dnsUNFILTERED: Tony Black, Huntress
Tony Black from Huntress chats with Mikey Pruitt about the importance of SIEM (Security Information and Event Management) in cybersecurity. The discussion features insight into Huntress' new SIEM platform, the significance of DNS queries in security investigations, and how small businesses can benefit from enterprise-grade security solutions. 
[00:00:00] Mikey Pruitt: Hey everyone. I'm Mikey Pruitt. Welcome to another episode of dnsUNFILTERED. Today I'm joined by Tony Black from Huntress, SIEM expert. Tony, why don't you say hello and give us a little introduction.
[00:00:14] Tony Black: Hi everyone. Thanks Mikey. As said, my name's Tony Black. I've been doing cybersecurity now for, it's 15, 16 years across a multitude of roles as an engineer and analyst working with firewalls, working with DLP solutions, you name it, from the cybersecurity kind of tool perspective. And I've worked to, worked with it, done a bunch of security operations, and now my current role at Huntress is as a product researcher on our new SIEM platform.
[00:00:46] Mikey Pruitt: Yeah. Huntress has a new SIEM platform. Very cool. And Tony had mentioned while we were introducing ourselves to each other backstage that he has that 15, 16 years as an operator trying to figure out the alerts that matter and how to triage them. So we're gonna geek out on that in a minute.
But first, let's talk about this Huntress integration. Give us like a, just a quick overview of the, sorry, not the integration, the SIEM that Huntress has released.
[00:01:14] Tony Black: So it was, it's been in, or was in early access in, early, late summer through August. We started to, onboard, full bore customers and partners in the October timeframe.
And a lot of the functionality we have right now is around, Hey, let's collect log data. Let's get into the system, let's make it searchable and visible. We are continually in the process of delving through that, identifying, Hey, these are things that we want to have our SOC investigate. As you can imagine with most logging infrastructure and logging platforms, there's just a deluge of potential data that can be collected and ingested.
And not all of it is useful, not all of it is helpful. And after all logs at their core are just a recording of something that happened. Not everything that happens is interesting. There are some things that are just, Hey, I've been awake for a day. Cool, thanks Windows. I'm glad that you've been up.
Your uptime is a day longer than it was before. So yeah, it's a lot of analysis work that we're doing on that end to ensure that we maintain the same level of efficacy and low false positive rates that our partners have been expecting from our EDR and our ITDR products.
[00:02:30] Mikey Pruitt: That's interesting. Huntress, the nature of your business, you're gonna need a pretty powerful tool to collect all those logs. So did you guys build this for yourselves and then it was just good enough to release?
[00:02:43] Tony Black: Yeah, we did. So the initial kind of groundwork was laid before I joined Huntress.
So I've been with Huntress now since the beginning of July. So the original kind of groundwork was laid back in January from my understanding, where it started to get built out. Our CTO, Chris Haki, delved into it quite a bit. He's talked a lot about it on our product webinars that we host once a month, and it has been a running topic now for quite some time.
Yeah, like we built the collection and ability to collect things. The ability to do some parsing and normalization, 'cause that's a very important part when you have a bunch of different sources that call things different stuff. And then a storage backend to store and make this available for not only just the search side, but also so that we can, for bad behavior.
[00:03:31] Mikey Pruitt: Okay, so before we go any further, I think it would be wise to give the audience like a basic definition of SIEM. And actually let's start with the pronunciation. So I say SIEM, which I thought was correct for a few years, but you can correct me. Like what is a SIEM and why should you use one?
[00:03:52] Tony Black: SIEM solutions, and it's SIEM, is the acronym.
So Security Information and Event Management, that's been around now for 20-ish years, maybe slightly more. It's actually an amalgam of two things. So there was something called SIM, so Security Information Management, and SEM, Security Event Management. And they merged the two together somewhere in the mid-aughts.
Some of the first products that came about around then: ArcSight was one of the first big names in the SIEM space, as was RSA Envision back in that mid-aughts period, which was also really big in the space. Both of those products, ArcSight has more or less disappeared from existence. There are still some places out there that use it, but for the most part, that product has sunsetted the same way that your old packet filters no longer really exist in comparison to what's been coined the next gen firewall. And then RSA Envision merged and transformed itself into what's now called RSA NetWitness.
So the two, those two kind of components, the S-I-E-M, merged together and became SIEM, 'cause they're like, Hey, let's not just collect stuff, but let's try and do some intelligence against it. And yeah, as far as pronunciation, I've seen people call it SIEM some and SIEM. It's pretty much, SIEM has been like the way that if you listen to Gartner or any of the other folks talking about the product space, they always pronounce it SIEM.
