1
00:00:00,000 --> 00:00:08,469
[Music]

2
00:00:00,500 --> 00:00:08,469
[Music]

3
00:00:11,400 --> 00:00:15,480
Good afternoon.

4
00:00:13,080 --> 00:00:19,560
Um, so I'm here to introduce you to

5
00:00:15,480 --> 00:00:21,539
Cameron Tubball, who's here to present on

6
00:00:19,560 --> 00:00:24,359
Unlocking the Power of Open Security

7
00:00:21,539 --> 00:00:25,980
Standards. Cameron has been working in

8
00:00:24,359 --> 00:00:28,320
the security and infrastructure space

9
00:00:25,980 --> 00:00:30,779
for several decades, with a current focus

10
00:00:28,320 --> 00:00:32,460
on security operations. In his spare

11
00:00:30,779 --> 00:00:34,440
time Cameron likes finding new and

12
00:00:32,460 --> 00:00:35,700
interesting ways of breaking things, and

13
00:00:34,440 --> 00:00:37,860
hopes to figure out how to put them

14
00:00:35,700 --> 00:00:39,600
together one day. In today's talk

15
00:00:37,860 --> 00:00:42,000
Cameron will discuss the options for

16
00:00:39,600 --> 00:00:44,340
open standards to allow different tools

17
00:00:42,000 --> 00:00:46,200
to work together, and how you can build a

18
00:00:44,340 --> 00:00:48,300
security defense strategy while

19
00:00:46,200 --> 00:00:50,899
minimizing vendor lock-in. Please welcome

20
00:00:48,300 --> 00:00:50,899
Cameron.

21
00:00:50,940 --> 00:00:54,899
Whoo.

22
00:00:52,920 --> 00:00:57,840
All right.

23
00:00:54,899 --> 00:00:59,699
Ah, good afternoon.

24
00:00:57,840 --> 00:01:01,800
Um, I'm just going to start with a quick

25
00:00:59,699 --> 00:01:04,260
disclaimer. It's very hard to talk about

26
00:01:01,800 --> 00:01:05,700
this topic without mentioning vendors. I

27
00:01:04,260 --> 00:01:07,140
don't want any conversation about

28
00:01:05,700 --> 00:01:09,720
vendors, I don't want you to take as an

29
00:01:07,140 --> 00:01:11,700
endorsement or otherwise of a particular

30
00:01:09,720 --> 00:01:13,380
vendor, but we will talk about a few of

31
00:01:11,700 --> 00:01:15,380
them.

32
00:01:13,380 --> 00:01:15,380
Um.

33
00:01:15,479 --> 00:01:19,860
First I want to talk a little bit about

34
00:01:17,220 --> 00:01:20,820
what the problem is with security, uh,

35
00:01:19,860 --> 00:01:22,080
currently,

36
00:01:20,820 --> 00:01:23,460
and for that we're going to talk a

37
00:01:22,080 --> 00:01:25,740
little bit about where we've come from

38
00:01:23,460 --> 00:01:28,140
in security.

39
00:01:25,740 --> 00:01:31,320
It used to be that we worried about

40
00:01:28,140 --> 00:01:34,439
things like ID and authentication, and

41
00:01:31,320 --> 00:01:36,079
users having the correct password, that

42
00:01:34,439 --> 00:01:37,799
kind of thing.

43
00:01:36,079 --> 00:01:40,560
Networking: we used to worry about

44
00:01:37,799 --> 00:01:44,100
networking as a security perimeter, so we

45
00:01:40,560 --> 00:01:46,200
would have trusted networks and DMZs, and

46
00:01:44,100 --> 00:01:48,439
we'd worry about the perimeter security

47
00:01:46,200 --> 00:01:50,520
on a network.

48
00:01:48,439 --> 00:01:52,220
Systems: we're always worried about

49
00:01:50,520 --> 00:01:56,040
system patching levels,

50
00:01:52,220 --> 00:01:58,280
whether there are bugs, zero days, that kind

51
00:01:56,040 --> 00:02:01,320
of thing in our systems,

52
00:01:58,280 --> 00:02:04,680
and the code of our applications.

53
00:02:01,320 --> 00:02:06,659
We worry about things like are we

54
00:02:04,680 --> 00:02:07,920
introducing bugs, are we sanitizing

55
00:02:06,659 --> 00:02:09,899
inputs,

56
00:02:07,920 --> 00:02:11,819
you know, buffer overflows, all the good

57
00:02:09,899 --> 00:02:14,940
stuff.

58
00:02:11,819 --> 00:02:17,400
And then we realized that it turns out

59
00:02:14,940 --> 00:02:20,220
the endpoint devices that people are

60
00:02:17,400 --> 00:02:22,020
using are also a problem, so we need to start

61
00:02:20,220 --> 00:02:24,000
worrying about protecting the laptops

62
00:02:22,020 --> 00:02:25,560
and not just the systems those laptops

63
00:02:24,000 --> 00:02:26,760
are connecting to,

64
00:02:25,560 --> 00:02:29,239
and we have to worry about mobile

65
00:02:26,760 --> 00:02:29,239
devices.

66
00:02:29,340 --> 00:02:34,140
And then we have to worry about people.

67
00:02:32,040 --> 00:02:37,379
Um, social engineering, obviously a big

68
00:02:34,140 --> 00:02:39,599
problem. Uh, even things like malicious

69
00:02:37,379 --> 00:02:41,340
employees has become more and more of a

70
00:02:39,599 --> 00:02:43,379
prevalent thing that we're seeing. We

71
00:02:41,340 --> 00:02:45,180
worry about separation of duties, and we

72
00:02:43,379 --> 00:02:48,200
worry about, more importantly, protecting

73
00:02:45,180 --> 00:02:48,200
the people that we work with.

74
00:02:48,360 --> 00:02:52,739
And this is a long, long way of saying

75
00:02:50,160 --> 00:02:53,879
that the things that security operations

76
00:02:52,739 --> 00:02:55,980
look at

77
00:02:53,879 --> 00:02:57,480
become enormous. There are more and more

78
00:02:55,980 --> 00:02:59,760
things that they are worried about,

79
00:02:57,480 --> 00:03:01,680
everything from the physical security of

80
00:02:59,760 --> 00:03:04,620
a building and people all the way

81
00:03:01,680 --> 00:03:06,840
through to cloud environments.

82
00:03:04,620 --> 00:03:09,360
And in fact

83
00:03:06,840 --> 00:03:11,519
we have all these platforms, and it's

84
00:03:09,360 --> 00:03:12,659
just a much wider space that we worry

85
00:03:11,519 --> 00:03:15,480
about.

86
00:03:12,659 --> 00:03:19,379
And so what this has led to is

87
00:03:15,480 --> 00:03:21,720
the tooling space that security uses. You

88
00:03:19,379 --> 00:03:24,480
can't just rely on one vendor anymore.

89
00:03:21,720 --> 00:03:25,620
So you used to go all in on Cisco and

90
00:03:24,480 --> 00:03:26,599
you'd rely on them for your network

91
00:03:25,620 --> 00:03:30,300
security,

92
00:03:26,599 --> 00:03:32,580
or all in on one cloud provider and rely on

93
00:03:30,300 --> 00:03:34,260
them for your network security,

94
00:03:32,580 --> 00:03:37,640
but
then once you start adding things

95
00:03:34,260 --> 00:03:41,400
like the endpoints, mobile devices,

96
00:03:37,640 --> 00:03:42,720
uh, there's multiple cloud providers. I

97
00:03:41,400 --> 00:03:46,080
was at a conference where they did a

98
00:03:42,720 --> 00:03:48,299
survey recently, and 98% of people there

99
00:03:46,080 --> 00:03:51,060
were on multiple cloud providers,

100
00:03:48,299 --> 00:03:53,519
and that's pretty standard now. So you're

101
00:03:51,060 --> 00:03:56,159
worried about multiple cloud providers,

102
00:03:53,519 --> 00:03:57,720
uh, definitely endpoints. A lot of

103
00:03:56,159 --> 00:03:59,879
security vulnerabilities that we've seen

104
00:03:57,720 --> 00:04:03,060
in the last 12 months have been from

105
00:03:59,879 --> 00:04:06,120
developers' laptops being compromised.

