Join Max, along with Jason Pufahl, Steve Maresca, and Matt Fusaro, as he reviews how automation can significantly help incident responders do their job better across the entire landscape of cybersecurity. Together, they discuss what automation can do for incident response and where the new generation of cybersecurity tools are leading the industry.
Incident Response and Event Automation
[00:00:01.210] – Speaker 1
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity with your hosts, Jason Pufahl and Steve Maresca.
[00:00:11.750] – Jason Pufahl
Welcome to CyberSound. I’m your host, Jason Pufahl today, joined as usual by Steve Maresca and Matt Fusaro, and we’ve got a special guest today, Maxime Lamothe-Brassard, the founder of LimaCharlie. Max, if I’m right, you’ve got a pretty long background in intelligence. You worked at CrowdStrike, you worked at Google. So, you’ve been in this information security and your data analytics and threat analytics space for a long time.
[00:00:41.450] – Max Lamothe-Brassard
I’ve never done anything else. That’s right.
[00:00:45.050] – Jason Pufahl
That makes you feel good. No other interest in that.
[00:00:50.030] – Matt Fusaro
Very similar [inaudible 00:00:51] too.
[00:00:52.770] – Jason Pufahl
Some days it feels that way for sure. So, Max, spend a couple of minutes, give us an overview of LimaCharlie. I think you have set the stage a little bit maybe for some of this instant response and automation talk we’re going to have.
[00:01:06.170] – Max Lamothe-Brassard
Sure thing. What we do is we essentially take a security infrastructure approach to cybersecurity tools. So, what that means is everything we offer is self-serve, scale-up, scale-down, multi-tenant, API-first, OEM-friendly, drop-a-credit-card kind of thing. Like you’d use AWS, really. So that’s the foundation.
[00:01:29.400] – Max Lamothe-Brassard
And then we have primitives on top of that. So, primitives for us is EDR, the ability to ingest artifacts from endpoints. So they could be like forensic artifacts, could be memory dumps, all that kind of stuff. Ingest external logs from other sources, even other EDRs, so we can bring their data in where we have an engine to run rules over that, do retention, do visualization, all that good stuff.
[00:01:56.910] – Max Lamothe-Brassard
So, it’s really taking a bunch of the tools that have been in cybersecurity for a long time and saying, what if each individual tool wasn’t a boxed thing that you buy and that you have to just use that way but instead, it was like AWS? Like APIs and being able to just integrate it all together.
[00:02:19.550] – Jason Pufahl
I’m going to really boil it down to its most basic because I think… Max, you and I were chatting and you said it’s a tool for developers who write tools. Because we’re always looking for ways to improve our processes to make the work that we’re doing faster, more repeatable, more scalable. In a large part, that’s what you’re trying to build, a framework to allow people to actually automate and improve what they do on a daily basis.
[00:02:51.170] – Max Lamothe-Brassard
It’s taking the learnings from the DevOps side of things and IT and saying, “Hey, there’s some really good ideas in there. Let’s try to adopt those.” And just make it easier to get into the ecosystem as well. Which forensic responses is a pretty big thing where when you don’t have to call up three different salespeople and talk over the next two months to get a three-year contract. It just drops the credit card and you just get going.
[00:03:19.670] – Steve Maresca
So, this is near and dear to our heart, I think, because… I joke regularly that security tools and platforms are the realm of broken dreams and unfulfilled promises, which is maybe unfair. But the data representations are all different across vendors, despite attempts to unify some standardized representation. The timelines, data retentions are all different, and we inevitably need to glue things together, sometimes on the fly, especially during incident response, in ways that are inelegant but get the job done. We’re always trying to chase that elegant approach and sometimes unable to reach it.
[00:04:06.570] – Max Lamothe-Brassard
It’s a challenge. I think it’s going to get better, too. We have things like Sigma… We’re not alone to see that. I think the industry is also coming up and doing things like Sigma and [inaudible 00:04:21], and then slowly we’re getting to this common way of seeing the landscape of cybersecurity.