[00:05:21] Mikey Pruitt: Yeah. So if you wanna sound like you know what you're talking about, say SIEM. Yep. So why say SIEM? Why would someone use it? Why would someone use them?
[00:05:31] Tony Black: Yeah. So again, I'll use another example of a product kind of in this space. So a lot of people recognize Splunk as a big name in this space too.
And Splunk started their business as an observability tool. So what they did is they were collecting a whole bunch of data and then trying to make intelligent kind of IT operational slash business type decisions. Or at least information, get reporting and those types of bits out of it.
And if you think of what a SIEM is in comparison, a SIEM is a very similar-ish tool kind of product, just with a much more narrow focus. So instead of looking at kind of the entire IT infrastructure and trying to facilitate what a network operations center might need around, Hey, the health of my network devices or the health of my server infrastructure, if you're into server operations, the server admin, it really narrows in and focuses on the security aspect.
Now, that being said there's a lot of overlap in data between kind of those two big use cases. A lot of things that, from the IT operational side, so in the observability space, I'm gonna care about, there's a lot of overlap with what I care about on the security side of things as well.
So think of it this way in my past, I was responsible for VPN access, right? Managing the tokens, so the multi-factor tokens that you would use to, to connect in, and then the corresponding kind of bits behind the scenes for how that actually connected in. The tool that I would use to, to troubleshoot some of those things, which around which we're looking at the different authentication checks, it's like, Hey yep, my password is good.
And then, yeah, now my token is good. Cool, like that same infrastructure and the same logs I would use to troubleshoot a connectivity issue and also look at security issues around someone's account being breached and or something funky with their tokens or them not having a token for some reason.
So there's a lot of overlap between kind of those, the original like observability use case and then the more narrow focused security side of it. Very cool. So yeah, wrapping back, what do you need it for? It gives you that infrastructure, that capability to delve into security data and to create either, whether it be search based or whether it be more real time based, some level of detective capability based upon some known criteria of a known bad thing. And then alert you of this to allow you to investigate, qualify and either remediate if it is a true positive or put it into a false positive category and then improve your detection from that point forward.
They're also really big in the kind of compliance and reporting space. So when you look at a lot of the compliance regulations, PCI, HIPAA, Sarbanes-Oxley, GDPR, like just pick your flavor of whichever compliance requirement, almost all of them have some level of need to, or some level of requirement to move your logs off of the originating system from either an investigative perspective or just an auditing perspective. So using HIPAA as an example, right? One of the requirements in HIPAA is, hey, you need to log anytime someone accesses EMR records, PHI, anything that has PHI in it, not just changes to it, but even just viewing it is something that has to get recorded. Now that use case isn't necessarily the greatest in the SIEM space because that is a ridiculous amount of data that doesn't necessarily have overall security value, at least out of the gate.
But that's an example of something where these types of tools provide value.
[00:09:21] Mikey Pruitt: Yeah, that makes a lot of sense. Now, so your SIEM is really just filtering the important stuff specifically related to security, is that right?
[00:09:32] Tony Black: Yeah, and that's a bit of a shift too in terms of how the industry has been treating data collection.
And I think that's an area of differentiation we're starting to see nowadays in the market space too. So if you look, say, eight, even as new as five-ish years ago, the general guidance from your SIEM vendors was, Hey, collect all the stuff and shove it all into our tool, and then now it's available for searching and now you can do whatever you want with it.
Whereas now, that's shifting a little bit. You've got players such as Cribl, such as, what is it, data bond. You've got these other tools that are coming out in support of these solutions, but they're really sitting in the front and playing kind of the gatekeeper or the filter or the traffic cop in some cases for data coming in.
And that's something, we're talking about kind of Huntress' SIEM solution as well, that's something we were looking at too, and it's hey, we don't need to collect all the things all the time. Let's make sure we can narrow in on that which is providing that security value from a detective and investigation perspective, and then not bringing in those things that are, hey, this is purely IT operations, or this is purely for like device health, which sure, there is a little bit of a crossover in kind of security space around health too, as part of the CIA triad, right?
Things need to be available for it to actually be in the business. But there's better tools to handle that besides SIEM solutions. And Huntress' perspective is always, we wanna focus on the tradecraft, the attacker, and catch them before they're able to do or able to execute, ultimately, whatever their mission is.
[00:11:15] Mikey Pruitt: Yeah. So it sounds like the Huntress solution is pretty focused, which is great. I'm curious, what are some of the other, like the unique comparisons against other SIEMs in the market, against the Huntress product?
