1
00:00:00,600 --> 00:00:02,635
(serene music)

2
00:00:10,210 --> 00:00:12,445
(applause)

3
00:00:15,849 --> 00:00:17,751
- [David] Hey guys,
I've given this

4
00:00:17,751 --> 00:00:19,886
talk a couple of
times now at different

5
00:00:19,886 --> 00:00:22,822
intelligence communities
and stuff like that.

6
00:00:22,822 --> 00:00:24,724
I went to a DHS ATTE conference

7
00:00:24,724 --> 00:00:28,495
which stands for Advanced
Threat Technical Exchange.

8
00:00:28,495 --> 00:00:29,929
It wasn't very technical,

9
00:00:29,929 --> 00:00:32,732
so I took out a lot of
the technical portions

10
00:00:32,732 --> 00:00:34,000
just to come to a conference

11
00:00:34,000 --> 00:00:35,268
where everything
is very technical.

12
00:00:35,268 --> 00:00:37,871
So sorry about that.

13
00:00:37,871 --> 00:00:41,041
We have a lot of cool images
and fun things for managers,

14
00:00:41,041 --> 00:00:42,342
which is normally who I brief,

15
00:00:42,342 --> 00:00:45,512
but the majority of
this presentation

16
00:00:45,512 --> 00:00:46,880
is better as a conversation.

17
00:00:46,880 --> 00:00:48,181
So we're gonna
breeze through this,

18
00:00:48,181 --> 00:00:50,016
and most of what's gonna
happen at the end of it,

19
00:00:50,016 --> 00:00:52,251
if you guys have questions,
let's push questions.

20
00:00:52,252 --> 00:00:53,787
I kind of have a
feeling you're going to,

21
00:00:53,787 --> 00:00:56,222
because of the nature
of what we're doing.

22
00:00:56,222 --> 00:00:57,791
Basically, what we work on

23
00:00:57,791 --> 00:00:59,858
is what's called
the ECS Program.

24
00:00:59,859 --> 00:01:03,563
The ECS is a sister
program of EINSTEIN.

25
00:01:03,563 --> 00:01:06,066
Who's all heard of
EINSTEIN that DHS has?

26
00:01:06,066 --> 00:01:07,434
A lot of people.

27
00:01:07,434 --> 00:01:10,336
So I mean, it is
actually an exact replica

28
00:01:10,336 --> 00:01:11,738
of the EINSTEIN program.

29
00:01:13,139 --> 00:01:15,741
It's for US-based commercial
infrastructure, though.

30
00:01:15,742 --> 00:01:17,477
And so I work on an ISP.

31
00:01:17,477 --> 00:01:19,579
I work for an ISP
on this program

32
00:01:19,579 --> 00:01:21,547
where we cover
down and we monitor

33
00:01:21,548 --> 00:01:25,418
for foreign intelligence,
terrorist organizations,

34
00:01:25,418 --> 00:01:27,554
and highly funded crime
syndicate activity

35
00:01:27,554 --> 00:01:30,156
in US-based critical
infrastructure.

36
00:01:30,156 --> 00:01:31,524
The way that the program works,

37
00:01:31,524 --> 00:01:33,259
interested parties like ISPs--

38
00:01:33,259 --> 00:01:35,462
I'm sorry, CenturyLink,
Verizon, AT&T,

39
00:01:36,629 --> 00:01:38,832
other people are part
of the program as well.

40
00:01:38,832 --> 00:01:40,032
They get cleared.

41
00:01:40,033 --> 00:01:42,302
Intel comes from federal
intel communities.

42
00:01:42,302 --> 00:01:44,971
DHS collects from
intel communities.

43
00:01:44,971 --> 00:01:46,473
And cleared parties
identify vehicles

44
00:01:46,473 --> 00:01:50,110
to leverage intel in
commercial spaces.

45
00:01:50,110 --> 00:01:54,747
So basically what that means
is we set up a spot for them

46
00:01:54,747 --> 00:01:56,015
to go to route their
traffic through us.

