OCA Community Connect

Roseann Guttierrez


Details

Welcome to 'Community Connect,' the space where we dive into the benefits of seamlessly integrating security products using open source software and standards, all with the goal of fostering a more interoperable security ecosystem. In each episode, we'll embark on a journey into the heart of the OCA community, engaging in insightful conversations with the individuals who are actively shaping the open source security landscape. Expect to stay up to date with the very latest developments, as we bring you exciting news, updates, and a closer look at the sub-projects that are steering the course of future security tooling. So, whether you're an experienced contributor, a curious developer, or simply someone with a profound commitment to securing our digital realm, this podcast is your go-to destination. Together, we'll drive innovation, elevate security standards, and contribute to a safer world.

Host info: Roseann Guttierrez is your host, a cybersecurity professional with over two decades of experience specializing in computer forensics, digital investigation, and critical infrastructure. As the voice of the podcast, she embodies the spirit of a cybersecurity superhero, dedicated to forging alliances that enhance security across the digital realm.

Recent Episodes

CACAO Roaster - Feb 2024
MAR 4, 2024
Roseann Guttierrez [00:00:00]: Our guest today is Vasileios Mavroeidis. He is a professor of cybersecurity at the University of Oslo, and he's also a member of our OCA governing board. We're going to be talking to him today about the CACAO Roaster subproject. Very excited to hear about this. Hi, Vasileios. How are you doing today? Thanks for joining us.

Vasileios Mavroeidis [00:00:19]: I'm great. Thank you. Thank you for the invitation. Glad to be here.

Roseann Guttierrez [00:00:23]: Wonderful. Wonderful. Why don't we start by having you give kind of, like, a little mini story as to how you got into cybersecurity, how you got here today?

Vasileios Mavroeidis [00:00:33]: Sure. Well, basically, my studies were in cybersecurity, but at some point, you know, after I did actually my master's, I found a job, but then I said that I wanted to do a PhD. Then, you know, I relocated from the UK to Norway. I'm originally from Greece, actually. So I've been all over the world. In any case, I started looking at Norway, and I did my PhD here. And then my postdoc here, I worked a little as a researcher.

Vasileios Mavroeidis [00:00:57]: Then finally, I got a professorship after a lot of effort. So, currently, I'm a professor of cybersecurity at the University of Oslo. Basically, I conduct mostly research, with a particular focus on cyber threat intelligence and security automation, and mostly in the context of European projects, EU-funded projects, basically. I'm also an ambassador of open standards and open source. I guess this is the reason also I'm here today. I have contributed massively to the community. I joined OWASP actually almost 8 years ago, and I supported the development of different standards such as OpenC2, STIX, CACAO, the effect of the feedback for context ontology, and many others. I'm also currently having a chair at the board of directors of OASIS and the project governing board of Open Cybersecurity Alliance.

Vasileios Mavroeidis [00:01:50]: What else? I'm also co-chairing the FIRST Automation Special Interest Group, and I'm a member of different ad hoc working groups related to cybersecurity. This is more or less the cybersecurity domain for about 10 years now.

Roseann Guttierrez [00:02:04]: Okay. Well, why don't you tell us the elevator pitch for the CACAO Roaster project?

Vasileios Mavroeidis [00:02:10]: Right. So what is the CACAO Roaster sub-project? Basically, you know, within OASIS, we identified the need of developing a cybersecurity playbook standard, and we always have this. To make the long story short, we try to do for playbooks what STIX, for example, did for cyber threat intelligence. So we needed a robust method to encode cybersecurity playbooks so defenders can exchange them, and the full focus is on interoperability. Basically, the pain point was, we have structural approaches that can be machine processable, basically, for threat intelligence. These standards generally involve, are doing great in encoding detection engineering, but then the concept of "So now what?" was still unresolved.

Roseann Guttierrez [00:02:57]: Right.

Vasileios Mavroeidis [00:02:57]: And for this reason, you know, we established this technical committee within OASIS. It's by Brett Jordan and Alan Thompson. I'm also the secretary of this technical committee, and I have contributed so massively to the development of the specification among other people and many organizations that have been participating. At some point, the standard, you know, came into a robust stage and, you know, it's all about adoption and verifying basically the standard. You can imagine people that know STIX, you know, it's exactly the same principle. We'll have a specification. The specification is encoded basically into a machine readable format, in particular JSON. But then, you know, it's really impossible to start creating your playbooks manually.

Vasileios Mavroeidis [00:03:43]: So you can't expect some people to start writing their playbooks, you know, in JSON. So we came up with the idea of developing a software to support adoption and basically allow defenders to start creating their own interoperable playbooks, to experiment with CACAO playbooks. And this is like, you know, 2-fold or 3-fold. Or so, basically, you know, it's not only about the project itself, but it will allow you to create playbooks, exchange playbooks, visualize playbooks, digitally sign playbooks, and verify them, but it's also, you know, a means to validate the specification. Because we develop products such as the specification. But then, you know, when you start developing an actual software, right, it's a good means for validating it, how good it is. So we also expect that the, you know, the community started creating playbooks. I assume that the community have started adopting the CACAO Roaster.