[00:11:28] Tony Black: I think the other big piece too, and again this coming from someone who has run a multitude of SIEM solutions, anything from Elastic to Splunk to LogRhythm before it became Exabeam to QRadar, I've even run the RSA Envision way back in the day, so name a SIEM and I probably worked with it to some degree.
The other big piece on the Huntress end is we are a fully managed solution. What I mean by that is, as a partner, as a customer of the Huntress SIEM, you don't need to worry about parsers, you don't need to worry about managing the rule base. You don't need to worry about managing any of the backend infrastructure, right?
If I use Elastic as an example, right? They've got a suite of indexers on the backend, which is ultimately where the data gets stored, et cetera. That's something that no Huntress customer ever has to worry about. You don't need to worry about split brains on who's the master in an array of indexers or anything like that.
So a lot of the overhead in terms of people resources is not there. Sure, we're still gonna send you stuff and be like, Hey, we saw this bad thing. Just like anyone who has experience with the Huntress EDR or ITDR products. We're still gonna send you the reports and, Hey, we found this bad thing.
And then, what do you wanna do about it, et cetera. Or in some cases we've identified some potential misconfigurations that can cause disruption to the service we're trying to provide. But you don't have to worry about that whole infrastructure component. As a comparison, so one of the places I worked at, which was a Splunk shop for a Fortune 50 company.
We had a team of, I think it was like eight or nine people. Their only job was to keep Splunk running and we were using Splunk cloud, so we didn't even have to worry about the heavy side of the infrastructure or like
[00:13:15] Mikey Pruitt: servers, power, cores, nothing like that.
[00:13:18] Tony Black: Yeah. Because in Splunk they have this architecture with forwarders, heavy forwarders, et cetera.
And like all those still had to be managed and maintained in, inside of our environment. And there was a team of 10 people now with
[00:13:28] Mikey Pruitt: Yeah. And parse the data due to the size of
[00:13:30] Tony Black: that, that Oh, for sure. That's, I think the biggest bit, like you see that in like every CISO's concern has lately been, can I find the resources to do the job that we need to do to protect the business?
And if there's a way to, eliminate or air quote, outsource some of that management, I think that's a big win.
[00:13:54] Mikey Pruitt: The product has been out for a few months. What have you been hearing from some of the early customers and early adopters?
[00:14:01] Tony Black: Yeah, so a lot of the early adopters are trying to fulfill some compliance needs around, Hey, you need to offshore your data and those types of pieces.
So everything's been going well there, like they've been happy being able to get that data off of their systems into ours so that they're in a place to help satisfy those compliance requirements. And in addition, the cyber insurance requirements are starting to get into that same boat where it's like, Hey, you need to offshore your logs in order to check the box off of the cyber insurance list as well, or their list of demands.
We've had a number of customers work through doing the search. So that's also a new thing on Huntress' end. So in previous products, an end user or a partner of ours, they didn't really have the ability to search their data that we were collecting from, say, the EDR, from the ITDR services.
But now in the SIEM space, you can log into the Huntress portal, you can go to a log section within the portal and you can search against your data and you can find things there. We've published on that same support page where you can find how to configure our supported devices.
There's also a list of kind of starter queries. So if you're sending us Windows logs, if you're using Sophos, or SonicWall, or FortiGate, there's some starter queries that you can use to plot. Just copy, paste and it'll come out with results that can show some interesting stuff. Again, not necessarily, hey, these are security things that you need to go remediate. An example in Windows is, cool.
Let me run a search to show, the users that have been added to the local admin group on my local Windows device or remote desktop users group. Which is definitely a potential
[00:15:43] Mikey Pruitt: security event.
[00:15:45] Tony Black: Yeah. These are groups that grant extra privilege and potentially a security risk or add more risk, but.
And there's a lot of cases where it's that's normal, right? That's just normal business operations. And it's mostly to be able to generate those reports to validate Hey, that happened on the firewall side, like there's a couple in there around like firewall rule changes. Again, like potential risk.
But that's again, normal business operations and that's something that can be really used to help validate change control. Approved versus unapproved changes. So there's a few bits that are available there, I think that the customers have found value in.
[00:16:22] Mikey Pruitt: So talking about like volume of data.
So Huntress SIEM product has an integration with DNSFilter, and I know, like for example, if I turned on DNSFilter at my home, that would generate on average 30,000 DNS queries per day, obviously. The SIEM doesn't need to know about all of those, but some of them would be very interesting and needed to be stored.
So I wanna talk about the DNSFilter integration, but in the aspect of why DNS queries are so cool to add to your collection of data and not necessarily about the implementation, because I read through the Huntress support docs and it's five steps. So that's the easy bit. Go ahead.