47
00:01:56,015 --> 00:01:58,585
We monitor for
classified intelligence

48
00:01:58,585 --> 00:02:01,220
in commercial organizations.

49
00:02:01,221 --> 00:02:03,690
Obviously you have to take
people from previous spaces

50
00:02:03,690 --> 00:02:07,861
like agencies whatnot who
have access to that intel.

51
00:02:07,861 --> 00:02:09,662
They can read it,
they can identify it.

52
00:02:09,662 --> 00:02:12,098
Whenever there's enriched
data that's necessary,

53
00:02:12,098 --> 00:02:14,567
you submit downgrade
requests, whatnot.

54
00:02:14,567 --> 00:02:19,239
So that's kind of
just a background of
the program itself.

55
00:02:19,239 --> 00:02:21,207
I'll give kind of a
little bit of an overview

56
00:02:21,207 --> 00:02:22,742
really quickly,
again, what it is,

57
00:02:22,742 --> 00:02:24,710
but we're gonna go
into what we're doing

58
00:02:24,711 --> 00:02:28,781
with the basics of intel,
how we're manipulating data

59
00:02:28,781 --> 00:02:33,520
using unclassified attributes
of classified intel

60
00:02:33,520 --> 00:02:35,421
to identified
classified intelligence

61
00:02:35,421 --> 00:02:37,090
before it becomes classified.

62
00:02:37,090 --> 00:02:39,859
And then I can push it out
to the commercial community.

63
00:02:41,027 --> 00:02:43,529
I forgot I was in
charge of this.

64
00:02:43,530 --> 00:02:47,100
So basically what I
just went through,

65
00:02:47,100 --> 00:02:49,335
intel communities push
to Homeland Security,

66
00:02:49,335 --> 00:02:53,173
which then goes down to CSPs,
which then we cover down

67
00:02:53,173 --> 00:02:55,408
for critical infrastructure
in the United States.

68
00:02:55,408 --> 00:02:57,677
One of the largest conversations
that's happening right now

69
00:02:57,677 --> 00:03:00,380
is how we can play a role
in the election platforms.

70
00:03:00,380 --> 00:03:02,582
Of course, that's a
buzz in everything as

71
00:03:02,582 --> 00:03:05,817
you may or may not know, but
ECS is on its Schedule 70,

72
00:03:05,818 --> 00:03:07,520
to be able to cover down
for that, so that's one of

73
00:03:07,520 --> 00:03:08,955
the things that
we're driving right

74
00:03:08,955 --> 00:03:10,557
now moving forward in that case.

75
00:03:12,258 --> 00:03:15,662
The way that we do that
fundamentally is by setting up

76
00:03:15,662 --> 00:03:18,898
IPsec tunnels to organizations,
having them route their DNS

77
00:03:18,898 --> 00:03:22,402
traffic back and forth to us.

78
00:03:24,804 --> 00:03:27,674
So we cover them on DNS,
SMTP, and NetFlow indicators.

79
00:03:27,674 --> 00:03:29,876
Right now we're just
going to talk about DNS.

80
00:03:31,044 --> 00:03:34,414
So in organizations,
not every organization

81
00:03:34,414 --> 00:03:37,549
has people with clearances.

82
00:03:37,550 --> 00:03:38,818
So whenever they
see something bad

83
00:03:38,818 --> 00:03:39,786
and we're going to
hit them up and say,

84
00:03:39,786 --> 00:03:41,120
Hey, we saw this, it's bad.

85
00:03:41,120 --> 00:03:42,388
They're like, Why is it bad?

86
00:03:42,388 --> 00:03:44,224
Well I can't really
share that with you,

87
00:03:44,224 --> 00:03:45,158
you're just going
to have to trust me.

88
00:03:45,158 --> 00:03:46,659
Yeah, I'm not going to trust you.

89
00:03:46,659 --> 00:03:48,361
I don't trust people I'm
paying for indicators with

90
00:03:48,361 --> 00:03:50,929
and I come back through and
they actually give me intel

91
00:03:50,930 --> 00:03:52,398
I still don't trust the intel.

