1
00:00:00,934 --> 00:00:03,870
(electronic music)

2
00:00:10,944 --> 00:00:13,179
(applause)

3
00:00:15,115 --> 00:00:18,218
- Thank you for being here,
thank you for taking time.

4
00:00:18,218 --> 00:00:23,223
I understand exactly how much
time, like, our time is worth.

5
00:00:24,424 --> 00:00:25,724
So we're gonna talk
about that today.

6
00:00:25,725 --> 00:00:27,527
We're gonna talk about
shortening some cycles,

7
00:00:27,527 --> 00:00:29,262
gonna talk about
finding evil faster.

8
00:00:29,262 --> 00:00:31,765
We're gonna have a whole
discussion around normal.

9
00:00:34,000 --> 00:00:37,003
I love this motto.

10
00:00:37,003 --> 00:00:40,540
It's four simple words,
but how hard is it

11
00:00:40,540 --> 00:00:42,942
to actually know normal?

12
00:00:42,942 --> 00:00:45,478
How hard is it to
actually find evil?

13
00:00:45,478 --> 00:00:47,380
A lot of us in this
room, understand

14
00:00:47,380 --> 00:00:50,050
how hard that equation
actually becomes.

15
00:00:50,050 --> 00:00:53,285
We spend a whole lot
of time chasing normal,

16
00:00:53,286 --> 00:00:55,889
lookin' for evil,
only to, in the end,

17
00:00:55,889 --> 00:00:59,092
find something that
looks exactly like
an APT, but it's not.

18
00:00:59,092 --> 00:01:00,994
And we're gonna talk about a
bunch of those examples today,

19
00:01:00,994 --> 00:01:03,396
and how we can start,
as a community,

20
00:01:03,396 --> 00:01:04,697
put this intelligence together

21
00:01:04,697 --> 00:01:06,332
in a way that we can all use.

22
00:01:06,332 --> 00:01:07,967
Sound good?

23
00:01:07,967 --> 00:01:09,536
Awesome.

24
00:01:09,536 --> 00:01:11,738
Look, the journey
at Carbon Black

25
00:01:11,738 --> 00:01:13,807
really started with one premise,

26
00:01:13,807 --> 00:01:15,842
centrally collect
the right data,

27
00:01:15,842 --> 00:01:17,510
to rewind the tape on attacks.

28
00:01:18,845 --> 00:01:21,815
But as we started this
journey, we started to realize

29
00:01:23,416 --> 00:01:26,086
that collecting all of that
data doesn't necessarily mean

30
00:01:26,086 --> 00:01:27,620
you can determine normal faster.

31
00:01:27,620 --> 00:01:30,457
In fact, when you start to
collect all of this data,

32
00:01:30,457 --> 00:01:32,357
the more you actually
start to look at it,

33
00:01:32,358 --> 00:01:34,561
the more abnormal
everything becomes.

34
00:01:35,995 --> 00:01:37,230
I'm gonna talk about some
of those examples today,

35
00:01:37,230 --> 00:01:39,666
and I'll give you, one
of our brief hypothesis

36
00:01:39,666 --> 00:01:41,167
that we started with
that was quickly

37
00:01:41,167 --> 00:01:42,635
myth-busted along the journey.

38
00:01:43,803 --> 00:01:46,339
We thought when we
started, that binaries

39
00:01:46,339 --> 00:01:48,908
on an endpoint would
stabilize over time.

40
00:01:50,276 --> 00:01:53,646
Actually not true, they
continue to linearly increase.

41
00:01:53,646 --> 00:01:56,149
Like, why does a user
continue to need executables

42
00:01:56,149 --> 00:01:58,084
when they can do
their job on a thing?

43
00:01:58,084 --> 00:01:59,619
That still continues to happen.

44
00:02:00,487 --> 00:02:02,222
We wasted a lot of time.

45
00:02:03,423 --> 00:02:06,259
During our engagements,
we found a lot of normal

46
00:02:06,259 --> 00:02:08,161
at the tail end of our chain.

47
00:02:08,161 --> 00:02:09,929
And it turns out
none of it was evil,

48
00:02:09,929 --> 00:02:12,298
but we wasted a
whole lot of time.

49
00:02:12,298 --> 00:02:13,967
So what we're gonna
talk about today,

50
00:02:13,967 --> 00:02:15,902
is how we can
apply those lessons

51
00:02:15,902 --> 00:02:17,803
back to what you're
doing in your program,

52
00:02:17,804 --> 00:02:19,806
and hopefully inspire this
community to get together

53
00:02:19,806 --> 00:02:21,608
to help fix some of this stuff.

54
00:02:21,608 --> 00:02:23,376
'Cause I'm tired of wasting time

55
00:02:23,376 --> 00:02:25,345
chasing good,
known applications.

56
00:02:25,345 --> 00:02:28,615
Anybody else tired of chasing
good, known applications?

57
00:02:28,615 --> 00:02:32,118
At CCM it was a pain, so we'll
talk a little bit about that.

58
00:02:33,419 --> 00:02:35,889
But now we're gonna
talk about evil.

59
00:02:37,290 --> 00:02:41,126
When we start, we generally ask
ourselves, is this abnormal?

60
00:02:41,127 --> 00:02:42,562
I.e. a thing happened.

61
00:02:42,562 --> 00:02:44,230
Maybe it was an alert,
maybe we started an incident

62
00:02:44,230 --> 00:02:46,298
response engagement,
maybe we're out hunting.

63
00:02:46,299 --> 00:02:49,702
But we start with that
hypothesis, is this abnormal?

64
00:02:49,702 --> 00:02:53,139
Then we start to say to
ourselves, is this normal?

65
00:02:55,675 --> 00:02:58,745
The intersection of both becomes
a very interesting place.

66
00:03:00,146 --> 00:03:01,847
And we start to pay
attention to these things,

67
00:03:01,848 --> 00:03:04,817
we start to realize that
abnormal and normal overlap

68
00:03:04,817 --> 00:03:07,587
all the time, and the buckets
we use to define those,

69
00:03:07,587 --> 00:03:09,221
are probably a little incorrect.

70
00:03:10,890 --> 00:03:13,792
This year, some great
work has been done

71
00:03:13,793 --> 00:03:17,730
to help actually find
evil, and that work,

72
00:03:17,730 --> 00:03:19,631
thank you MITRE, by the way.

73
00:03:19,632 --> 00:03:21,734
Carbon Black is a huge
fan of what happened

74
00:03:21,734 --> 00:03:23,169
with MITRE ATT&CK.

75
00:03:23,169 --> 00:03:25,838
We actually have a taxonomy,
that's understandable,

76
00:03:25,838 --> 00:03:29,642
updatable, and relatable
back to the kill chain.

77
00:03:29,642 --> 00:03:32,045
So now we understand the TTPs

78
00:03:32,045 --> 00:03:35,415
mapped out to the
entire kill chain.

79
00:03:35,415 --> 00:03:37,784
This helps us start to
focus on evil faster.

80
00:03:39,219 --> 00:03:42,120
But what happens when you
start to overlay this data,

81
00:03:42,121 --> 00:03:45,458
is you get a massive
amount of false positives.

82
00:03:45,458 --> 00:03:47,927
We can tell you this, because
we created a watch list

83
00:03:47,927 --> 00:03:49,462
which maps back to ATT&CK MITRE,

84
00:03:49,462 --> 00:03:50,929
so if you're a Carbon
Black customer,

85
00:03:50,930 --> 00:03:52,599
that'll be available
in, like, a week.

