
The following abstracts are available for delivery at security meetings and conferences.

Charles’ Biography

Charles Herring is co-founder and Chief Technology Officer at WitFoo. WitFoo was founded to enable the sharing of information and operations across the craft of cybersecurity. Charles leads research and development of the WitFoo Precinct platform, which uses Apache Cassandra as a fundamental component of its architecture. Precinct ingests trillions of messages each day across hundreds of clusters to detect cybercrime and to provide secure methods of sharing data and operations across corporations, organizations, law enforcement, national security and insurers.

Charles regularly speaks on his research at conferences including DEFCON, Secure360 and GrrCON. He began his career in cybersecurity analytics in 2002 while in the US Navy, serving as the Network Security Officer for the Naval Postgraduate School. After leaving active duty in 2005, he ran a consulting company focused on data and operations sharing across private and public sector organizations. In 2012, Charles joined Lancope, a network behavior and anomaly detection company, designing and deploying advanced network security solutions. In 2015, Charles joined Cisco Systems through the Lancope acquisition and supported the Global Security Sales Organization until launching WitFoo in 2016.

When Charles is not researching challenges in big-data and cybersecurity, he enjoys SCUBA diving, travel and long dinners with his wife, Mai.

Talk Abstracts

The following talk abstracts are available for conferences, meetings or for private discussions.

Topic 1: Artificial Intelligence to Deter Cybercrime

Technical Level: Intermediate to Advanced
Audience: Data Engineers/Scientists/Developers/Incident Responders/Law Enforcement

Abstract

Cybersecurity analysis leading to deterrence of cybercrime requires processing thousands to billions of digital signals per second. Those signals must be accurately comprehended, forensically preserved then used to detect and investigate potential cybercrime. The work products must not only assist the investigators but must be translated into language that non-technical lay audiences including judges, lawyers and jurors can understand.

This presentation explores how generative artificial intelligence (GenAI), natural language processing (NLP), graph-theory and artificial narrow intelligence (ANI) can play a role in delivering these outcomes.

The session includes demonstrations of opensource toolkits, datasets and models designed to assist in this work.

Background

Since 2016, WitFoo has researched how artificial intelligence (AI) can be used to synthesize human expertise at the multi-terabyte data rates required in cybersecurity analytics. This session includes a summary of lessons learned from that research concerning analytic modeling.

Objectives

  • Learn how to build a dataset and train a generative AI model on it using the ArtiFish toolkit.
  • Understand the strengths and weaknesses of GenAI, NLP, ANI and Graph Theory in cybersecurity analysis.
  • Examine the impact of triaging digital signals on effective analysis.
  • Understand how generative AI can be an effective tool in translating cybersecurity analytic data to non-technical audiences.

Topic 2: Building a Global CyberGrid 

Technical Level: Intermediate to Advanced
Audience: Data Engineers/Scientists/Developers

Abstract

Detecting, catching and successfully prosecuting cybercrime requires collaboration across private sector, law enforcement, insurance companies and national security agencies. Even small organizations produce gigabytes to terabytes of evidence across their internal and cloud instances. Much of this signal evidence contains information protected by law. 

Law enforcement needs to collect evidence from victim organizations without spending hundreds of labor hours. Organizations need a way to package and share evidence with law enforcement without creating undue risk. Insurers need effective ways of underwriting policies and adjusting claims associated with cybercrime.

In this session, Charles Herring, co-founder and Chief Technology Officer of WitFoo, will detail how terabytes of data collected each day across hundreds of independent Cassandra clusters are safely leveraged to meet the goals of reducing cybercrime and its associated costs.

Charles will cover building Cassandra schemas that enable cross-organizational sharing, using a REST API to transport data between clusters, relying on Cassandra TTLs for data garbage collection, and best practices for ensuring resilience and performance in diverse environments.

Topic 3: SECOPS Driving Criminal Prosecution

Technical Level: Beginner & Intermediate
Audience: Security Managers/Executives, Incident Responders

Abstract

At a key point in the history of cybersecurity operations, it was passively decided that SECOPS is an extension of IT OPS. This session will examine the thesis that SECOPS is instead an extension of the craft of law enforcement, and the consequences of building SECOPS on IT models (which were themselves derived from manufacturing models). Approaches from law enforcement that can accelerate and improve SECOPS will be examined. Methods of safely leveraging law enforcement to reduce cyber risk and costs will also be demonstrated.

Resources: https://www.witfoo.com/infosec-craft/secops-driving-prosecution/

Topic 4: Flight Deck Information Assurance

Technical Level: Beginner
Audience: Security Managers/Executives, Auditors

Abstract

Naval Air Training and Operating Procedures Standardization (NATOPS) is said to be “written in blood.” NATOPS was created in 1961, after nearly 50 years of the US Navy flying aircraft. The extensive system was created to stop the extreme failures that had resulted in the loss of hundreds of lives and billions of dollars in losses.

Between 2015 and 2017, WitFoo researchers worked with organizations from higher education, the Fortune 500, healthcare and the mid-market to test NATOPS quality assurance (QA) approaches in cybersecurity and information security auditing.

Objectives

  • Defining the correct “unit of work” in security operations (borrowing from Maintenance Action Forms).
  • “Data Evolution” of extremely technical information into a form that can be understood by executives (and Admirals).
  • Ongoing, organic metric collection and analysis, in contrast with inspections and audits.
  • Separating human audits from architecture audits.
  • Improving auditing using NATOPS Readiness Inspection approaches.

The session will include data and demonstrations of the findings.

Topic 5: Solving Big Data Problems in Cyber Security

Technical Level: Advanced
Audience: Data & System Architects, Developers

Abstract

Researchers at WitFoo, in conjunction with The University of Chicago and representatives from law enforcement, the US military and Fortune 500 organizations, conducted more than 2000 controlled experiments on production networks from 2016 through 2018 to establish a big data pipeline for use in cybersecurity operations. The pipeline allows investigative workflows and indicators of compromise to be applied in near real time, and also provides for retrospective analysis of the complete data stack when new insights and indicators become available.

The first section of the session will evaluate the strengths and limitations of big data technologies including Elasticsearch, Splunk, Hadoop, Kafka, MySQL NDB and Cassandra, NoSQL vs. RDBMS storage, and pipeline philosophies including streaming and batch processing. The second section will outline the specific approaches used in the resulting pipeline; a detailed demo and code will be provided to illustrate adaptive and retrospective parsing, event generation and data evolution. The third section will demonstrate the pipeline in use to detect emerging threats and to retrospectively find threats that were missed historically.

Upon completion of the session, attendees will understand the philosophies, components and steps in creating an effective big data pipeline that addresses the challenges in cybersecurity operations.

Topic 6: Breaking/Protecting Cyber Security Detection

Technical Level: Intermediate
Audience: Incident Responders, Penetration Testers

Abstract

Network Behavior Anomaly Detection (NBAD) and User and Entity Behavior Analytics (UEBA) are heralded as machine-learning-fueled messiahs for finding advanced attacks. The data collection and processing methodologies of these approaches create a series of new exploitable vectors that can allow attackers to move through networks and systems undetected. In this session, methods for poisoning data, transforming calculations and preventing alerts will be examined. Proof-of-concept Python code will be demonstrated and made available. Approaches to hardening against these attacks will also be discussed, along with the changes needed in detection standards.

Resources: https://www.witfoo.com/infosec-craft/breaking-nbad-ueba-deck/
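The abstract names data poisoning as one of the attack classes. The example below, added here and not the talk's own proof-of-concept code, shows the simplest form of it against a trailing-window NBAD rule: an attacker who grows egress 2% per hour drags the learned baseline up with the traffic, so the detector never sees a single hour that looks anomalous relative to the previous 24, while the same detector catches a sudden 10x burst immediately. The hardened variant pins the learned baseline to a reference period the analyst trusts and caps how far it may drift from it. The traffic series, the ramp rate, the 1.5x alert ratio and the 2x drift cap are all constructed for illustration.

```python
"""Baseline poisoning of a trailing-window NBAD detector, and one hardening.

Added example for this page, not the talk's proof-of-concept code. The
traffic series, the 2%-per-hour attacker ramp and the detector parameters
are all constructed here for illustration.
"""
from statistics import mean

WINDOW = 24      # hours of history the detector learns its baseline from
RATIO = 1.5      # alert when an hour's egress exceeds RATIO * baseline


def naive_alerts(series, window=WINDOW, ratio=RATIO):
    """Trailing-window detector: the baseline is the mean of the previous
    `window` observations, whoever generated them. Returns alerting indexes."""
    alerts = []
    for i in range(window, len(series)):
        baseline = mean(series[i - window:i])
        if series[i] > ratio * baseline:
            alerts.append(i)
    return alerts


def hardened_alerts(series, reference_len=48, window=WINDOW, ratio=RATIO,
                    max_drift=2.0):
    """Same rule, but the learned baseline is anchored to a reference period
    the analyst trusts: it may not drift above `max_drift` times the reference
    mean without a human re-baselining. An attacker can still inflate the
    trailing mean, but only up to that cap, so a slow ramp is eventually
    compared against a baseline it cannot move."""
    reference = mean(series[:reference_len])
    alerts = []
    for i in range(max(reference_len, window), len(series)):
        trailing = mean(series[i - window:i])
        baseline = min(trailing, max_drift * reference)
        if series[i] > ratio * baseline:
            alerts.append(i)
    return alerts


def normal_hours(n):
    """Constructed benign egress per hour (scaled bytes): alternating 90/110,
    so any 24-hour window averages exactly 100."""
    return [90 if h % 2 == 0 else 110 for h in range(n)]


def sudden_exfil():
    """Constructed: 72 normal hours, then a single 10x burst at index 72."""
    return normal_hours(72) + [1000]


def slow_poisoned_exfil(hours=300, growth=1.02):
    """Constructed 'boiling frog' ramp: 48 normal hours, then egress grows
    2% every hour for `hours` hours, ending near 380x the original level."""
    series = normal_hours(48)
    for h in range(1, hours + 1):
        series.append(100 * growth ** h)
    return series


if __name__ == "__main__":
    spike, poisoned = sudden_exfil(), slow_poisoned_exfil()
    print("sudden burst  naive:", naive_alerts(spike),
          "hardened:", hardened_alerts(spike))
    print("slow ramp     naive:", naive_alerts(poisoned),
          "hardened first alert:", hardened_alerts(poisoned)[:1],
          "final hourly egress:", round(poisoned[-1]))
```

The naive detector's weakness is structural: every hour of attacker traffic becomes training data for the next hour's threshold, so the attacker controls the denominator of the ratio being tested. The cap is a blunt hardening (it trades some tolerance for legitimate growth for an upper bound on poisoning), but it illustrates the general fix: any baseline that an adversary can feed must also be bounded by something the adversary cannot feed, such as a trusted reference period or an analyst-approved re-baseline.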

Topic 7: Metric Driven DevOps

Technical Level: Advanced
Audience: Data & System Architects, Developers

Abstract

Developing software that changes the world, exceeds customer expectations and provides turn-key functionality in diverse scenarios while meeting security and compliance requirements is the holy grail of Security Development Operations (SECDEVOPS). There are thousands of variables that must be constantly balanced to deliver sustainable and secure success. In this session, WitFoo’s chief engineers will outline an innovative approach to secure DevOps called Metric Driven Development.

Objectives

  • Creating a metric collection infrastructure that alerts on security and functionality deficiencies
  • Utilizing metrics to write optimized unit and system tests
  • The optimal value of code coverage, application pen-testing and static code analysis
  • Integrating metrics into customer support evolutions
  • The place of containerization in SECDEVOPS
  • Building metric-driven use cases from hypothesis to pivot

By the conclusion of the session, attendees will have the tools necessary to implement lean and effective development pipelines that deliver secure and useful code in a fraction of the time and at a fraction of the development cost.

Resources: https://www.witfoo.com/infosec-craft/exploit-con-slides-metric-driven-s…

  • SOAR Playbook maintenance costs through abstraction and normalization

Topic 8: The Seven Unstable Conversations of Cyber Security

Technical Level: Beginner
Audience: Any Business or Security Personnel

Abstract

WitFoo was founded in 2016 to develop the tools and data required to mature the craft of cybersecurity operations. The research at WitFoo has focused on seven unstable conversations within each part of the craft. This session will share the findings on each of the seven conversations and will explore their impacts and remedies.

  1. Investigators do not understand what their tools are saying
  2. Managers cannot track security practice success
  3. Security practice cannot express value to business
  4. Security vendors cannot be held accountable
  5. Organizations cannot safely share information with each other
  6. Organizations cannot safely report crimes to law enforcement
  7. Law enforcement lacks evidence to prosecute criminals