Kestrel - May 2023
OCA Community Connect
Host: Roseann Guttierrez
https://opencybersecurityalliance.org/ | Launched: Feb 14, 2024
Season 1, Episode 4
In this episode of OCA Community Connect, our host Roseann Guttierrez sits down with Xiaokui Shu, a senior research scientist from IBM and chair of the OCA technical steering committee, to delve into the world of cybersecurity and the Kestrel subproject. Xiaokui provides an insightful overview of Kestrel as a threat hunting language aimed at streamlining the process of identifying and addressing potential security threats. He shares the project's fascinating journey, from its inception in a DARPA program to its evolution into an open-source initiative at IBM. Xiaokui also sheds light on the challenges the Kestrel project currently faces and offers listeners the opportunity to join the conversation through the OCA Slack Space and the dedicated Kestrel channel. Whether you're a cybersecurity enthusiast or simply curious about the cutting-edge developments in threat detection, this episode provides an engaging look at the Kestrel project and how you can be a part of its ongoing growth and innovation.
Reference Links:
Open Cybersecurity Alliance (OCA) website:
https://opencybersecurityalliance.org/
Open Cybersecurity Alliance (OCA) GitHub
https://github.com/opencybersecurityalliance
Open Cybersecurity Alliance (OCA) YouTube
https://www.youtube.com/channel/UCjTpPl2oEGH_Ws251m827Cg
Xiaokui Shu et al., "Threat Intelligence Computing," CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, October 2018, pages 1883–1898.
https://doi.org/10.1145/3243734.3243829
Share Your Ideas & Guest Suggestions!
Got a topic or an expert in mind for "OCA Community Connect"? We’re always on the lookout for fresh insights and voices in cybersecurity and open-source innovation.
How to Contribute:
Topics: Tell us what you’re curious about in the cybersecurity world.
Guests: Know someone who’d be a great interview? We’d love to hear about them.
Reach Out: Drop us an email or message us on social media. Your suggestions help shape our show, and we can’t wait to hear from you!
Roseann Guttierrez [00:00:00]:
Our featured guest, Xiaokui Shu, is a senior research scientist from IBM. He is one of our OCA technical steering committee chairs, and he will also be talking to us today about the Kestrel subproject. So, Xiaokui, have I missed anything as far as your intro?
Xiaokui Shu [00:00:17]:
It's really nice. You did not miss anything.
Roseann Guttierrez [00:00:20]:
Okay. I just want to make sure. Well, welcome. Thank you very much for being here today. My first question for you is, basically, give me an elevator pitch on what Kestrel is.
Xiaokui Shu [00:00:31]:
Kestrel is a threat hunting language that we invented to accelerate the hunting process for threat hunters. That's the main goal of Kestrel. Yeah.
Roseann Guttierrez [00:00:48]:
Alright. Alright, and what makes the subproject important to you?
Xiaokui Shu [00:00:54]:
This is a really exciting project. Actually, we started planning for it maybe 6 years ago, when we were in a DARPA program called Transparent Computing. In that program, DARPA tried to set up an environment to collect as much data as possible. So that's really big-data security, much bigger data than what we currently have in commercial systems. And we were given the task: what can we do with such a big amount of data? Can we do better detection? Can we do better attribution of attacks? Can we do better mitigation? Can we do better even at recovering from things? So at that time, given the large amount of data we could play with, we invented something called τ-calculus. It's another language, which is kind of the essence of the graph computation that Kestrel takes.
Xiaokui Shu [00:01:53]:
So we invented the language and a paradigm of detection that uses graph computation to do cybersecurity. That was the first time we introduced it to society, and we published a top-tier conference paper on this to introduce the idea of how people can use a form of graph computation to achieve their cybersecurity goals, such as doing threat detection and things. As I mentioned, we did a language at the time to prototype the idea, to make it into something actionable. So the language was called τ-calculus, and that was a big success in the DARPA program. And we were leading the scoreboard on detection all the time, throughout the years. So we were very excited during the 4 years of the program. And then after the program, we thought, why not put something on the open source side so that the entire world can benefit from what we invented? So
Roseann Guttierrez [00:03:06]:
Right.