Vasileios Mavroeidis [00:04:40]: I have multiple use cases to discuss later. But at the same time, we also identify, you know, new use cases, some fascinating use cases, but also issues with the specification we'll have to address in the future. So we can have a perfect standard for security playbooks.

Roseann Guttierrez [00:04:59]: That's great. Yeah. I checked out the project over the weekend and really like the ease of use on it. And I do definitely see how it makes it easier for people to jump in and start creating things right away. So that's really great. So what makes the subproject important to you? Why is it important?

Vasileios Mavroeidis [00:05:17]: So as I said, you know, I'm a standards person, and my focus is on cybersecurity automation. And if you take it up a little higher level, you know, our shares here at the University of Oslo deal a lot with enhancing the capacity of security operation centers, and we are focusing on national security authorities and operators of essential services. Maybe what you call the critical infrastructure. They are or would mean in the US. Right? There were many needs regarding that. So the authorities need to, you know, we have these directives in the EU that are all about cross border collaboration slash cooperation, the ability to exchange intelligence equally, the ability to collaborate in incident response activities. That was our motivation when we started the committee. We developed the project, and now we validate the Roaster itself and the request within the context of European projects.

Vasileios Mavroeidis [00:06:12]: So we have multiple national security authorities that use the Roaster to create playbooks, couple these playbooks with cyber threat intelligence, in particular STIX, and not only now exchange, right, threat intelligence, but basically, as we call it here, defensive tradecraft.

Roseann Guttierrez [00:06:28]: Right.

Vasileios Mavroeidis [00:06:29]: And multiple use cases. Right? I mean, most of the people will think about, you know, incident response and methodologies, but we have use cases regarding business continuity, resilience, regulatory compliance, security policy compliance, whatever is related with cybersecurity operations from detection to response. No. Writing exercises, playbooks for engagement, basically, you know, like how you engage with adversaries in real time active defense. And most importantly, you know, how these things come together, because the cybersecurity of specific entities, or I would say of too many entities, you know, is quite immature. So, you know, if you have a standard that will allow you to exchange this defensive knowledge, you know, as we're saying in the past, for CTI, detection can become another prevention. So it's a similar concept now with playbooks.

Roseann Guttierrez [00:07:33]: Right. I love how you can sign them too. That's great. Okay. So as a new project, where can you use some help?

Vasileios Mavroeidis [00:07:39]: The main thing that we want to do here is to create a community around the Roaster. So, you know, this was developed by us. Certainly, it's not perfect. It's an open source project. We developed it, basically, in our spare time. So we would like the community to contribute, not only code to improve the project. So it doesn't like finding bugs that, you know, initiating pull requests to fix something, but also coming up with, you know, use cases, such as we have the use case that we would like the Roaster to export STIX 2.1 course of action objects that can also incorporate cybersecurity playbooks. Right? So we need the community to support the project.

Vasileios Mavroeidis [00:08:28]: We would like to create a playbooks knowledge base. This is a common issue right now, because people saw the Roaster, but immediately they start asking, but why have you not made, you know, a series of playbooks available? I mean, it's a reasonable request, but it takes time to do that, especially if you want to, you know, develop and contribute playbooks that make sense. It will be nice if we have the community supporting us with generating and making available their playbooks. And, also, we would like to identify use cases to, let's say, extend the project. One, let's say, complex use case would be that, okay, we have now an application that will allow us to generate playbooks. Right? Let's call it a user interface right now. What about the orchestration power? Basically, the orchestrator itself. So I do know, though, that there is a European entity.

Vasileios Mavroeidis [00:09:27]: They have already contacted us. They are developing a native CACAO orchestrator. So, you know, another project will be to couple our application, which will be the user interface of their orchestrator. We would like to have such kind of use cases. Right? We need to create also an API based on the needs of the community. We'd like to interconnect the system with incident case management systems, with SIEM, you know, to expand. And, I mean, the underlying cause is that we want to create environments, cybersecurity environments, that can be as automated as possible. When I see people that use the Roaster or, like, the CACAO specification, I say that, you know, even though it's a machine processable format, right, you should not have only in your mind that you could create something that is fully automated.

Vasileios Mavroeidis [00:10:23]: I think that this specification can be used in the context of, you know, in the principle of automate as you go. Right? You can even have these playbooks generated basically to your standard operating procedures now. Right? They're not going to be encoded in a slide deck or a Word document. Now you can have them in a format. We have a software. You can exchange them even if the actions are performed fully manually. Right?

Roseann Guttierrez [00:10:54]: Right. Just a place to start. Right?

Vasileios Mavroeidis [00:10:53]: Correct. Correct. You can have a knowledge base of playbooks. The playbooks have so many really contextual metadata. You can filter your playbooks based on your needs, based on your sector, based on the adversary, basically based, you know, on the intrusion set, let's say, based on TTPs, based on what they address. So I think the community will shift to this direction in the future to have, you know, a knowledge base of playbooks, but then also you need to have a knowledge management system to be able to find the right information there and the right playbooks.