[00:04:29.150] – Matt Fusaro
It’s been nice to see over the past couple of years how that’s coming together. Tools consolidating and, quite honestly, just making frameworks that work well together. What Steve was talking about earlier, it’s near and dear to us because we come from a networking background. Those were our first working experiences and moving into security was pretty easy for the two of us. And when we did, we saw the problems. That all the tools, they don’t work very well together. It’s really difficult to get data from one thing to another.
[00:05:07.270] – Matt Fusaro
When we were building a tool, that was our chief concern. We wanted to make sure that anything that we were using, we can send to somebody else so that they could use it as well. I think that was lost in a lot of the initial companies that started creating security products. They really wanted to own the whole landscape, be that one solution, and it didn’t really work very well.
[00:05:33.230] – Max Lamothe-Brassard
Exactly. The way that I see this, I think it’s a problem that the best way to solve it is not to try to. Meaning let’s not pretend that somehow, we’re the only kid on the block and therefore that the one format we have is going to be the universal thing in trying to get everybody to come on board.
[00:05:58.610] – Max Lamothe-Brassard
An approach that I’ve really liked and that we’ve liked and we’ve seen other people do really cool stuff like Times that we did a webinar with them recently, has been to say the deep model is not going to be unified, but if we can at least agree on very basic fundamentals like JSON, and we can all agree that the way we’re going to intercommunicate is going to be through something like JSON. It’s not the utopia of one model to rule them all, but at the very least you’re not blocked by the vendor. Because back in the day that’d be great. There’s this one model, but you got to file a ticket with the vendor and wait six months. Maybe they’ll add the conversion, blah, blah, blah. So, if it’s JSON, at least you can know that at the end of the day you’re going to be able to move forward without the vendor.
[00:06:56.390] – Steve Maresca
So, for all practical matters, if you’re in the field trying to use different vendors with different APIs, you will actually need to use multiple languages that aren’t necessarily compatible with each other and do translations between different protocols, different data representations. I think that’s the crux of it. You’re trying to reduce that individual overhead or the team overhead to make better use of platforms in a way that’s not so painful to actually get the basics achieved.
[00:07:32.030] – Max Lamothe-Brassard
Yeah, absolutely. I think we’re getting there.
[00:07:37.790] – Matt Fusaro
One of the things that drew me to what you guys were building was the opportunity to save time. We talked about it on a previous podcast, how engineer burnout is a real problem. And we’re always looking for ways to make our lives easier, frankly. This seems to have that ability to save some time. Put some automation in front of things. I know that when we go and do incident response or even just some of our clients that are more SOC type engagement, even little things can take a long time to investigate, to figure out root causes. Even just deploying tools sometimes can be a real pain.
[00:08:25.940] – Max Lamothe-Brassard
Absolutely. As an incident responder or somebody doing security, there’s like a hierarchy of value, to put it really… I feel dirty saying that. [crosstalk 00:08:39]
[00:08:39.810] – Jason Pufahl
It sounds good, though, what you’re saying, right?
[00:08:42.710] – Max Lamothe-Brassard
That’s right. And negotiating with a vendor is really low in that value stack, or setting up an ELK cluster and getting JSON into that, again, it’s really low. So that’s what we try to focus on. I think that’s the other part that I really enjoy about what we do, is we’re not an incident response shop. We’re not an MSSP, we’re not a threat intel company. We really just aim for all those things that aren’t really high on that hierarchy of value to what you guys do, and we just try to take those away to make it easy for you.
[00:09:23.580] – Max Lamothe-Brassard
And what that means is we just end up in this really great relationship with all our users where when you go and you deploy it at a customer, we’ve got your back. And it’s not like we’re competing or we’ve got other side businesses where we tried to get in and all these things. At the end of the day, when you do an engagement, if it doesn’t work out [inaudible 00:09:50], we know right away. So, we really like having this relationship where we’re just trying to take the things that are not fun out of your job.
[00:10:02.790] – Jason Pufahl
The not-fun part. I’m trying to think of it, if you could take all the not-fun parts out of my job, that would be great.