106
00:04:03,060 --> 00:04:07,799
Uh, and then you worry about environments.

107
00:04:06,120 --> 00:04:10,379
A lot of organizations traditionally

108
00:04:07,799 --> 00:04:12,000
have protected production,

109
00:04:10,379 --> 00:04:12,980
but it turns out if somebody's looking

110
00:04:12,000 --> 00:04:15,720
to

111
00:04:12,980 --> 00:04:17,699
launch a Bitcoin miner, although that

112
00:04:15,720 --> 00:04:19,260
happens less now, they don't care if it

113
00:04:17,699 --> 00:04:21,320
runs in your dev environment,

114
00:04:19,260 --> 00:04:24,419
but you will when you get the AWS bill

115
00:04:21,320 --> 00:04:27,479
at the end of the month.

116
00:04:24,419 --> 00:04:30,180
And so we worry about all these things,

117
00:04:27,479 --> 00:04:33,560
and it comes back to: there's a lot of

118
00:04:30,180 --> 00:04:33,560
different tools for different things.

119
00:04:34,139 --> 00:04:37,860
It also means that a lot of the

120
00:04:35,820 --> 00:04:41,040
traditional security methods that I

121
00:04:37,860 --> 00:04:42,479
touched on, like border security, identity

122
00:04:41,040 --> 00:04:44,759
security,

123
00:04:42,479 --> 00:04:48,240
we can't trust them anymore,

124
00:04:44,759 --> 00:04:49,680
because it turns out your border stops

125
00:04:48,240 --> 00:04:51,479
existing, especially now people work

126
00:04:49,680 --> 00:04:53,400
remotely. You can't rely on everyone

127
00:04:51,479 --> 00:04:55,080
being in an internal office network and

128
00:04:53,400 --> 00:04:58,080
protecting that.

129
00:04:55,080 --> 00:05:00,419
And so we've moved towards using what we

130
00:04:58,080 --> 00:05:04,080
call zero trust principles,

131
00:05:00,419 --> 00:05:05,880
and so these are the following three.

132
00:05:04,080 --> 00:05:07,259
This is Microsoft's definition, but they

133
00:05:05,880 --> 00:05:09,660
all work around this.

134
00:05:07,259 --> 00:05:12,840
Number one is verify explicitly.

135
00:05:09,660 --> 00:05:15,360
Just because a user has authenticated

136
00:05:12,840 --> 00:05:17,940
doesn't mean we can trust that user. We

137
00:05:15,360 --> 00:05:21,060
have to verify every interaction and

138
00:05:17,940 --> 00:05:24,539
that they're authorized to do it.

139
00:05:21,060 --> 00:05:27,960
Uh, least privilege access. We don't just

140
00:05:24,539 --> 00:05:31,680
give root to anyone anymore, hopefully. Uh,

141
00:05:27,960 --> 00:05:34,080
we tailor access to what each user or

142
00:05:31,680 --> 00:05:36,900
each application needs.

143
00:05:34,080 --> 00:05:39,360
But more importantly is the last one,

144
00:05:36,900 --> 00:05:40,500
and that's assume breach, and that's the

145
00:05:39,360 --> 00:05:43,860
one I want you to sort of keep in mind

146
00:05:40,500 --> 00:05:47,220
from this slide, because odds are our

147
00:05:43,860 --> 00:05:49,020
systems are now so complex and so varied

148
00:05:47,220 --> 00:05:51,840
that we don't know we've been breached,

149
00:05:49,020 --> 00:05:53,400
and we see that time and time again with

150
00:05:51,840 --> 00:05:55,740
things like Optus and all the other

151
00:05:53,400 --> 00:05:59,100
major public breaches.

152
00:05:55,740 --> 00:06:02,039
They happened months ago, and

153
00:05:59,100 --> 00:06:04,880
companies don't realize at the time that

154
00:06:02,039 --> 00:06:04,880
they're being breached.

155
00:06:05,580 --> 00:06:09,840
And so that brings us to...

156
00:06:07,979 --> 00:06:12,660
Anyone who's worked in security has

157
00:06:09,840 --> 00:06:15,300
probably used a SIEM. SIEMs are sort

158
00:06:12,660 --> 00:06:18,240
of our aggregate of all the information

159
00:06:15,300 --> 00:06:20,580
we can pull from every system.

160
00:06:18,240 --> 00:06:22,680
Uh, there's argument about what SIEM stands

161
00:06:20,580 --> 00:06:24,780
for, uh, it's either security information

162
00:06:22,680 --> 00:06:26,759
or incident event management,

163
00:06:24,780 --> 00:06:29,220
and what it traditionally has been is

164
00:06:26,759 --> 00:06:33,020
every log that we can get,

165
00:06:29,220 --> 00:06:35,460
or every bit of information or security

166
00:06:33,020 --> 00:06:38,100
event that we can pull from every device.

167
00:06:35,460 --> 00:06:39,600
You pull it into a SIEM and then you do

168
00:06:38,100 --> 00:06:41,039
analysis

169
00:06:39,600 --> 00:06:43,560
in place,

170
00:06:41,039 --> 00:06:45,660
so it correlates all the systems, and

171
00:06:43,560 --> 00:06:48,360
then you try and do detection for

172
00:06:45,660 --> 00:06:51,139
anomalies and try to determine when

173
00:06:48,360 --> 00:06:51,139
you've been breached.

174
00:06:51,180 --> 00:06:56,100
The trouble is,

175
00:06:53,639 --> 00:06:58,500
we've talked about how everything is so

176
00:06:56,100 --> 00:07:00,419
vast and you have to protect so much now,

177
00:06:58,500 --> 00:07:03,180
there's no standard.

178
00:07:00,419 --> 00:07:05,100
So you've got Apache logs, you've got

179
00:07:03,180 --> 00:07:07,199
Windows events,

180
00:07:05,100 --> 00:07:09,300
and you are doing a lot of

181
00:07:07,199 --> 00:07:10,560
manipulation of this data to try and

182
00:07:09,300 --> 00:07:13,500
correlate,

183
00:07:10,560 --> 00:07:15,479
because when you're
trying to detect an

184
00:07:13,500 --> 00:07:17,819
intruder into your system, you're trying

185
00:07:15,479 --> 00:07:19,860
to trace their jump from system to

186
00:07:17,819 --> 00:07:21,720
system, and none of these systems talk

187
00:07:19,860 --> 00:07:23,400
the same language.

188
00:07:21,720 --> 00:07:25,680
So

189
00:07:23,400 --> 00:07:27,300
you end up doing a lot of translation on

190
00:07:25,680 --> 00:07:30,500
different security events and security

191
00:07:27,300 --> 00:07:30,500
information that you pull in.

192
00:07:31,860 --> 00:07:34,680
And so

193
00:07:33,000 --> 00:07:36,840
it'd be nice if we had a standard for

194
00:07:34,680 --> 00:07:39,720
this, right? It'd be nice if we could go,

195
00:07:36,840 --> 00:07:41,099
all the security information comes in in

196
00:07:39,720 --> 00:07:43,740
one standard and we can do that

197
00:07:41,099 --> 00:07:45,300
correlation across systems.

198
00:07:43,740 --> 00:07:48,419
Uh,

199
00:07:45,300 --> 00:07:50,280
unfortunately we don't have that,

200
00:07:48,419 --> 00:07:52,139
and so there's been many attempts for

201
00:07:50,280 --> 00:07:54,060
this.