[00:17:06] Tony Black: Thankfully that one, it's one of the easier integrations. But yeah, in terms of the data from say DNSFilter, so in general, when I think about categorizing data, I usually put it into one of four buckets. So there's a bucket like, Hey, this data is useful for creating some type of detection, right?
I'm gonna use this data to directly drive a detection capability. Then there's a supporting set. So there's the next bucket, and this is where a lot of DNS logs will fall into, is they're gonna fall into this secondary bucket. It's, Hey, I may not create a detection purely off of DNS.
There might be some edge cases where I would, but it really helps to facilitate the investigation aspect. So if there's some suspicious or potentially malicious behavior that I'm seeing on a host, one of the beginning places I'm gonna look at is, okay, what DNS queries are being done. You can toss out the, oh, they query Google or MSN or whatever, right?
You can toss out a whole bunch, as you're saying, as just general background. But it's really interesting to see the one-offs, see the ones that are rarer or haven't been seen before. And in the case of DNSFilter's functionality, it's, Hey, what did it block? What was being tried that it prevented, and then why did it prevent it?
Is it just in a tracking category, which I mean, a tracking cookie is a tracking cookie. I'm like, sure there have been malicious uses of them, but most of it's just, I don't want to get tracked. But yeah, like that's, and it is potentially voluminous, like that's the bit on there too.
And that's where, having some of the pre-filtering helps out. Now again, not necessarily on the DNS side, 'cause I am curious about DNS queries as a whole because they do provide, some level of insight as far as the investigation standpoint. Yeah, that is a good point.
[00:18:53] Mikey Pruitt: So you can see like the ancillary events around something that happens, something that maybe was alerted through Microsoft 365 or some other system, and then see like within a timeframe around that event what DNS queries were firing off. So you may wanna save them all. Yeah, absolutely. For at least some period of time.
[00:19:13] Tony Black: Yeah. And if we look back, I've worked with Mandiant, way back before they were absorbed by Google, with investigators, in a few cases where they were brought on for a company I worked for. And outside of just gimme logs, like the first couple things that they would target and they would ask for is, give me all of your DHCP logs for the last X number of days, and then give me all of your DNS logs for the X number of days. Like those are some of the first questions they're gonna ask because of kind of the extra, as you said, like ancillary or supporting value that comes in.
And I think that's where in the SIEM space especially, these types of events, these supporting things, provide context that is sorely lacking in just one-off logs by themselves, right? If I look at, say, someone launched Chrome or someone launched some application on their host, that's cool.
Like, all right, I see that and I can see by, turning a couple dials extra command line switches or arguments that were passed in okay, but. Again, that on its own doesn't necessarily say, Hey, this is bad, this is good, this is, you need to add that, those extra bits in there the extra context around it and what's going on while that's occurring.
And that's really the power of where SIEM solutions come into play, is being able to combine and correlate different data types from different sources together to paint a better picture. To connect dots and connect threads to, to show progressive activity as opposed to just, I saw this one thing this one time.
[00:20:53] Mikey Pruitt: Yeah. So that's great to hear. Like I've always thought that, but I've never, I'm not a SIEM expert. I'm not a SOC operations specialist. I've never been in that environment, but I just can imagine that the DNS queries around something are pretty valuable to, for that investigation, as you mentioned.
So I want to transition a little bit into SIEM, Splunk, now Huntress. These are big, like Splunk is a huge company. Enterprises, the enterprise ecosystem, probably often use SIEMs or similar technology to correlate or collate all their logs. And have teams of eight in some essence to manage.
So it's daunting, like the SIEM environment is scary. So like Huntress and DNSFilter were very big with MSPs who are often helping small businesses and sometimes larger businesses. But how is Huntress, and the release you have, reducing the friction for small businesses and MSPs to get into the SIEM game?
[00:22:03] Tony Black: And as I said, I think the kind of the biggest piece is not requiring the extra resources to manage, maintain, because as you said, most of my experience prior, or my experience working for specific companies, has been in kind of the Fortune 500 or the larger enterprise space.
So yeah, they had the resources the teams to manage and implement and run these types of tools. The last company I was at, the Fortune 50 Healthcare Company, our security department was larger than Huntress is as a whole. We had more people just in security than Huntress has in the entire company.
[00:22:42] Speaker 3: So
[00:22:42] Tony Black: It's interesting seeing that dynamic. But yeah, the from the small and medium business size, the, as our CEO Kyle has called it the Fortune 5,000 to the Fortune 5 million. They don't really have the dedicated resources. Even our MSP partners, they are a lot of it focused on the keep the lights on kind of stuff, the maintenance that's carrying of whether it be server infrastructure, firewall, infrastructure, et cetera.