[00:10:14.610] – Max Lamothe-Brassard
Not so much like real modern incident response, but I’ve done a lot of MDR kind of space, and there’s a lot of fun in there. There’s a lot of really cool stuff to do. And if you can abstract away those not-fun parts, doing threat hunting, I don’t think I’ve ever done anything as fun in my life as that.
[00:10:38.060] – Jason Pufahl
The routine part of trying to…
[00:10:39.440] – Matt Fusaro
Except by the time you get there, you’re exhausted.
[00:10:43.110] – Jason Pufahl
Because you just spent 48 hours trying to deploy software to a client that actually can’t support mass deployment. Things like that are just a drudgery.
[00:10:54.960] – Max Lamothe-Brassard
That’s going to be happening less and less, I hope.
[00:10:58.590] – Steve Maresca
Fingers crossed. But until then, we still dwell in the realm of masochism, to some degree. I’m interested to hear a little bit about problems being solved. What specific stories do you have that are likely to resonate on that front?
[00:11:17.130] – Max Lamothe-Brassard
Sure. I think we get a lot of folks using us for incident response. So, there’s a lot of stories. And the one thing we’ve learned is by working with a lot of different like MSSPs and IR firms and all that is everybody is a little bit different. But what I really enjoy is talking to some folks that have been able to cut down a lot of that. And I’ll put forward a representative scenario of how a lot of IR folks use it.
[00:11:51.200] – Max Lamothe-Brassard
So, they get a phone call from somebody, and some of them have like 30-minute SLAs. So, the clock is really ticking when they’re online. And what they’ve been able to do with LimaCharlie is they’ve been able to say let’s think about what we do when we do an IR in terms of the well-established process. Let’s not just jump into it, but rather when we get an IR, we need to deploy. Here’s the things we need from that customer. Here’s the order that we want to look at various things. Here’s the things that we always want to happen when we get onto these customers.
[00:12:34.260] – Max Lamothe-Brassard
And so, they’ve been able to think about that. And then they do their first IR with LimaCharlie, and they go in and they do the thing and they check all the boxes, they run the IR. And then at the end, we show them how to but, to say all the things that you did, all that configuration stuff you can take it away and export it into a config file. Infrastructure as code, it’s kind of a big DevOps, Terraform kind of thing. So that their second IR, instead of going and configuring all the things, going through a checklist, spending an hour. Okay, now we have to go and collect those types of files from the customer and synchronize with their IT team and all that. They’re able to just go push that config file to their LimaCharlie tenant so that their first step is deploying the agent when it’s EDR. But then all the steps after, all the stuff that’s always the same is just automated.
[00:13:36.400] – Max Lamothe-Brassard
So, the classic is they’ll go and they’ll say, we want to collect every single raw Windows event log from the whole organization. We do a sweep. And so they just automate that very simply. And they have rule sets. They use things like Sigma to look for anomalies or bad things in those logs. So as those artifacts come in raw Windows event logs get parsed automatically, we alert, the rules run on them. So, they just get alerts. That’s their only interaction. And then they go, we also want live real-time Windows event logs. And so that’s set up into config.
[00:14:15.500] – Max Lamothe-Brassard
So, they don’t have to do anything. As soon as they deploy, they just start streaming real-time Windows event logs. And then there’s signal rules where the raw logs now operate on that as well. So, they build up that stack over time where they go like, you know what, whenever we go to a customer and we detect that type of compromise, there’s an autorun with an unsigned binary. We always just isolate the box from the network and then tag it with isolated so that we quickly are able to identify that. So, they’re just able to start implementing that not as a checklist but as a push-button go kind of thing.
[00:14:58.410] – Matt Fusaro
I could see that bringing a lot more consistency to the process, too. That’s a tough thing in this industry, too. You’re trying to get junior people involved in something complicated, like incident response. This is a good way to do that. You already have your processes, like you say, in code. So that can definitely make this much more accessible to people that may not have the experience to know, like your example. We do this all the time with this particular situation. Put it in a rule, we don’t have to teach that to every single responder.