202
00:07:52,139 --> 00:07:55,919
Um, these are some of the standards, and

203
00:07:54,060 --> 00:07:58,080
I've been looking at all of those,

204
00:07:55,919 --> 00:08:00,479
but what is missing with all of these

205
00:07:58,080 --> 00:08:03,539
standards is that none have seen wide

206
00:08:00,479 --> 00:08:05,759
adoption. So you'll find a vendor that

207
00:08:03,539 --> 00:08:08,160
does one part of your security,

208
00:08:05,759 --> 00:08:10,020
in your security portfolio, and

209
00:08:08,160 --> 00:08:12,060
they'll support one of these standards,

210
00:08:10,020 --> 00:08:13,319
but it doesn't help because all of your

211
00:08:12,060 --> 00:08:14,819
other tools

212
00:08:13,319 --> 00:08:17,220
aren't reporting, so you're still doing

213
00:08:14,819 --> 00:08:19,819
that data manipulation to get it into

214
00:08:17,220 --> 00:08:19,819
that standard.

215
00:08:20,819 --> 00:08:25,979
And then last year

216
00:08:23,220 --> 00:08:27,919
this came along.

217
00:08:25,979 --> 00:08:31,080
So this is the Open Cybersecurity

218
00:08:27,919 --> 00:08:33,539
Schema Framework, and it's designed to

219
00:08:31,080 --> 00:08:36,959
solve this problem.

220
00:08:33,539 --> 00:08:37,860
Um, it is basically a JSON format, but

221
00:08:36,959 --> 00:08:39,659
it's...

222
00:08:37,860 --> 00:08:42,000
we'll describe it in a sec.

223
00:08:39,659 --> 00:08:44,339
Um, it's designed to provide standard

224
00:08:42,000 --> 00:08:45,899
information from all your systems so

225
00:08:44,339 --> 00:08:48,120
that you can

226
00:08:45,899 --> 00:08:50,100
bring them together.

227
00:08:48,120 --> 00:08:53,279
So it was launched last year as a joint

228
00:08:50,100 --> 00:08:56,459
program by AWS and Splunk,

229
00:08:53,279 --> 00:08:59,100
however they do not run the project. It

230
00:08:56,459 --> 00:09:00,720
is an open governance project, it is run

231
00:08:59,100 --> 00:09:02,519
on GitHub,

232
00:09:00,720 --> 00:09:04,980
but what it does provide is a standard

233
00:09:02,519 --> 00:09:08,100
taxonomy for representing security

234
00:09:04,980 --> 00:09:11,060
events from all types of systems, and

235
00:09:08,100 --> 00:09:11,060
it's rapidly growing.

236
00:09:11,839 --> 00:09:16,440
And so as I said it was started by Splunk and

237
00:09:15,360 --> 00:09:18,480
AWS,

238
00:09:16,440 --> 00:09:20,040
which is a good start, they are two of

239
00:09:18,480 --> 00:09:21,720
the biggest companies working in this

240
00:09:20,040 --> 00:09:24,000
space,

241
00:09:21,720 --> 00:09:25,440
but they had a whole heap of very

242
00:09:24,000 --> 00:09:27,660
important partners

243
00:09:25,440 --> 00:09:30,240
sign on at the very start.

244
00:09:27,660 --> 00:09:33,000
And so I apologize for the giant slide

245
00:09:30,240 --> 00:09:34,800
of corporate logos, and this isn't even

246
00:09:33,000 --> 00:09:35,760
all the
companies that signed on at the

247
00:09:34,800 --> 00:09:38,100
start,

248
00:09:35,760 --> 00:09:40,880
and there are more joining and

249
00:09:38,100 --> 00:09:40,880
supporting this.

250
00:09:41,339 --> 00:09:45,720
It's important, I guess, just from this

251
00:09:43,019 --> 00:09:47,580
slide you understand this is a lot of

252
00:09:45,720 --> 00:09:48,839
the big players in the security tooling

253
00:09:47,580 --> 00:09:52,399
space

254
00:09:48,839 --> 00:09:52,399
who are backing this standard.

255
00:09:52,500 --> 00:09:56,100
So let's talk about

256
00:09:54,420 --> 00:09:58,200
OCSF.

257
00:09:56,100 --> 00:09:58,980
It's a very, very simple architecture to

258
00:09:58,200 --> 00:10:01,500
it.

259
00:09:58,980 --> 00:10:03,300
You have your security tools that

260
00:10:01,500 --> 00:10:05,580
produce events.

261
00:10:03,300 --> 00:10:08,519
Those events go into some kind of event

262
00:10:05,580 --> 00:10:10,440
storage. There is no standard or format

263
00:10:08,519 --> 00:10:11,760
around that event storage,

264
00:10:10,440 --> 00:10:15,500
and then you just have something to

265
00:10:11,760 --> 00:10:15,500
subscribe to that and process it.

266
00:10:17,339 --> 00:10:21,180
So,

267
00:10:18,540 --> 00:10:22,560
some examples. As I said, apologies, I've got

268
00:10:21,180 --> 00:10:25,680
to mention vendors here because it's

269
00:10:22,560 --> 00:10:26,880
important to where we're going. Uh, you

270
00:10:25,680 --> 00:10:29,580
have things like your cloud security

271
00:10:26,880 --> 00:10:31,680
posture management tools that tell you,

272
00:10:29,580 --> 00:10:34,440
you know, monitor your cloud environments

273
00:10:31,680 --> 00:10:37,260
for security problems. So you have Orca,

274
00:10:34,440 --> 00:10:39,720
and you have Palo Alto have a whole

275
00:10:37,260 --> 00:10:41,640
series of tools as well.

276
00:10:39,720 --> 00:10:45,120
Um, your endpoint detection and response,

277
00:10:41,640 --> 00:10:47,820
so that is your laptops, your mobiles and

278
00:10:45,120 --> 00:10:50,279
your servers, virtual or physical.

279
00:10:47,820 --> 00:10:52,260
You need all the information from those.

280
00:10:50,279 --> 00:10:53,660
CrowdStrike is probably the best example

281
00:10:52,260 --> 00:10:55,920
there.

282
00:10:53,660 --> 00:10:57,720
Platform providers.

283
00:10:55,920 --> 00:11:00,959
I'm going to mention AWS because I've

284
00:10:57,720 --> 00:11:04,079
done most of this work in AWS, but out of

285
00:11:00,959 --> 00:11:08,279
the box AWS supports those four things as

286
00:11:04,079 --> 00:11:11,399
OCSF standard, so you can get OCSF,

287
00:11:08,279 --> 00:11:13,579
uh, events from those four services right

288
00:11:11,399 --> 00:11:13,579
now.

289
00:11:15,240 --> 00:11:20,399
Event storage: there's really only one on

290
00:11:18,180 --> 00:11:23,579
the market at the moment, which is AWS,

291
00:11:20,399 --> 00:11:26,040
but as I said these are just JSON logs

292
00:11:23,579 --> 00:11:28,820
essentially, so you can actually store

293
00:11:26,040 --> 00:11:30,899
them any way you want.

294
00:11:28,820 --> 00:11:33,360
AWS have a built-in service called

295
00:11:30,899 --> 00:11:36,660
Security Lake, which is their normal data

296
00:11:33,360 --> 00:11:39,300
lake service, but it's optimized for,

297
00:11:36,660 --> 00:11:41,820
uh, OCSF events,

298
00:11:39,300 --> 00:11:44,519
and it's essentially backed by S3,

299
00:11:41,820 --> 00:11:46,980
and so all you're really paying for in

300
00:11:44,519 --> 00:11:48,720
most cases is just the S3 storage, that

301
00:11:46,980 --> 00:11:51,440
you can manage like you normally

302
00:11:48,720 --> 00:11:51,440
would for S3.

303
00:11:51,660 --> 00:11:57,660
And then you have subscribers,

304
00:11:54,480 --> 00:11:59,820
and so subscribers are things that will

305
00:11:57,660 --> 00:12:02,760
take these events in, and they understand

306
00:11:59,820 --> 00:12:04,019
the taxonomy of these events and they

307
00:12:02,760 --> 00:12:07,260
process them.