Some of them, sure, they might have 10 people on staff, but there's just like one person that does security half the time. And most of that's just, hey, we getting generated there. Their SOC is
[00:23:19] Mikey Pruitt: one guy,
[00:23:20] Tony Black: right? And so the kind of end goal is to alleviate as much of the admin burden as possible.
And that is probably one of the biggest resource lifesavers. That's not to say make it zero, right? Like it's impossible to make it absolutely nothing. Even if we look at, say, like the Huntress EDR side of things, right? You still have to install the agent. Same thing on SIEM.
You still have to install the agent. You still have to update the agent, right? There's still some administrative activity, but removing as much as we possibly can from that. Making the onboarding of sources easy, as you said, like the DNSFilter guide is like five clicks, and the most you have to do is generate a key and plop that into a webpage somewhere.
Some of them are a little more complicated. But yeah, try to make that as easy as possible in order to bring on new devices. And just generally provide as much insight by default that we can, right? So if we're seeing, say, hey, something operationally isn't healthy.
So like an agent hasn't communicated or a data source hasn't communicated. Our goal is to notify and say, Hey, this hasn't talked, is that okay? Or, this configuration is precluding good functionality or something like that. And then not having to be responsible for writing all of the detection logic itself, right?
We're gonna be doing that on our end, our SOC exists to do that. It's part of the fully managed kind of Huntress solution, right? It comes to our SOC first. So we're not gonna send all of the potential alerts, everything that the SIEM components produce, down to our partners or customers.
It's all gonna be vetted and validated by a human before we end up doing that.
[00:25:03] Mikey Pruitt: But that is really impressive. That's a huge differentiator because you're getting the expertise of Huntress and your SOC as the final filter of what gets sent to you.
[00:25:14] Tony Black: Yeah, it's a hundred percent. I think that's, coming from, as I said, like coming from my background of being the one who's been in the trenches, who's been doing the SecOps, whether it be from an analyst or an engineer perspective.
If there was someone in front who that I could trust and be like, Hey, can you filter out all the junk? That would be great.
[00:25:32] Mikey Pruitt: Yeah. The human firewall. Awesome.
[00:25:35] Tony Black: Basically, yes. Because I know I've worked with a number of MSPs myself and there's good and bad across kind of the MSP space, like some of that.
And I think a lot of that comes through in like the level of resources that are in there, the kind of expertise of those resources, et cetera. So for anyone who's been using Huntress before, right? They can see the level of expertise of our SOC with what gets passed through from our EDR and ITDR systems today.
And that same level of service is what we're aiming for from the SIEM side as well. That's, again, that's not to say that we're perfect, right? There will still be some things that will pop through and there have been some that we've already notified. It's oh yeah, that was my, I was vulnerability scanning, or something like that, and it's okay, or I was doing a pen test or something like that. But someone has vulnerability
[00:26:23] Mikey Pruitt: scanning your network right now. They're like, yeah, I know it's me.
[00:26:26] Tony Black: Yeah, exactly. Like we've picked up, it's, oh, hey, we saw a Kali workstation on your network. Oh yeah, that was me. I was doing some pen testing.
Okay, great. But hey, I'm OK catching pen testers. Like I have no issues catching pen testers.
[00:26:41] Mikey Pruitt: Yeah, you and you should. That's the whole purpose, right? Exactly. The pen test.
[00:26:45] Tony Black: I have been at orgs where they get mad when we catch the pen test. I'm like, what? Wait a second, why? I don't understand.
[00:26:52] Mikey Pruitt: I saw a hilarious Reddit thread like a week or two ago. An MSP was getting requested to open the firewall ports for a pen tester and he was like, that's a failed pen test. We are doing our job. So pen test over.
[00:27:09] Tony Black: Yeah, I've gotten that too. It's Hey, can you create an account and put in the domain admin group for us?
No.
[00:27:19] Mikey Pruitt: And also just back to the last point about all that, DNSFilter and Huntress, they're on this mission to democratize cybersecurity. Make it simple, make it easy, make it affordable. So that these small businesses and MSPs can have enterprise grade security. I recently heard an interviewer ask a question about a security posture between, say, the CIA and your mom and pop retail store that sells like dog biscuits or whatever.
And the answer is the security posture is the same. Obviously there's gonna be many differences. They should think like the same. They should be seeking out SIEM tools to monitor things. They should be seeking out DNS filtering. The question is which products they should buy.
The CIA probably builds in-house and contracts whoever to build some pretty advanced systems, whereas we are giving the same tools to MSPs and SMBs.