Xiaokui Shu [00:03:05]:
That's where we started. So IBM Research started to reach out to IBM Security to connect to real-world infrastructure, applications, and datasets, and to work out how we could consume everything. And we started to design Kestrel at the time. So it's a little bit of a long story, but it's a very exciting thing that started many years ago, 6 years ago, 6 or 7.
Roseann Guttierrez [00:03:34]:
Yeah. I had no idea of that background, so that's awesome. Where do you think the Kestrel project needs assistance? Where do you think it needs help?
Xiaokui Shu [00:03:43]:
Yeah. We need help everywhere. So this is a very, very young project. Kestrel was announced 2 years ago at the RSA Conference, and 2 years is a fairly short amount of time for an open source project. We are struggling with putting things into formal ways, such as having formal unit tests for the project and very formal documentation so that it is easy for people to consume, making videos and labs for people to play with it, and also trying to bump up the quality of the code while we try to formalize things. The basic idea, the fundamental idea, is there, but there are so many things that we need to work out over the years to get it more easily consumed by people, and we still need a lot of help on the code side, on the documentation side, on the use case side. Now, after about 2 years' time, we are very lucky that we get a lot of traction and interest, and people are trying to use this in their real-world daily job of the hunt.
Xiaokui Shu [00:04:59]:
And we were getting feedback from a lot of hunters and also getting feedback from the development team or deployment team about what type of thing we may help them with to better deploy Kestrel for large, kind of, EDUs. But we see a kind of lack of things like some of the front end development, some of the back end improvement and things. Lots of things that we need help with, yes.
Roseann Guttierrez [00:05:27]:
Okay. Alright. And last question: when are your meetings? So people know when they can jump in and talk to y'all.
Xiaokui Shu [00:05:35]:
Okay. So, for Kestrel, currently we do not have a periodic meeting that we set aside time for, because we found we already have so many meetings for people. So usually we encourage people to join the Slack channel, chat there with their questions, and schedule meetings when there is a need. So when we have a topic that several people are interested in, we will schedule a meeting for that, more like a discussion or a temporary meeting for that topic. And when the topic gets more formalized, and we want to keep development and maybe some other things going around it, we put it into more periodic meetings. I'll give you some examples.
Xiaokui Shu [00:06:25]:
In the last couple of months, we have had meetings with people from the OpenC2 community to co-develop the OpenC2 actuator profile for hunting, which is actually what Kestrel supports. And also, we have had meetings with students from different universities to give them guidelines on how they can contribute to the Kestrel project and give them some technical help when the students started, as they may not have a strong cybersecurity background. And we also have had meetings with senior students and graduate students in universities to give them ideas about the general background of Kestrel and its connection to different projects, so that we can do research on the academic side about different hunting strategies and hunting paradigms, try to connect different projects, and also do evaluations on different things. So once things get, kind of, stretched, for example the first one, the OpenC2 and Kestrel meetings, we set up a biweekly periodic meeting for that. So that turns into a very formal meeting after the
Roseann Guttierrez [00:07:38]:
Right.
Xiaokui Shu [00:07:38]:
first few touches. We are doing subclassification of the standards as well as the prototyping, so that we are targeting a show in one of the OCA subprojects in June this year. A lot of exciting things are happening, and if someone is interested in Kestrel and wants to chat more about it or ask questions, the first stop, I will say, is to go to the Slack channel, the OCA Slack Space, where there is a Kestrel channel. You can ask questions, and when we gather interest around a topic, we will create meetings for that. That's the current flow we have.
Roseann Guttierrez [00:08:19]:
Great. That's great. Well, thank you so much. I really appreciate your time today and for coming in and answering all of our questions. Thank you for being here.
Xiaokui Shu [00:08:28]:
Thank you.