Bio

CHARLES HERRING

WitFoo Chief Technology Officer

Charles’ dedication to maturing the craft of InfoSec is built on a diverse career path across the industry. He started his career in InfoSec in the US Navy in 2002, serving as the Network Security Officer at the US Naval Postgraduate School. After leaving active duty, he was a contributing product reviewer for InfoWorld magazine, focusing on network security products. Charles spent 7 years running Herring Consulting, a company dedicated to process orchestration, data sharing, and marketing. In 2012, Charles joined the Lancope team as a pre-sales engineer and was promoted to Consulting Security Architect and later to Strategic Account Manager following the acquisition of Lancope by Cisco. In 2014, Charles partnered with veterans of the military, law enforcement and cybersecurity to research new approaches to improve the craft of cybersecurity operations. In 2016, that research resulted in the forming of WitFoo. When not working with cybersecurity heroes, Charles enjoys SCUBA diving with his wife, Mai.

1) Flight Deck Information Assurance Auditing

Technical Level: Beginner
Audience: Security Managers/Executives, Auditors

Naval Air Training and Operating Procedures Standardization (NATOPS) is said to be “written in blood.” NATOPS was created in 1961 after nearly 50 years of the US Navy flying aircraft. The extensive system was created to stop the extreme failures that had cost hundreds of lives and billions of dollars.

Between 2015 and 2017, WitFoo researchers worked with organizations from higher education, Fortune 500, healthcare and mid-market to test NATOPS quality assurance (QA) approaches in cyber security and information security auditing.

In this session, the following experiments and findings will be discussed:

  • Defining the correct “unit of work” in security operations (borrowing from Maintenance Action Forms)
  • “Data Evolution” of extremely technical information that can be understood by executives (and Admirals).
  • Ongoing, organic metric collection and analysis in contrast with inspections and audits
  • Separating human audits and architecture audits
  • Improving auditing using NATOPS Readiness Inspections approaches

The session will include data and demonstrations of the findings.

2) Cruising on a Security Data Lake: Solving Big Data Challenges in SECOPS

Technical Level: Advanced
Audience: Data & System Architects, Developers

Researchers at WitFoo, in conjunction with The University of Chicago and representatives from Law Enforcement, US Military and Fortune 500 organizations, conducted more than 2000 controlled experiments on production networks from 2016 through 2018 to establish a Big Data pipeline for use in Cybersecurity Operations. The pipeline allows for the application of investigative workflows and indicators of compromise in near real time, and provides for retrospective analysis of the complete data stack when new insights and indicators are made available.

The first section of the session will evaluate the strengths and limitations of Big Data technologies including Elasticsearch, Splunk, Hadoop, Kafka, MySQL NDB, Cassandra, and NoSQL vs. RDBMS, as well as pipeline philosophies including streaming and batch processing. The second section will outline the specific approaches that are used in the discovered pipeline. Detailed demo and code will be provided to illustrate adaptive and retrospective parsing, event generation and data evolution. The third section will provide a demonstration of the pipeline in use to detect emerging threats and to retrospectively find threats missed historically.

Upon completion of the session, attendees will understand the philosophies, components and steps in creating an effective big data pipeline that addresses the challenges in Cybersecurity Operations.

3) Breaking NBAD and UEBA Detection

Technical Level: Intermediate
Audience: Incident Responders, Penetration Testers

Network Behavior Anomaly Detection (NBAD) and User and Entity Behavior Analytics (UEBA) are heralded as machine-learning-fueled messiahs for finding advanced attacks. The data collection and processing methodologies of these approaches create a series of new exploitable vectors that can allow attackers to navigate networks and systems undetected. In this session, methods for poisoning data, transforming calculations and preventing alerts will be examined. Proof of concept Python code will be demonstrated and made available. Approaches to harden against these attacks will also be discussed, along with an outline of needed changes in detection standards.

4) Metric Driven DEVOPS

Technical Level: Advanced
Audience: Data & System Architects, Developers

Developing software that changes the world, exceeds customer expectations, provides turn-key functionality in diverse scenarios while meeting security and compliance requirements is the holy grail of Security Development Operations (SECDEVOPS). There are thousands of variables that need to be constantly addressed to find the balance that delivers sustainable and secure success. In this session, WitFoo’s chief engineers will outline an innovative approach to secure devops called Metric Driven Development. It will cover the following topics:

  • Creating a metric collection infrastructure to alert on security and functionality deficiencies
  • Utilizing metrics to write optimized unit and system tests
  • The optimal value of code coverage, application pen-testing and static code analysis
  • Integrating metrics into customer support evolutions
  • The place of containerization in SECDEVOPS
  • Build metric driven use cases from hypothesis to pivot

By the conclusion of the session, attendees will have the tools necessary to implement lean and effective development pipelines that deliver secure and useful code in a fraction of the time and at a fraction of the development cost.