[00:28:23] Tony Black: A hundred percent. So a lot of my direct employer experience has been in healthcare orgs. So whether that be an insurance company, whether that be a provider, a company that has had hospitals and clinics, and most of them have been large, right? But the risks to a healthcare org that has four hospitals and 75 clinics is pretty much the same as a company or as a dental office that has four, or as an individual health practitioner like a pair of doctors or whatnot that have a small family practice. The overall risks are the same. Now, sure, the amount of, or not really the amount, but the exposure is smaller.
Their footprint is smaller, so there's less. They're not gonna shut down all the
[00:29:10] Mikey Pruitt: airports across the world if something goes wrong.
[00:29:13] Tony Black: But they still hold the really interesting and really important data that attackers are gonna want. They are still as susceptible to ransomware attacks as the big guys are.
There was the Change Healthcare ransomware attack from earlier in the year that affected a huge number of small practices because that's how they get paid. So yeah. And it's not that they're not at risk just because they're small. The risk is still there.
It's just their exposure. So the number of endpoints is small. That's really kind of it. The data is still exactly as interesting, and a lot of them will still have connections back. So I know with doctors that I've gone to, if they haven't been part of a major network, they'll still have data sharing.
They still even potentially have direct links back to, say, an Allina or a Mayo or UHG or what have you type of network to share medical data.
[00:30:11] Mikey Pruitt: Yeah, exactly. And I would argue that the repercussions are actually more severe. So think of your health company that you worked at.
Let's say they had a $2 million recovery cost for some type of event. They could absorb that. Whereas your mom and pop dental office, they're probably out of business.
[00:30:31] Tony Black: Yeah, and one of the things that the HITECH Act, so the follow up to HIPAA, added was teeth.
So they added more from a punishment perspective in terms of if you lose data, if you lose records, et cetera. And so yeah, there are some financial repercussions tied to that, and a hundred percent, like a larger organization is able to absorb those far easier than a smaller.
And, I've also, I've had this kind of discussion and argument with doctors in the past around, cybersecurity and it's Hey the number one thing you think of as a physician or as a doctor, as a medical professional is, Hey, I care. Patient care is top of priority.
That's always the thing. You hear top of mind inside of hospitals, like patient care. We do x, Y, Z because of patient care,
Good cybersecurity practices are also patient care. Exactly. When a patient or someone comes in and they're providing you things like their social security number, they're providing you medical insurance information, they're providing you insurance information, all of this sort of stuff, like they're expecting a level of care on your side to protect their data so that some nefarious individual or entity doesn't come in and take it and then use it for whatever. So I would argue that in those scenarios, right? Cybersecurity is patient care, like the thing that you should care, put top of mind as a medical professional.
[00:31:56] Mikey Pruitt: Yeah. The patient data is essentially the patient itself or themselves, a
[00:32:00] Tony Black: hundred percent.
All right. And particularly with healthcare data, it's immutable, right? It doesn't change.
[00:32:07] Mikey Pruitt: Exactly.
[00:32:08] Tony Black: As opposed to, say, something like credit card data. The banking industry has been on top of cybersecurity for a long time because, hey, there's real dollar cost for fraud, and they can get almost in front of it.
Basically, I've gotten calls from Capital One, which is one of the banks I've worked with. It's, hey, we saw a random transaction, blah, blah, blah. Was this you? And I say no. All right, we'll reverse the transaction immediately, cancel your card and send you out a new one. That's something that credit cards can do.
You can't get a new social security number, for example. You can't get a new medical record number inside of an organization. That's not a thing.
[00:32:45] Mikey Pruitt: You could change your name, but that's a big hassle. But your social's still the same. Exactly. It's assigned at
[00:32:53] Tony Black: birth. It's from birth to death. You'll have the
[00:32:55] Mikey Pruitt: same number.
Tell me about, so this is, let's get a little nerdy about some of the happenings that you've seen in your lifespan as the SOC analyst. Have you seen, I didn't ask you this before, but have you seen any crazy cyber event?
[00:33:13] Tony Black: Let's see. Nothing like, there have been a couple that occurred before I joined an organization. So one of the projects I've been involved with was deploying a secure USB or secure flash drive system, and that all originated because someone did the thing that you hear about but you never think happens, which is picking up a USB in a parking lot and plugging it into a computer.
It's like, if you remember, a long time ago I worked at Geek Squad as one of their techs, and you always hear stories like the cup holder stories, right? It's, my cup holder's broken on my computer. I'm like, what do you mean? Oh, that thing where I press the button and it pops out. They're referring to their CD drive.
But you never run into it, you never think, oh, that's a real thing. And likewise in the security space, I never think, oh, someone just picked up a random flash drive and thought this would be a good idea just to plug in.
