquiries from vendors who are chasing sponsorship packages. We have over six hundred security vendors in our CRM database and most of them are there because they inquired about sponsoring; they reached out to us. But in the end we wind up doing business with about twenty to twenty-five vendors in any given calendar year, so this is my way of saying we can't just accept any sponsor who comes along. Now, does this mean that we endorse any of the vendors we're featuring in these sponsored segments? No, it doesn't. I mean, I'm not a practitioner. I cannot tell you these guys are fantastic, guaranteed, but we generally select vendors for Snake Oilers who we think are doing interesting things, vendors who we think will give us an interesting and relevant conversation for our audience about what they're doing and why, and that's really what these podcasts are about. With that process explainer out of the way, let me tell you about what's going to be in this edition of Snake Oilers. In this podcast you're going to hear from three vendors. First we'll hear from industry
luminary Richard Bejtlich, who is currently working with Corelight, which offers products based on Zeek, which used to be known as Bro. That's a super cool chat with Richard and I let it run long because it's Richard Bejtlich, come on, right? So that one actually runs a little bit longer than the interviews in Snake Oilers normally do. Then we're going to hear from Marshall Webb from Path Networks, and that's also a really great interview. Marshall will be telling us about eBPF and XDP, two technologies, open source technologies, that are really pushing the state of the art in DDoS mitigation forward. Basically these two things now mean that you can efficiently mitigate DDoS attacks with commodity hardware, and Path has built a business around that, and by the looks of things is going after those Arbor Networks based services. They've already got a terabit per second of connectivity, which is a lot of bits per second for a relatively new company, but yeah, their idea is that DDoS scrubbing and standby DDoS scrubbing services shouldn't cost a fortune; it's kind of a tax on business, and they're using the latest standards and the latest techniques to mitigate these attacks using commodity hardware, and they're passing on the savings to customers. They've also built some really cool distributed network monitoring tools as well, so that's going on in that interview. That is number two this time, and then our last Snake Oiler for this edition is Respond Software. They make a decision agent for SOCs, basically, but I guess that's kind of underselling it: they are quite literally aiming to replace frontline SOC analysts with software. Now the funny thing is, right, you might think that that sounds a bit risky, but say this out loud: "We can't use a software agent for first line monitoring because we might miss something." So yeah, when you say it out loud it's kind of funny, right, because everybody's already missing stuff. Respond's
whole pitch is that they can bump out a list of, like, five serious things your SOC should be doing that day, instead of trawling through tens of thousands of meaningless, context-less alerts, and when you've finished with those five confirmed serious things you can always go back and look at your logs. But as you'll hear, Respond's customers are actually starting to really trust it to do that first piece of analysis, so that is also an interesting chat. So yeah, we've got a bunch of stuff to talk through in this edition, so let's kick it off now with our chat with Richard. Richard has previously appeared a few times as a guest on this podcast. I think you can really describe Richard as an industry luminary. He's been in the discipline since the nineties, he's written a bunch of books, so on and so on, and these days he is with Corelight. Their goal is to transform network traffic into actionable data for analysis, forensics and real time response. Their product is based on the open source tool Zeek, which was formerly Bro, and Richard joined me to talk about it. Here is what he had to say.

If you think about it, you've got a spectrum of what you can learn about your network. At one end of the spectrum you've got "write everything to disk," and that's a full content pcap collection. At the other end of the spectrum you have "tell me as best as you can just the things that I want to know," that might be good or bad or however you define it, if you want to have policy violations or whatever you call it. Now, if you think about going back to the full pcap,
that's great, but even in an era of inexpensive storage, how are you going to make use of that data on a daily basis? At the other end, the alerts: what if you miss something, what if you don't have an alert for whatever, however the attack is? So Zeek sits right in the middle of that, and the idea behind it is to give you an idea of what's happening on a network in a form that has enough detail that you can make some sense of it, but not so much that it just takes up a lot of space and it's tough to index and all that. It's a pretty simple idea, but it turns out that there really aren't many products or offerings in that space. The thing that it's compared to quite often is NetFlow, but NetFlow for the most part is just a description of who talked to who, when, how much data was passed, which protocols, that sort of thing, and we'll give you that with our connection log, but then any protocol that Zeek understands, we're going to give you data about that as well. So let's say you've got a TCP connection and on top of that is an HTTPS session. We're going to give you what we can from HTTPS, which will end up being SSL data, so we'll give you server names, we'll tell you information about the certificates, and if you want we can extract the certificates and you can save that to disk. And all of this is linked through a connection
ID, or UID, as they appear in the logs, so that if you're trying to figure out what relates to what, if you're trying to do, like, your data science or whatever you want to call it on that information, it makes it easy to follow that chain. And as it turns out, it's a really nice place to be if you're trying to understand what's happening on your network, because we answer a lot of the questions that a security person wants to know in a small footprint that can be saved for basically forever. If you think about having some type of hot storage that goes into a database or Splunk or Humio or Google Chronicle or whatever, and if you want to do cold storage, just writing text files to disk, or JSON files to disk, and putting it up in Amazon Glacier is something you can do forever. So that's the basic idea, and we can expand beyond that, I'm sure.