308
00:12:04,019 --> 00:12:09,420
So today the three commercial ones are

309
00:12:07,260 --> 00:12:11,000
Splunk, Datadog, Sumo Logic, they're the

310
00:12:09,420 --> 00:12:14,459
three main ones.

311
00:12:11,000 --> 00:12:16,560
If you use OpenSearch or Elasticsearch,

312
00:12:14,459 --> 00:12:19,640
there is OCSF

313
00:12:16,560 --> 00:12:19,640
support for that.

314
00:12:21,720 --> 00:12:25,320
So let's talk a little bit about

315
00:12:23,160 --> 00:12:27,320
what these events actually are,

316
00:12:25,320 --> 00:12:30,839
and under the hood they are just

317
00:12:27,320 --> 00:12:33,180
standards for representing in JSON.

318
00:12:30,839 --> 00:12:34,860
So you have your standard data types,

319
00:12:33,180 --> 00:12:37,560
which we'll cover in a sec.

320
00:12:34,860 --> 00:12:39,899
Uh, you have an attribute dictionary,

321
00:12:37,560 --> 00:12:41,339
and that's important because one

322
00:12:39,899 --> 00:12:44,040
of the problems you have when you're

323
00:12:41,339 --> 00:12:46,680
trying to correlate these events is that

324
00:12:44,040 --> 00:12:47,639
some systems will call an IP address an

325
00:12:46,680 --> 00:12:50,399
IP,

326
00:12:47,639 --> 00:12:53,880
some will call it IP underscore address,

327
00:12:50,399 --> 00:12:57,120
some will call it IP underscore addr, and

328
00:12:53,880 --> 00:12:58,860
so you end up having multiple names for

329
00:12:57,120 --> 00:12:59,940
just something like an IP address that

330
00:12:58,860 --> 00:13:03,000
you're trying to manage when you're

331
00:12:59,940 --> 00:13:06,120
trying to bring all this data together.

332
00:13:03,000 --> 00:13:07,380
You have event classes, which we'll

333
00:13:06,120 --> 00:13:08,760
definitely cover, which fit into

334
00:13:07,380 --> 00:13:11,160
categories,

335
00:13:08,760 --> 00:13:14,279
and then you can build profiles. So

336
00:13:11,160 --> 00:13:16,560
profiles are basically groups of event

337
00:13:14,279 --> 00:13:18,180
classes, and if you're familiar
with the

338
00:13:16,560 --> 00:13:20,579
MITRE framework, a lot of times they

339
00:13:18,180 --> 00:13:22,800
will map directly to MITRE,

340
00:13:20,579 --> 00:13:24,540
and you can do extensions, but that's not

341
00:13:22,800 --> 00:13:27,060
as popular.

342
00:13:24,540 --> 00:13:29,160
So for data types you have scalar data

343
00:13:27,060 --> 00:13:34,800
types, and they are exactly what you

344
00:13:29,160 --> 00:13:38,399
would expect: strings, floats, ints, booleans,

345
00:13:34,800 --> 00:13:40,680
standard stuff. Uh, but then we define on

346
00:13:38,399 --> 00:13:42,779
top of those things like timestamps,

347
00:13:40,680 --> 00:13:44,639
always a fun thing to try and manage

348
00:13:42,779 --> 00:13:46,980
when you're getting different formats

349
00:13:44,639 --> 00:13:48,779
from different places, uh, IP addresses

350
00:13:46,980 --> 00:13:51,600
like I said, and even things like

351
00:13:48,779 --> 00:13:53,760
usernames, so you can track user IDs from

352
00:13:51,600 --> 00:13:56,220
system to system using consistent naming

353
00:13:53,760 --> 00:13:57,060
in your schema.

354
00:13:56,220 --> 00:13:59,480
Um,

355
00:13:57,060 --> 00:14:02,160
then you have attributes.

356
00:13:59,480 --> 00:14:03,600
Attributes are unique, and they're the

357
00:14:02,160 --> 00:14:06,360
things that we define in the data

358
00:14:03,600 --> 00:14:08,399
dictionary or the attribute dictionary,

359
00:14:06,360 --> 00:14:11,480
and like all good type systems you can

360
00:14:08,399 --> 00:14:11,480
have arrays of these things.

361
00:14:11,899 --> 00:14:17,579
Categories. So the categories of events

362
00:14:14,700 --> 00:14:19,740
are system activities, so things that

363
00:14:17,579 --> 00:14:22,160
happen on what we traditionally consider

364
00:14:19,740 --> 00:14:25,680
as systems: routers,

365
00:14:22,160 --> 00:14:28,980
Linux servers, etc., Windows servers.

366
00:14:25,680 --> 00:14:31,620
Uh, findings are things that are reported

367
00:14:28,980 --> 00:14:33,180
by security tools. So again, out of your

368
00:14:31,620 --> 00:14:34,620
cloud security posture management tools,

369
00:14:33,180 --> 00:14:36,360
they'll generally go "this is

370
00:14:34,620 --> 00:14:37,760
misconfigured", that's reported as a

371
00:14:36,360 --> 00:14:41,519
finding.

372
00:14:37,760 --> 00:14:43,019
Audit activity is your authentication,

373
00:14:41,519 --> 00:14:45,899
authorization,

374
00:14:43,019 --> 00:14:47,519
failed login attempts, etc.

375
00:14:45,899 --> 00:14:50,579
Network activity:

376
00:14:47,519 --> 00:14:53,220
HTTP lookups, DNS lookups.

377
00:14:50,579 --> 00:14:55,199
And configuration inventory is literally

378
00:14:53,220 --> 00:14:57,839
just there's a new machine on the

379
00:14:55,199 --> 00:15:00,779
network, the config of that machine has

380
00:14:57,839 --> 00:15:02,760
changed, etc., etc.

381
00:15:00,779 --> 00:15:05,839
So let's break them down.

382
00:15:02,760 --> 00:15:09,779
Uh, examples of system activity.

383
00:15:05,839 --> 00:15:12,420
There are the defined event

384
00:15:09,779 --> 00:15:14,820
classes for everything right down to the

385
00:15:12,420 --> 00:15:16,620
kernel, so you can actually record kernel

386
00:15:14,820 --> 00:15:18,959
level activity,

387
00:15:16,620 --> 00:15:21,180
um, on Linux or Windows, there's examples

388
00:15:18,959 --> 00:15:22,639
for both, if that's the level you want to

389
00:15:21,180 --> 00:15:25,139
get to.

390
00:15:22,639 --> 00:15:29,880
There's also the Windows-specific ones

391
00:15:25,139 --> 00:15:31,800
on the bottom. Uh, yeah, we'll look at a

392
00:15:29,880 --> 00:15:34,199
Windows one because that's always a fun

393
00:15:31,800 --> 00:15:35,699
example. Uh, and this is really good if

394
00:15:34,199 --> 00:15:38,339
you're familiar with Windows events, and

395
00:15:35,699 --> 00:15:40,980
I can't imagine too many people here are.

396
00:15:38,339 --> 00:15:43,920
Um, Windows Server has one good thing

397
00:15:40,980 --> 00:15:46,980
going
for it, it's very, very good eventing,

398
00:15:43,920 --> 00:15:49,980
but not so good at naming the events.

399
00:15:46,980 --> 00:15:51,240
And so here you can see, so these are the

400
00:15:49,980 --> 00:15:54,240
things that are in the standard

401
00:15:51,240 --> 00:15:56,100
dictionary for OCSF and how they map to

402
00:15:54,240 --> 00:15:58,860
things from a Windows event,

403
00:15:56,100 --> 00:16:01,860
and you can probably fairly easily

404
00:15:58,860 --> 00:16:04,019
imagine how things from a Linux system

405
00:16:01,860 --> 00:16:05,579
or any other application that you're

406
00:16:04,019 --> 00:16:08,000
building would match to these kind of

407
00:16:05,579 --> 00:16:08,000
events.