[00:34:06] Mikey Pruitt: I went to Las Vegas during a conference called DEFCON or something, and I found this USB stick.
Yeah. And like I just found this
[00:34:12] Tony Black: thing. Like, oh, that kind of drove, that was a bit of a snafu, again, with the org before I joined on. So one of the projects I was involved with was deploying these kind of secure and encrypted USBs and creating the policies and implementing the technical controls around not even allowing other ones to mount into the system.
[00:34:34] Mikey Pruitt: Ah.
[00:34:36] Tony Black: Yeah, a whole bunch of stuff went into that.
[00:34:38] Mikey Pruitt: I was gonna ask, like, how did that work? Like you're saying you created software essentially that would only allow a USB stick with a specific signature to mount?
[00:34:47] Tony Black: Yeah, it was, it is tied to a, there's a particular piece of software that essentially will just not allow it to mount.
So it'll just dismount it from the system. Like you plug it in and you'll see the little Windows popup that says, oh, onboarding or adding device. And then shortly thereafter it'd be like, device disconnected. And only allowing in kind of a specific category. And wrapping back to the logging in the same space,
that's one of the things that Microsoft implemented. I wanna say it was in like Server 2012 or 2012 R2, and then correspondingly, I think it was Windows 7, maybe 8. They started recording a lot more information around plug and play devices, of which a removable media drive, like a thumb drive or flash stick, is considered a plug and play device.
Then the other one, actually, it wasn't really a security, it could have been a security thing, but it wound up not being the root cause of it. So the org I worked at, as with most larger organizations, the desktop team and the server team are split from each other.
Right, there's a team that manages the desktop fleet, and there's a team that manages the Windows servers and Linux servers, et cetera. And we used Windows Updates, SMS and whatnot, in order to do all of the updates, like, hey, push updates.
Cool, great. Normal Windows kind of functionality. There were a bunch of scripts and things tied into there too. But as part of the scripts, one of the things it would do is it would add, on the desktop side, forced reboots. So every week your system would reboot, which is generally good hygiene, like you wanna reboot every now and then just for general operating system health.
And then recently I saw the recommendation of rebooting your phone that the FBI came out with. But anyway, regular reboots of things are not bad, and generally are a good thing. So there was a scheduled task that got pushed, and there were some accounts that would get created, like the
admin account that the workstation team would use to do remote administration. They'd have something that gets added into every workstation's administrators group. Okay, fine. Again, all normal stuff. In the SIEM one day I got an alert that says, hey, the enterprise admin account named X, Y, Z got changed.
And for those not familiar with what enterprise admin is: in a Windows domain environment, people hear domain admin all the time. Okay. Yep. Everyone I think relatively knows what a domain admin is. A domain admin is one tier under an enterprise admin. And these both get created when you set up Active Directory.
So domain admins are allowed to do stuff within that particular domain. Enterprise admin can affect the entire forest. So if you have multiple domains under, say, a forest, then enterprise admin can do anything it wants to any of them. Essentially it's domain admin across all domains.
Those accounts should really never ever be touched. Like, you generally don't use them because they are so risky, and the passwords for them, you commonly just throw some random password generator at like 45 characters, because you really don't want those impacted. So as I said, I got an alert that says, hey, this got changed.
I dig into it and end up messaging some server admins, and oh, by the way, this is at 3:30 on a Friday afternoon, which kinda lines up with when attackers do crap, because they're like, oh, it's a weekend. But long story short, digging through, I found out that, oh, the GPO and the scripts that were getting assigned to the workstation fleets somehow got assigned to the server fleet, which
normally would be like, okay, I guess someone just needs to go change stuff. But if you remember earlier, there was a reboot task that got auto created. So there was a reboot task that got created on all Windows servers to reboot at 8:00 PM Sunday. So the entire Windows server infrastructure of 3000 servers would've rebooted at 8:00 PM on Sunday, which,
again, not horrible. I guess there would probably be a service disruption, but where it becomes, especially in this case, poin, is the org I was at had hospitals and clinics, so 24/7, and these servers were running, like, Epic, were running the EMR system. These servers were running the things that displayed, say, your stats, like patient stats,
within different rooms. So essentially if these would've rebooted, it would've shut everything down and could have had some pretty potentially significant patient impacts. So yeah, like that's, again, it wasn't a security issue as in, hey, malicious behavior.
It was a misconfiguration that could have had some pretty drastic impacts to the business.
[00:39:57] Mikey Pruitt: Yeah, but you called it and you fixed it, and that's what humans are for. Yep. We caught it.