Yeah, it kind of reminds me a little bit, it's similar to what the team at ICEBRG did. They were a small company that wound up being acquired by Gigamon. This was a bit different in that it streamed everything to the cloud and it was very much about metadata, but what I found interesting about them, and what I find interesting about Corelight, is that here we are in 2019, when apparently network monitoring is dead, and yet you exist and people are buying your stuff. I think the death of network security monitoring has maybe been called a bit prematurely.

Yeah, I actually wrote a blog post early on at Corelight and the marketing team labeled it "NSM is dead." I was a little shocked, like, oh no, this is great, this is going to get around that I think NSM is dead, but it ended up just being, you know, a click, I suppose. The people would read the post and it's "NSM is dead, long live
NSM." Yeah, yeah. So there's no doubt that it is not the same world as it was when I started in 1997, 1998. Back then if you saw something on the wire it was generally unencrypted, and when it was a non-binary protocol, so let's say it was not a Sun remote procedure call or something like that, it was generally text, so you could read it, so it was simple. HTTP, you could read the page and see what it's doing. If it was a file transfer over FTP you could read the commands, and if it was telnet you could read the administrator or a criminal interacting with your system, and that was a great way to figure out what was happening because it was just right there, you know. Fast forward to the last ten years or so and more and more traffic is encrypted. You can't do that anymore.

It did kind of make a lot of the full packet capture stuff that was very trendy, like NetWitness, there was another one, God, what was it called, it was the one that got sold to... but that stuff was super hip for a while and then everything started getting encrypted. That's like, look, at least we captured packets, we've got that, we can't read them, so...

Well, there's an interesting workflow to that. So the workflow of many of the full packet vendors, particularly a company like NetWitness, was around network forensics, and it was a similar approach that you would take with file-based forensics.
Imagine you have a disk, you want to extract all the artifacts, render them in a way that an analyst can look through them, and when they find the stolen invoice they go, ah, that person's not supposed to have that on the computer. The way that the network forensic vendors took it was the traffic that was captured during certain periods was essentially the hard disk. They would extract all the artifacts and present them to the analyst. That is generally not the same kind of workflow, though, that we've seen develop in the era of the modern SOC and the rise of SIEMs. Generally what you find people doing is threat hunting. That's become popular for the last nine, ten years or so. It's looking for something that you didn't necessarily know was bad, and because of that you don't need to have every Word document that was transferred on the wire.

Yeah, one hundred percent, right, and this is more looking at what's related, which connection came from what other connection and whatever. And what I've noticed too, right, is you've got this new breed of security vendor that's coming up at the moment where they've clearly had a lot of design influence from people who've worked in incident response, and I'm thinking in that case of companies like AlphaSOC, right, which is Chris McNab, who is very much an incident responder, who's doing stuff like real time domain analytics and IP analytics and things like that. Corelight, that's another one. I had another one in my head but it's not quite there anymore, but yeah, I'm definitely seeing that fusion between people working in incident response now saying, well, hang on, if we had been looking for this more at the time we might have had a better shot at detection here.

Yeah, yeah, yeah, and that brings up a really interesting point. When you buy our product there is an interface, but it's essentially a sensor management, health and welfare interface. Now, there may be some additional things coming to that
that I've been encouraging and helping develop at Corelight, but for the most part our product is built on giving you the data. We don't want to be another pane of glass that you have to monitor and somehow integrate into your workflow. So initially I thought this is going to be kind of difficult, perhaps, to sell to customers, because they want to see the data, but it turns out at this point in the market everybody's got a place for the data to go, right? They already have their Splunk infrastructure, or the market honestly is being disrupted very heavily. I think companies like Backstory, companies like Chronicle within Google with their Backstory product, people are seeing that you can do a lot with just really good high fidelity data, whether it's from the host or in our case from the network through Corelight Zeek. So we don't sell you a pane of glass. We give you good data that helps you understand what's happening, and as a result of that our stuff appears in many locations. And I should mention as well, we do support the open source product Zeek, and we don't have, like, Zeek for commercial and Zeek open source. It's the same code; it's just that we do quite a bit with the data before it leaves the sensor, and things like data reduction, so that for example maybe you don't want all the fields in the connection log, or you don't want all the fields in the DNS log, or, you know, if you're going into a Splunk environment and you just don't want to keep adding to your Splunk bill, we can help you select just the fields that you want to send, and as a result the customers who choose to go down that road pay a third less than they might have if they were just sending open source Zeek logs to their SIEM.

OK, so it sounds like, and that's an interesting idea, right, allowing you to tune it so you don't get hammered by Splunk license fees. That's kind of what I picked up there. Is that right?

