Cybersecurity Automation Sub Project (CASP) and Village - June 2023

OCA Community Connect

Roseann Guttierrez
https://opencybersecurityalliance.org/ Launched: Feb 14, 2024
Season: 1 Episode: 5

Episode Summary

In this episode of OCA Community Connect, we have the pleasure of welcoming Duncan Sparrell, chief cyber curmudgeon of sFractal Consulting LLC, and OASIS Board member. Duncan gives us a glimpse into the Cybersecurity Automation Sub-Project (CASP) and also shares information on the recent Cybersecurity Automation Village event, providing highlights and detailing the scenarios that were addressed and discussed. He emphasizes the importance of automation in kicking hackers out of systems quickly. The conversation concludes with a discussion on upcoming events, including a meet-up at the Borderless Cyber event in London and a two-day event planned for early 2024.

The next CASP event will be a 2-day Cybersecurity Automation Village in Virginia in April 2024. For more info, see Next Village and participate in the CASP mailing list.


 

Reference Links:

Open Cybersecurity Alliance (OCA) website:
https://opencybersecurityalliance.org/

Open Cybersecurity Alliance (OCA) GitHub
https://github.com/opencybersecurityalliance

Open Cybersecurity Alliance (OCA) YouTube
https://www.youtube.com/channel/UCjTpPl2oEGH_Ws251m827Cg

 


Share Your Ideas & Guest Suggestions!

Got a topic or an expert in mind for "OCA Community Connect"? We’re always on the lookout for fresh insights and voices in cybersecurity and open-source innovation.

How to Contribute:

Topics: Tell us what you’re curious about in the cybersecurity world.
Guests: Know someone who’d be a great interview? We’d love to hear about them.

Reach Out: Drop us an email or message us on social media. Your suggestions help shape our show, and we can’t wait to hear from you!


Roseann Guttierrez [00:00:00]:
Our guest is Duncan Sparrell. He is, I love the title, chief cyber curmudgeon. That's a great title. Of sFractal Consulting LLC. He is an OASIS board member and is also a cochair of the cybersecurity automation subproject. Duncan, welcome. I hope I didn't shortchange you on the intro. Do you have anything you wanna add to that?

Duncan Sparrell [00:00:21]:
Nope. It sounds good. I'm a lot of other things too, but that's what matters to this talk.

Roseann Guttierrez [00:00:26]:
Aren't we all? Alright, mister Duncan. So as I said, welcome. I really appreciate you being here today, giving us a little bit of your time. My first question for you is to give me an elevator pitch on the CASP project.

Duncan Sparrell [00:00:41]:
Alrighty. Well, let me start out with, one of its purposes in life is something called the cybersecurity automation village, which we had one last week. So I'll I'll just give you some context of how CASP works into the bigger OCA and then what it produces as output, which is the Village. You're here at the OCA Connect, so hopefully you already know what OCA is. But just as a reminder to everybody, the Open Cybersecurity Alliance is literally a screenshot right off the home page. It's for building an open ecosystem where cybersecurity products interoperate without the need for customized integration. So that that interoperate is a really key word. And one of the subprojects of the OCA is the CASP subproject or the cybersecurity automation subproject.

Duncan Sparrell [00:01:25]:
So that interoperate, that's part of the bigger OCA picture needs to have things talk to each other. And if they could talk to each other, automatically automagically, then they would be much more efficient. And so why why do we why do we wanna do that? Well, we wanna we wanna sort of get our actual products talking to each other, that's why we hold this thing called the cybersecurity automation village, which is where we get these projects actually interacting. Now why, yes, the elevator pitch, why do we even have this stuff at the first place? Well, we have this large set of acronym soup that we're gonna be talking about and explaining at least some of them. And so one of the reasons is just so everybody knows what the acronyms stand for and everybody knows each other's project. But the real issue is because it it actually saves money. Okay. And the way it saves the end customer money, you apply the sort of risk principles.

Duncan Sparrell [00:02:16]:
Why do we do cybersecurity? I'm big into quantitative risk. This would be a whole talk of its own. But to apply those principles, you need some data and some work done by the Johns Hopkins University Applied Physics Lab. The sort of punch line of this talk from years ago is it's a two order of magnitude sooner you kick the hackers out of your system. So if you do this automation stuff that we'll be talking about, you can kick hackers out of your system in hours instead of weeks. And that's the if you want the sort of one sentence punch word of why do we do this automation? Why do we have this subproject? It's because we want the stuff to interoperate automatically so we can kick hackers out quicker.

Roseann Guttierrez [00:02:56]:
Absolutely. Alright. Well, that leads me to my second question. So why is this important to you?

Duncan Sparrell [00:02:54]:
So I retired about 10 years ago. I retired as AT&T's chief security architect, and I had a fairly big budget. A lot of people reported to me. We did a lot of really important work. We really moved cybersecurity forward a lot, but we were operating in in human speed. And I retired and had a very good career, and and I was bored and needed something to do. So I got very involved in cybersecurity standards and in particular, the standards of cybersecurity automation, because I think they really will make the world a safer place. So it's important to me because I really want this stuff to succeed because the hackers traditionally have been winning, and I want the defenders to win.

Roseann Guttierrez [00:03:40]:
Don't we all? Absolutely. Yes. Alright. Well, like you said, earlier, I know you said that, you had your very 1st CASP workshop. I know you've had workshops in the past, but as as the the subproject. So why don't you tell me a little bit about, you know, highlights for what happened last week?