Roseann Guttierrez [00:11:30]: Right. It sounds like there's lots of places, yeah, lots of places that you can get that assistance for sure. Thank you so much for being here with me today, and letting me ask you questions.
12 MIN
Kestrel as a Service (KaaS) - Nov 2023
FEB 14, 2024
Roseann Guttierrez [00:00:00]: Our guest, Kenneth Peeples. He is a principal cybersecurity architect for Red Hat, and we're gonna ask him some questions about Kestrel as a Service. Kenneth, I'm gonna let you actually start and kinda give a quick, you know, bio.

Kenneth Peeples [00:00:14]: Sure. Absolutely. Thank you. Glad to be here with everybody. I was really looking forward to sharing the Kestrel as a Service project. So I'm a Red Hat cybersecurity architect. I've been working mainly with the Department of Defense for a number of years and help the government with security issues to help them solve problems.

Kenneth Peeples [00:00:43]: So I go on-site to help in these DOD projects. I started my doctorate 2 years ago at Colorado State University, and I'm in the doctorate of engineering program, which means I have a practicum or a project, and then I have my dissertation. And so the Kestrel as a Service is part of my practicum. I also do some work on some other projects and internal initiatives for Red Hat as well.

Roseann Guttierrez [00:01:22]: Awesome. Well, thank you so much. I really, really appreciate you taking the time to talk with us today. My first question for you is give me your elevator pitch on Kestrel as a Service.

Kenneth Peeples [00:01:33]: Yeah. So I am really excited about the project. I think it is filling in some gaps that we've identified, and I've been working with Open Cybersecurity Alliance to get the subproject going, working with folks like Shu and Claudia, and I just really enjoyed putting this platform together. So the elevator pitch is how can I build a platform for crowd hunting, for threat collaboration with a threat hunting team, and that's where Kestrel as a Service comes in. There are many components. I'm just gonna list a couple, and we can dive into those as we move forward in this session, but we've created a Dockerfile that has the Kestrel language and runtime, OpenC2, STIX-Shifter, all those for a threat hunting container. That is riding on Kubernetes, which is the container platform, and managed by JupyterHub for the notebook sharing. Also, we're using Ansible Core for automation to do the deployment, along with VirtualBox and Vagrant. And so those are different components to build infrastructure platform as a service and software as a service. And so we have examples to build the virtual machines, which is the infrastructure as a service, using either Ubuntu or Red Hat.

Kenneth Peeples [00:03:29]: And then on top of the virtual machines, whether it's a single node minikube or a multinode cluster, then we put JupyterHub on top of it and integrate Keycloak with authentication so that users sign in. And if it's a shared project, then others can sign in to that project and share snippets of code, share the notebook that has the threat hunting flows and steps in it. And so the whole target of Kestrel as a Service is to be able to speed up crowd hunting.

Roseann Guttierrez [00:04:17]: Okay.

Kenneth Peeples [00:04:17]: And sometimes

Roseann Guttierrez [00:04:20]: Go ahead. Sorry.

Kenneth Peeples [00:04:21]: Yeah. And I was just gonna say, we've talked more as we get into what's important in some of these pieces. But with doing the crowd hunting, a team threat hunting platform, the outcome should be improved mean time to detect.

Roseann Guttierrez [00:04:40]: Gotcha. Okay. So basically, it's taking Kestrel that someone would load, like, locally and work on by themselves, right, and then providing a vehicle to have multiple people kind of touch it and work on it together, essentially. Yeah. Okay. Alright. So why is this project important to you? I mean, I know, yeah, it's part of your dissertation, but I did take a sneak peek at your GitHub. And I looked at the very, very bottom, and there's kind of a dedication there.

Kenneth Peeples [00:05:14]: Yeah. I'm glad you saw that. So, a couple answers to that question, why it's important to me. The first part of that is my parents, and that's the dedication that you mentioned. My parents have always been in IT. And if you look at all the old pictures of the magnetic tapes, the size of the original disk drives and so forth. When I was, you know, elementary school age, I would go to the computer rooms, and they would have the raised floors. They would have all the lights on the console, the magnetic tapes going in the background.

Kenneth Peeples [00:05:59]: They would have the punch cards. If everybody remembers the punch cards, but you don't wanna drop the punch cards.

Roseann Guttierrez [00:06:07]: No.

Kenneth Peeples [00:06:07]: And so, you know, my parents were always and still are an inspiration to me of, you know, work and family. And so, I have a passion for security, and I came across Kestrel, I started talking with Shu, and I thought this was great for me to work on personally, for that passion of security, plus my hope is the cyber incidents that continue to occur, there's an additional solution that people can use to minimize the impact of those incidents.

Roseann Guttierrez [00:06:57]: Nice. Nice. Yes. Passionate. That's good. That's why we have you here, right, as a contributor. Yeah. Yeah. To kinda give an example of, you know, what some people are working on.

Roseann Guttierrez [00:07:07]: So that's awesome. Alright. Last question. Everybody needs help. Right? All the projects, they always need help. Where could you use some help, and what are some ideas for how people might help you?