That's exactly right.
I had, you know, an all-you-can-eat Splunk license, so it wasn't even an issue, we just dumped everything into it, just paying for more disk, but those days are pretty much over, so in the modern world you have to pay licenses. Now, what's really cool about Chronicle, and this isn't supposed to be an advertisement for them, but they have a per user model rather than a volume based model. They'll take everything you send to the system, so to me that's really pretty exciting, because what it results in is we've got people who have certain workflows about how they're trying to respond to intrusions, or trying to find intrusions, or even troubleshoot problems, and they want to have the same type of data no matter where they're looking. If they're looking on premise they want to have a certain type of network data; if they're looking in their cloud infrastructure they want that. So that's one of the reasons why we started with a hardware appliance, but now we have these software offerings. So again, if you just have your own virtual infrastructure at your company we have software, you know, for VMware and that sort of thing, and then just in June we released the version that can go up in Amazon AWS, because people want to say, look, I've got a workflow, I want to be able to see my Corelight data no matter where it is. I don't feel like I'm getting enough of the data in the right format that I like from the tools, so what can you guys do about it? And thankfully
AWS introduced their virtual tap that makes that traffic available to our sensor.

So I mean, what it sounds like you're pitching here, if you boil it down to its simplest terms, is what you feel is a very high quality network information sensor that strips out the relevant information and can plug into your existing SIEM gear, can plug into your existing pane of glass, and that's going to be useful for things like threat hunting, perhaps detection if you put some rules about that higher up, and certainly for things like incident response.

Yes, and you've so nicely summarized that, but that is only the foundation. So if you get Corelight and you just put it in your environment, you get all of that, but the nice thing about Corelight is that because it's running Zeek, it's actually running Zeek, it's not running something that just looks like Zeek or whatever, because there's plenty of those out in the marketplace, but you get that Turing complete language underneath, so you can introduce your own packages, you can alter the way the code works, you can change the way our product works, without having to have something on the road map. You know, I can't tell you how many vendors I used to work with where you'd say, well, are you ever going to have this feature? Yeah, yeah, that's coming out in quarter two of two years from now or whatever, and it would never arrive. When you have someone introduce a new capability in Zeek, like we just ran a package contest, or we sponsored a package contest for Zeek, there's new packages that are going to be announced at ZeekWeek in October, up in Seattle, Portland, I can't remember, somewhere in the Pacific Northwest of the US, but these are new capabilities that have just been introduced by the open source community, and if you like the way they work you can add them.
If you want to modify them you can do that. So I like to think of network appliances or network sensors built on open source as being sort of a beachhead: you can take the beach, you can enjoy the beach and maybe stay there, but if you want to go farther inland you can, because you have the power of this open source engine underneath that can be modified by your own users.

I guess the last question here would be about deployment. I'm presuming that most organizations who use this have something that they put at the gateway on a mirror, on a SPAN port, right? It's not something that they're putting everywhere internally.

Yeah, most people. This is the way I would generally advise: if you're in a legacy environment you want to instrument all your gateways, so all the ways in or out of your environment, you know, the area that you're responsible for. At a minimum I would instrument those gateways; people call that a north-south deployment. The next place to go would be, again, if you're talking about a big network, you're going to have sort of critical routers, interior locations where a lot of traffic is passed within the environment. That's typically called east-west, so you'd want to deploy some sensors within that east-west environment. And then the final place, we're talking about an on premise enterprise environment, I'd like to go near critical infrastructure, so if you have, like, this is our R&D network, we really want to make sure we know who's using it, I would put a sensor there. Beyond that we have the virtual sensors as well that you can put up in the cloud, so we have people who are looking to deploy our sensor into Amazon, and honestly I'm really looking forward to seeing how that goes and what people are finding, because it's a whole new world up there.

So I'm guessing really the call to action, as they say in marketing speak, for anyone listening to this:
if you do have a SIEM and you feel like you're not getting the type of raw network visibility that you want, I mean, that's your ideal customer at this point, right?

Yeah, yeah, and you know what, I did a blog post just the other day addressing the issue of, well, if you don't have a SIEM should you wait, because we had some customers who said, well, we're reevaluating our SIEM, we want to make sure it works with the new version of Corelight. You know, obviously it's self serving to say this, but you don't need to wait. There are many environments where you could just write the output to disk and you just load it into the SIEM later, and even if you don't even look at that data over the month or two months or whatever...

Oh, absolutely. That's one of the only times I've disagreed with Marcus Ranum. He is very famous for saying don't collect logs you never look at. I said no, you collect those things, 'cause disk is cheap, and later on when you find out you're owned, or you suspect that you're owned, you go back and you look at all that stuff.

I think Marcus, I, so, you know, I think he would be more railing against the people who were just storing stuff in a completely unstructured way. I mean, this at least has some rhyme and reason to it, right?