[00:15:34.140] – Max Lamothe-Brassard
For newer, but even for senior responders, I think it’s useful because the Mark One Eyeball is just not that reliable, especially when you get called at like 4:00 a.m. and you’re just looking for the unsigned things in the process list. The machine should be doing that for you. You take the output of that and then you reason about it. That’s where you’re adding that value.
[00:15:59.770] – Jason Pufahl
That analyst role. You want somebody who can legitimately look at it and make some determinations out of the complex data.
[00:16:06.410] – Steve Maresca
What I want to see here, instead of sticking in the incident response discussion, is shifting to operational security. We have customers that want to take anomaly events from their network traffic, traversing internal networks and block them immediately in internal firewalls. They want to disable accounts automatically that are behaving in a way that’s different from their typical baseline.
[00:16:32.090] – Steve Maresca
Those are the be-all, end-all rarefied destinations of information security when applied appropriately. It’s just challenging to get there because of all of the hurdles that need to be vaulted in between. And I imagine—to some degree—outside of incident response, you’re seeing those outcomes as well, to make things more efficient operationally.
[00:16:55.310] – Max Lamothe-Brassard
Absolutely. And I think you kind of hit on the key, which is those are the end destinations. But the reality is that to get there in a cookie-cutter way, I don’t think it’s going to happen. I’m just going to go and say it, every organization is different. And on that one customer, it turns out that the CEO uses that part of the network, and if it gets blocked down, he’s going to get mad. All types of unique ways or unique setups. IT is just… Not too complicated, but it’s just so complicated nowadays that this whole box product approach, diminishing returns.
[00:17:41.370] – Max Lamothe-Brassard
So, I think that’s where it’s really important for vendors to realize that those external things are going to be needed and they’re going to have to be customized, and the first-class feature of having that flexibility really has to be there. That’s why for us, it has meant things like the ability to stage payloads. That was one of the really big things in IR, but as well as in other types of response, like, how we do memory dump.
[00:18:20.430] – Max Lamothe-Brassard
Which is the idea that I have this executable or I have this NSI or the shell script, and it knows how to do things that are not an LC, LimaCharlie native. But I still want to be able to integrate that into my automation and deploy them at scale and do things very easily and in a controlled way.
[00:18:41.800] – Max Lamothe-Brassard
So that’s why we added some of those features because they’re points where we made the very clear distinction. We know exactly what’s happening everywhere, but at this point now it’s up to you. You have the keys. We’re not preventing you, but you have the keys to go and do the thing that you know needs to be done.
[00:19:10.330] – Jason Pufahl
Because I think it’s important to draw the distinction. Automated activities, say during incident response, are one thing. Automation of blocks or other controls just during the normal course of business from disparate sources of information, making inferences from your log correlation tool, and your SIEM tool, and your IDS, so difficult.
[00:19:38.170] – Jason Pufahl
I don’t know that we’ve run across a client that is mature enough to truly be able to take those, I guess you call them proactive actions. When there’s an event that’s correlated across a variety of systems, you block something. It’s so prone to false positives. It’s very difficult for people to feel comfortable doing that. But there’s tremendous value here in improving the efficiency of engineers and making a lot of those more routine tasks a lot easier to do. The ultimate goal, of course, is that orchestration through automation for your real-time security. I don’t think we have one customer that’s in a position to be able to do that.
[00:20:16.170] – Steve Maresca
Some try. To your point, Max, it will produce an outcome that is not desirable on many occasions, but increasing the signal and reducing the noise is the ultimate prior goal. Because then at least you can have more efficient review by upper-tier analysts and avoid the legwork and drudgery of getting to that point.
[00:20:42.430] – Max Lamothe-Brassard
Absolutely. And I think that’s how we get there. The utopia where we [inaudible 00:20:47] these really complex things across many different sources. I think we’re on the road to that. But the way I see it is as an industry, it goes back a little bit to the whole XDR thing. But we got to take it one step at a time and learn as an industry, like, hey, how do you do this? How do you reason about this?