86
00:03:52,599 --> 00:03:55,435
In GA we have a beta
program right now,

87
00:03:55,435 --> 00:03:58,238
there's a number of false
positives go through the roof.

88
00:03:59,372 --> 00:04:01,574
And this is the problem,
while it allows us

89
00:04:01,574 --> 00:04:03,209
to focus on attacker behavior,

90
00:04:04,844 --> 00:04:07,647
we are still left with
this giant amount of noise.

91
00:04:07,647 --> 00:04:10,149
And it becomes, what I
like to refer to it as

92
00:04:10,149 --> 00:04:12,785
finding the needle
in the needle stack.

93
00:04:12,785 --> 00:04:14,821
So when we take
all of that away,

94
00:04:14,821 --> 00:04:17,356
we're left with all
this noise, still.

95
00:04:17,357 --> 00:04:19,692
Is it a print queue,
or is it the Russians?

96
00:04:19,692 --> 00:04:22,996
I don't know, we've gotta
figure that out faster, right?

97
00:04:22,996 --> 00:04:24,631
Can't find evil, unless
we can get through

98
00:04:24,631 --> 00:04:26,965
the cycle of knowing
normal, faster.

99
00:04:32,171 --> 00:04:35,575
Abnormal and normal
are intertwined,

100
00:04:35,575 --> 00:04:37,477
they're in a relationship
with each other.

101
00:04:37,477 --> 00:04:39,811
It depends on how
you analyze data,

102
00:04:39,812 --> 00:04:41,281
and I'll give you an example.

103
00:04:42,482 --> 00:04:44,017
Is notepad.exe at 10am,

104
00:04:45,518 --> 00:04:46,986
like, if you
observe the behavior

105
00:04:46,986 --> 00:04:50,156
of that binary at 10am,
it may look one way.

106
00:04:50,156 --> 00:04:52,959
But if you do it at 10am
and 10pm, it's gonna change.

107
00:04:52,959 --> 00:04:54,661
If you do it every 10
seconds, it's gonna change,

108
00:04:54,661 --> 00:04:57,730
if you do it every one
second, it's gonna change.

109
00:04:57,730 --> 00:05:01,234
Abnormal is based on
your observations.

110
00:05:02,969 --> 00:05:04,637
So now we're gonna
talk a little bit about

111
00:05:04,637 --> 00:05:06,506
the levels of abnormal
that are out there.

112
00:05:06,506 --> 00:05:07,773
They exist all over the place.

113
00:05:07,774 --> 00:05:09,809
When you start looking
at endpoint behavior,

114
00:05:09,809 --> 00:05:12,245
you start to
quickly realize that

115
00:05:12,245 --> 00:05:14,447
there is process abnormalities.

116
00:05:14,447 --> 00:05:16,549
There are system abnormalities,

117
00:05:16,549 --> 00:05:19,484
memory based abnormalities,
and certainly users

118
00:05:19,485 --> 00:05:21,721
have abnormalities
all the time, right.

119
00:05:21,721 --> 00:05:24,457
Some of you guys can
probably relate to this.

120
00:05:24,457 --> 00:05:26,359
What does this all mean?

121
00:05:26,359 --> 00:05:30,330
It really means that
you have to understand

122
00:05:30,330 --> 00:05:33,966
each one of these to
actually understand normal.

123
00:05:33,966 --> 00:05:36,302
And if you can get
to know that normal,

124
00:05:36,302 --> 00:05:38,705
all of these get
removed, then the focus

125
00:05:38,705 --> 00:05:40,139
becomes just finding evil.

126
00:05:41,708 --> 00:05:43,609
If we can spend our
time just finding evil,

127
00:05:43,609 --> 00:05:46,445
if we can get through the
cycle of knowing normal faster,

128
00:05:47,580 --> 00:05:49,048
I think we have a
chance of getting down

129
00:05:49,048 --> 00:05:52,018
to a reasonable time to
actually defend our systems.

130
00:05:52,018 --> 00:05:53,785
Like, if we don't,
and we continue to do

131
00:05:53,786 --> 00:05:55,321
what we've done as an industry,

132
00:05:56,456 --> 00:05:57,957
we are gonna continue
to have a problem.

133
00:05:57,957 --> 00:06:00,659
I mean look, Gartner says it's
180 days mean time to detect.

134
00:06:00,660 --> 00:06:03,129
I think Verizon last
year, said it was 211.

135
00:06:03,129 --> 00:06:08,134
When I started in 1998,
the number was 369 days.

136
00:06:09,502 --> 00:06:12,472
So, at best, in 20 years,
we've gotten six months better.

137
00:06:13,806 --> 00:06:15,474
It's not a good statistic, like,

138
00:06:15,475 --> 00:06:17,944
that's just not a good
look, as an industry, right.

139
00:06:19,512 --> 00:06:22,281
So now, let's talk about how
we bucket normal and evil.

140
00:06:23,649 --> 00:06:26,419
Today, we generally
use two buckets.

141
00:06:26,419 --> 00:06:29,955
We say something is normal,
therefore it's benign.

142
00:06:29,956 --> 00:06:32,258
Or something is abnormal,
therefore it's evil.

143
00:06:32,258 --> 00:06:34,861
But as an industry, how
do we figure that out?

144
00:06:34,861 --> 00:06:37,430
We start to use frequency
analysis, right.

145
00:06:37,430 --> 00:06:39,399
'Cause frequency
analysis tells us,

146
00:06:39,399 --> 00:06:41,968
if it happens frequently,
it's probably good.

147
00:06:41,968 --> 00:06:45,037
If it happens infrequently,
it's probably bad,

148
00:06:45,037 --> 00:06:46,438
because that's your outlier.

149
00:06:47,940 --> 00:06:50,743
We think that's bad, we
think we should actually

150
00:06:50,743 --> 00:06:52,445
focus on infrequent
and malicious.

151
00:06:53,546 --> 00:06:55,782
Not frequency being
the indicator.

152
00:06:55,782 --> 00:06:56,883
And we think the
table's gonna look

153
00:06:56,883 --> 00:06:57,817
a little bit more like this.

154
00:07:02,822 --> 00:07:04,624
Normal things act
evil all the time.

155
00:07:05,758 --> 00:07:07,827
Look, if you watch
any of the cool talks

156
00:07:07,827 --> 00:07:11,431
on evading antivirus,
what you'll quickly see

157
00:07:11,431 --> 00:07:12,965
is none of the
attackers are actually

158
00:07:12,965 --> 00:07:15,334
dropping binaries anymore,
at least the good ones.

159
00:07:15,334 --> 00:07:17,603
They're all using
good, known processes.

160
00:07:17,603 --> 00:07:20,940
Whether that's PowerShell,
WMI, all of these things.

161
00:07:20,940 --> 00:07:22,141
So, normal stuff acts evil.

162
00:07:22,141 --> 00:07:23,309
Why, because I approved it.

163
00:07:23,309 --> 00:07:24,677
I approved that application.

164
00:07:24,677 --> 00:07:26,212
When somebody submitted
that, this application

165
00:07:26,212 --> 00:07:28,247
came up on my network, and I
was the CCO, I approved that.