Kenneth Peeples [00:07:18]: Yeah. And I appreciate that question. And I think it goes to all of Open Cybersecurity Alliance to me in that, you know, generally, at the high level, the open source communities, they can't succeed without having those that wanna collaborate and commit and give back, not just using a project, but getting involved in the project and helping it move forward. It's very important. So for me, with Kestrel as a Service, as I mentioned before, there's a lot of different components that are involved. It's a platform. And so there are several places where I could use help. One is building out the best ways to deploy the platform. Right now,

Kenneth Peeples [00:08:11]: I have minikube in a full cluster, but that's Kubernetes. But there are other container platforms that it would be nice to get it onto and tested. So that goes to the code, creation and testing of the infrastructure as code, the example hunt books. That would be a help to have more of those. I've started attending conferences and talking about Kestrel as a Service. That also means I'm talking about Kestrel, talking about STIX-Shifter, talking about OpenC2, these other components that are in there too. So I'm trying to get more of the word out to get help to make this a great crowd hunt tool. And so one of the other pieces that's coming up, hopefully, this end of this month, I wrote an article for the Red Hat Research Quarterly, and I hope that we'll get more of the word out and share Open Cybersecurity Alliance and share Kestrel as a Service. And so that should be published soon.

Kenneth Peeples [00:09:27]: And if you look at the repository, there is a set of steps to go through to stand up the environment on the single node Kubernetes, the minikube. And so it would be great to have help there. But I would say to get people started, because we do want people to participate in OCA and Kestrel as a Service and the other components I mentioned. There's the repositories in GitHub. I know organizations can become the OCA sponsors. Mine falls under IBM. So I know OCA is always looking for more organizations there to help, and there's the OCA project governance board. But there is for Kestrel as a Service specifically.

Kenneth Peeples [00:10:26]: There's the Slack channel. So if you wanna get involved, getting on the Slack channel and pinging me or any of the others is always a help. There's the website, opencybersecurityalliance.org, and then there's the GitHub.

Roseann Guttierrez [00:10:42]: Nice
11 MIN
Open XDR Architecture (OXA) - July 2023
FEB 14, 2024
Roseann Guttierrez [00:00:00]: Our guest is David Bizeul. I hope I said that correctly. He is the cofounder and chief scientific officer of Sekoia.io. He actually is here representing our Open XDR Architecture or OXA sub project, I believe that's how we're saying it. David, you wanna say hi?

David Bizeul [00:00:19]: Yeah. Hi, everyone. It's a pleasure to be with you today.

Roseann Guttierrez [00:00:22]: Thank you. I'm so excited to talk to you. I know that this is a new project and so lots of good stuff is happening. You wanna give me your elevator pitch for what Open XDR Architecture is?

David Bizeul [00:00:35]: What you need to know is that, in Sekoia, we provide a sub platform. That means we provide a solution that can be used to upgrade the SOC, whether it is in a large company or MSSP. The OXA project is rough. As in Sekoia, we have a long story of working with the community. That's why we had in mind, we imagined, let's say, to have this initiative to be hosted in the OCA, in order to make something global and to make an initiative that could be shared and also brainstormed by the industry. When I looked at the OCA line, we are making standards-based interoperable cybersecurity a reality, I really thought that it would also make sense for this OXA sub project.

Roseann Guttierrez [00:01:24]: Awesome.

David Bizeul [00:01:25]: So Open XDR Architecture, just basically, you might know what is our current environment on IT technology. We have a lot of assets on the left part of the slide, so that means computers, that means physical assets, that means virtual assets, etcetera. These assets are managed or observed by a lot of technologies. Some of them are security technologies, and these security technologies can generate data, alerts, events, etcetera. And these alerts must, let's say, be consumed, handled by either a specific correlation solution or even people that will need, let's say, to deal with that and to interpret this data into something that makes sense. When the XDR, extended detection and response, arrived on the market, this was several years ago. The approach was really to make something easier for the community.

David Bizeul [00:02:23]: That means to have some things that can interpret data globally, whether it comes, let's say, from an endpoint or from a network technology or network source or even a cloud based solution. All these kinds of assets should be interpreted in the XDR platform. And the XDR is supposed to be able to speak with this technology in order to provide answers, in order to provide orders, to execute some actions, and to execute some responses into the corporate environment of a specific customer. And another part of the XDR is also, let's say, to change the approach in the way previously SIEM used, let's say, to create scenarios to detect what were supposed to be the risk into a company. XDR changed that, in order to detect threats, and to detect what is really known, what is really sure today to be defined as a threat. And maybe the last point and the last premise of the XDR was to provide high value added tasks to the users, to the customers. The point is that, what are these high value added tasks? And on these 3 highlighted blocks, global response, CTI, and high value task, I think today we do not have a correct, a great solution wherever you look on the market, whatever the solution is, you have none of them which can provide all this kind of, let's say, correct solution. If you think about what could be the solution on these different highlighted blocks, we can think about what we have today in terms of standards, in terms of specific norms that could be used, let's say, to leverage part of the problem. For the ingestion aspect, we have different solutions such as ECS, OCSF, that exist and that can help, let's say, to standardize what the product can generate as data, data formats to be understood as a single, as something that can be interpreted by a central point.

