The WitFoo Project was formed by a dozen volunteers in late 2015 who had become fed up with systemic failure in Information Security Operations. Since then we have spent more than 10,000 labor hours running experiments and building prototypes (see Origin of WitFoo for more on the history). Along the way we developed the Precinct Suite of tools. Based on our lessons (to date) we’ve created nine disciplines under three top-level categories that drive our research and development.
One of the things that bothers us so severely is the complexity of Security Operations. We fundamentally believe that the complexity is not a necessity but is instead a symptom of immaturity. In addressing simplicity, we research and monitor three disciplines: organic collection, intuitive use and resilience.
Many problems in metering InfoSec are based on failure to collect key business metrics (see Metering Incident Response 101). Some Incident Response Platforms (IRP) and Ticketing Systems (ERP) provide methods for logging key metrics, but they require responders to purposely log the information. We believe the tools we build should organically collect and report on these actions without the user having to take on extra tasking to do so.
Every software vendor wants to make an easy-to-use interface. We are no exception. In addition to user interviews, we use organic collection to observe behaviors. One of our WitFookin has a strong background in e-Commerce systems, and we have borrowed from those models in pragmatically determining how intuitive an interface and workflow are.
Information Security systems are so complicated that one of our partners explained to me that many analytics tools require a 20% additional investment in professional services to operationalize the software. WitFoo rates our tools on how quickly they start working out of the box. Then we try to break it. We run all of our code through static code analysis, penetration tests, load testing and live beta tests on some of the wildest networks on the planet. Tools should relieve burdens, not create new ones.
In observing what is broken in InfoSec, we quickly found situational awareness to be a core problem. There are tons of facts and not enough evolved data. The “Wit” of WitFoo is “keenness of mind,” or giving the right information at the right time in the right way. We measure our effectiveness in Wit by focusing on the disciplines of data evolution, prioritization and translation.
Evolving data was the first focus area for WitFoo. We quickly recognized that the reports vendor tools deliver are not what the analyst needs. The core deficiency wasn’t the UI but the underlying data: it was too simple and un-evolved. In my installment, Evolving Data, I cover some high-level concepts. We’re endeavoring to move from events/facts all the way to sprees/campaigns. We need to filter, vet and connect facts into objects that are meaningful at the business level and not just the technical level. We believe responders should be able to respond to every incident; we hate triage. To accomplish that, we must evolve data.
Once we evolve data to the Incident level, we need to bring the most critical and important incidents to the top of the stack. We accomplish this by studying the best minds in incident response. We gather information on what makes something more or less suspicious. We build what we call “labs” to apply human logic to incidents and prioritize them based upon our synthesized suspicion.
Many vendors are focused on studying data. We believe it is much more important to study the humans. As the investigator works, we need to learn what makes him/her tick. We need to capture tribal knowledge and use that to fuel evolution and prioritization. The collective wisdom & intelligence of InfoSec lies largely undocumented. We aim to collect & harness it.
Having the right information is important but it needs to be converted into action to make an impact. The “Foo” of WitFoo is “skillful execution.” In building successful Foo, we focus on the disciplines of orchestration, explanation and integration. Our goal with Foo is to give responders what they need to resolve all incidents in under 60 seconds.
Giving investigators a playbook or checklist is an ineffective (and lame) way of getting them through an investigation. In interviewing Detective Ritch, we found that while investigations use many of the same approaches, each one is unique. We need to provide the right action buttons and options to the investigator at the right time. The investigator needs the flexibility to cover all bases, a feedback mechanism and help when they get stuck.
When an investigator is working through the data, it needs to be clear what the context of the information is. We need to arm them with the context of a piece of evidence and how it might fit into the investigation. It needs to be simple and clear.
Over the course of an investigation, several types of facts have to be examined: network packets, system logs, files and users. These data sources lie in different domains in different tools. To make our InfoSec professionals successful, we need to find a way to fetch and display that diverse data when it’s needed, in the way they need it.
Building tools, training and data that allow InfoSec professionals to win the endless battles of cyber crime and warfare requires WitFoo to be disciplined and regimented in research and development. These nine disciplines assist us in evaluating our progress in helping responders in their efforts to make the world safer.