166
00:07:28,247 --> 00:07:31,717
So guess what,
it's a normal evil.

167
00:07:31,717 --> 00:07:33,286
In a Dungeons & Dragons sense,

168
00:07:33,286 --> 00:07:35,154
it looks a little
bit more like this.

169
00:07:36,389 --> 00:07:38,391
And apps operate like
that all the time.

170
00:07:39,625 --> 00:07:41,928
There's chaotic
good apps, like CCM,

171
00:07:41,928 --> 00:07:43,094
that just spray things
all over the place

172
00:07:43,095 --> 00:07:45,598
and network connections
like crazy, right.

173
00:07:45,598 --> 00:07:48,668
You have abnormal benign
things, like an increase in x,

174
00:07:48,668 --> 00:07:50,169
where something changes
in your environment,

175
00:07:50,169 --> 00:07:52,538
but it's completely benign
and you chased it down.

176
00:07:52,538 --> 00:07:53,840
It's a lot of time wasted.

177
00:07:55,308 --> 00:07:57,276
So look, here's
what we're gonna do.

178
00:07:57,276 --> 00:07:58,878
I've never seen a
Keynote do this,

179
00:07:58,878 --> 00:08:00,246
we're gonna play a game today.

180
00:08:00,246 --> 00:08:02,048
Everybody ready to play a game?

181
00:08:02,048 --> 00:08:02,982
- [Audience Member] Yeah.

182
00:08:02,982 --> 00:08:04,417
- It should be pretty awesome.

183
00:08:04,417 --> 00:08:06,085
The game's gonna be
called, evil or not evil.

184
00:08:06,085 --> 00:08:07,986
I'm gonna give you some
examples of things that happen,

185
00:08:07,987 --> 00:08:09,922
give you the front
end of the chain.

186
00:08:09,922 --> 00:08:11,390
I want you to think about it,

187
00:08:11,390 --> 00:08:13,693
you don't have to shout answers,
we're gonna think about it,

188
00:08:13,693 --> 00:08:14,861
we're gonna walk
these in our head.

189
00:08:14,861 --> 00:08:17,029
We'll give you an
example of where we won,

190
00:08:17,029 --> 00:08:19,866
and were actually right, and
where we failed in our hunt.

191
00:08:21,767 --> 00:08:23,870
Alright, evil or not evil.

192
00:08:23,870 --> 00:08:27,573
You get an alert, or maybe
a watch list hit that says

193
00:08:27,573 --> 00:08:31,043
your SAM file was
accessed and scraped.

194
00:08:31,043 --> 00:08:32,345
Is that evil, or not evil?

195
00:08:37,015 --> 00:08:40,819
Well if you go to MITRE ATT&CK,
oh look pwdump does that,

196
00:08:40,820 --> 00:08:43,456
mimikatz does that, so
it must be evil, right.

197
00:08:45,024 --> 00:08:46,325
I like that answer.

198
00:08:46,325 --> 00:08:47,460
(muffled talking)

199
00:08:47,460 --> 00:08:49,495
Yeah, what's the
context of that, right?

200
00:08:49,495 --> 00:08:51,964
What's the context,
like, what are

201
00:08:51,964 --> 00:08:53,232
the parent things
that kicked that off?

202
00:08:56,369 --> 00:08:59,805
In this particular case,
we were assuming evil.

203
00:09:01,240 --> 00:09:02,575
That shouldn't happen right?

204
00:09:02,575 --> 00:09:04,810
But it turns out, we were wrong.

205
00:09:04,810 --> 00:09:07,079
And it was completely normal.

206
00:09:07,079 --> 00:09:09,180
You know what does
this all the time?

207
00:09:09,181 --> 00:09:10,016
Adobe updater.

208
00:09:11,317 --> 00:09:12,552
You know what
Adobe updater does?

209
00:09:12,552 --> 00:09:14,420
It like, watches all
of these processes

210
00:09:14,420 --> 00:09:16,521
so it can stay up and running.

211
00:09:16,522 --> 00:09:17,857
And from Adobe's perspective,

212
00:09:17,857 --> 00:09:19,358
that probably makes
perfect sense.

213
00:09:19,358 --> 00:09:21,560
I mean, after all, they've
sold billions of dollars

214
00:09:21,561 --> 00:09:24,430
of software, and their
software stays up all the time.

215
00:09:24,430 --> 00:09:25,698
From our perspective,
we're like,

216
00:09:25,698 --> 00:09:29,068
hey Adobe, maybe you
don't need to do that.

217
00:09:29,068 --> 00:09:31,437
Maybe you can create two
processes, an A and a B,

218
00:09:31,437 --> 00:09:33,139
with shared view texts
and just watch each other,

219
00:09:33,139 --> 00:09:37,777
and if it fails, get out of
what the adversaries do, right.

220
00:09:37,777 --> 00:09:39,045
So now in this particular case,

221
00:09:39,045 --> 00:09:40,913
the red balloon is not evil.

222
00:09:40,913 --> 00:09:43,115
A child just lost
his red balloon.

223
00:09:43,115 --> 00:09:44,617
But that wasted a ton of time.

224
00:09:46,085 --> 00:09:49,188
Alright, here we go, next up.

225
00:09:49,188 --> 00:09:53,326
Notepad.exe makes a
netconn, good or bad?

226
00:09:54,694 --> 00:09:56,462
Supposed to happen, 'cause
I was told for years

227
00:09:56,462 --> 00:09:59,699
Notepad never makes network
connections unless it's evil.

228
00:10:04,570 --> 00:10:09,141
Oh, but wait, if I use file
shares, and I'm a user,

229
00:10:09,141 --> 00:10:12,111
and I open a text file from a
file share, well guess what.

230
00:10:12,111 --> 00:10:14,614
Notepad makin' netconns
all over the place.

231
00:10:15,815 --> 00:10:18,050
Context becomes
everything to determine

232
00:10:18,050 --> 00:10:19,318
whether it's evil or not.

233
00:10:20,720 --> 00:10:23,255
In this particular case,
when you start to trace it,

234
00:10:24,724 --> 00:10:27,226
you start to see that
the parent process

235
00:10:28,094 --> 00:10:30,796
is actually cpuchecker.exe.

236
00:10:31,831 --> 00:10:33,532
And our intel team discovered

237
00:10:33,532 --> 00:10:37,970
a brand new piece of Monero
mining software that used Notepad

238
00:10:39,372 --> 00:10:42,742
to connect back, and
start the mining process.

239
00:10:42,742 --> 00:10:44,977
So is it bad that notepad.exe
makes connections?

240
00:10:44,977 --> 00:10:46,245
No, that's gonna
happen everyday.

241
00:10:46,245 --> 00:10:48,214
I guess unless you
get rid of the Notepad

242
00:10:48,214 --> 00:10:49,015
in that environment, right?

243
00:10:50,116 --> 00:10:51,417
But injection's
happening all the time,

244
00:10:51,417 --> 00:10:52,952
and the context
becomes everything.

245
00:10:52,952 --> 00:10:54,520
If you don't have the
visibility and you can

246
00:10:54,520 --> 00:10:56,322
put that picture together,
you're just gonna miss it

247
00:10:56,322 --> 00:11:00,326
and assume things, and
honestly waste a lot of time.

248
00:11:01,494 --> 00:11:03,129
I'm gonna reiterate
that a few times.