Key learning points:

  • Creating a metric collection infrastructure to alert on security and functionality deficiencies
  • Utilizing metrics to write optimized unit and system tests
  • The optimal value of code coverage, application pen-testing and static code analysis

5) Federating Cybersecurity Operations

Technical Level: Beginner
Audience: System Architects, Security Managers, Incident Responders, Underwriters, Auditors

Cybersecurity operations (SECOPS) requires a team possessing a wide range of skills including security frameworks, a long list of security technologies, legal, criminal investigation, forensics and risk management. Most organizations are not able to staff personnel with all those skills at the staffing levels required to address the SECOPS needs of the organization.

Attempts at outsourcing SECOPS to MSSP or other approaches struggle due to factors including risk management, availability of organizational context and diverse security control configurations. Further complicating the sharing of information are the volumes of data processed and regulatory restrictions.

From 2016 to 2020, researchers at WitFoo worked with stakeholders at managed security service providers (MSSP), law enforcement, military, higher education, enterprise and insurance underwriters to develop a SECOPS framework to solve these issues.

In this session, the following topics will be covered:

  • Forensically collecting incident data
  • Creating a standardized unit of work
  • Securely synchronizing data
  • Shipping sanitized data to protect risk concerns
  • Securely executing SOAR playbooks & data searches remotely
  • Sharing workloads between consolidated SOCs and remote SOCs

The following use-cases will be examined:

  • MSSP operations over many tenants
  • Ships at sea federating SOC responsibilities to a Shore SOC
  • Reporting health metrics for cybersecurity insurance underwriting
  • Creating affidavits for submission to Law Enforcement
  • Easing risk during M&A processes

6) Object Oriented SOAR

Technical Level: Intermediate
Audience: Security Managers, Incident Responders, Security Architects

Security Orchestration Automation and Response (SOAR) is a set of features with the intent of reducing security workloads in security operation centers (SOCs). The prevalent approach to SOAR is using low-level playbooks that follow programmatic flowcharts to automatically execute manual workflows when specific message signals or conditions are achieved.

As enterprises have implemented low-level SOAR to create savings, several new challenges have been identified including an unmanageable number of playbooks, unauthorized bypass of institutional change controls, growing staffing requirements and introducing new attack vectors for criminals to exploit.

This session will review research applying approaches from Object Oriented Programming and Big Data pipeline advances to solve the existing SOAR issues while still delivering on the value proposition of SOAR.

The following topics will be covered in the session:

  • Finding the appropriate trigger for SOAR
  • SOAR as part of change controls
  • Different input objects in SOAR
  • Contextualizing SOAR to attack types and business considerations
  • Reducing SOAR Playbook maintenance costs through abstraction and normalization

7) SECOPS driving Criminal Prosecution

Technical Level: Beginner
Audience: Security & Law Enforcement Personnel

At a key point in the history of cybersecurity operations, it was passively decided that SECOPS is an extension of IT OPS. This session will examine the thesis that SECOPS is an extension of the craft of Law Enforcement and the consequences of building SECOPS on IT models (that were derived from manufacturing models).

Since 2016, WitFoo has researched the craft of SECOPS to develop tools and data that can help accelerate maturity of the craft. The session will cover many of the lessons learned and cover the following topics:

  • Why IT is built on Manufacturing craft principles
  • Why SECOPS does support IT craft principles
  • What the roadmap looks like to transition from IT based SECOPS to Law Enforcement
  • The lasting global impact of treating SECOPS as an extension of law enforcement

8) The Seven Unstable Conversations of Cybersecurity

Technical Level: Beginner
Audience: Any Business or Security Personnel

WitFoo was founded in 2016 to develop the tools and data required to mature the craft of cybersecurity operations. The research at WitFoo has focused on seven unstable conversations within each part of the craft. This session will share the findings on each of the 7 conversations and will explore remedies and impacts of them.

  1. Investigators do not understand what their tools are saying
  2. Managers cannot track security practice success
  3. Security practice cannot express value to business
  4. Security vendors cannot be held accountable
  5. Organizations cannot safely share information with each other
  6. Organizations cannot safely report crimes to law enforcement
  7. Law enforcement lacks evidence to prosecute criminals

9) Machine Learning in PsyOps & Social Engineering

Technical Level: Intermediate
Audience: Any Business or Security Personnel

Machine learning (ML) is arguably the most potent advancement in technology since atomic fission with similar benefit and risk extremes. The outcome driven nature of machine learning allows computers to rapidly test theories to find pathways to support specific goals. These approaches applied to social engineering can be used to manipulate human factors for purposes including cybersecurity breach. This session will cover the philosophies, strategies and tactics used to accomplish a successful campaign to recruit human assets to a cause. Factors to mitigate risk in these advanced social engineering attacks will also be examined.