Yeah, yeah, yeah, that's true. Yeah, I see where you're coming from. Our data, that is probably the biggest strength of it, is that it is linked by those UIDs, and if you ever wanted to look at an open source project that was designed by, like, real smart people, they invented this thing back in 1995, if you can imagine, so it's a twenty-four-year-old open source project. The quality of the engineering and the thought that went into it is really remarkable.
It's amazing that the code has performed so well over the years and can do all these sorts of things, and it's also, you know, it's optimized for the network, but at the end of the day it's basically an event engine, so there is code out there that will take in osquery event data, treat it as an event, and you can have osquery data right alongside network data. So that's kind of the future of where things are going, I think: you'll have more of this sort of unified logging where you're pairing information from an API call or from a host based product with the network, so that you don't have to do it in the SIEM; it will all come out of the event engine, Zeek, if you want to put it there.

Well, Richard Bejtlich, it's great to have you back on the show. I believe you were on once or twice before, quite some time ago now, but it's been very good to chat to you, and thanks for walking us through what you're working on over there at Corelight.

You're welcome. Always nice to talk to you, friend, and thank you to anyone who was listening.

That was Richard Bejtlich of Corelight there. Big thanks to him for that, and you can find Corelight at corelight.com, C-O-R-E-L-I-G-H-T dot com, and yeah, I can honestly see that their stuff would be worth taking for a spin. I mean, it's easy to deploy, so just give it a go, see what it's like, let me know, right? OK, on to our next Snake Oiler now, Path Networks. Path is doing some very interesting stuff with eBPF and XDP, so I'll just do a quick explainer, but he explains it better in the actual interview. A quick explainer: well, with XDP, what that allows you to do is to push network rules to your commodity SmartNIC network cards, and that means that the routing decisions aren't being made by the host OS; they're not even hitting the OS kernel. They're being made on the actual NIC, and the obvious benefit to that is speed, a lot of speed, and in fact you can now use XDP to build very effective DDoS filtering equipment
that's competitive against expensive specialist hardware, and you can do it on commodity hardware. Our next guest, Marshall Webb, founder of Path, has seen a market opportunity to provide DDoS protection for a lot less to a market that's kind of being extorted a little bit by the incumbent players, not all of them but some of them. Path offers these mitigation services to customers at a pretty substantially reduced cost compared to the incumbents, and they also don't try to screw new customers who are under attack and need the situation resolved quickly. They get them back online first and then they talk turkey and contract later, which is sadly not how it works with some of these other companies. They also offer a really interesting network monitoring service. It's actually pretty clever the way they've done that: they trade access to their VPN service to people who are willing to run the network test agent on their personal mobile devices, and the end result is that Path has some pretty amazing visibility from a whole bunch of different places around the world. It's kind of a bit like the RIPE Atlas network visibility stuff but with a modern twist, the twist being those mobile devices are the thing being used; it's not a dedicated hardware appliance anymore. Path also offers security consulting too; they've found once they start doing business with new customers that's something they want from them. But yeah, Marshall Webb joined me to talk about Path Networks, and I started by asking him to explain what XDP actually is. Here is what he had to say.

Yes, so XDP, express data path, XDP is basically a new technology to be adopted by the Linux
community and embedded in the new modern Linux kernel. What XDP allows us to do is push custom rules and filters directly to SmartNICs, and different vendors who support SmartNIC technology, such as Mellanox, we leverage these commodity network cards on our mitigation devices and then leverage them to push our different rules and filters directly onto the network cards that we use in our devices. So that definitely greatly expedites the way that we're able to filter different DDoS attacks out; we're able to do closer to line rate on our network cards, which is important as most of our network is based around 100 gigabit Ethernet, so having those fast speeds is very important to us, now every second counts when we're trying to mitigate an attack.

And eBPF is, I mean, it's not quite the same thing, but it's something else, it's another technology that allows you to optimize for DDoS mitigation, right?

Exactly, exactly. BPF, Berkeley Packet Filter, is a fairly older technology. I mean, everyone who's ever used iptables has interacted with it in some way. What Berkeley Packet Filters have always allowed us to do is write the rules that we'd like to use to protect against an attacker, but what eBPF has done is it's provided a very easy pipeline to work with XDP, and as stated before, we push those rules directly onto the silicon in another way, so that we don't have to abstract that still.

You've got a blog post on this stuff that you wrote up in April and there's a line I really like, which is you feel sometimes like you're cutting yourself on the bleeding edge, which, you know, I've known other people in that sort of situation before, because OK, these technologies exist, that's great, but getting them to work in a reliable way, there's a little bit of expertise involved there.
Yeah, absolutely, absolutely. So a lot of what we ran into, you know, with this technology coming out, with something new, you know, there is a litany of other technologies that kind of paved the way, things like PF_RING, netmap; over time we had DPDK, but fortunately we kind of, you know, we put our money on the winning horse, and fortunately XDP kind of pulled away and became the standard. So now that's been adopted by, you know, by the Linux kernel. It's definitely got greatly enhanced support, and it's made it much, much easier for me to work with in terms of commodity gear. So yes, what we kind of refer to there is the lack of any sort of existing applications, you know, prior art that we can refer to. You know, there's a lot of code online, obviously, but with something as new as this it's hard to pull in information that you might see for something that's a little bit older, and as a result we kind of had to travel a little bit in that aspect. You know, the value of all the equipment, you know, obviously buying commodity gear definitely helps us out in terms of margin. A lot of the effort was expended around getting the code base together, working through bugs or issues with the somewhat nascent, you know, XDP code base, and then putting all that together into the solution. So that's kind of what we refer to when we say that. And then obviously, you know, there's other technologies that kind of play a role in our stack that we've had to fight with; the maintainers of the sFlow codec that's used by, OK, OK, we maintain that code base now; we were actually given ownership of it just due to all the various patches that we did to kind of bring it up to speed.