92
00:03:52,398 --> 00:03:54,000
So I'm not going to trust you
by not giving me anything.

93
00:03:54,000 --> 00:03:55,702
So how can we shift that around,

94
00:03:55,702 --> 00:03:57,637
and open up
further conversation?

95
00:03:59,172 --> 00:04:02,075
So, basically
non-mature organizations

96
00:04:02,075 --> 00:04:03,875
are going to come
through and say,

97
00:04:03,876 --> 00:04:06,279
Well, we actually can't
identify where the threat's at

98
00:04:06,279 --> 00:04:08,047
we're just dealing
with DNS traffic,

99
00:04:08,047 --> 00:04:09,816
how can I identify
where it's coming from?

100
00:04:09,816 --> 00:04:14,821
Well, being able to, basically,
implement honeypots.

101
00:04:17,322 --> 00:04:20,659
Leveraging WebRTC on
those Apache frameworks,

102
00:04:20,660 --> 00:04:23,263
allows for us to
identify source IP addresses

103
00:04:23,263 --> 00:04:28,268
of infected threats, and
utilization of NetFlow

104
00:04:29,669 --> 00:04:32,005
traffic across wire are
all different ways that can

105
00:04:32,005 --> 00:04:36,709
leverage and be used to
identify an infected host.

106
00:04:38,144 --> 00:04:39,879
So again, what we're kind
of going back through here,

107
00:04:39,879 --> 00:04:42,582
if you're somebody that
offers IOCs, if you're someone

108
00:04:42,582 --> 00:04:44,884
that's collecting IOCs, if
you're somebody that's doing

109
00:04:44,884 --> 00:04:47,620
anything with IOCs
on the front end of it

110
00:04:47,620 --> 00:04:50,390
collect your intel,
put it in one spot.

111
00:04:50,390 --> 00:04:52,025
Whenever you guys come
to a conversation,

112
00:04:52,025 --> 00:04:54,460
exactly what was talking
about this morning.

113
00:04:54,460 --> 00:04:56,695
When coming out of that
conversation be ready to share.

114
00:04:56,696 --> 00:04:58,398
Be ready to bring stuff
to the table, be ready to

115
00:04:58,398 --> 00:05:01,501
actually give it up
because DHS is pushing down

116
00:05:01,501 --> 00:05:03,703
classified intelligence
to whatever they can

117
00:05:03,703 --> 00:05:07,506
to help cover down on
monitoring of intelligence

118
00:05:07,507 --> 00:05:08,975
in a critical infrastructure.

119
00:05:08,975 --> 00:05:11,244
If you guys are aware of
things, hey we're also aware

120
00:05:11,244 --> 00:05:12,912
of activity that's
going on here.

121
00:05:12,912 --> 00:05:15,381
It's the same exact
infrastructure, but
these domain names

122
00:05:15,381 --> 00:05:17,984
these IP addresses you
guys may not be aware of.

123
00:05:17,984 --> 00:05:20,053
We'll collect it, we'll
integrate it, we'll use it

124
00:05:20,053 --> 00:05:21,554
in our statistical analysis.

125
00:05:23,623 --> 00:05:26,793
Again, MITRE at the top of
the page, of course, a buzzword

126
00:05:26,793 --> 00:05:29,195
for this conference
which is great.

127
00:05:29,195 --> 00:05:31,197
It's a great platform
it's what we use for

128
00:05:31,197 --> 00:05:34,033
the aggregation of our
intelligence and being able

129
00:05:34,033 --> 00:05:38,738
to sort of group together
the attributes of our data.

130
00:05:38,738 --> 00:05:41,174
A bunch of other different
pieces where you can get

131
00:05:41,174 --> 00:05:43,976
information on APTs,
terrorist organizations,

132
00:05:43,976 --> 00:05:45,411
and crime syndicates.

133
00:05:45,411 --> 00:05:47,613
Of course there's tons of
different things you can monitor

134
00:05:47,613 --> 00:05:51,617
for, so many downloads something
from Metasploit and they

135
00:05:51,617 --> 00:05:53,119
create something that's
got a hash on it.