249
00:11:03,996 --> 00:11:04,964
What's my part in here?

250
00:11:04,964 --> 00:11:06,699
Oh, this is a good one.

251
00:11:06,699 --> 00:11:11,036
MSBuild, I hate
MSBuild right now.

252
00:11:11,037 --> 00:11:13,339
MSBuild got put on
every Windows 10 box.

253
00:11:14,573 --> 00:11:17,242
And MSBuild, and I'll
tell you right now,

254
00:11:17,243 --> 00:11:18,911
if you work in a
company that doesn't

255
00:11:18,911 --> 00:11:21,113
have a lot of engineers, and
you see MSBuild activity,

256
00:11:21,113 --> 00:11:22,748
like, immediately
look into that.

257
00:11:22,748 --> 00:11:25,117
So, we'll just skip the
part where we play the game,

258
00:11:25,117 --> 00:11:27,319
and say, if you don't have
engineers building things

259
00:11:27,319 --> 00:11:29,088
you shouldn't have
MSBuild running.

260
00:11:30,222 --> 00:11:31,824
What's the problem with MSBuild?

261
00:11:32,925 --> 00:11:35,194
Is it evil, is it not evil?

262
00:11:37,063 --> 00:11:38,464
Like, how often
should that happen,

263
00:11:38,464 --> 00:11:40,666
when the parent process
isn't Visual Studio?

264
00:11:43,069 --> 00:11:44,336
These are questions
we all have to answer

265
00:11:44,336 --> 00:11:45,304
when we're not hunting, right,

266
00:11:45,304 --> 00:11:47,039
when we're doing IR engagements.

267
00:11:47,039 --> 00:11:48,174
So, what's that answer?

268
00:11:49,575 --> 00:11:51,677
The answer becomes,
context becomes everything.

269
00:11:51,677 --> 00:11:56,482
MSBuild will make all kinds
of network connections,

270
00:11:56,482 --> 00:11:58,918
because most of the
time, developers are

271
00:11:58,918 --> 00:12:02,154
compiling things on
the network, right.

272
00:12:02,154 --> 00:12:04,056
Their source code repositories
are getting a lot of network,

273
00:12:04,056 --> 00:12:05,991
so guess what, I might as
well go, netconn, netconn,

274
00:12:05,991 --> 00:12:08,794
it's gonna look like lateral
movement all over the place.

275
00:12:08,794 --> 00:12:09,662
So, is it evil?

276
00:12:10,996 --> 00:12:13,499
In this particular case,
there's a whole lot of activity,

277
00:12:13,499 --> 00:12:15,201
but it was abnormal and benign.

278
00:12:15,201 --> 00:12:16,602
We throw a whole
bunch of red balloons

279
00:12:16,602 --> 00:12:18,771
when it turns out
it wasn't, however,

280
00:12:20,906 --> 00:12:23,375
Joe Casazza from Red Canary
is presenting at lunch,

281
00:12:23,375 --> 00:12:25,911
he's gonna deep dive into
MSBuild and why it's bad,

282
00:12:25,911 --> 00:12:28,414
but just to tee up
his talk a little bit,

283
00:12:28,414 --> 00:12:31,083
I can make anything run,
I can make mimikatz run

284
00:12:31,083 --> 00:12:33,618
and it's gonna launch,
that's MSBuild, right.

285
00:12:33,619 --> 00:12:36,288
But that activity that
it does, the behaviors

286
00:12:36,288 --> 00:12:39,225
that are expressed by
MSBuild post that happening,

287
00:12:39,225 --> 00:12:41,160
we should have visibility
to, and be able to stop.

288
00:12:41,160 --> 00:12:42,261
That's how you're
gonna determine

289
00:12:42,261 --> 00:12:43,863
whether it's
actually evil or not.

290
00:12:45,197 --> 00:12:46,866
Alright, one of
my favorite ones.

291
00:12:48,300 --> 00:12:50,935
Powershell.exe starts
making network connections

292
00:12:50,936 --> 00:12:51,737
to new boxes.

293
00:12:54,006 --> 00:12:55,741
Evil, not evil?

294
00:12:59,345 --> 00:13:00,780
You gotta make a call,
come on, we got like,

295
00:13:00,780 --> 00:13:03,249
two minutes, when we
triage this stuff, right.

296
00:13:03,249 --> 00:13:04,950
Alright, he's in
the camp of evil.

297
00:13:06,152 --> 00:13:09,522
I'm in the camp of evil
too, 'cause PowerShell's

298
00:13:09,522 --> 00:13:10,689
pretty awesome.

299
00:13:10,689 --> 00:13:12,992
I mean look, we've
seen it rise ever since

300
00:13:12,992 --> 00:13:14,360
PowerShell Empire
came out, right.

301
00:13:14,360 --> 00:13:15,861
There's droppers everywhere.

302
00:13:15,861 --> 00:13:18,564
It's pretty awesome the stuff
you can do with PowerShell.

303
00:13:18,564 --> 00:13:20,366
My system administrators,
however, would tell me

304
00:13:20,366 --> 00:13:21,667
don't be on PowerShell.

305
00:13:21,667 --> 00:13:24,170
Like, we can't do our
job without PowerShell.

306
00:13:24,170 --> 00:13:26,104
I can't do data
center automation,

307
00:13:26,105 --> 00:13:28,140
I can't do rebuilds
of endpoints.

308
00:13:28,140 --> 00:13:29,909
I can't do any of
that stuff because

309
00:13:29,909 --> 00:13:33,112
we've built our entire
operations around PowerShell.

310
00:13:33,112 --> 00:13:35,747
So good luck
banning that, right.

311
00:13:35,748 --> 00:13:38,317
How do I determine whether
PowerShell doin' something,

312
00:13:38,317 --> 00:13:41,187
making a network connection
to a new box, is good or bad?

313
00:13:42,488 --> 00:13:44,456
That's the life
we live, those are

314
00:13:44,456 --> 00:13:46,492
the questions we have to answer.

315
00:13:46,492 --> 00:13:48,727
But if I had that,
what I'm gonna refer to

316
00:13:48,727 --> 00:13:52,898
as normal intelligence, and
we treated it like we do

317
00:13:52,898 --> 00:13:56,235
with adversarial threat
intelligence, as a community,

318
00:13:56,235 --> 00:13:59,338
like, we exchanged
it, we talk about it,

319
00:13:59,338 --> 00:14:01,674
we've got a place to go
find this stuff together,

320
00:14:01,674 --> 00:14:02,975
that's where we need to be.

321
00:14:02,975 --> 00:14:05,244
Because this cycle
becomes shorter then.

322
00:14:05,244 --> 00:14:07,313
I certainly know
what it was like

323
00:14:07,313 --> 00:14:08,881
when I actually had a real job,

324
00:14:09,982 --> 00:14:12,284
and this would happen,
we had trouble.

325
00:14:12,284 --> 00:14:15,120
Spreadsheets, I had
text messages to people

326
00:14:15,120 --> 00:14:17,156
who were way smarter than me.

327
00:14:17,156 --> 00:14:18,590
You know, hey Ben, have
you seen this before,

328
00:14:18,591 --> 00:14:20,159
Mike, have you seen this before?

329
00:14:20,159 --> 00:14:22,361
How many of us live in that
world, where it's like,

330
00:14:22,361 --> 00:14:23,829
is this, I gotta make the call,

331
00:14:23,829 --> 00:14:26,464
is it actually evil,
or is it good, right.