So if someone comes along and starts submitting patches and maintaining it, it's like, hey, do you want this to be yours? That makes sense, right?

Yeah, so it allows us to give back a little bit, you know, we're glad we were able to contribute and help,
you know, help everyone else at the same time.

So that makes a lot of sense. So look, at the end of the day, right, what this means is that you've effectively figured out how to use these open source technologies, this open source software, to engineer DDoS equipment that runs on commodity hardware. I mean, the tl;dr is, that's one big part of what Path does, right?

Exactly, that's correct, yeah.

So you've got customers, I believe you've got some ISPs and hosting companies using the stuff. One of your public customers is Cable Bahamas, which makes sense because those island nations are particularly vulnerable to DDoS stuff. So how do you deploy to your customers? Is it something where, you know, you're upstream from them and their providers, is that where your gear is installed? Are you doing this as cloud based filtering, is it always on, is it just configured in a failover mode? Like, how are you actually taking this to market?

Yes, great question. So the answer to that question is, the biggest way that we deploy this is typically an on demand type solution. So obviously DDoS comes in a few flavors in terms of solutions: you've got always-on, you've got on demand, and then there's, you know, some sort of hybrid solution that does both. So in our case, what we see most clients tend to prefer, especially those in the hosting or ISP space, latency is always going to be very important, so we try to keep it in an on demand solution. So the way that works, they'll typically configure their edge network to export flows to us, typically sampled flows, either sFlow or NetFlow with the sampling on, but we're pretty agnostic in terms of what we can ingest, IPv
6 as well is taken, and then based on the flow data that we get, we analyze it, store it, and build history on it, and then if we detect anomalies, we know that's when we need to do an advertisement cutover. So at that point we'll send a community string and then trigger policy-based routing to make sure that they announce those prefixes over to us, and at that time we'll start to scrub and then kick clean traffic back. Typically we'll do this over GRE tunnels.

Yeah. Is it physical interconnection, or a circuit? Now, for a company that I'm guessing most listeners haven't heard of, like, you've got a lot of gigabits. What's the capacity that you've actually got? Because it's a lot.

Yeah, so our current edge network capacity is touching a terabit per second when you take into account the Internet exchange ports and stuff that we have. So we're currently at Equinix LA1, Equinix NY9, and Equinix AM7 in Amsterdam, so we have three points of presence currently, and we partner with NTT and [inaudible].

Now look, I know one of the strategies going to market with this is to say, look, we're using commodity hardware, we're using open source technology. This isn't like an Arbor Networks situation where we've got a lot of iron and R&D costs to recoup from, you know, things like specialist silicon or whatever like that. That's the old game, this is the new game. So one of the, you know, the big marketing points from you is that, like, you're actually cheap, right? And in addition to that you don't gouge and have special pricing for people who are currently under attack, right, which is something that various upstream companies have been known to do from time to time.

Exactly, exactly. Our goal is to keep people online, sort things out, and then we'll get to that point later. So we're trying to build a brand around that, and we definitely have a much better margin in terms of how we've built our stack and just have a modern stack.
We came in at a pretty good time in terms of technology: you know, 100 gig Ethernet has become affordable, and then the commoditisation of smart NICs, and we've been able to kind of use this to really cut down what the costs traditionally are in the space.

Do you typically sign people up on, like, a rolling standby contract? Is that how that works?

We still do long-term contracts, one- through three-year contracts, but we're much more flexible. If somebody is immediately getting attacked, we'll usually onboard them and work out a contract later. The main goal is just to help people get through the immediate attacks.

So you'll do it without trying to get a contract signed first?

Exactly, exactly, yeah.

So look, this isn't the only thing that you do, right? There is also the network monitoring stuff, and I think this is really cool, 'cause you've actually managed to build up a pretty decent network of clients out there that can run tests for you, so you've got a pretty decent analytics business by the sounds of it.