David Bizeul [00:04:36]: The same way we can automate, let's say, specific orders using OpenC2. OpenC2 could be used, let's say, to provide, to transform generic orders into specific actions that can be done on a specific technology. In terms of CTI, we all know about STIX, which tends to be mainstream today on that street. But STIX might not be used enough in our technology community and should be disseminated more, let's say, from the STIX sources that already do that, but have, let's say, are done, let's say, to each specific technology that is involved into the production of the customer environment. And the last point is about orchestration. And today, we have a lot of things that tend to be real using CACAO playbooks. And I'm sure that, by ferriting the community, we could create a very collective and interesting repository of what are the best practices in terms of security strategies, to be handled and distributed into a specific, let's say, piloting tower, in order to orchestrate what would be the best practices for your security. A global API would also make sense, in order to provide registration and commands to the different technologies in order to claim, okay, I'm here, I'm the new technology installed in this customer environment.

David Bizeul [00:06:08]: I can do this kind of thing and dip at this kind of thing so I can consume this kind of event or this specific part of your CTI. When you mix all these different things together, it leads to what is the proposal of this Open XDR Architecture sub project. It's a stack of 4 different blocks. The point is to improve inbound and outbound interoperability, is to create, let's say, an open API that will make sense, let's say, to create basic interaction between technologies and a central point, to provide a way to disseminate threat intel directly to the machine, I mean, to the security technologies installed into a customer environment.

Roseann Guttierrez [00:06:59]: Based on everything you've been telling us, why is this project important to you?

David Bizeul [00:06:07]: I can see 3 reasons for that. The first one is that I really believe that expert resources should be preserved. I want to avoid resource exhaustion, and expert time should be preserved, and developer time, technical developer time, should be preserved too. Today, in our environment, you need to do integration in every technology, and each solution has to do the integration with the rest of the world. This is a real nonsense. The goal of the OXA sub project is to create a repository, in order to, let's say, create a global mapping into, you decide, you say what you do in terms of your specificities as a technology vendor, and you map it with some things that can be then absorbed by other technology vendors. This way, as a job, is only done once instead of being done multiple times by everyone. This is the first part of the answer.

David Bizeul [00:08:10]: The second one would be, let's say, to place the technology ownership on the vendor side. Today, we have very interesting start ups which can do a great job, but until they are integrated into major vendors, major, let's say, XDR solutions, it won't be possible, let's say, to use them correctly from users until they are correctly integrated. What I want to do this way is that you replace the technology ownership on the vendor side. They will create their own mapping. And this way, as soon as they are plugged into the environment, the customer can leverage all the, let's say, the set of features that are available in this technology. And the last point is really probably, and the most important, is to raise the bar against attack using CTI dissemination. If we allow the possibility, let's say, to translate what is generally managed by a security team, having access to CTI, down, let's say, to the security product installed into the customer environment, you allow this security product, let's say, to detect better and faster what specific threats they could have to deal with, and then to provide feedback, let's say, to the observation point, the XDR platform, to say, okay, I have seen this in my environment, and this should be investigated.

David Bizeul [00:09:43]: So this is all the 3 aspects, resource exhaustion, technology ownership, and to elevate the protection on the customer side.

Roseann Guttierrez [00:09:51]: Nice. Yeah. All very important points because I know, when I was on a SOC, you don't wanna spend your time creating integrations. Right? You wanna do the work, that's why you're there, so, yeah, makes sense. So, like I said, I know this is a new project for you. Where can you, it's probably a loaded question. Where can you use help?

David Bizeul [00:10:09]: Mm-mm.

Roseann Guttierrez [00:10:11]: Yes.

David Bizeul [00:09:42]: Well, at the end, the project will be a success if it's used by security vendors. If I make a parallel, you all remember Neo learning how to pilot a helicopter in The Matrix. What I would love is, let's say, the security industry to do the same, to have the ability to do the same. That means with a simple command such as pip install OXA integration product XYZ, you get the knowledge, let's say, to speak and to interact with this product XYZ. This is exactly the same. With just a simple, single repository, you get access to the ability to interact with 1 security product that is defined. Doing so, you can understand what this security product can tell you, whether it is, I don't know, something that provides information on endpoints, so you will get the knowledge about what's going on on the file system. If it's another product working on, let's say, network communication.

David Bizeul [00:11:23]: You get the knowledge about specific details on the network traffic, what has been, let's say, analyzed by the network analyzer, whatever you want. But the goal is to understand it as a single language and in the same way, to have the ability to speak with generic orders to these security technologies. So this is really the same parallel that Neo did in The Matrix with the way to learn how to pilot a helicopter. Before reaching this step, we will need help. When the project is up and ready, of course, we will wait for our contribution. That means technical developments, brainstorm ideas. So we will organize regular meetings, and the goal will be to share ideas, to propose things, to discuss together, and also to ask questions, if you observe something that seems to be a weird direction the project is taking. Another interesting part could probably be the proposal of playbooks if your organization has some.

David Bizeul [00:12:38]: I spoke about the way, let's say, to create a collaborative repository of playbooks. This could make a lot of sense for the security industry. So if you're involved into this playbooks creation, that would be very interesting to have you in this OXA sub project. So this is where I can think the help of the community would make sense.