332
00:14:26,465 --> 00:14:27,700
And we err on the side of not

333
00:14:27,700 --> 00:14:30,202
interrupting the
user all the time.

334
00:14:30,202 --> 00:14:33,038
So we have to walk
that razor line,

335
00:14:33,038 --> 00:14:35,341
as responders and threat
hunters all the time.

336
00:14:36,909 --> 00:14:38,310
'Cause I can tell you
what it's like to be

337
00:14:38,310 --> 00:14:40,579
in an engineering company,
when you stop a developer

338
00:14:40,579 --> 00:14:42,348
from actually being able
to push out a binary

339
00:14:42,348 --> 00:14:44,717
that sells millions of
dollars worth of stuff,

340
00:14:44,717 --> 00:14:47,086
it's gonna be a bad day
for you in that seat.

341
00:14:47,086 --> 00:14:51,090
So, in this particular
case, it's abnormal, benign,

342
00:14:51,090 --> 00:14:53,993
because uh oh, it was
my system administrators

343
00:14:55,194 --> 00:14:57,596
orchestrating things
on endpoints, right.

344
00:14:57,596 --> 00:15:00,599
You have to see the behaviors
of something like PowerShell.

345
00:15:00,599 --> 00:15:02,434
And I was gonna swap this out,
and I'm sure a couple people

346
00:15:02,434 --> 00:15:05,704
in my company would be upset
that I didn't with WMI.

347
00:15:05,704 --> 00:15:09,007
And I'm gonna briefly add one
to this list, which is WMI,

348
00:15:09,008 --> 00:15:10,342
and it's gonna fall
in the same category.

349
00:15:10,342 --> 00:15:13,812
If you look at WMI, and
how it actually works,

350
00:15:13,812 --> 00:15:15,347
SCCM is gonna spray that out.

351
00:15:15,347 --> 00:15:16,814
So if you have SCCM
in your environment,

352
00:15:16,815 --> 00:15:18,284
you're gonna have to know that.

353
00:15:18,284 --> 00:15:20,319
You're gonna have to know
how WMI actually looks

354
00:15:20,319 --> 00:15:22,488
to find it when it's being evil.

355
00:15:22,488 --> 00:15:24,857
So, just know that the bad
guys know that we're after

356
00:15:24,857 --> 00:15:26,891
PowerShell, and they've
already moved on to WMI.

357
00:15:26,892 --> 00:15:29,295
So, expect a lot of lateral
movement to be that.

358
00:15:30,829 --> 00:15:33,031
Alright, I'm gonna
go to the last one.

359
00:15:34,300 --> 00:15:35,534
Dllhost.exe.

360
00:15:39,271 --> 00:15:42,540
When is it okay for
dllhost.exe to kick off

361
00:15:42,541 --> 00:15:45,844
something like a command
interpreter, like,

362
00:15:45,844 --> 00:15:47,446
I'll just use cmd.exe (mumbles).

363
00:15:52,584 --> 00:15:54,920
This one, I didn't come
here to give answers.

364
00:15:54,920 --> 00:15:57,823
'Cause, ultimately, no
one has all the answers

365
00:15:57,823 --> 00:16:00,526
when it comes to this
game, but as a group,

366
00:16:00,526 --> 00:16:02,227
we're really smart.

367
00:16:02,227 --> 00:16:03,963
We can start to put
this data together,

368
00:16:03,963 --> 00:16:05,564
and start to talk to each other.

369
00:16:05,564 --> 00:16:07,565
And vendors can stop competing

370
00:16:07,566 --> 00:16:10,235
on things like false
positive rates.

371
00:16:10,235 --> 00:16:12,004
I think we're gonna
get better on that.

372
00:16:13,172 --> 00:16:14,940
So in this particular
case, I don't know.

373
00:16:14,940 --> 00:16:16,542
We've got a whole bunch
more investigating to do.

374
00:16:16,542 --> 00:16:18,644
But how much time did we
waste until we actually get

375
00:16:18,644 --> 00:16:21,613
an answer on whether or
not this is normal behavior

376
00:16:21,613 --> 00:16:23,882
for an approved application
in my environment.

377
00:16:28,687 --> 00:16:29,922
This is extremely hard.

378
00:16:31,623 --> 00:16:32,491
We wanna help.

379
00:16:34,126 --> 00:16:35,928
We wanna help all
of you in this room,

380
00:16:35,928 --> 00:16:36,862
because we've seen what happens

381
00:16:36,862 --> 00:16:38,063
when a community gets together.

382
00:16:38,063 --> 00:16:39,497
If you're a customer
of Carbon Black,

383
00:16:39,498 --> 00:16:41,200
you're part of
the user exchange,

384
00:16:41,200 --> 00:16:43,469
and this happens
on a daily basis.

385
00:16:43,469 --> 00:16:46,205
Defenders exchanging
information with defenders,

386
00:16:46,205 --> 00:16:49,041
and actually getting
through these cycles faster.

387
00:16:49,041 --> 00:16:51,643
As a community, we need
that, it cannot be exclusive

388
00:16:51,643 --> 00:16:54,246
to one organization, and
one set of customers.

389
00:16:54,246 --> 00:16:56,682
'Cause no vendor out there is
gonna sell a hundred percent

390
00:16:56,682 --> 00:16:59,685
of the market, it's just
not gonna happen, right.

391
00:16:59,685 --> 00:17:01,387
So, if we continue to
hoard that information,

392
00:17:01,387 --> 00:17:04,123
we continue to not give
it away as a community,

393
00:17:04,123 --> 00:17:07,126
we are doing a disservice
to ourselves as a company.

394
00:17:07,126 --> 00:17:09,728
Imagine a world without
all of this noise,

395
00:17:09,728 --> 00:17:11,163
and third party applications.

396
00:17:12,297 --> 00:17:13,766
Imagine a world, where
we could actually

397
00:17:13,766 --> 00:17:17,503
help to educate major
software vendors,

398
00:17:17,502 --> 00:17:20,271
that their applications
look exactly like an APT.

399
00:17:20,271 --> 00:17:24,076
Imagine a world, and some
of you may actually work

400
00:17:24,076 --> 00:17:25,778
for a major software
manufacturer.

401
00:17:26,944 --> 00:17:28,012
You may actually be
able to influence

402
00:17:28,012 --> 00:17:29,947
this problem in your company.

403
00:17:29,948 --> 00:17:32,317
But imagine a world,
where you have to approve

404
00:17:32,317 --> 00:17:34,153
a new application
comin' in, and you can

405
00:17:34,153 --> 00:17:37,022
look the vendor in
the face, and say

406
00:17:37,022 --> 00:17:39,358
do you trigger any
of MITRE ATT&CK?

407
00:17:40,526 --> 00:17:43,629
So, now I know, right
at the beginning of it.

408
00:17:43,629 --> 00:17:45,597
They don't actually know
that what they're doing

409
00:17:45,597 --> 00:17:48,267
is causing us pain
and wasting time.

410
00:17:48,267 --> 00:17:49,935
What they're doing,
from their perspective,

411
00:17:49,935 --> 00:17:52,905
makes perfect sense,
'cause their binaries work.

412
00:17:52,905 --> 00:17:56,208
Look, Microsoft has sold
a lot of binaries, right.