Yeah, exactly. So we have both passive and active analytics. The passive provides more context; the passive is flow based, so it's just, you know, remote inspection of networks, where the customer configures devices to send that over to us. But then the other piece is the active analytics, and the active analytics is interesting because we've basically taken something similar to RIPE Atlas. RIPE Atlas had a hardware probe that you could deploy at your place of business or in your home, and that got you participation in the network; you could poll the data. We took that similar model and tweaked it: we've built a software agent that runs on mobile phones.
So as people walk around, or travel for their day-to-day business, well connected, hopping on different networks, as a result we glean insight from all these probes: ICMP probes, pings, traceroutes, even layer seven health checks from the device. Because of the geographic dispersion, this constitutes a pretty good insight into how you're seen from certain vantage points. So what this allows us to do is basically, in a portrait of your routing, we can monitor propagation, and on the SLA enforcement side, measure latency or packet loss on different interfaces that they may be peered up with, and in doing so from all these different locations we can really get a good picture of when anomalies take place. This is very valuable if you're doing anycast or if you're a multi-homed network, which most tend to be now that things have scaled up, and that's pretty important. So having something that can keep up with the way networks are going is kind of where we're at. Obviously, as a mitigation company, we kind of built this because we wanted to have better insight into how we could measure the mitigation that we have, looking for routing imbalances and other things like that, and this was the best way we could figure out how to do it. Then once it was built, we decided to go to market with it, and we've had a lot of interest in it.

All right, Marshall Webb, I guess what do you want the listeners to do here? I guess you're most interested in hearing from people who are hosting, who are running telcos; that seems to be the core group of customers there. I'm guessing you want to hear from them.
I think the biggest thing that we want to see is just, if they have any desire to, you know, improve the analytics that they can see within their network, or if they have any issues with DDoS attacks or need mitigation, or if they're looking at that big Arbor contract and trying to make a decision, then I would hope that they would put us into consideration and see if we could help them out, or at least give them another option.

All right, so people can find more information on Path Networks at path.net. I'm going to drop a couple of links into the show notes for this podcast, including to that blog post about eBPF and XDP. But Marshall Webb, it's been a pleasure to chat to you, my friend, and look, best of luck with it, because I think this business segment that you're playing in has got a little bit stale. So it's really great to see some people jumping in with a lot of obvious energy to try to shake things up a bit. I hope it goes well.

Thank you so much, Patrick.

That was Marshall Webb there from Path Networks, and you can find them at path.net, which is a killer domain name, I think. And yeah, I think this DDoS mitigation market is a market that has been due for a shakeup for quite a while, so it's immensely satisfying to see some moves in that direction. It's one thing for the technology that makes this easy to exist; it's another thing for a company like Path to actually go out there and start doing stuff with it and ironing out all of those bugs. So good job, Path. Up next is our third and final snake oiler for this edition, Respond Software. Now, we did a great Soap Box edition with Respond about a year ago where I explained the basic thinking behind their product.
I will link through to that in the show notes for this episode, and I'll just say that Respond came to Risky Biz by way of a referral from someone I know and respect who absolutely loves their software. But yeah, the whole idea is that Respond offers a decision engine that can replicate so much of the grunt work that takes place in a modern SOC. Anyone who runs a SOC knows how hard it is keeping up with alerts, and how much of that first-touch work is just mind-numbingly boring, and the sad thing is analysts often miss serious stuff and wind up chasing issues and wasting a bunch of time. So there are real efficiency problems there, so the team at Respond Software have developed a decision engine designed to replace those level-one SOC operators entirely. Now some people will be skeptical about that; they'll think, how can you trust a software agent? But my next guest, Respond VP Chris Miller, says that's kind of what's happening naturally: people buy Respond to augment their decision making and then they just go, okay look, it's clearly doing a good job, so we're just going to rely on that now. So that's kind of interesting. It's a very American way to put things, but they call it their customer trust journey. Anyway, here's what Chris had to say about what Respond customers are up to these days.

...the last time, monitoring in there, you know, they're sitting there not spending hours and hours a day looking at all the alerts; they're waiting for the Respond analyst to pop out alerts. And it's been very significant for us to see this change as customers are essentially on a trust journey with us, because as you move away from human analysts in the human role, there is obviously going to be skepticism around that for most everybody, whether it's in the security industry or any industry that we're in. So as we see that change happening, it's getting really exciting for us, and I think for our customers.
There's a few different approaches to that problem of trying to get SOC operators away from doing dumb stuff all the time, and this is one of them, and by the sounds of things it's quite effective. And I also believe, with something like Respond, what was the statistic that we used in the last recording we did with you? Two billion events got crunched down to three hundred and fifty alerts, right? So that's an excellent start. It seems to me that everything that you're going to be flagging is going to be real, so maybe you don't even have to make the claim that it's comprehensive and flagging everything, because at least you know whatever it does flag is real, and that's a good starting point. Is that kind of the way customers look at this? Is that how they make the trust leap?

Yeah, I believe so, because they're not giving up on their SIEMs, right? They're not throwing their SIEMs out, or whatever else they were using up to this point. So it's not this sort of rip-and-replace; it's actually a sort of a better-together story. How do you bring in additional technology that has great detection logic that none of the other tech is doing, a new approach to it? So it's additive in this case, and so we're seeing customers bring it in that way, and then eventually, as the trust builds, they are able to start to make some tougher decisions that they might not have chosen up front. A tough decision might be moving away from their MSSP and relying on the Respond analyst to do that monitoring piece. Not the security device management that MSSPs provide, you know, that's a great service that they offer, but the monitoring piece, where they can offload it to the analyst. That's a pretty dramatic change for a customer, and we're seeing those kinds of things, but only over time.
It's definitely sort of an additive approach up front.