408
00:16:09,300 --> 00:16:13,139
Security findings, fairly

409
00:16:11,220 --> 00:16:15,139
self-explanatory.

410
00:16:13,139 --> 00:16:15,139
Um.

411
00:16:16,440 --> 00:16:21,120
Audit activity. So this is what I was

412
00:16:18,420 --> 00:16:23,820
talking about before, so these are when

413
00:16:21,120 --> 00:16:25,680
you create a user, a user logs in, a user

414
00:16:23,820 --> 00:16:26,880
fails to log in,

415
00:16:25,680 --> 00:16:30,420
um, when you've got somebody

416
00:16:26,880 --> 00:16:31,800
authenticating to an API or using an API.

417
00:16:30,420 --> 00:16:33,060
These are the kind of things that,

418
00:16:31,800 --> 00:16:35,600
generally, from the security point of

419
00:16:33,060 --> 00:16:35,600
view, you care about.

420
00:16:36,600 --> 00:16:41,160
So here's a good example. Uh, this is

421
00:16:39,180 --> 00:16:44,459
again, I'm drawing from Windows because

422
00:16:41,160 --> 00:16:46,019
they're eventful, that's handy. Uh, this is

423
00:16:44,459 --> 00:16:48,060
a failed login,

424
00:16:46,019 --> 00:16:50,940
and again you can generally get a good

425
00:16:48,060 --> 00:16:54,000
idea of the naming,

426
00:16:50,940 --> 00:16:56,699
and hopefully you can get an idea of how

427
00:16:54,000 --> 00:16:58,320
the naming on the left provides a more

428
00:16:56,699 --> 00:17:01,639
consistent

429
00:16:58,320 --> 00:17:01,639
pattern for events.

430
00:17:02,339 --> 00:17:05,579
Uh,

431
00:17:03,660 --> 00:17:07,559
examples of network activity that

432
00:17:05,579 --> 00:17:10,919
currently exist.

433
00:17:07,559 --> 00:17:14,360
Uh, standard stuff: DHCP lookups, remote

434
00:17:10,919 --> 00:17:14,360
desktop connections, SSH.

435
00:17:14,819 --> 00:17:19,679
Um, here's an example. This is not the full

436
00:17:17,100 --> 00:17:22,020
listing of what you get in the VPC flow

437
00:17:19,679 --> 00:17:25,140
log from AWS, but again it's a good

438
00:17:22,020 --> 00:17:27,839
example of how AWS is different to Microsoft,

439
00:17:25,140 --> 00:17:30,419
in that they're very non-descriptive in

440
00:17:27,839 --> 00:17:35,059
their eventing. Uh, and so again you can

441
00:17:30,419 --> 00:17:35,059
see it maps directly into OCSF.

442
00:17:37,080 --> 00:17:41,820
Another one, so this is a Route 53

443
00:17:39,660 --> 00:17:44,100
resolver, or a DNS lookup,

444
00:17:41,820 --> 00:17:46,460
and again you can see

445
00:17:44,100 --> 00:17:49,679
it's all very standard stuff,

446
00:17:46,460 --> 00:17:52,679
but still useful. Hopefully you can see

447
00:17:49,679 --> 00:17:54,120
the use of OCSF, and the naming being a

448
00:17:52,679 --> 00:17:59,360
little more

449
00:17:54,120 --> 00:17:59,360
flexible than the standard AWS naming.

450
00:17:59,820 --> 00:18:05,179
And then lastly,

451
00:18:01,260 --> 00:18:05,179
configuration or inventory changes.

452
00:18:06,600 --> 00:18:11,820
So the question becomes why, why do we

453
00:18:10,320 --> 00:18:14,039
care about this?

454
00:18:11,820 --> 00:18:15,960
What are we, why are we worried about

455
00:18:14,039 --> 00:18:17,880
keeping these things?

456
00:18:15,960 --> 00:18:21,660
And you can't talk about standards

457
00:18:17,880 --> 00:18:22,980
without bringing up this XKCD

458
00:18:21,660 --> 00:18:24,059
cartoon,

459
00:18:22,980 --> 00:18:26,100
um,

460
00:18:24,059 --> 00:18:28,799
because it's hilarious, because we've all

461
00:18:26,100 --> 00:18:30,539
seen it, but it's a real tale, right? If

462
00:18:28,799 --> 00:18:32,460
we've got all these standards, and I

463
00:18:30,539 --> 00:18:34,860
said at the start they don't really work

464
00:18:32,460 --> 00:18:36,240
because nobody's adopted them,

465
00:18:34,860 --> 00:18:38,220
why is this one going to be different?

466
00:18:36,240 --> 00:18:40,820
Why is this not going to just be a

467
00:18:38,220 --> 00:18:40,820
different standard?

468
00:18:40,860 --> 00:18:46,140
And for that we need to sort of take

469
00:18:44,280 --> 00:18:48,360
a left turn into one of my favorite

470
00:18:46,140 --> 00:18:50,700
projects, which is OpenTelemetry. Who

471
00:18:48,360 --> 00:18:53,280
here has used OpenTelemetry,

472
00:18:50,700 --> 00:18:55,380
besides David,

473
00:18:53,280 --> 00:18:58,380
who gets very excited about it?

474
00:18:55,380 --> 00:19:00,179
OpenTelemetry has sort of come out of

475
00:18:58,380 --> 00:19:01,740
nowhere, and because of the timing and

476
00:19:00,179 --> 00:19:04,620
because of the space,

477
00:19:01,740 --> 00:19:06,240
it's become sort of the de facto

478
00:19:04,620 --> 00:19:07,620
standard for all kinds of telemetry and

479
00:19:06,240 --> 00:19:10,140
logging now.

480
00:19:07,620 --> 00:19:11,900
And so you look at a lot of the

481
00:19:10,140 --> 00:19:14,520
vendors that I was referring to before

482
00:19:11,900 --> 00:19:15,960
that are in the observability space,

483
00:19:14,520 --> 00:19:16,980
and they're all standardized around

484
00:19:15,960 --> 00:19:19,380
this.

485
00:19:16,980 --> 00:19:21,720
You look at pretty much any language or

486
00:19:19,380 --> 00:19:22,520
platform you're using and it supports

487
00:19:21,720 --> 00:19:25,860
this:

488
00:19:22,520 --> 00:19:28,140
.NET, Java, PHP,

489
00:19:25,860 --> 00:19:30,980
Python, everything has support for

490
00:19:28,140 --> 00:19:30,980
OpenTelemetry now.

491
00:19:31,200 --> 00:19:36,900
Um, and the reasons for that are:

492
00:19:33,600 --> 00:19:39,419
it is vendor agnostic. OpenTelemetry is

493
00:19:36,900 --> 00:19:41,580
not supported by a single vendor,

494
00:19:39,419 --> 00:19:43,559
it's supported by every vendor now,

495
00:19:41,580 --> 00:19:46,080
because it's an open standard.

496
00:19:43,559 --> 00:19:48,539
And as I said it's platform agnostic, you

497
00:19:46,080 --> 00:19:51,720
can use it on every platform.

498
00:19:48,539 --> 00:19:53,640
And the fact that it's well supported is

499
00:19:51,720 --> 00:19:56,340
because we've kind of hit that point

500
00:19:53,640 --> 00:19:58,440
where nobody wants to go with vendors

501
00:19:56,340 --> 00:20:01,039
anymore, they want solutions to give them

502
00:19:58,440 --> 00:20:01,039
the flexibility.

503
00:20:01,140 --> 00:20:06,000
Timing thing.

504
00:20:03,600 --> 00:20:07,980
Security events, however, work a little

505
00:20:06,000 --> 00:20:10,500
bit different than your standard

506
00:20:07,980 --> 00:20:13,020
observability and logs,

507
00:20:10,500 --> 00:20:13,980
number one being we need to keep them

508
00:20:13,020 --> 00:20:17,460
all.