136
00:05:53,119 --> 00:05:55,455
I don't care, we're
not coming down on Bob.

137
00:05:55,455 --> 00:05:57,423
We're not looking for Bob
or George down the street.

138
00:05:57,423 --> 00:06:00,660
We're looking for
the organizations

139
00:06:00,660 --> 00:06:02,128
that I just talked about.

140
00:06:02,128 --> 00:06:04,296
So these are where you'll
be able to find them.

141
00:06:04,297 --> 00:06:05,331
Okay so automating
the hard work,

142
00:06:05,331 --> 00:06:06,899
again kind of going back to that

143
00:06:06,899 --> 00:06:09,268
you guys can sort of see
we're covering down on

144
00:06:09,268 --> 00:06:13,539
23 different actors and you
can sort of see the outliers

145
00:06:13,539 --> 00:06:16,876
here which is pretty
synonymous with what's going on

146
00:06:16,876 --> 00:06:18,344
in the commercial industry
whatever everybody else

147
00:06:18,344 --> 00:06:22,048
has been reporting, hey
these are the organizations

148
00:06:22,048 --> 00:06:25,251
with the highest
hitting activity.

149
00:06:25,251 --> 00:06:27,753
Of course DHS is not
going to let us put,

150
00:06:27,754 --> 00:06:31,391
hey, this is APT-28, 29
but you guys do the math.

151
00:06:32,892 --> 00:06:34,560
So this is essentially
what we're doing.

152
00:06:34,560 --> 00:06:38,331
We're pulling information
in, we're doing active

153
00:06:38,331 --> 00:06:42,001
blocking, inline blocking
of known bad indicators.

154
00:06:42,001 --> 00:06:44,102
And then we're actually
taking the attributes

155
00:06:44,103 --> 00:06:47,073
of our known bad
indicators and then

156
00:06:47,073 --> 00:06:48,808
putting them into
different databases.

157
00:06:48,808 --> 00:06:50,243
And when I say
attributes, I mean

158
00:06:50,243 --> 00:06:54,947
TTLs of DNS names, when
it was registered,

159
00:06:54,947 --> 00:06:57,817
everything that Umbrella
talked about yesterday

160
00:06:57,817 --> 00:06:59,585
we're essentially doing
the exact same thing

161
00:06:59,585 --> 00:07:02,421
but we're doing it with
classified intelligence.

162
00:07:02,422 --> 00:07:04,757
Again, anything that I'm
going to say up here is

163
00:07:04,757 --> 00:07:07,393
not going to be new we've
already talked about all of it,

164
00:07:07,393 --> 00:07:10,095
it's the source of the
data that's basically

165
00:07:10,096 --> 00:07:12,632
different in our case.

166
00:07:12,632 --> 00:07:15,601
Again, that conversation
if you guys wanted to be

167
00:07:15,601 --> 00:07:18,171
involved in that say, hey
we'd love to be able to see

168
00:07:18,171 --> 00:07:20,339
the intel that you're producing,
that you're coming up with

169
00:07:20,339 --> 00:07:22,742
after this you share with
the rest of the community.

170
00:07:22,742 --> 00:07:24,811
We're happy to do
that reach out to me

171
00:07:24,811 --> 00:07:27,078
contact me we're happy to
provide that information

172
00:07:27,079 --> 00:07:28,581
back to you guys,
hey these are other

173
00:07:28,581 --> 00:07:31,017
indicators we're finding and
then going back to the source

174
00:07:31,017 --> 00:07:33,553
to identify what processes
are initiating these

175
00:07:33,553 --> 00:07:35,588
to validate that it
is actually a threat.

176
00:07:37,056 --> 00:07:38,591
So things we're
going to go over.

177
00:07:38,591 --> 00:07:41,461
Really quickly DGA exposure
and pattern-based algorithm.

178
00:07:41,461 --> 00:07:43,996
Again we talked about
a lot of these also,

179
00:07:45,164 --> 00:07:46,799
we're just going to go
over really quickly.

180
00:07:48,201 --> 00:07:53,172
Models used for this are the
DGA basically training at once.