[00:21:08.780] – Max Lamothe-Brassard
So, the first step is, we’re going to want to make decisions on a bunch of different data sources. Let’s start by having an easy way to bring all those data sources, then we’re going to start to look across them, what does this data look like? How can we automate getting signal from that? And then over time, I think as an industry, we’re going to get to the point where look, we’ve done this, we’ve crawled long enough that we get a pretty good idea of what are the things that make sense for us to try to automate that way, or what are the real signals that we need.
[00:21:46.890] – Max Lamothe-Brassard
Because it’s entirely possible that what’s needed we just don’t have it today. A lot of vendors are taking all of these data sources and throwing them in a bucket and just eyeballing plausible scenarios, that how you could correlate this and block something. But the delta between those plausible scenarios and real-life, there’s a lot of road to be done.
[00:22:20.870] – Steve Maresca
There are very few events generated by a platform that indicate confidence level. And there are very few platforms that generate multiple streams of data to validate conclusions or assertions made in an event. And I think that’s the crux of it sometimes. Decisions are made inappropriately based on single data points, when in reality they may have false positives, easily determined with some supplemental context, or alternatively determined to be a false negative. So, it cuts both ways. And better data always produces better outcomes, generally speaking, as long as it can be reasoned appropriately and efficiently.
[00:23:01.730] – Max Lamothe-Brassard
I think that’s where it’s so exciting… for me, it’s very exciting to look at the type of system you just described and make a hypothesis of what that system is going to look like. And I would be surprised if machine learning didn’t somehow come into play for that. But I think that’s where machine learning and cybersecurity really, truly is going to come into its own. It’s when we get to that higher-level decision-making that is just a lot more complex. And when we have hundreds of different solutions, different streams coming in, I don’t think we know what that system is right now. We’re going to get there.
[00:23:50.730] – Jason Pufahl
I think we’re over our normal time here. So, I want to be respectful to our typical podcast format. Max, anything that you want to say in closing. If there’s one message you want to get out, anything you want to try to say here.
[00:24:10.290] – Max Lamothe-Brassard
That message is that from our perspective, everybody is welcome. I think we’re part of the new generation of cybersecurity tools that tries to empower, really, and to do that in an easy way. So get in touch if you have ideas, if you’re excited about the idea of where that’s leading, an AWS-like cybersecurity kind of thing, get in touch. We just love chatting with [inaudible 00:24:37].
[00:24:39.210] – Jason Pufahl
I feel like my takeaway listening to this is we’re all on a team of the good guys here, and you’re pushing a platform of interoperability and cooperation. Which honestly, I think the security space needs. We’re starting to see the space mature some, I think, the ability to utilize disparate tools to some degree. Maybe this sounds grandiose, but for the greater good, I think is important. And I think you’re on that path with what you’re doing. I say I appreciate that. Matt, Steve, anything in conclusion?
[00:25:16.950] – Matt Fusaro
I like where this vision you have is going. I hope to see a lot more companies doing it. I like the open nature and the kind of, hey, here’s the platform, come use it, let it speak for itself, and do something nice with it.
[00:25:33.150] – Steve Maresca
As tool builders ourselves, it’s always encouraging and enlightening to see others take what we don’t have the time to do. So, we appreciate that as well.
[00:25:43.310] – Jason Pufahl
There you go. What I needed to do is actually, if you’re going to take the bad parts of my job, it needs to be able to read and respond to my email. So if you can develop that, that would be hugely helpful.
[00:25:53.550] – Jason Pufahl
So, Max, thanks for joining today, I appreciate it. I think it’s been an interesting podcast. As always if… I think the listener base is probably a little bit different for this one, so if people have comments or questions, reach out to us at Vancord on LinkedIn, or Vancord Security on Twitter. We’re happy to have a follow-up conversation. Certainly, bring Max back if there’s interest. And as always, we hope you got some value out of this, and have a great day.
[00:26:23.310] – Speaker 1
Stay vigilant. Stay resilient. This has been CyberSound.