Duncan Sparrell [00:03:57]:
Alright. Well, you know, as I sort of mentioned, the reason we're doing this is to is to save the end consumer money. And the other reason we have the village is sorta to get the different things to interoperate, and I'll talk a little bit more about that. But, of course, the other reason we get together is so that we can hand out stickers. One important really important aspect of the of the meeting was that we, we did actually have cybersecurity automation villages stickers, and, of course, we had Open Cybersecurity Alliance stickers. But we had, basically, a 4 hours. It was out at the University of Southern California. We started at 10:30 in the morning, ended up at 4 PM, eastern or, I'm sorry, Pacific.

Duncan Sparrell [00:04:35]:
And it was, you know, streamed, so it went around the world, and we had people from around the world there. We had people, I think, from 4 continents. We have about 40 people overall, about 15 and 15 to 20 of them in the room. We covered a lot of the alphabet soup that we'll we'll talk about. Again, the main purpose was to get these various projects interoperating with each other, and we got a lot of them to do that. I can go into it, in sort of a whole lot more detail, but the sort of really big picture was we we want to try and tie this together from sort of the end enterprise viewpoint. What what's the value to them? The value to them is to save money on actual real life use cases. So we created this use case.

Duncan Sparrell [00:05:18]:
Some people give us grief for the word use case; maybe scenario would be a better word because once you get into the details, it's a use case, but it's a very big picture. It's more of the common English, a case where you use this stuff, and the one that we picked was a made up one that we made called the witchy watchee ransomware. So so, we broke it down into a, a 6 day, on 6 different days, 6 things happened related to this new invented, fake ransomware we did. And we played around, and some of this is funny and and meant to be you know, sort of bring a smile to people's face on, like, Murphy's Law. The law firm's name is Murphy's Law, stuff like that, but, the and the the funny US government agency we made up was the NSA, ANSA. But but real important thing is it's actually pretty serious stuff, and and so we we, but we got together, and we had a good time doing it. But the, the 6 days start out with basically a zero day ransomware attack on a law firm.

Duncan Sparrell [00:06:17]:
They move on through sort of the the day 2 where somebody else gets attacked but takes advantage of the learnings from the 1st day. Day 3, where you sort of do some preventative action, prevent yourself from even getting hacked in the 1st place. Day 4, government agencies have some certain rules they have to follow, like comply to connect, and it sort of works into that. Day 5, we go out and arrest all the the hackers involved. And day 6, we can neither confirm or deny whether the US and allied partners go in and remove foreign nation state assets involved in the in the attack. And that's again, just sort of, we we try and be a little bit funny while we do it, but we actually took a very lot of actual, looking sort of process the the details of day 1. I'm not gonna read through all this, but the, the actual way we did it when we met last week was we we actually worked out real life scenarios where all those different, open, technologies were used and interactions and actual real life data was was passed in some of those, sort of down at the bottom, the little symbols there, the gears, the human, and the hand are, some of it was done with actual machine to machine APIs and real life data. Some of it was done with human to machine interactions.

Duncan Sparrell [00:07:32]:
Again, we wanna automate, so we want this stuff to be at speed, so we prefer the human to be on the loop as opposed to in the loop, but sometimes they have to be in the loop. And then because not everything always works and because we're not, know, perfect and have everything as much as we'd like. There's a certain amount of hand waving involved, and we got into the details of that. We sort of work through each day in which technologies went through each, worked in these various things. Sometimes more hand waving was involved than others. And then the sort of summary was that we had an awful lot of technologies that actually talked a lot, to each other with actual machine to machine interfaces, sometimes with human to machine interfaces, and sometimes with hand waving. We had a lot of companies involved, but actual companies who brought what we call sweat equity to the table and had their stuff talk to other stuff is that sort of a string across the bottom. So, overall, a very successful event.

Duncan Sparrell [00:08:19]:
That's sort of the the very high level summary.

Roseann Guttierrez [00:08:23]:
That's awesome. So how often do you plan on, having your meetings?

Roseann Guttierrez [00:08:28]:
Do you already have a set schedule for your meetings?

Duncan Sparrell [00:07:31]:
So, again, distinguishing between CASP, which is the group of people trying to make all this stuff work, and The Village, which is where we have a wider event, invite outsiders to come watch us, and hopefully get even more people involved. CASP meets twice a month. We meet at 11 AM on the first I keep my day straight up here. Monday of the month and 4 PM EST on 3rd. And the reason we do that time time switches because we do have people from all around the world, like that very first company mentioned on the slide here, Sidearm. We actually had someone physically present, but they literally flew from Australia to California to to to attend our meeting in person for last week, but we have our weekly meetings for people in Australia. 11 AM is an absolutely horrible time, just like 4 PM is an absolutely horrible time for people in Europe. So we sort of Right.

Duncan Sparrell [00:09:20]:
You know, move the times around to share everybody. But that's the the meetings. The villages, we've been traditionally holding about once a year. We probably like to do it twice a year. The next one we have planned is not an actual full village. It's just sort of a quick get together and meet up as part of Borderless Cyber, which will be occurring in September in London, and the next big actual village as opposed to the sort of half day event we had. We're planning a two day event in the Q1 of next year. We're still working with the host to get permission to say where it'll be, but it'll most likely be at a at a site in either Washington DC or New Jersey that the host is still working out.

Duncan Sparrell [00:10:01]:
And the dates are we're still working out, but sometime probably later in the first quarter.