181
00:07:54,574 --> 00:07:56,075
If you guys want to talk
about this a little bit more

182
00:07:56,075 --> 00:07:57,610
I don't want to bore you with
this, it's almost lunchtime.

183
00:07:58,978 --> 00:08:00,780
But Exposure Model it
actually needs to be trained

184
00:08:00,780 --> 00:08:02,381
multiple times you have
to use a lot of different

185
00:08:02,381 --> 00:08:04,049
data you have to train it
you have to look at it again

186
00:08:04,050 --> 00:08:06,919
train it again, training with
known goods and known bads.

187
00:08:10,056 --> 00:08:13,025
So this is essentially
what I just said,

188
00:08:13,025 --> 00:08:17,296
allows for us to identify
unclassified domains

189
00:08:17,296 --> 00:08:18,698
leveraging classified data.

190
00:08:19,832 --> 00:08:22,268
So in DGA, have you guys
know the life cycle.

191
00:08:22,268 --> 00:08:24,904
There's like five or
six different ways.

192
00:08:24,904 --> 00:08:28,207
Five or six hundred
different ways that a DGA can

193
00:08:28,207 --> 00:08:30,142
produce a domain or hash.

194
00:08:30,142 --> 00:08:35,147
This right here is the model
used for using the same

195
00:08:36,849 --> 00:08:39,785
NTP server, so you grab a
time stamp you have the same

196
00:08:39,784 --> 00:08:42,121
NTP server the time
stamp becomes your hash,

197
00:08:42,121 --> 00:08:45,891
you push your hash through
and that way your C2 and

198
00:08:45,892 --> 00:08:48,461
your client know what the
domain is supposed to look like.

199
00:08:50,162 --> 00:08:52,632
So as you can see we
basically just come up and

200
00:08:52,632 --> 00:08:55,034
showing you guys randomly
generated, dictionary based

201
00:08:55,034 --> 00:08:57,670
generated and hybrid
generated domains.

202
00:08:59,105 --> 00:09:01,974
Exposure, Exposure again
uses the attributes of it.

203
00:09:03,175 --> 00:09:06,344
What we can as it goes
across the packet size,

204
00:09:06,345 --> 00:09:08,514
TTL associated, when
was it registered,

205
00:09:08,514 --> 00:09:11,250
who was it registered by,
email addresses registered,

206
00:09:11,250 --> 00:09:13,419
what geographical location
of an IP address was used

207
00:09:13,419 --> 00:09:15,755
to register the domain,
every aspect of that.

208
00:09:15,755 --> 00:09:17,456
It's pushed into there,
we push it back through.

209
00:09:17,456 --> 00:09:19,692
We have a localized database.

210
00:09:19,692 --> 00:09:23,162
And all of the monitoring
of it is all done passively.

211
00:09:23,162 --> 00:09:26,032
Obviously we can't do
monitoring of inline traffic

212
00:09:26,032 --> 00:09:27,233
as it goes across
because there's

213
00:09:27,233 --> 00:09:29,801
just too much traffic
and it's too quick.

214
00:09:29,802 --> 00:09:33,472
Whitelisted,
obviously Trend Micro,
Symantec, and Verizon

215
00:09:33,472 --> 00:09:36,675
they all use DGA in different
types of exposure stuff

216
00:09:36,676 --> 00:09:38,878
like in their domain
names, you have a lot of

217
00:09:38,878 --> 00:09:40,813
false positives, you have to
whitelist different types

218
00:09:40,813 --> 00:09:42,515
of stuff and blacklist anything.

219
00:09:42,515 --> 00:09:44,817
I think Bambenek was
discussed yesterday.

220
00:09:45,985 --> 00:09:49,355
AlienVault and AIS. AIS
is another good source

221
00:09:49,355 --> 00:09:54,360
that DHS pushes out some
of them are validated

222
00:09:55,695 --> 00:09:56,896
some of them are not validated,
sort of take it with

223
00:09:56,896 --> 00:09:58,598
a grain of salt,
but at least there's

224
00:09:58,598 --> 00:10:00,498
something there for you
guys to be able to use.