[00:40:01] Tony Black: We fixed it. No servers rebooted at 8:00 PM on Sunday.
[00:40:07] Mikey Pruitt: Yeah. AI's not ready to take over yet. Maybe one day, just not yet.
Nope. Oh, speaking of AI, and next, what do you think the future looks like for SIEM products, not necessarily Huntress specifically, but just in general, like logging and alerting? What do you think we're gonna see in the near future?
[00:40:26] Tony Black: I think, from the general business perspective, we've seen it within the last year, some organizational mergers, so some M&A actions that have occurred, right?
So Cisco bought Splunk. You've got LogRhythm and Exabeam merging together. You've got Palo Alto that purchased QRadar off of IBM. So I suspect that some of that's gonna continue, at least from the business side of the house, like the organization side. In terms of the overall kind of functionality, a lot of the SIEM vendors are touting the AI/ML and UEBA kind of functionality, which there is some benefit to.
I'm not gonna say that there's zero. However, it does feel like a lot of it is in its very early stages or infancy when it comes to providing the value for what you have to give it. I do expect that's going to continue over time. In general, there's been this fear that AI is gonna come in and replace jobs, and I don't necessarily think that's gonna a hundred percent be the case.
Sure, I think there might be some reduction in, say, resources required to perform a task, but I see AI, particularly from the SOC perspective, coming in as much more of a helper, as something that can make a lot of automation and a lot of regular tasks easier. Ultimately just leveraging what SOAR, so security orchestration and response, has been doing for years, augmenting that, adding into that, adding some more context to things, and being able to handle a lot of those pieces there.
That being said too, on the UEBA front, so for those not familiar with the acronym, user and entity behavior analytics or user endpoint behavior analytics. There are some interesting things there too. Again, it's something that has been around for a bit. You've got, in the case of some of the vendors out there, particularly Exabeam, they really push that UEBA is the future and whatnot.
And yeah, there are some decidedly interesting use cases in that space. Things around profiling users and looking for behavioral anomalies, not just, hey, I saw this process do this thing, but looking at how people work and looking at what systems accounts typically access and looking for behavioral outliers to the general baselines.
I think that all of those solutions have to contend with their false positive rates, which are significantly higher than they really need to be. So I suspect that there's gonna be a lot more development in that space too, to tune down and to cut out a lot of that false positive activity.
That's the one downside I would say with behavioral based analytics is, yeah, unless you get your models really tight, the false positive detection rate is pretty high.
[00:43:13] Mikey Pruitt: Yeah, that's interesting, especially for
[00:43:14] Tony Black: like your server, kind of your administrative staff, your IT staff, because they operate abnormally all the time, right?
If you think about, hey, it's my Windows server team, there are no regular logins that they do to systems, right? They bounce between systems in order to fix problems or what have you. So a lot of it's gonna be very hard to baseline and find abnormality. That is arguably, your most risky accounts are those that have those administrative activities.
So those are the ones you would wanna monitor more closely. But their behavior isn't consistent, so it's hard to apply those behavioral analytics to them.
[00:43:51] Mikey Pruitt: Yeah, 'cause randomness is more frequent actually. It's like randomness is normalcy. But that is really interesting. Yeah. You're watching the user behavior.
Recording all of that data is gonna be a tremendous amount of data. It's very hard to measure, but adding on top of that AI/ML, let's say, deciphering and regurgitation and alert setting with that extra data may be a great future.
[00:44:20] Tony Black: Yeah, as I said, it'll be really interesting if they can start to create better or more narrowly focused models in that space.
I think there is a lot of value to be had around looking at behavior. If you think about it from, say, the law enforcement perspective, one of the big things they look for is behavior changes, right? One of the ways that the FBI looks for potential terrorism is they'll get flags on certain types of transactions, right?
It's, oh, hey, someone bought 10,000 pounds of nitrate based fertilizer. That throws up a red flag, right? These are abnormalities or differences in behavior that they'll be looking for. And the same holds true in the security space, right? We expect systems to behave a certain way and expect accounts and people to behave a certain way, and then we look for things that fall outside
those norms as a potential indicator. But I think relying solely on that is something you don't really wanna do, in that you need more context, you need more breadcrumbs to connect and to build that chain of events to really say, yeah, this is true malicious behavior,
rather than, oh hey, this is just because John had to log into the email server because it had a problem.
[00:45:34] Mikey Pruitt: Exactly. Tony, thank you so much for joining me today. We're out of time, folks. That was actually a lot of fun. I've never had as much fun talking about SIEMs, but it was a blast.
Thank you, Tony, for joining me.
[00:45:48] Tony Black: Yeah. Thank you for having me.