WitFoo Blog

WitFoo’s Global Indicator of Compromise feed is a secure and reliable way for the WitFoo community to share intelligence about emerging threat sources.

The feed is updated in near-real time as attacks occur across the WitFoo Community. It consists of the IP address and hostname of the attacking source, the tools and methods that the community is using to detect the threat and how many incidents the source has been a part of across the community.

Hits in the feed are automatically shared across the entire community and big data stacks of each deployment are retrospectively analyzed to find hits that may have been missed. All records including firewall, proxy, EDR and NetFlow records are checked for communications with the known bad indicators.

Slides for our talk at Secure360 2020 can be downloaded here.

Details on the session are posted here: https://secure360.org/session/charles-herring-metric-driven-secdevops/?conference=11809&date=20200505

Later today I am headed to see my surgeon to schedule a proceedure. I need to have a surgery that is going to leave me off my feet for a week or more. My family will have to pick up the slack at home and my co-workers will have to take on my share of the work. The surgery is disrupting to my life and carries with it a measure of enduring risk. The most troubling thing is it could have been prevented had I adopted some healthier habits earlier in life. An ounce of prevention is worth a pound of cure. 

Abstract

Developing software that changes the world, exceeds customer expectations, provides turn-key functionality in diverse scenarios while meeting security and compliance requirements is the holy grail of Security Development Operations (SECDEVOPS). There are thousands of variables that need to be constantly addressed to find the balance that delivers sustainable and secure success. In this session, WitFoo’s chief engineers will outline an innovative approach to secure devops called Metric Driven Development. It will cover the following topics:

From  IIA/ISACA IT Hacking Conference : Developing software that changes the world, exceeds customer expectations, provides turn-key functionality in diverse scenarios while meeting security and compliance requirements is the holy grail of Security Development Operations (SECDEVOPS). There are thousands of variables that need to be constantly addressed to find the balance that delivers sustainable and secure success. In this session, WitFoo’s chief engineers will outline an innovative approach to secure devops called Metric Driven Development. 

From DEFCON & GrrCON: Network Behavior Anomaly Detection (NBAD) and User and Entity Behavior Analytics (UEBA) are heralded as machine learning fueled messiahs for finding advanced attacks. The data collection and processing methodologies of these approaches create a series of new exploitable vectors that can allow attackers to navigate network and systems undetected. In this session, methods for poisoning data, transforming calculations and preventing alerts will be examined. Proof of concept code will be demonstrated and made available. Approaches to harden against these attacks will also be discussed as well as outlining needed changes in detection standards.

tldr; – Just Download the Spreadsheet

I put together an Excel spreadsheet that does all the calculations I am going to explain below. If you don’t need to know how the sausage is made, feel free to download it and plug in your numbers.Download here: ROI Calculator.xlsx

As I have had opportunity to demonstrate our product to cybersecurity veterans I am often asked “How did your very small team do this when larger, well-funded teams cannot?” It is true, the WitFoo development team has never been larger than 5 active members at any time and we have only had 10 contributors to the code-base. We don’t Frankenstein together open source code, we custom build it all. All told, our code consists of more than 4 million lines of proprietary code written by a handful of hard-hitting warrior developers. As we wrap our newest and grandest release, I’d like to share some insight into how we pulled it off.

We started WitFoo because we were moved by the pain we were seeing on the faces of our customers in previous endeavors. We knew that there had to be fundamental changes to how security software supported the craft. We decided we would study, listen and follow the needs of our front line investigators. We would build what they need to win against adversaries and to communicate with their broader business.