509
00:20:13,980 --> 00:20:19,919
When you're looking at telemetry and

510
00:20:17,460 --> 00:20:21,720
logs from systems, a lot of times you

511
00:20:19,919 --> 00:20:23,640
only need to keep them for, say, 30 days

512
00:20:21,720 --> 00:20:26,039
for debugging, or if you're doing

513
00:20:23,640 --> 00:20:27,539
telemetry, and anyone who's used OTel

514
00:20:26,039 --> 00:20:29,880
you will know you can't

515
00:20:27,539 --> 00:20:33,539
capture everything. That is a level of

516
00:20:29,880 --> 00:20:37,020
data that you don't want to pay to keep.

517
00:20:33,539 --> 00:20:39,059
We, however, with security logs, can't do

518
00:20:37,020 --> 00:20:41,280
the sampling and the filtering that we

519
00:20:39,059 --> 00:20:44,100
can with OpenTelemetry, because we don't

520
00:20:41,280 --> 00:20:46,860
know
what we need and this goes back to 521 00:20:44,100 --> 00:20:48,840 the assume breach part of the of what I 522 00:20:46,860 --> 00:20:51,360 was talking about in zero trust 523 00:20:48,840 --> 00:20:53,220 we don't know what logs will need until 524 00:20:51,360 --> 00:20:56,400 possibly three to six months down the 525 00:20:53,220 --> 00:20:59,039 track when we go ah this user was 526 00:20:56,400 --> 00:21:01,380 actually breached we need to go back and 527 00:20:59,039 --> 00:21:03,660 find out what have they accessed have 528 00:21:01,380 --> 00:21:05,820 they leaked data did they what has 529 00:21:03,660 --> 00:21:09,059 happened 530 00:21:05,820 --> 00:21:11,520 so we have bigger data sets 531 00:21:09,059 --> 00:21:13,919 and more importantly a bigger cost 532 00:21:11,520 --> 00:21:15,840 not just restoring the data 533 00:21:13,919 --> 00:21:17,700 but with the current way things are 534 00:21:15,840 --> 00:21:19,140 because we integrate all these different 535 00:21:17,700 --> 00:21:21,480 tools and we bring them together into 536 00:21:19,140 --> 00:21:23,940 the scene like I talked about where 537 00:21:21,480 --> 00:21:25,559 Trends Translating that data into some 538 00:21:23,940 --> 00:21:27,299 kind of common format 539 00:21:25,559 --> 00:21:28,559 whatever the theme is generally going to 540 00:21:27,299 --> 00:21:30,419 use under the hood 541 00:21:28,559 --> 00:21:31,740 and you're talking 542 00:21:30,419 --> 00:21:33,480 the systems that I've worked on you're 543 00:21:31,740 --> 00:21:35,400 talking Millions upon millions of events 544 00:21:33,480 --> 00:21:37,200 a day and if you're going to run into 545 00:21:35,400 --> 00:21:40,020 Lambda to do that like a lot of people 546 00:21:37,200 --> 00:21:43,080 do Lambda costs can build up very 547 00:21:40,020 --> 00:21:44,880 quickly that way if you're in AWS 548 00:21:43,080 --> 00:21:46,860 so it's not just the cost of storing the 549 00:21:44,880 --> 00:21:49,380 data and searching the 
data it's 550 00:21:46,860 --> 00:21:52,200 Translating that data 551 00:21:49,380 --> 00:21:54,600 and that's why having a common standard 552 00:21:52,200 --> 00:21:58,080 is important 553 00:21:54,600 --> 00:22:00,240 because it means that we're not locked 554 00:21:58,080 --> 00:22:02,159 into these tools 555 00:22:00,240 --> 00:22:04,020 um okay very careful not to mention 556 00:22:02,159 --> 00:22:06,780 specific vendors when I talk about this 557 00:22:04,020 --> 00:22:08,820 but there are a lot of vendors that will 558 00:22:06,780 --> 00:22:10,620 lock you in because they will take care 559 00:22:08,820 --> 00:22:13,080 of that piece for you and support you 560 00:22:10,620 --> 00:22:16,620 but if you then want to go you know what 561 00:22:13,080 --> 00:22:19,080 we think this tool over here is better 562 00:22:16,620 --> 00:22:20,940 it's a big lift and shift job 563 00:22:19,080 --> 00:22:22,919 if you are using 564 00:22:20,940 --> 00:22:25,440 a common event storage 565 00:22:22,919 --> 00:22:28,700 and it's all in a common format you can 566 00:22:25,440 --> 00:22:31,020 easily switch from one button to another 567 00:22:28,700 --> 00:22:32,340 choice of tools is the other thing and 568 00:22:31,020 --> 00:22:33,360 so when we started looking at this 569 00:22:32,340 --> 00:22:35,880 problem 570 00:22:33,360 --> 00:22:37,559 and why we've started working with ocsf 571 00:22:35,880 --> 00:22:39,000 is because we wanted to build our own 572 00:22:37,559 --> 00:22:40,679 analysis tools 573 00:22:39,000 --> 00:22:43,320 every business has 574 00:22:40,679 --> 00:22:45,299 unique use cases and so what we're 575 00:22:43,320 --> 00:22:46,679 getting now is from all of our security 576 00:22:45,299 --> 00:22:50,400 tooling 577 00:22:46,679 --> 00:22:52,080 that supports ocsf we're getting these 578 00:22:50,400 --> 00:22:53,880 standard logs that we can then go back 579 00:22:52,080 --> 00:22:56,039 and do analysis on 580 00:22:53,880 --> 00:22:58,760 but 
we could build the systems that we 581 00:22:56,039 --> 00:22:58,760 want to do that 582 00:22:58,799 --> 00:23:02,280 um 583 00:22:59,580 --> 00:23:04,020 and you get adaptive ecosystems and by 584 00:23:02,280 --> 00:23:05,340 that I mean again you're not locked into 585 00:23:04,020 --> 00:23:09,120 vendors 586 00:23:05,340 --> 00:23:13,080 and it gives vendors a chance to sort of 587 00:23:09,120 --> 00:23:15,059 innovate or and I'm hoping open source 588 00:23:13,080 --> 00:23:16,799 projects to support this and then 589 00:23:15,059 --> 00:23:19,620 provide Innovation that way 590 00:23:16,799 --> 00:23:22,140 we've seen that with open Telemetry open 591 00:23:19,620 --> 00:23:23,640 Telemetry is encouraged 592 00:23:22,140 --> 00:23:26,280 um things like if anyone's used 593 00:23:23,640 --> 00:23:29,340 honeycomb honeycomb is just a really 594 00:23:26,280 --> 00:23:33,320 good tool that if without open telemetry 595 00:23:29,340 --> 00:23:33,320 would have would not exist the way it is 596 00:23:35,580 --> 00:23:39,600 so why why then is do I think this 597 00:23:38,100 --> 00:23:41,820 standard is important and why do we need 598 00:23:39,600 --> 00:23:45,980 to talk about it 599 00:23:41,820 --> 00:23:45,980 number one the timing is right 600 00:23:46,140 --> 00:23:49,919 we've got this much bigger focus on 601 00:23:48,240 --> 00:23:53,220 cyber security coming not just from 602 00:23:49,919 --> 00:23:55,260 governments but because of the size of 603 00:23:53,220 --> 00:23:58,440 the breaches that we're seeing 604 00:23:55,260 --> 00:24:01,679 companies very very much are talking and 605 00:23:58,440 --> 00:24:04,440 taking the stuff a lot more seriously 606 00:24:01,679 --> 00:24:05,820 we also see that companies and 607 00:24:04,440 --> 00:24:08,940 organizations 608 00:24:05,820 --> 00:24:11,400 have an absolute hunger for this kind of 609 00:24:08,940 --> 00:24:13,440 data representation we've seen that with 610 00:24:11,400 --> 00:24:14,700 open 