Roseann Guttierrez [00:13:03]: Wonderful, and I love it. You get bonus points for having a Matrix reference because that's, you know
14 MIN
Cybersecurity Automation Sub Project (CASP) and Village - June 2023
FEB 14, 2024
Roseann Guttierrez [00:00:00]: Our guest is Duncan Sparrell. He is, I love the title, chief cyber curmudgeon. That's a great title. Of sFractal Consulting LLC. He is an OASIS board member and is also a co-chair of the Cybersecurity Automation Subproject. Duncan, welcome. I hope I didn't shortchange you on the intro. Do you have anything you wanna add to that?

Duncan Sparrell [00:00:21]: Nope. It sounds good. I'm a lot of other things too, but that's what matters to this talk.

Roseann Guttierrez [00:00:26]: Aren't we all? Alright, Mister Duncan. So as I said, welcome. I really appreciate you being here today, giving us a little bit of your time. My first question for you is to give me an elevator pitch on the CASP project.

Duncan Sparrell [00:00:41]: Alrighty. Well, let me start out with one of its purposes in life, which is something called the Cybersecurity Automation Village, which we had one of last week. So I'll just give you some context of how CASP works into the bigger OCA and then what it produces as output, which is the Village. You're here at the OCA Connect, so hopefully you already know what OCA is. But just as a reminder to everybody, the Open Cybersecurity Alliance, and this is literally a screenshot right off the home page, is for building an open ecosystem where cybersecurity products interoperate without the need for customized integration. So that "interoperate" is a really key word. And one of the subprojects of the OCA is the CASP subproject, or the Cybersecurity Automation Subproject.

Duncan Sparrell [00:01:25]: So that interoperate, that's part of the bigger OCA picture: it needs to have things talk to each other. And if they could talk to each other automatically, automagically, then they would be much more efficient. And so why do we wanna do that?

Well, we wanna sort of get our actual products talking to each other. That's why we hold this thing called the Cybersecurity Automation Village, which is where we get these projects actually interacting. Now, yes, the elevator pitch: why do we even have this stuff in the first place? Well, we have this large set of acronym soup that we're gonna be talking about and explaining at least some of them. And so one of the reasons is just so everybody knows what the acronyms stand for and everybody knows each other's project. But the real issue is because it actually saves money. Okay. And the way it saves the end customer money, you apply the sort of risk principles.

Duncan Sparrell [00:02:16]: Why do we do cybersecurity? I'm big into quantitative risk. This would be a whole talk of its own. But to apply those principles, you need some data, and some work was done by the Johns Hopkins University Applied Physics Lab. The sort of punch line of this talk from years ago is it's two orders of magnitude sooner you kick the hackers out of your system. So if you do this automation stuff that we'll be talking about, you can kick hackers out of your system in hours instead of weeks. And that's, if you want, the sort of one-sentence punch word of why do we do this automation, why do we have this subproject. It's because we want the stuff to interoperate automatically so we can kick hackers out quicker.

Roseann Guttierrez [00:02:56]: Absolutely. Alright. Well, that leads me to my second question. So why is this important to you?

Duncan Sparrell [00:02:54]: So I retired about 10 years ago. I retired as AT&T's chief security architect, and I had a fairly big budget. A lot of people reported to me. We did a lot of really important work. We really moved cybersecurity forward a lot, but we were operating at human speed. And I retired and had a very good career, and I was bored and needed something to do.

So I got very involved in cybersecurity standards, and in particular the standards of cybersecurity automation, because I think they really will make the world a safer place. So it's important to me because I really want this stuff to succeed, because the hackers traditionally have been winning, and I want the defenders to win.

Roseann Guttierrez [00:03:40]: Don't we all? Absolutely. Yes. Alright. Well, like you said earlier, I know you said that you had your very first CASP workshop. I know you've had workshops in the past, but as the subproject. So why don't you tell me a little bit about, you know, highlights for what happened last week?

Duncan Sparrell [00:03:57]: Alright. Well, you know, as I sort of mentioned, the reason we're doing this is to save the end consumer money. And the other reason we have the Village is sorta to get the different things to interoperate, and I'll talk a little bit more about that. But, of course, the other reason we get together is so that we can hand out stickers. One really important aspect of the meeting was that we did actually have Cybersecurity Automation Village stickers, and, of course, we had Open Cybersecurity Alliance stickers. But we had, basically, 4 hours. It was out at the University of Southern California. We started at 10:30 in the morning, ended up at 4 PM, Eastern or, I'm sorry, Pacific.

Duncan Sparrell [00:04:35]: And it was, you know, streamed, so it went around the world, and we had people from around the world there. We had people, I think, from 4 continents. We had about 40 people overall, about 15 to 20 of them in the room. We covered a lot of the alphabet soup that we'll talk about. Again, the main purpose was to get these various projects interoperating with each other, and we got a lot of them to do that.

I can go into it in sort of a whole lot more detail, but the sort of really big picture was we want to try and tie this together from sort of the end enterprise viewpoint. What's the value to them? The value to them is to save money on actual real-life use cases. So we created this use case.