I think the MSSP people listening to this will probably not like me saying this, but that type of service, log monitoring MSSP, has kind of been a compliance checkbox for a long time, and no one's really expected to get any value out of it. I mean, you know the famous case of the Target hack, where there was a SOC person who actually flagged that out of some FireEye kit, and then no one kind of took it seriously because it was lost in a deluge of other alerts. I mean, that's really the problem you're trying to solve here.

Yeah, we would love to see MSSPs take our technology. We think anyone who's doing tier-one SOC level analysis should be automating, and now these tools are starting to be available, and they should leverage them. What the MSSPs could do is offload that, even in their own operation, and then focus on that higher-value service for their customers, whether that's threat hunting, people are looking for managed threat hunting type services, deeper investigation, IR services to help them through a breach when breaches are occurring. Those are the things that MSSPs could be transitioning to while they're taking that responsibility of tier-one monitoring off their plate, because what it often results in, and this is the complaint you'll hear from customers most often, is many, many false positives, which results in customers spending hours and hours trying to run them down, only to find out that it wasn't anything to be concerned about.

The funniest description of that base-level SOC work, I forget who it was, but they were saying that sitting in front of the SIEM console is kind of like Tinder for malicious behaviour. No, yes, no, yes, yes.
That's kind of the workflow, and it's just a recipe for mistakes. So I'd imagine having something that gives you at least a priority list to work through first, before you start going through the manual process, might be a good place to start. Now, refresh my memory on how Respond is actually deployed. Is it deployed as a SIEM helper into Splunk, or do you actually take a feed of all of the logs into some on-prem equipment yourselves? What is the actual deployment model?

Yeah, we actually have multiple models for deploying the technology. Probably the most common one for us right now is there's an on-premise component called the Respond Analyst Server, and then there is the decision engine, our Respond Decision Engine, which is in the cloud. You would point your security technologies, your security devices, to send those alerts to the on-premise Analyst Server, and from there it talks to our decision engine in the cloud and brings back these decisions when we see something that's malicious and actionable; that's the decision criteria that we're trying to meet. That is the traditional way that we do it. We also offer the ability, instead of forwarding the events from the security devices themselves, to forward them from the SIEM.

Yeah, I was wondering, that was exactly what I was going to ask, if you could just scoop it out of the SIEM.

Absolutely, because if customers are already doing centralised collection and log management, wherever they're doing that, we'll take the feed from that, and so we've built integrations with all the SIEM products, the common ones, as well as data lake type solutions. Wherever you've got it, that's where we want to take it.
We can also do the solution in the full cloud, so you still have to send us the alerts, whether that's coming from your SIEM or from security devices, but we could have our Analyst Servers also in the cloud, and you can just do the full cloud approach as well. That's less common; customers tend to want to have that on-prem component where they have a little more control over that part of the infrastructure.

Yeah, makes sense. And I'd imagine the on-prem stuff is doing a lot of stuff like stripping out the relevant bits and shunting that up into the cloud, rather than the whole kit and caboodle. You do a little bit of sorting on-prem and then pump the interesting stuff to the cloud. Is that how it works?

We do some sorting on-prem, yeah. That's a great way to put it. Yes, we're extracting what we need to make a good decision, and that's not all the data. There are only certain aspects or fields of the security data that we're collecting that we're pulling out and sending.

So yes, yep, that makes a lot of sense. So last time I spoke to someone from Respond there were about ten commonly used technologies that could talk to Respond, and Respond would be able to analyse those logs. I believe really the last year for your company has been about just expanding the number and types of technologies that you're able to actually ingest, right?

Yeah, that is correct. You know, a lot of products out there, even in the same category; take IDS/IPS as a category. There's a dozen different vendors out there that everyone's using, so if you're going to appeal to the customer base, you have to have coverage there, and so a lot of the energy is going into building the connections to those products, the integrations for all of them across the different categories that we cover, and we've always...

Is there a particularly popular combination of solutions that customers tend to come to you with?
Can you say that Respond works particularly well when you're using technologies X, Y and Z?

It works with all the technologies that we have models built for. There are interesting examples, though. If you take a vendor like Palo Alto, that has the entire security stack in their own product, when we can connect into their full stack it makes it interesting for any customer.

That's a powerful shop you're signalling there.

Exactly, and Palo Alto has been doing very well. I mean, they're very prolific in the market, so for us it makes sense to make sure that we match with their coverage. So that might be one example.

Yeah. So what are some of the new vendors that you've moved to support in the last twelve months?

