Open XDR Architecture (OXA) - July 2023
OCA Community Connect
Roseann Guttierrez
https://opencybersecurityalliance.org/ | Launched: Feb 14, 2024 | Season: 1 Episode: 6
In this episode of OCA Community Connect, we delve into the world of Open XDR Architecture (OXA) with our guest, David Bizeul, the co-founder and chief scientific officer of Sequoia IO. David provides an in-depth look at OXA, its significance, and the impact it has on the cybersecurity community. He emphasizes the importance of preserving expert resources, placing technology ownership on vendors, and raising the bar against attacks using CTI dissemination. Join us as we explore the potential of Open XDR Architecture and how the community's involvement is crucial for its success. Listen in for an engaging discussion and the various opportunities for participation and contribution.
*** NOTE: This episode had slides related to the discussion that can be found on this link ***
Reference Links:
Open Cybersecurity Alliance (OCA) website:
https://opencybersecurityalliance.org/
Open Cybersecurity Alliance (OCA) GitHub
https://github.com/opencybersecurityalliance
Open Cybersecurity Alliance (OCA) YouTube
https://www.youtube.com/channel/UCjTpPl2oEGH_Ws251m827Cg
Share Your Ideas & Guest Suggestions!
Got a topic or an expert in mind for "OCA Community Connect"? We’re always on the lookout for fresh insights and voices in cybersecurity and open-source innovation.
How to Contribute:
Topics: Tell us what you’re curious about in the cybersecurity world.
Guests: Know someone who’d be a great interview? We’d love to hear about them.
Reach Out: Drop us an email or message us on social media. Your suggestions help shape our show, and we can’t wait to hear from you!
Roseann Guttierrez [00:00:00]:
Our guest is David Bizeul. I hope I said that correctly. He is the co-founder and chief scientific officer of Sequoia IO. He actually is here representing our Open XDR Architecture, or OXA, sub-project; I believe that's how we're saying it. David, you wanna say hi?
David Bizeul [00:00:19]:
Yeah. Hi, everyone. It's a pleasure to be with you today.
Roseann Guttierrez [00:00:22]:
Thank you. I'm so excited to talk to you. I know that this is a new project, and so lots of good stuff is happening. You wanna give me your elevator pitch for what Open XDR Architecture is?
David Bizeul [00:00:35]:
What you need to know is that, in Sequoia, we provide a sub platform. That means we provide a solution that can be used to upgrade the SOC, whether it is in a large company or an MSSP. The OXA project is rough. In Sequoia, we have a long history of working with the community. That's why we had in mind, we imagined, let's say, to have this initiative hosted in the OCA, in order to make something global and to make an initiative that could be shared, and also brainstormed, by the industry. When I looked at the OCA line, "making standards-based interoperable cybersecurity a reality", I really thought that it would also make sense for this OXA sub-project.
Roseann Guttierrez [00:01:24]:
Awesome.
David Bizeul [00:01:25]:
So Open XDR Architecture, basically: you might know what our current environment in IT technology is. We have a lot of assets on the left part of the slide, so that means computers, that means physical assets, that means virtual assets, etcetera. These assets are managed or observed by a lot of technologies. Some of them are security technologies, and these security technologies can generate data, alerts, events, etcetera. And these alerts must, let's say, be consumed, handled by either a specific correlation solution or even people that will need, let's say, to deal with that and to interpret this data into something that makes sense. When XDR, extended detection and response, arrived on the market, this was several years ago, the approach was really to make something easier for the community.
David Bizeul [00:02:23]:
That means to have something that can interpret data globally, whether it comes, let's say, from an endpoint or from a network technology or network source, or even a cloud-based solution. All these kinds of assets should be interpreted in the XDR platform. And the XDR is supposed to be able to speak with these technologies in order to provide answers, in order to provide orders, to execute some actions and to execute some responses into the corporate environment of a specific customer. And another part of the XDR is also, let's say, to change the approach. Previously, SIEM used, let's say, to create scenarios to detect what were supposed to be the risks in a company. XDR changed that, in order to detect threats, and to detect what is really known, what is really sure today to be defined as a threat. And maybe the last point and the last premise of the XDR was to provide high-value-added tasks to the users, to the customers. The point is, what are these high-value-added tasks? And on these 3 highlighted blocks, global response, CTI, and high-value tasks, I think today we do not have a correct, a great solution. Wherever you look on the market, whatever the solution is, you have none of them which can provide all of this kind of, let's say, correct solution. If you think about what could be the solution on these different highlighted blocks, we can think about what we have today in terms of standards, in terms of specific norms that could be used, let's say, to leverage part of the problem. For the ingestion aspect, we have different solutions such as ECS and OCSF that exist and that can help, let's say, to standardize what the product can generate as data, data formats to be understood as a single, as something that can be interpreted by a central point.