225
00:10:01,734 --> 00:10:03,336
Exposure Model
attributes, again TTL,

226
00:10:03,336 --> 00:10:06,505
registration, IP variations,
responses, daily trends,

227
00:10:06,505 --> 00:10:07,707
and cost per query.

228
00:10:09,041 --> 00:10:10,610
So if you guys have any
questions on that I'm

229
00:10:10,610 --> 00:10:12,111
happy to discuss it later.

230
00:10:13,846 --> 00:10:15,681
The pattern-based algorithm.
Pattern-based algorithm is

231
00:10:15,681 --> 00:10:17,450
really near and dear to my
heart because it's one of those

232
00:10:17,450 --> 00:10:20,553
things I helped develop
based on my time as an

233
00:10:20,553 --> 00:10:22,622
offensive security operator and

234
00:10:22,622 --> 00:10:24,223
offensive intelligence operator.

235
00:10:24,223 --> 00:10:26,825
So I know lots of the
callback intervals are configured

236
00:10:26,826 --> 00:10:29,729
specific ways with randomized
variables in there that say

237
00:10:29,729 --> 00:10:32,598
hey instead of call back every
two hours use a randomized

238
00:10:32,598 --> 00:10:34,666
variable that says call back
every one hour and forty five

239
00:10:34,667 --> 00:10:37,203
minutes to every two
hours and fifteen minutes.

240
00:10:37,203 --> 00:10:39,170
Which then makes it
nearly impossible to say

241
00:10:39,171 --> 00:10:41,474
hey this is a two
hour time interval.

242
00:10:43,109 --> 00:10:45,611
So we pull all the attributes
back together, identify a

243
00:10:45,611 --> 00:10:49,582
scope bandwidth, because some
pieces of malware are actually

244
00:10:49,582 --> 00:10:52,251
configured to get all of your
commands you're supposed to run

245
00:10:52,251 --> 00:10:54,853
at one time process all of
them and push them back so

246
00:10:54,854 --> 00:10:59,158
you don't need to do another
query again for an IP address.

247
00:10:59,158 --> 00:11:02,628
But some of them are designed
to call out get the IP

248
00:11:02,628 --> 00:11:06,265
address of your domain
that's set to a TTL of one

249
00:11:06,265 --> 00:11:08,567
run a command do it again.

250
00:11:08,567 --> 00:11:10,636
So then you have groupings
of call outs that

251
00:11:10,636 --> 00:11:14,339
go over the course and that
actually tends to break

252
00:11:14,340 --> 00:11:18,010
your algorithm
whenever they're not.

253
00:11:18,010 --> 00:11:19,512
It just doesn't
process properly.

254
00:11:19,512 --> 00:11:21,513
So then you have to identify
when the pieces of malware

255
00:11:21,514 --> 00:11:23,215
woke up and when it
went back to sleep.

256
00:11:23,215 --> 00:11:26,585
And sometimes that
can be 15-20 minutes,

257
00:11:26,585 --> 00:11:29,321
if it's not actively being used.

258
00:11:29,321 --> 00:11:32,091
So you basically have
to group together.

259
00:11:32,091 --> 00:11:34,860
So we use scikit-learn
and Python to do that

260
00:11:34,860 --> 00:11:37,196
to be able to
cluster those for us.

261
00:11:38,731 --> 00:11:41,266
So a basic callback
interval will be set to

262
00:11:41,267 --> 00:11:45,671
7200 seconds which is two hours.

263
00:11:45,671 --> 00:11:47,773
That's sort of the base, it
could be set to two hours,

264
00:11:47,773 --> 00:11:49,542
it could be set to 24 hours,
it could be set to anything.

265
00:11:49,542 --> 00:11:51,644
It just depends on how much
data you're able to collect and

266
00:11:51,644 --> 00:11:55,281
put into your database to
process your algorithm through.

267
00:11:58,084 --> 00:11:59,819
This is kind of the processes
that it goes through.