Telemetry we're seeing it with some 611 00:24:13,440 --> 00:24:16,919 other things 612 00:24:14,700 --> 00:24:19,340 so this is the right project at the 613 00:24:16,919 --> 00:24:19,340 right time 614 00:24:19,620 --> 00:24:22,200 um 615 00:24:20,280 --> 00:24:24,720 and this is always a controversial thing 616 00:24:22,200 --> 00:24:27,000 to say at a open source conference but 617 00:24:24,720 --> 00:24:29,039 vendor support matters 618 00:24:27,000 --> 00:24:32,039 as much as we'd like the world to run 619 00:24:29,039 --> 00:24:34,980 100 open source it doesn't 620 00:24:32,039 --> 00:24:37,559 and if you want to keep 621 00:24:34,980 --> 00:24:39,419 sort of those being able to work 622 00:24:37,559 --> 00:24:41,400 together with these things and switch to 623 00:24:39,419 --> 00:24:43,320 open source Solutions where possible you 624 00:24:41,400 --> 00:24:44,940 need to be compatible 625 00:24:43,320 --> 00:24:47,700 and um 626 00:24:44,940 --> 00:24:49,260 I've not been able to find any other 627 00:24:47,700 --> 00:24:51,240 initiative like this that has had the 628 00:24:49,260 --> 00:24:54,059 vendor support that this has 629 00:24:51,240 --> 00:24:56,340 from very big players 630 00:24:54,059 --> 00:24:58,440 and more importantly it is this solution 631 00:24:56,340 --> 00:25:00,720 is a really good fit with our 632 00:24:58,440 --> 00:25:03,299 experiments it's actually a really good 633 00:25:00,720 --> 00:25:04,620 way of representing data for what we 634 00:25:03,299 --> 00:25:06,720 need to detect 635 00:25:04,620 --> 00:25:09,380 potential violations of our security 636 00:25:06,720 --> 00:25:09,380 policies 637 00:25:11,580 --> 00:25:17,100 so 638 00:25:13,440 --> 00:25:19,620 to summarize for for this 639 00:25:17,100 --> 00:25:20,940 it's a format and it is vendor and 640 00:25:19,620 --> 00:25:23,220 tooling neutral 641 00:25:20,940 --> 00:25:24,720 and I want I hopefully you're seeing the 642 00:25:23,220 --> 00:25:26,700 advantage of that 
already but I want you 643 00:25:24,720 --> 00:25:29,460 to take that as an opportunity 644 00:25:26,700 --> 00:25:30,960 in that it's being adopted I'm talking 645 00:25:29,460 --> 00:25:32,640 to people who are looking at it and 646 00:25:30,960 --> 00:25:34,679 evaluating it now 647 00:25:32,640 --> 00:25:36,240 so if you are building anything or you 648 00:25:34,679 --> 00:25:38,940 have any open source tooling and you 649 00:25:36,240 --> 00:25:42,059 generate any kind of security event it's 650 00:25:38,940 --> 00:25:44,580 in your best interest to support it 651 00:25:42,059 --> 00:25:47,340 um as I said that's a lot of big vendors 652 00:25:44,580 --> 00:25:49,020 who have a lot of this Market space and 653 00:25:47,340 --> 00:25:51,320 they are super interested in getting 654 00:25:49,020 --> 00:25:53,940 this off the ground 655 00:25:51,320 --> 00:25:54,840 the reduction in cost is a big selling 656 00:25:53,940 --> 00:25:58,980 point 657 00:25:54,840 --> 00:26:01,320 uh like when I say we spend thousands of 658 00:25:58,980 --> 00:26:04,260 dollars a day on manipulating security 659 00:26:01,320 --> 00:26:06,779 events and we are not I'm the stuff I 660 00:26:04,260 --> 00:26:08,880 work with is not large scale 661 00:26:06,779 --> 00:26:11,220 so saving thousands of dollars a day by 662 00:26:08,880 --> 00:26:13,260 not having to do that translation it's a 663 00:26:11,220 --> 00:26:15,179 super big win 664 00:26:13,260 --> 00:26:18,960 and just the greater flexibility 665 00:26:15,179 --> 00:26:21,539 so I can switch vendors a drop of a hat 666 00:26:18,960 --> 00:26:23,640 and of course that helps you compete 667 00:26:21,539 --> 00:26:25,980 when it comes to paying for vendors 668 00:26:23,640 --> 00:26:27,840 but it also means it's a lot easier to 669 00:26:25,980 --> 00:26:30,419 go you know what we could run our own 670 00:26:27,840 --> 00:26:32,220 open open source stack over here and get 671 00:26:30,419 --> 00:26:36,120 the same thing 672 
00:26:32,220 --> 00:26:39,960 so it induces that back into the market 673 00:26:36,120 --> 00:26:40,980 uh if you're interested in learning more 674 00:26:39,960 --> 00:26:42,360 GitHub 675 00:26:40,980 --> 00:26:46,860 please come 676 00:26:42,360 --> 00:26:49,799 uh so we are almost at version one 677 00:26:46,860 --> 00:26:52,380 this is how brand new it is uh 678 00:26:49,799 --> 00:26:54,299 rc2 is the current version as of 679 00:26:52,380 --> 00:26:57,480 yesterday when I looked 680 00:26:54,299 --> 00:26:59,820 and um there is a schema browser 681 00:26:57,480 --> 00:27:01,020 I could delve into this game a lot 682 00:26:59,820 --> 00:27:02,760 further and I'm happy to take questions 683 00:27:01,020 --> 00:27:04,080 on it but 684 00:27:02,760 --> 00:27:06,539 um you can actually browse the full 685 00:27:04,080 --> 00:27:08,640 schema online it will say it's in draft 686 00:27:06,539 --> 00:27:09,960 it will be in draft until 1.0 is 687 00:27:08,640 --> 00:27:13,440 released 688 00:27:09,960 --> 00:27:15,559 but that is all I have so thank you very 689 00:27:13,440 --> 00:27:15,559 much 690 00:27:18,240 --> 00:27:22,440 and I will more than happily take 691 00:27:20,340 --> 00:27:25,220 questions 692 00:27:22,440 --> 00:27:25,220 if anyone has any 693 00:27:30,539 --> 00:27:37,400 um hello 694 00:27:33,419 --> 00:27:37,400 can you hear me is that on no 695 00:27:38,100 --> 00:27:43,080 okay is it I'll just talk louder there 696 00:27:40,919 --> 00:27:45,120 we go um do you know of any open source 697 00:27:43,080 --> 00:27:47,700 projects that actually do the conversion 698 00:27:45,120 --> 00:27:49,919 at the moment so security Lake vendor 699 00:27:47,700 --> 00:27:52,440 does the conversion anything like fluent 700 00:27:49,919 --> 00:27:54,600 bird blog stash Etc that kind of thing 701 00:27:52,440 --> 00:27:58,080 that is currently working on supporting 702 00:27:54,600 --> 00:28:00,960 this not not from a meeting point of 703 00:27:58,080 --> 