Duncan Sparrell [00:05:18]: Some people give us grief for the word "use case"; maybe "scenario" would be a better word, because once you get into the details, it's a use case, but it's a very big picture. It's more of the common English: a case where you use this stuff, and the one that we picked was a made-up one that we called the witchy watchee ransomware. So we broke it down into 6 days: on 6 different days, 6 things happened related to this new invented, fake ransomware we did. And we played around, and some of this is funny and meant to be, you know, sort of bring a smile to people's face, on, like, Murphy's Law. The law firm's name is Murphy's Law, stuff like that. And the funny US government agency we made up was the NSA, ANSA. But the real important thing is it's actually pretty serious stuff, and so we got together, and we had a good time doing it. But the 6 days start out with basically a zero-day ransomware attack on a law firm.

Duncan Sparrell [00:06:17]: They move on through sort of day 2, where somebody else gets attacked but takes advantage of the learnings from the 1st day. Day 3, where you sort of do some preventative action, prevent yourself from even getting hacked in the 1st place. Day 4, government agencies have certain rules they have to follow, like Comply-to-Connect, and it sort of works into that. Day 5, we go out and arrest all the hackers involved. And day 6, we can neither confirm nor deny whether the US and allied partners go in and remove foreign nation-state assets involved in the attack.

And that's, again, just sort of, we try and be a little bit funny while we do it, but we actually did a lot of actual looking, sort of processing the details of day 1. I'm not gonna read through all this, but the actual way we did it when we met last week was we actually worked out real-life scenarios where all those different open technologies were used, and interactions and actual real-life data was passed in some of those. Sort of down at the bottom, the little symbols there, the gears, the human, and the hand: some of it was done with actual machine-to-machine APIs and real-life data. Some of it was done with human-to-machine interactions.

Duncan Sparrell [00:07:32]: Again, we wanna automate, so we want this stuff to be at speed, so we prefer the human to be on the loop as opposed to in the loop, but sometimes they have to be in the loop. And then, because not everything always works and because we're not, you know, perfect and have everything as much as we'd like, there's a certain amount of hand waving involved, and we got into the details of that. We sort of worked through each day, in which technologies went through each, worked in these various things. Sometimes more hand waving was involved than others. And then the sort of summary was that we had an awful lot of technologies that actually talked a lot to each other, with actual machine-to-machine interfaces, sometimes with human-to-machine interfaces, and sometimes with hand waving. We had a lot of companies involved, but actual companies who brought what we call sweat equity to the table and had their stuff talk to other stuff; that's sort of a string across the bottom. So, overall, a very successful event.

Duncan Sparrell [00:08:19]: That's sort of the very high-level summary.

Roseann Guttierrez [00:08:23]: That's awesome. So how often do you plan on having your meetings?

Roseann Guttierrez [00:08:28]: Do you already have a set schedule for your meetings?

Duncan Sparrell [00:07:31]: So, again, distinguishing between CASP, which is the group of people trying to make all this stuff work, and the Village, which is where we have a wider event, invite outsiders to come watch us, and hopefully get even more people involved. CASP meets twice a month. We meet at 11 AM on the first, I keep my days straight up here, Monday of the month and 4 PM EST on the 3rd. And the reason we do those time switches is because we do have people from all around the world, like that very first company mentioned on the slide here, Cydarm. We actually had someone physically present, but they literally flew from Australia to California to attend our meeting in person for last week, but we have our weekly meetings for people in Australia. 11 AM is an absolutely horrible time, just like 4 PM is an absolutely horrible time for people in Europe. So we sort of, right.

Duncan Sparrell [00:09:20]: You know, move the times around to share everybody. But that's the meetings. The Villages, we've been traditionally holding about once a year. We'd probably like to do it twice a year. The next one we have planned is not an actual full Village. It's just sort of a quick get-together and meetup as part of Borderless Cyber, which will be occurring in September in London, and the next big actual Village, as opposed to the sort of half-day event we had, we're planning a two-day event in Q1 of next year. We're still working with the host to get permission to say where it'll be, but it'll most likely be at a site in either Washington DC or New Jersey that the host is still working out.

Duncan Sparrell [00:10:01]: And the dates we're still working out, but sometime probably later in the first quarter.
11 MIN
Kestrel - May 2023
FEB 14, 2024
Roseann Guttierrez [00:00:00]: Our featured guest, Xiaokui Shu, is a senior research scientist from IBM. He is one of our OCA Technical Steering Committee chairs, and he will also be talking to us today about the Kestrel subproject. So, Xiaokui, have I missed anything as far as your intro?

Xiaokui Shu [00:00:17]: It's really nice. You did not miss anything.

Roseann Guttierrez [00:00:20]: Okay. I just wanna make sure. Well, welcome. Thank you very much for being here today. My first question for you is, basically, give me an elevator pitch on what Kestrel is.

Xiaokui Shu [00:00:31]: Kestrel is a threat hunting language that we invented to accelerate the procedure of the hunt for threat hunters. That's the main goal of Kestrel. Yeah.

Roseann Guttierrez [00:00:48]: Alright. Alright, and what makes the subproject important to you?