413
00:17:56,208 --> 00:17:58,343
We have to help educate them.

414
00:17:58,343 --> 00:18:00,479
We really do, like, that's
a big part of our job.

415
00:18:00,479 --> 00:18:04,383
They don't know that all
this noise lands on us

416
00:18:04,383 --> 00:18:06,552
and we've got to cut through it.

417
00:18:06,552 --> 00:18:09,088
So we all have work
to do as a community.

418
00:18:09,088 --> 00:18:10,355
What we need to start
doing, is linking

419
00:18:10,355 --> 00:18:12,257
application software development

420
00:18:12,257 --> 00:18:13,992
with threat hunting
and incident response,

421
00:18:13,992 --> 00:18:15,594
and feed that back over to them.

422
00:18:18,530 --> 00:18:21,300
Here's what Carbon Black would
like to do about all of this.

423
00:18:21,300 --> 00:18:24,636
We would like to provide MITRE
with good, known binaries

424
00:18:24,636 --> 00:18:29,207
and false positives for every
single TTP in MITRE ATT&CK.

425
00:18:31,076 --> 00:18:33,745
So, imagine having a
repository where you can go

426
00:18:33,745 --> 00:18:36,581
and quickly rule out whether
it's a false positive.

427
00:18:37,883 --> 00:18:39,585
Where you can start to manage

428
00:18:39,585 --> 00:18:41,587
normal intelligence
in your environment.

429
00:18:42,721 --> 00:18:44,423
We wanna help developers
do the right thing,

430
00:18:44,423 --> 00:18:45,491
stop yelling at them.

431
00:18:46,959 --> 00:18:48,160
We need to get into their world,

432
00:18:48,160 --> 00:18:49,661
and they need to
get into our world.

433
00:18:49,661 --> 00:18:51,897
We gotta get together, and get
a little weird for a while.

434
00:18:53,031 --> 00:18:54,765
We wanna reduce
false positive rates

435
00:18:54,766 --> 00:18:57,336
for everybody in the
industry, not just ourselves.

436
00:18:57,336 --> 00:19:00,439
Look, I'll stay on
the stage and say

437
00:19:00,439 --> 00:19:02,274
I've never worked
for another vendor.

438
00:19:02,274 --> 00:19:04,610
I came here because of
Carbon Black's vision,

439
00:19:04,610 --> 00:19:06,578
I came here, because
of a mission,

440
00:19:06,578 --> 00:19:09,081
but more importantly,
I came here,

441
00:19:09,081 --> 00:19:12,551
it's fundamental to the
company, we are defenders.

442
00:19:12,551 --> 00:19:15,553
Like, we do this on a daily
basis, and we live with the pain

443
00:19:15,554 --> 00:19:18,090
on a daily basis,
so we understand it.

444
00:19:19,424 --> 00:19:21,326
We want to save everybody time.

445
00:19:22,761 --> 00:19:24,329
You know, Ben has
talked about this,

446
00:19:24,329 --> 00:19:26,298
JJ talked about this last year.

447
00:19:27,866 --> 00:19:30,536
One of the most precious
commodities we have, is time.

448
00:19:30,536 --> 00:19:33,305
They're giving us
more money, right.

449
00:19:33,305 --> 00:19:36,642
We're at 98 billion dollar
market cap now, in this period.

450
00:19:38,076 --> 00:19:40,679
That has grown
extremely, since 1998.

451
00:19:40,679 --> 00:19:42,147
They're giving us more money.

452
00:19:43,115 --> 00:19:45,083
They are giving us more people.

453
00:19:45,083 --> 00:19:46,685
Now granted, everyone
I've talked to says

454
00:19:46,685 --> 00:19:48,187
six to nine months to
actually get someone

455
00:19:48,187 --> 00:19:50,522
in the seat, trained
to be effective.

456
00:19:51,690 --> 00:19:53,058
We need to start
cutting that down,

457
00:19:53,058 --> 00:19:54,626
'cause our army ain't
gettin' big fast enough.

458
00:19:54,626 --> 00:19:56,828
Look, I work with
universities all the time,

459
00:19:58,197 --> 00:20:00,732
we're not graduating
people fast enough, right.

460
00:20:00,732 --> 00:20:02,167
So we have to do
something different.

461
00:20:02,167 --> 00:20:04,735
This idea that we can continue
to make linear progress

462
00:20:04,736 --> 00:20:08,307
and get .1% better on
efficacy or detection

463
00:20:08,307 --> 00:20:10,809
is just not the world
we can live with.

464
00:20:11,877 --> 00:20:13,412
Most of the people in this room

465
00:20:13,412 --> 00:20:15,314
are quite aware of what's
happening across the world.

466
00:20:15,314 --> 00:20:18,850
Geopolitically, cyberworld-wise,
all of those things.

467
00:20:20,619 --> 00:20:25,057
We now have nation state tools
makin' the common ransomware.

468
00:20:25,057 --> 00:20:27,125
That's the world we live
in, and we gotta change it.

469
00:20:27,125 --> 00:20:29,828
We continue to do this thing,
where we make linear progress,

470
00:20:29,828 --> 00:20:31,530
but it's not gonna get better.

471
00:20:31,530 --> 00:20:33,732
Ultimately, we're gonna
be the ones stuck with it.

472
00:20:33,732 --> 00:20:35,533
We're gonna be the ones
at 3am triagin' it,

473
00:20:35,534 --> 00:20:37,102
and trying to figure
it out for our company,

474
00:20:37,102 --> 00:20:39,571
whether or not we just lost
millions out the front door.

475
00:20:41,640 --> 00:20:43,575
So I'm gonna call this
normal intelligence for now,

476
00:20:43,575 --> 00:20:45,577
you can pick on me all you want.

477
00:20:45,577 --> 00:20:47,079
We can come up with
a different name.

478
00:20:47,079 --> 00:20:50,148
I really don't care, as long
as the effort gets done.

479
00:20:50,148 --> 00:20:53,017
What I wanna challenge
everyone with in this room,

480
00:20:53,018 --> 00:20:56,688
vendors, competitors, defenders,

481
00:20:56,688 --> 00:20:58,257
let's go fix this
as a community.

482
00:20:58,257 --> 00:21:01,126
We have seen the power of
community at Carbon Black.

483
00:21:01,126 --> 00:21:03,695
We want that for all of
us, not just our customers.

484
00:21:05,097 --> 00:21:08,066
So let's stop competing on
this stuff, it's intelligence.

485
00:21:08,066 --> 00:21:10,335
We have spent so much time
on threat intelligence

486
00:21:10,335 --> 00:21:11,837
and looking at
adversarial behaviors,

487
00:21:11,837 --> 00:21:15,407
that we have ignored
our home-field
advantage for too long.

488
00:21:15,407 --> 00:21:17,109
For far too long,
we've given up.

489
00:21:17,109 --> 00:21:20,178
I've sat in the room with
major CISOs who've said,

490
00:21:20,178 --> 00:21:22,614
asset management is
never gonna happen.

491
00:21:22,614 --> 00:21:24,483
Not if you give up.

492
00:21:24,483 --> 00:21:26,418
Look, I'm a cynic too,
I don't think you can

493
00:21:26,418 --> 00:21:28,453
work in security
and not be a cynic.

494
00:21:28,453 --> 00:21:29,955
But if you give
up from the start

495
00:21:29,955 --> 00:21:33,058
and say something can never
happen, it will never happen.