00:28:04,039 view so they're as I say open search and 704 00:28:00,960 --> 00:28:07,080 elasticsearch have things for like 705 00:28:04,039 --> 00:28:09,059 subscribing and indexing them not enough 706 00:28:07,080 --> 00:28:11,220 open source projects and none that I've 707 00:28:09,059 --> 00:28:13,320 seriously seen will do that now you 708 00:28:11,220 --> 00:28:14,640 could write your own in something like 709 00:28:13,320 --> 00:28:16,080 logs Clash 710 00:28:14,640 --> 00:28:17,700 um log slash of course you could just do 711 00:28:16,080 --> 00:28:20,400 that conversion yourself but the whole 712 00:28:17,700 --> 00:28:22,980 point of this project is to not have to 713 00:28:20,400 --> 00:28:26,159 run that infrastructure 714 00:28:22,980 --> 00:28:28,320 um again we have some log stash and we 715 00:28:26,159 --> 00:28:29,760 spend a lot of time doing the conversion 716 00:28:28,320 --> 00:28:32,039 from all the different formats that we 717 00:28:29,760 --> 00:28:34,620 have uh if I could not do that that 718 00:28:32,039 --> 00:28:37,559 would be awesome so not enough is the 719 00:28:34,620 --> 00:28:40,100 answer yeah 720 00:28:37,559 --> 00:28:40,100 what questions 721 00:28:40,679 --> 00:28:43,679 but 722 00:28:46,380 --> 00:28:52,440 so you said that past attempts at Open 723 00:28:50,700 --> 00:28:54,059 Standards in this area haven't gotten 724 00:28:52,440 --> 00:28:55,320 enough uptake yeah what was different 725 00:28:54,059 --> 00:28:57,299 about this one that it got so much 726 00:28:55,320 --> 00:29:01,740 support from the start 727 00:28:57,299 --> 00:29:03,779 I honestly I think it's AWS uh and then 728 00:29:01,740 --> 00:29:06,320 marker power if I was going to guess I 729 00:29:03,779 --> 00:29:09,360 wasn't involved in that decision but 730 00:29:06,320 --> 00:29:12,120 Splunk Splunk have oh let's talk about 731 00:29:09,360 --> 00:29:14,220 AWS this is all opinion 732 00:29:12,120 --> 00:29:17,760 um go back to my disclaimer AWS 733 
00:29:14,220 --> 00:29:19,580 obviously uh the kings in the um 734 00:29:17,760 --> 00:29:23,460 in the cloud spice 735 00:29:19,580 --> 00:29:26,460 and a lot of what AWS do they're very 736 00:29:23,460 --> 00:29:29,460 interested in Open Standards and open 737 00:29:26,460 --> 00:29:31,620 source where they don't own that piece 738 00:29:29,460 --> 00:29:33,120 where where if it's got to go to someone 739 00:29:31,620 --> 00:29:35,340 else they'd rather an open standard for 740 00:29:33,120 --> 00:29:39,360 it so I think their support was big one 741 00:29:35,340 --> 00:29:41,820 Splunk uh the 50-pound gorilla in the 742 00:29:39,360 --> 00:29:43,440 logging space and I think they have seen 743 00:29:41,820 --> 00:29:45,120 that they need to adapt 744 00:29:43,440 --> 00:29:46,919 to something to this because they're 745 00:29:45,120 --> 00:29:48,720 starting to lose to a lot of 746 00:29:46,919 --> 00:29:50,580 the newer competitors 747 00:29:48,720 --> 00:29:53,100 so I I think it's the combination of 748 00:29:50,580 --> 00:29:54,899 those two that have driven it and then 749 00:29:53,100 --> 00:29:56,520 you look at they've actually gone out 750 00:29:54,899 --> 00:29:59,279 and collaborated with all these 751 00:29:56,520 --> 00:30:01,200 companies so all the companies I listed 752 00:29:59,279 --> 00:30:03,480 were already on board and working on 753 00:30:01,200 --> 00:30:05,820 this before 754 00:30:03,480 --> 00:30:08,039 they announced the project 755 00:30:05,820 --> 00:30:10,620 so it's yeah it's just that vendor 756 00:30:08,039 --> 00:30:12,899 support and a lot of the heavyweights in 757 00:30:10,620 --> 00:30:14,880 the market will be supporting it same 758 00:30:12,899 --> 00:30:17,360 thing we saw of open telemetry 759 00:30:14,880 --> 00:30:20,880 right as soon as you see companies like 760 00:30:17,360 --> 00:30:23,820 datadog for example switching to going 761 00:30:20,880 --> 00:30:25,679 open Telemetry first you know that 762 00:30:23,820 
--> 00:30:27,720 it's going to stay around like that's 763 00:30:25,679 --> 00:30:30,179 them taking it very seriously 764 00:30:27,720 --> 00:30:32,279 so yeah we just have never seen 765 00:30:30,179 --> 00:30:34,380 this many vendors take extended 766 00:30:32,279 --> 00:30:38,039 seriously before 767 00:30:34,380 --> 00:30:40,460 that's my that's my reading of it 768 00:30:38,039 --> 00:30:40,460 yep 769 00:30:46,559 --> 00:30:51,179 feels like I can't miss the opportunity 770 00:30:48,299 --> 00:30:52,440 to Heckle you slightly sure because I 771 00:30:51,179 --> 00:30:53,580 know this was an idea you had in the 772 00:30:52,440 --> 00:30:54,899 early days when you were looking at some 773 00:30:53,580 --> 00:30:56,580 of this yep 774 00:30:54,899 --> 00:30:58,440 um is in using sort of that open 775 00:30:56,580 --> 00:31:01,260 Telemetry tooling something like 776 00:30:58,440 --> 00:31:03,659 honeycomb just at a sampling level to at 777 00:31:01,260 --> 00:31:05,880 least have a baseline of what you know 778 00:31:03,659 --> 00:31:08,700 normal across your systems might have 779 00:31:05,880 --> 00:31:10,980 been for the past one or two months yeah 780 00:31:08,700 --> 00:31:11,700 obviously it can't be that 781 00:31:10,980 --> 00:31:13,799 um 782 00:31:11,700 --> 00:31:16,200 audit Trail level but 783 00:31:13,799 --> 00:31:18,899 what do you think of that so yeah that 784 00:31:16,200 --> 00:31:20,760 that's a good thing so obviously 785 00:31:18,899 --> 00:31:22,559 the the three pillars the security being 786 00:31:20,760 --> 00:31:25,799 confidentiality integrity and 787 00:31:22,559 --> 00:31:29,159 availability that availability piece we 788 00:31:25,799 --> 00:31:30,539 definitely still rely on traditional 789 00:31:29,159 --> 00:31:32,640 um 790 00:31:30,539 --> 00:31:34,320 open Telemetry based I'm not going to 791 00:31:32,640 --> 00:31:36,419 say honeycomb unfortunately but open 792 00:31:34,320 --> 00:31:38,039 Telemetry basings for monitoring 
that so 793 00:31:36,419 --> 00:31:41,399 this this is not a replacement for that 794 00:31:38,039 --> 00:31:44,580 this is a solution for just those 795 00:31:41,399 --> 00:31:46,080 security level events for that it 796 00:31:44,580 --> 00:31:47,940 developers will still need open 797 00:31:46,080 --> 00:31:49,919 Telemetry 798 00:31:47,940 --> 00:31:52,700 um and Security will still need to rely 799 00:31:49,919 --> 00:31:55,200 on that for the availability piece 800 00:31:52,700 --> 00:31:57,480 but what you'll find is I talked about 801 00:31:55,200 --> 00:31:59,460 there's an event class for findings 802 00:31:57,480 --> 00:32:02,039 and so what I'd like to see is tools 803 00:31:59,460 --> 00:32:03,539 that detect the anomalies in things like 804 00:32:02,039 --> 00:32:05,880 open Telemetry and then produce a 805 00:32:03,539 --> 00:32:07,020 finding event 806 00:32:05,880 --> 00:32:08,880 yeah 807 00:32:07,020 --> 00:32:11,460 that doesn't exist yet 808 00:32:08,880 --> 00:32:12,659 that I've seen but I'd like that 809 00:32:11,460 --> 00:32:14,159 yeah 810 00:32:12,659 --> 00:32:16,020 that's kind of how the two match does 811 00:32:14,159 --> 00:32:19,460 that make sense 812 00:32:16,020 --> 00:32:19,460 yeah yeah cool 813 00:32:19,559 --> 00:32:24,360 any more questions 814 00:32:22,200 --> 00:32:26,480 no we're done thank you very much thank 815 00:32:24,360 --> 00:32:26,480 you 816 00:32:26,820 --> 00:32:29,659 foreign