David Bizeul [00:04:36]:
The same way, we can automate, let's say, specific orders using OpenC2. OpenC2 could be used, let's say, to transform generic orders into specific actions that can be done on a specific technology. In terms of CTI, we all know about STIX, which tends to be mainstream today on that street. But STIX might not be used enough in our technology community and should be disseminated more, let's say, from the STIX sources that already do that, down, let's say, to each specific technology that is involved in the production of the customer environment. And the last point is about orchestration. And today, we have a lot of things that tend to be real, using CACAO playbooks. And I'm sure that, by federating the community, we could create a very collective and interesting repository of what the best practices are in terms of security strategies, to be handled and distributed into a specific, let's say, piloting tower, in order to orchestrate what would be the best practices for your security. A global API would also make sense, in order to provide registration and commands to the different technologies, in order to claim, okay, I'm here, I'm the new technology installed in this customer environment.
David Bizeul [00:06:08]:
I can do this kind of thing and dip at this kind of thing, so I can consume this kind of event or this specific part of your CTI. When you mix all these different things together, it leads to what is the proposal of this Open XDR Architecture sub-project. It's a stack of 4 different blocks. The point is to improve inbound and outbound interoperability, to create, let's say, an open API that will make sense, let's say, to create basic interaction between technologies and a central point, and to provide a way to disseminate threat intel directly to the machine, I mean, to the security technologies installed in a customer environment.
Roseann Guttierrez [00:06:59]:
Based on everything you've been telling us, why is this project important to you?
David Bizeul [00:06:07]:
I can see 3 reasons for that. The first one is that I really believe that expert resources should be preserved. I want to avoid resource exhaustion, and expert time should be preserved, and developer time, technical developer time, should be preserved too. Today, in our environment, you need to do integration in every technology, and each solution has to do the integration with the rest of the world. This is real nonsense. The goal of the OXA sub-project is to create a repository in order to, let's say, create a global mapping: you decide, you say what you do in terms of your specificities as a technology vendor, and you map it with something that can then be absorbed by other technology vendors. This way, the job is only done once instead of being done multiple times by everyone. This is the first part of the answer.
David Bizeul [00:08:10]:
The second one would be, let's say, to place the technology ownership on the vendor side. Today, we have very interesting startups which can do a great job, but until they are integrated into major vendors, major, let's say, XDR solutions, it won't be possible, let's say, for users to use them correctly until they are correctly integrated. What I want to do this way is that you place the technology ownership on the vendor side. They will create their own mapping. And this way, as soon as they are plugged into the environment, the customer can leverage the set of features that are available in this technology. And the last point is really probably the most important: to raise the bar against attacks using CTI dissemination. If we allow the possibility, let's say, to translate what is generally managed by a security team having access to CTI down, let's say, to the security products installed in the customer environment, you allow these security products, let's say, to detect better and faster the specific threats they could have to deal with, and then to provide feedback, let's say, to the observation point, the XDR platform, to say, okay, I have seen this in my environment, and this should be investigated.
David Bizeul [00:09:43]:
So these are the 3 aspects: resource exhaustion, technology ownership, and to elevate the protection on the customer side.
Roseann Guttierrez [00:09:51]:
Nice. Yeah. All very important points, because I know, when I was on a SOC, you don't wanna spend your time creating integrations. Right? You wanna do the work; that's why you're there. So, yeah, makes sense. So, like I said, I know this is a new project for you. Where can you... it's probably a loaded question. Where can you use help?
David Bizeul [00:10:09]:
Mm-mm.
Roseann Guttierrez [00:10:11]:
Yes.
David Bizeul [00:09:42]:
Well, at the end, the project will be a success if it's used by security vendors. If I make a parallel, you all remember Neo learning how to pilot a helicopter in The Matrix. What I would love is, let's say, for the security industry to do the same, to have the ability to do the same. That means, with a simple command such as "pip install OXA integration product XYZ", you get the knowledge, let's say, to speak and to interact with this project XYZ. This is exactly the same. With just a simple, single repository, you get access to the ability to interact with one security product that is defined. Doing so, you can understand what this security product can tell you, whether it is, I don't know, something that provides information on endpoints, so you will get the knowledge about what's going on on the file system, or if it's another product working on, let's say, network communication.
David Bizeul [00:11:23]:
You get the knowledge about specific details on the network traffic, what has been, let's say, analyzed by the network analyzer, whatever you want. But the goal is to understand it as a single language and, in the same way, to have the ability to speak with generic orders to these security technologies. So this is really the same parallel that Neo did in The Matrix with the way to learn how to pilot a helicopter. Before reaching this step, we will need help. When the project is up and ready, of course, we will wait for your contribution. That means technical developments, brainstorming ideas. So we will organize regular meetings, and the goal will be to share ideas, to propose things, to discuss together, and also to ask questions, if you observe something that seems to be a weird direction the project is taking. Another interesting part could probably be the proposal of playbooks, if your organization has some.
David Bizeul [00:12:38]:
I spoke about the way, let's say, to create a collaborative repository of playbooks. This could make a lot of sense for the security industry. So if you're involved in playbook creation, it would be very interesting to have you in this OXA sub-project. So this is where I can think the help of the community would make sense.
Roseann Guttierrez [00:13:03]:
Wonderful, and I love it. You get bonus points for having a Matrix reference because that's, you know