496
00:21:34,192 --> 00:21:36,094
We in this room
are this community.

497
00:21:37,529 --> 00:21:40,098
Like, you know I spent time
talking to Phil this morning,

498
00:21:40,098 --> 00:21:41,233
and I asked him about the growth

499
00:21:41,233 --> 00:21:43,135
of this particular event.

500
00:21:43,135 --> 00:21:44,770
Like, have we seen
as threat hunters,

501
00:21:44,770 --> 00:21:46,972
and incident
responders, more people

502
00:21:46,972 --> 00:21:48,874
wanting to get in this game.

503
00:21:48,874 --> 00:21:50,676
The answer is yes,
it's one of the most

504
00:21:50,676 --> 00:21:52,811
rapidly growing
summits that SANS has.

505
00:21:54,246 --> 00:21:55,514
That's awesome.

506
00:21:55,514 --> 00:21:57,916
So guess what, we
are the leaders.

507
00:21:57,916 --> 00:21:59,618
Like, we are the community.

508
00:21:59,618 --> 00:22:02,254
We need to remember
that, especially

509
00:22:02,254 --> 00:22:03,588
when it comes to
vendors out there.

510
00:22:03,588 --> 00:22:05,123
We can drive change.

511
00:22:07,459 --> 00:22:09,394
So imagine the world
without the noise.

512
00:22:14,099 --> 00:22:16,301
How much easier would
it be if we could

513
00:22:16,301 --> 00:22:18,003
rule out a false
positive, faster.

514
00:22:19,137 --> 00:22:21,406
How much easier
would it be to say,

515
00:22:21,406 --> 00:22:25,844
oh, this is normal
behavior for WMI net ccm.

516
00:22:25,844 --> 00:22:27,746
And oh, by the way, I'm gonna go

517
00:22:27,746 --> 00:22:28,580
share that out in the community.

518
00:22:29,514 --> 00:22:32,383
So, Carbon Black is committed to

519
00:22:32,384 --> 00:22:34,319
setting up a slack
channel around this,

520
00:22:35,487 --> 00:22:36,955
so that you can ask
questions for normal.

521
00:22:36,955 --> 00:22:38,657
Now, I couldn't commit every
resource in the company

522
00:22:38,657 --> 00:22:41,592
to manning that, but Mike
Viscuso, the CTO of the company

523
00:22:41,593 --> 00:22:43,428
has guaranteed that
we will man that

524
00:22:43,428 --> 00:22:45,764
for an hour, one day a week.

525
00:22:45,764 --> 00:22:48,033
What we're asking
is for anybody else

526
00:22:48,033 --> 00:22:50,334
that wants to participate, man
another hour during the week.

527
00:22:50,335 --> 00:22:53,171
It's just an hour, put a
couple of your experts in there

528
00:22:53,171 --> 00:22:54,973
so we can exchange normal,
start talking about it,

529
00:22:54,973 --> 00:22:57,442
rule the stuff out
fast in the community.

530
00:22:57,442 --> 00:22:58,410
'Cause the conversations
are happening

531
00:22:58,410 --> 00:23:00,212
in our UEX, and it's awesome.

532
00:23:01,613 --> 00:23:03,615
But that's only gonna impact
Carbon Black customers.

533
00:23:03,615 --> 00:23:06,318
We want to impact
the entire industry.

534
00:23:06,318 --> 00:23:09,588
I didn't come into
this industry, to like,

535
00:23:09,588 --> 00:23:11,490
make incremental
change, and I certainly

536
00:23:11,490 --> 00:23:14,159
didn't come to a vendor
like Carbon Black,

537
00:23:14,159 --> 00:23:17,028
who has the ability to
lead, and the willingness

538
00:23:17,028 --> 00:23:19,297
to actually stand up and lead.

539
00:23:19,297 --> 00:23:20,899
We could hoard this information.

540
00:23:22,334 --> 00:23:25,604
We certainly could, and keep
our false positive rates low.

541
00:23:25,604 --> 00:23:26,838
We know that some
of this information

542
00:23:26,838 --> 00:23:28,874
is probably gonna
help our competitors

543
00:23:28,874 --> 00:23:31,042
like, we're fully aware of that.

544
00:23:31,042 --> 00:23:32,276
We don't care, why?

545
00:23:32,277 --> 00:23:34,212
'Cause it makes
your life better,

546
00:23:34,212 --> 00:23:35,747
and we have to have
that commitment.

547
00:23:35,747 --> 00:23:37,416
The leaders in this
industry, have got to

548
00:23:37,416 --> 00:23:39,751
have that commitment,
and as a community,

549
00:23:39,751 --> 00:23:42,921
we've got to stand up and
demand that from our vendor.

550
00:23:42,921 --> 00:23:46,758
So again, imagine your
world without this noise.

551
00:23:47,926 --> 00:23:49,593
How much faster
can we find evil?

552
00:23:50,996 --> 00:23:54,132
Oh, this all sounds great,
Rick, sounds awesome.

553
00:23:55,600 --> 00:23:57,535
But, but, but, we've heard
things like this before.

554
00:23:57,536 --> 00:23:58,904
Yeah, you probably have.

555
00:24:00,405 --> 00:24:02,274
Hey, but wait, wouldn't
this give adversaries

556
00:24:02,274 --> 00:24:04,810
a roadmap for how
to evade technology?

557
00:24:04,810 --> 00:24:07,678
Yeah, but guess what,
they're right now, how.

558
00:24:07,679 --> 00:24:09,214
I mean look, some
of us in the room

559
00:24:09,214 --> 00:24:11,149
can't actually go and do it,
but if you go look at things

560
00:24:11,149 --> 00:24:13,517
like Marble and
Grasshopper, and you know,

561
00:24:13,518 --> 00:24:15,454
some of these Vault 7
and Vault, they already know.

562
00:24:15,454 --> 00:24:16,288
They already know.

563
00:24:19,024 --> 00:24:22,226
I don't think we should
be held up by but.

564
00:24:24,629 --> 00:24:25,664
It's a terrible way
to hold yourself up.

565
00:24:25,664 --> 00:24:27,399
But, but, but, but, but.

566
00:24:27,399 --> 00:24:29,234
Arguing about edge cases.

567
00:24:29,234 --> 00:24:31,903
Can we do something
about this problem?

568
00:24:31,903 --> 00:24:33,939
I mean, for once as a community,
agree this is a problem,

569
00:24:33,939 --> 00:24:36,508
and actually do something
about it, and get together.

570
00:24:36,508 --> 00:24:38,944
I sit on a whole lot of
committees with other

571
00:24:38,944 --> 00:24:41,312
vendors and competitors in
a space and it gets weird.

572
00:24:41,313 --> 00:24:44,249
And let me tell you
something, the adversary,

573
00:24:44,249 --> 00:24:46,885
they don't care
about our politics.

574
00:24:46,885 --> 00:24:49,621
They don't care about who
owns the market space,

575
00:24:49,621 --> 00:24:51,256
or who's the best vendor, like

576
00:24:52,424 --> 00:24:53,758
they don't care
about any of that.

577
00:24:53,758 --> 00:24:55,193
That is not a
consideration to them, no.

578
00:24:55,193 --> 00:24:57,429
But here we sit, as a community,
arguing about edge cases.