268
00:11:59,819 --> 00:12:01,853
Again, it gets
extremely technical

269
00:12:01,854 --> 00:12:03,122
it's right before lunch
I'm not gonna do that

270
00:12:03,122 --> 00:12:05,257
it's also raining
out and I think it

271
00:12:05,257 --> 00:12:07,626
kind of makes people tired.

272
00:12:08,994 --> 00:12:11,297
If anyone has any
questions just let me know.

273
00:12:12,698 --> 00:12:15,634
So again kind of when we
put the data back together.

274
00:12:15,634 --> 00:12:20,206
We sort of started to be able
to see configured intervals.

275
00:12:20,206 --> 00:12:23,142
Obviously you had to
take out your outliers

276
00:12:23,142 --> 00:12:25,745
and you see your
variations and things

277
00:12:25,745 --> 00:12:27,913
start to become a
little more clear.

278
00:12:30,483 --> 00:12:33,385
So again as I said, we're not
the only people doing this.

279
00:12:33,385 --> 00:12:37,323
I just took a Black Hat
course in Vegas from Cylance.

280
00:12:37,323 --> 00:12:40,025
They're doing stuff
with DGA as well.

281
00:12:40,025 --> 00:12:42,661
They're doing a really
great job at it if you guys

282
00:12:42,661 --> 00:12:45,231
have any questions about
that Cylance people here but

283
00:12:45,231 --> 00:12:47,900
look up Tom Paste on LinkedIn,
he'd be happy to have

284
00:12:47,900 --> 00:12:49,535
a conversation
with you about it.

285
00:12:50,503 --> 00:12:52,371
We're going to go back through,

286
00:12:52,371 --> 00:12:55,274
this is sort of the alerting
platform methodology

287
00:12:55,274 --> 00:12:58,778
you can use for
that, ELK and Splunk.

288
00:12:58,778 --> 00:13:00,279
I mean Splunk is too expensive,
if you wanted to do this

289
00:13:00,279 --> 00:13:03,516
in your low cost, use ELK
use Graylog, they're both

290
00:13:03,516 --> 00:13:06,017
methodologies you can use
that are really inexpensive.

291
00:13:06,018 --> 00:13:08,220
But you can kind of see
the way it comes in.

292
00:13:08,220 --> 00:13:12,291
You pull a tap, an optical
tap, pass an optical tap

293
00:13:12,291 --> 00:13:14,994
database it, in the database
of the attributes we pull

294
00:13:14,994 --> 00:13:17,830
the information out with
the algorithm and then

295
00:13:17,830 --> 00:13:21,567
process data, generate alerts,
alerts go back out to a human

296
00:13:21,567 --> 00:13:24,537
and then that gets pushed
back out to the end user.

297
00:13:24,537 --> 00:13:28,340
Again being able to put the
information in and basically

298
00:13:28,340 --> 00:13:32,378
what we're doing is being
able to tag information in ELK.

299
00:13:32,378 --> 00:13:33,846
If you guys aren't familiar
with that, look up

300
00:13:33,846 --> 00:13:36,415
tagging information in
ELK, it's a really easy way

301
00:13:36,415 --> 00:13:38,416
to be able to add filters
to it and look at it

302
00:13:38,417 --> 00:13:41,020
that's data that's
already in there.

303
00:13:41,020 --> 00:13:42,788
Chances are you're
probably aware of it.

304
00:13:44,323 --> 00:13:46,458
Again this is Cylance interface
they're doing a really

305
00:13:46,458 --> 00:13:48,928
great job, this is their DGA
model that they are using.

306
00:13:48,928 --> 00:13:52,464
Predictions analysis
and whatnot.

307
00:13:56,535 --> 00:13:59,505
So essentially you're able to
see kind of different types of

308
00:13:59,505 --> 00:14:02,908
statistical analysis when
outliers are processed through

309
00:14:02,908 --> 00:14:06,412
and how they're viewed in maps.

310
00:14:06,412 --> 00:14:07,913
Okey-doke, thanks guys.

311
00:14:07,913 --> 00:14:10,149
(applause)

312
00:14:11,383 --> 00:14:13,986
(serene music)