Xiaokui Shu [00:00:54]: This is a really exciting project. Actually, we started planning for it maybe 6 years ago. So when we were in a DARPA program called Transparent Computing, in that program DARPA tried to set up an environment to collect as much data as possible. So that's really big data security, much bigger data than what we currently have now in commercial systems. And we were given a task: what can we do with such a big amount of data? Can we do better detection? Can we do better at attributing attacks? Can we do better mitigation? Can we do better even at recovering from things? So at that time, given the large amount of data we could play with, we invented something called τ-calculus. It's another language, which is kind of the essence of the graph computation that Kestrel takes.

Xiaokui Shu [00:01:53]: So we invented the language and a paradigm of detection that uses graph computation to do cybersecurity.

And that is the first time that we introduced it to the society, and we published a top-tier conference paper on this to introduce the society to the idea of how people can use a form of graph computation to achieve their cybersecurity goals, such as doing threat detection and things. As I mentioned, we did a language at the time to prototype the idea, to make it into something actionable. So the language was called τ-calculus, and that was a big success in the DARPA program. And we were leading the scoreboard on detection all the time throughout the years. So we were very excited during the 4 years of the program. And then after the program, we thought, why not put something onto the more open source side so that the entire world can benefit from what we invented? So

Roseann Guttierrez [00:03:06]: Right.

Xiaokui Shu [00:03:05]: That's where we started. So IBM Research started to reach out to IBM Security to connect to real-world infrastructure, applications, datasets, and how we can consume everything. And we started to design Kestrel at the time. So it's a little bit of a long story, but it's a very exciting thing that started many years ago, 6 years ago, 6 or 7.

Roseann Guttierrez [00:03:34]: Yeah. I had no idea of that background, so that's awesome. Where do you think the Kestrel project needs assistance? Where do you think it needs help?

Xiaokui Shu [00:03:43]: Yeah. We need help everywhere. So this is a very, very young project. So Kestrel was announced 2 years ago at the RSA conference. And 2 years is a fairly short amount of time for an open source project. We are struggling putting things into formal ways, such as to have formal unit tests for the project and very formal documentation, so to make it easy for people to consume, make it formal to have, kind of, videos and labs for people to play with it, and also try to bump up the quality of the code while we try to formalize things.

The basic idea, the fundamental idea, is there, but there are so many things that we need to work out during the years and try to get it more easily consumed by people, and we still need a lot of help on the code side, on the documentation side, on the use case side. Now, after about 2 years' time, we are very lucky that we get a lot of traction and interest, and people are trying to use this in their real-world, kind of, daily job of the hunt.

Xiaokui Shu [00:04:59]: And we were getting feedback from a lot of hunters and also getting feedback from the development team or deployment team about what type of thing we may help them with to better deploy Kestrel for large, kind of, EDUs. But we see a kind of lack of things like some of the front-end development, some of the back-end improvement and things. Lots of things that we need help with, yes.

Roseann Guttierrez [00:05:27]: Okay. Alright. And last question: when are your meetings? So people know when they can jump in and talk to y'all.

Xiaokui Shu [00:05:35]: Okay. So, for Kestrel, currently we do not have, kind of, a periodic meeting that we have spare time for, because we found we already have so many meetings for people. So, usually, we encourage people to join the Slack channel and to chat there for their questions, and schedule meetings when there is a need. So the thing is that when we have maybe a topic that several people are interested in, we will schedule a meeting for that, more like a discussion or kind of a temporary meeting for that topic. And when the topic gets more formalized, and we want to keep developments and maybe some other things around it, we put it into more periodic meetings. Give you some examples.

Xiaokui Shu [00:06:25]: In the last couple of months, we have had meetings with people from the OpenC2 community to co-develop an OpenC2 actuator profile for hunting, which is actually what Kestrel supports.

And, also, we have meetings with students from different universities to give them guidelines on how they can contribute to the Kestrel project and give them some technical help when the students start. And they may not have a strong cybersecurity background and things. And we also have meetings with senior students and graduate students in universities and give them ideas about the general background of Kestrel and the connection to different projects, so that we can do research on the academic side about different hunting strategies and hunting paradigms and try to connect different projects and try to make connections and also do evaluations on different things. So once things get, kind of, stretched, for example, the first one, the OpenC2 and Kestrel meetings, we set up a biweekly periodic meeting for that. So that turns into a very formal meeting after the

Roseann Guttierrez [00:07:38]: Right.

Xiaokui Shu [00:07:38]: First few touches. We are doing subclassification of the standards as well as the prototyping, so that we are targeting a show in one of the OCA sub projects in June this year. A lot of exciting things are happening, and if someone is interested in Kestrel and wants to chat more about it, wants to ask questions, the first stop, I will say, is to go to a Slack channel, the OCA Slack space, and there is a Kestrel channel. You can ask questions. And when we gather interest around a topic, we will create meetings for that. That's the current flow we have.

Roseann Guttierrez [00:08:19]: Great. That's great. Well, thank you so much. I really appreciate your time today and you coming in and answering all of our questions. Thank you for being here.

Xiaokui Shu [00:08:28]: Thank you.
9 MIN