579
00:24:57,429 --> 00:24:58,997
Not getting together
to actually,

580
00:24:58,997 --> 00:25:01,466
drastically change this
game, and we have got to.

581
00:25:02,601 --> 00:25:04,369
I just wrote a blog,
to kind of tee this up,

582
00:25:04,369 --> 00:25:06,538
and I said, you
know, we're hurtling

583
00:25:06,538 --> 00:25:08,607
toward something as a community.

584
00:25:08,607 --> 00:25:09,875
And I can't figure
out if that thing

585
00:25:09,875 --> 00:25:11,543
is disaster or safety.

586
00:25:11,543 --> 00:25:13,277
Like, to be honest with
you, some days I wake up

587
00:25:13,278 --> 00:25:16,181
and I go, oh, this is the
day, like, we're doomed.

588
00:25:17,315 --> 00:25:18,783
I'm also really trying
to stay optimistic

589
00:25:18,783 --> 00:25:21,052
about the problem, because
we are making a dent.

590
00:25:22,220 --> 00:25:24,155
There are good things
that are happening.

591
00:25:24,155 --> 00:25:25,557
Our community has
got to get together

592
00:25:25,557 --> 00:25:27,492
and demand that
we're actually gonna

593
00:25:27,492 --> 00:25:29,226
be a community
around this stuff.

594
00:25:31,263 --> 00:25:33,365
Spent some time
with Carl yesterday,

595
00:25:33,365 --> 00:25:34,833
he said the same thing.

596
00:25:34,833 --> 00:25:38,470
Yeah, we waste time and
companies are paying for it.

597
00:25:39,804 --> 00:25:43,708
Like, cool, $300,
$400 an hour, awesome.

598
00:25:43,708 --> 00:25:46,144
You just spent six
hours, find an SCCM.

599
00:25:47,445 --> 00:25:48,879
It's not good, right.

600
00:25:48,880 --> 00:25:50,615
So we all have these internal
sources of intelligence,

601
00:25:50,615 --> 00:25:52,951
we have to treat it like
external threat intel.

602
00:25:56,521 --> 00:26:00,825
Yeah, I'm a poker
player, and I've worked

603
00:26:00,825 --> 00:26:02,527
a long time to actually go play

604
00:26:02,527 --> 00:26:04,229
in the World Series of Poker.

605
00:26:04,229 --> 00:26:05,597
What I can tell you about this,

606
00:26:05,597 --> 00:26:07,566
is poker is very
interestingly, a whole lot

607
00:26:07,566 --> 00:26:10,001
like incident response
and threat handling.

608
00:26:10,001 --> 00:26:12,237
You have a constant
changing set of statistics.

609
00:26:12,237 --> 00:26:14,139
Well, you have a baseline
set of statistics,

610
00:26:14,139 --> 00:26:16,107
it changes per hand.

611
00:26:16,107 --> 00:26:19,511
As an example, is that
player aggressive?

612
00:26:20,979 --> 00:26:22,847
Have you seen hands
from him before?

613
00:26:22,847 --> 00:26:25,050
Context in poker becomes
everything, as well,

614
00:26:25,050 --> 00:26:27,886
because per hand
statistics change.

615
00:26:27,886 --> 00:26:31,156
Aces aren't always the best
hand to play, trust me.

616
00:26:32,324 --> 00:26:34,326
Normal and abnormal
gets really weird.

617
00:26:35,493 --> 00:26:36,695
Is it normal for someone
to just go all in

618
00:26:36,695 --> 00:26:38,096
when they pay $10,000
on the first hand

619
00:26:38,096 --> 00:26:39,864
in the World Series of Poker?

620
00:26:39,864 --> 00:26:41,833
Yeah, I can tell you that
happens on a regular basis,

621
00:26:41,833 --> 00:26:43,635
so it's not abnormal,
but I have to

622
00:26:43,635 --> 00:26:45,470
factor that in to how I play.

623
00:26:45,470 --> 00:26:48,740
To actually have a chance of
playing a hand and winning.

624
00:26:49,908 --> 00:26:52,977
I think for us, we have
to do the same, okay.

625
00:26:52,978 --> 00:26:56,982
Look, we can't choose
when the gaze of Sauron

626
00:26:56,982 --> 00:26:59,417
comes upon our systems,
we can't choose

627
00:26:59,417 --> 00:27:00,619
when evil's gonna hit us.

628
00:27:01,753 --> 00:27:04,356
But we can choose what
to do once they're

629
00:27:04,356 --> 00:27:05,624
inside our environments.

630
00:27:05,624 --> 00:27:07,559
We can choose what to
do to set ourselves up

631
00:27:07,559 --> 00:27:09,561
to be successful
when that does happen

632
00:27:09,561 --> 00:27:11,062
and get through
those cycles faster.

633
00:27:11,062 --> 00:27:12,964
That's what we can do first.

634
00:27:12,964 --> 00:27:15,567
I can't control an adversary
when they're doing their thing.

635
00:27:15,567 --> 00:27:17,469
Once they get on my network,
I can probably control 'em.

636
00:27:17,469 --> 00:27:19,971
But we have no control over
them, what we can control

637
00:27:19,971 --> 00:27:22,307
is who we are as a
community, and how we learn

638
00:27:22,307 --> 00:27:24,242
and it's gotta change.

639
00:27:29,080 --> 00:27:32,583
Knowing normal is everything.

640
00:27:32,584 --> 00:27:34,986
We spend far too long
focused on finding evil,

641
00:27:36,121 --> 00:27:37,555
we need to get through
the cycle faster.

642
00:27:38,723 --> 00:27:40,524
We need to actually
act like a community.

643
00:27:41,693 --> 00:27:44,496
We need massive
leaps in progress,

644
00:27:44,496 --> 00:27:46,398
not linear changes.

645
00:27:47,832 --> 00:27:50,402
I wanted to say thank you to
the entire Carbon Black team.

646
00:27:50,402 --> 00:27:52,237
This was a true team effort.

647
00:27:52,237 --> 00:27:54,372
I also wanted to thank
SANS, it was a goal of mine

648
00:27:54,372 --> 00:27:59,077
to keynote a SANS event for,
probably the last 15 years,

649
00:27:59,077 --> 00:28:00,545
so thank you for
the opportunity,

650
00:28:00,545 --> 00:28:02,047
and thank each and
every one of you

651
00:28:02,047 --> 00:28:04,749
for being in the room,
and for doing what you do.

652
00:28:04,749 --> 00:28:06,885
It's extremely
important, what we do.

653
00:28:08,053 --> 00:28:09,587
And we don't get
told that enough,

654
00:28:09,587 --> 00:28:11,523
so as a defender, as someone
who has wasted a lot of time

655
00:28:11,523 --> 00:28:13,824
alongside all the rest
of us, I would just like

656
00:28:13,825 --> 00:28:15,026
to personally thank you.

657
00:28:16,094 --> 00:28:18,296
Keep up the good
fight, let's talk more,

658
00:28:18,296 --> 00:28:20,165
let's get together
as a community.

659
00:28:20,165 --> 00:28:22,600
We are Carbon Black, and
I am proud to (mumbles).

660
00:28:23,768 --> 00:28:25,136
Thank you.

661
00:28:25,136 --> 00:28:27,372
(applause)

662
00:28:30,875 --> 00:28:33,778
(electronic music)