Well, the thing that we're working on probably the most, and this is not out yet, is on the EDR side, you know, getting the CrowdStrikes, for example, CrowdStrike, Carbon Black. EDR technology has gotten really popular; everybody's got it deployed. We're still seeing the need to put additional decision logic on top of these feeds to help customers prioritise and understand exactly what's malicious and actionable, so we've been spending a lot of time in that area as of late. The other thing that we've been doing is contextual sources, so being able to ingest DHCP. This is a great feature that we've added, so that as IP addresses are changing inside of an environment we keep track of those assets. This has proven to be pretty useful to our clients at this point. Vulnerability scan integration, being able to take vulnerability scan data in as a contextual source in order to make decisions, has been something that's also useful to us.

That's been one of the holy grails in security, being able to tune out exploitation attempts against stuff that's patched.
That's been something people have been trying to do for years, and it's surprisingly hard.

Yeah, you know, the other thing that's cool about vulnerability scan data is that we can infer things like asset criticality from the feed. If we see that there are server ports open, you can infer that that's a critical asset, a server running different services that are going to be of higher criticality than, let's say, a workstation. So you start to get those kinds of advantages when you get that type of feed.

That makes sense, that makes a lot of sense, actually. And it's funny, isn't it, that really what we're talking about with a lot of this security automation stuff is taking common-sense stuff and automating it. And you know, this is why I'm very proud of all of you for not trying to go the machine learning, artificial intelligence marketing route. It's much more about, oh yeah, okay, that box has ports open, it's on the network, and those ports correspond to, like, a SAP service; we probably want to escalate alerts targeting that machine a little bit more. I mean, it makes a lot of sense.

Yeah, and the way that we like to think about it is that it's probably not any one approach that's going to win; it's going to be a combination of approaches. Now, we do some analysis, and that's an aspect of it, but that's not the whole thing. We leverage Bayesian math; math is part of our model, conditional probabilities. We're leveraging different techniques, sort of the best fit for the problem, the best math for the problem. That's the approach that the industry needs to take. It's going to be a hybrid of sorts in order to get to these answers, because the problems are complex, and so you've got to use the right tool for the right problem.

Yeah, it's like, is this an attack?
Well, it depends. I'd imagine a lot of the engineering that's going into Respond would be really just thinking through those curly ones and wondering what context you need to actually make a call in a given scenario, and then figuring out how to automate that.

That's what we're trying to do, and what we're seeing happen is, if we can offload this task, what could you do with your time and your budget if you didn't have to spend it on level-one SOC analysis? We start to see how organisations can unlock that budget and apply it to other security projects, which essentially are things that are going to help reduce risk in an organisation, and this is where the promise really comes: when you've got that opportunity and you take advantage of it, you're able to see that kind of change, where you're investigating on average one or two or five alerts a day. I talk to any SOC and they would be so jealous if they had to look at, you know, five incidents that came out of the Respond analyst versus the thousand that they normally have to look at on a daily basis. It changes the game by orders of magnitude, and it's that kind of change that I think sort of transforms an industry.

I think, Chris, one of your best selling points there is that people might be a bit scared of it and say, well, what if we miss something because we're relying on an automated agent? It's like, well, you're missing stuff already; that's just reality, because just because it's in the console doesn't mean your level-one analysts are going to catch it.

Right, and in fact the way that our software works is that we analyse a security event.
We're looking at it from dozens of dimensions, asking dozens of questions that, if a human analyst had the time, the energy and the skill to ask, they would on every single alert. So our belief is that we can outperform the human analyst, and you should be asking the question the other way round: not so much how do you know Respond didn't miss something, but how do you know you're not missing something?

That's exactly right. I mean, with all of the technology that we feature in Snake Oilers, I've never used Respond Software, but it's the sort of thing that in these sort of conversations you have convinced me, at least, that if I were responsible for running a SOC, I would certainly be looking into it. Chris Roller, thank you very much for joining us to give us a bit of an update on where Respond is at, and I wish you the best of luck with it.

All right, thanks Patrick.

That was Chris Roller there of Respond Software. Big thanks to him for that. And yeah, Respond offers both live trials and historical trials, and they're free, so you can just get it to crunch historical logs and compare its output to the things you know were real during that period, or you can throw it in for a live trial and just have it running, and you can get a really good idea of what sort of outputs you're going to get out of it, and you have absolutely nothing to lose by at least taking a look. You can check them out at respond-software.com, so that's respond-software.com. And that is it for this edition of the Snake Oilers podcast. I do hope you enjoyed it, and yeah, I have enjoyed this, which is kind of not what I expected when I started doing these sponsored podcasts a couple of years ago. I mean, there was a part of me when I launched the series that felt like I was a massive sell-out, but God help me, I actually enjoy doing these.
I enjoy the conversations; ninety percent of the vendors who participate are really smart and super easy to deal with, so yeah, not what I expected when I started off doing this. We will be running a Soap Box edition next week for you, which is another fantastic podcast, chatting all about the latest line of YubiKeys and where they're going. That's super cool. Weeks from now will be
