Posted on November 15, 2018
Featuring Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense
This year at CB Connect 2018, we had our first-ever Developer Day to recognize our vibrant partner and developer ecosystem. We had an amazing group of 100 developers attend, culminating in a hackathon. Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense, was an attendee and speaker at Developer Day and submitted his own project, cbinterface, to the hackathon. With the help of the CB Connect attendees, Sean’s submission was voted as the best project of the hackathon.
Read more below about Sean’s project cbinterface and how Carbon Black has increased efficiency for the Integral team.
1. Tell me about your career path and how you ended up at Integral Defense
I first started out as a college student doing a co-op for the networking engineering team at Ashland Inc. From there I got hired on and ultimately became the Lead Network Security Engineer at Ashland, which happened to be the parent company of Valvoline. In 2016 there was a job opening on Valvoline’s cybersecurity team and I took it, moving to incident response from there. And now 2.5 years later I’m a Senior Information Analyst that gets to touch and focus on many different aspects of our operation. Additionally, we’ve recently been able to open-source all of our tools under Integral Defense LLC, which is owned by Valvoline.
2. Tell me about Integral’s process for choosing Carbon Black – how did we stand out among the competition?
Our team tried different products and Carbon Black was the only one that met our requirements at the time. In the end, it came down to a few key factors. API access was crucial, not only for the data that Carbon Black collects, but also for live response automation. The ability to search complex ancestry, but then to also create watchlists with those same queries was a critical factor. Lastly, the ability to send a configurable subset of data to our log aggregation system was vital in being able to incorporate Carbon Black into our existing security ecosystem.
3. What prompted you to create cbinterface?
I always want to streamline and make things easier by automating as many manual things as possible. The short answer is I was prompted to create cbinterface to save time. Cbinterface is a command-line tool for interfacing with multiple Carbon Black Response environments to perform analysis and live response functions. The team that I work on heavily utilizes the command line. So being able to access Carbon Black response data really quickly, on the command line, is powerful for us. We have multiple environments, so cbinterface allows you to query in one place, and then look in both environments to pull whatever process data you want. If there’s something specific you want to look for, such as a file modification, you can just print out all filemods in a process tree and grep to find what you need. Same goes for all other event types. This quick access to the process data has proven to expedite a lot of our analysis and incident response process work. Then you couple that with cbinterface’s artifact collection and script-like remediations, and it has become an essential tool for us.
4. How does cbinterface make your workflow more efficient and/or save you time?
There was one instance that comes to mind; we were seeing a lot of Kovter infections in India and South America, where we had unreliable network connections. Traditionally, we relied on a collection of artifacts from endpoints for Incident Response, but because of bad network connections these collections could be problematic. Moreover, before cbinterface’s quick remediation capabilities, remediating infections like Kovter, with watchdog processes and multiple forms of persistence, proved tricky. We couldn’t kill the watchdog processes and delete the persistence fast enough to successfully remediate the infection, especially remotely. Usually we had to issue a ticket for the PC to be completely reimaged and the user wouldn’t have a PC during that time. It would take days or weeks for a PC to get reimaged at these remote locations and one time I remember it took about 30 days. After the development of cbinterface, we were able to quickly digest the CB response data to understand what happened, and then remediate similar infections in record time. We can now move from initial detection to completely remediated in a few hours, and that is when we’re taking our time to learn as much as we can. Now we can respond to incidents with minimal disruption to the business and what used to take hours can now take minutes, and even seconds.
5. In your opinion, how does the Carbon Black API compare with other security tools you’ve used?
Prior to Carbon Black I had a particularly bad experience with a popular vulnerability management solution’s API. We were attempting to take advantage of that platform’s data to provide additional context to analysts, but we gave up as we found the effort to fight their API wasn’t worth the end goal.
But with Carbon Black the documentation around Carbon Black’s APIs is top-notch and the ability given through those APIs to access all of a sensor’s data is outstanding. There are not many vendors that flat out let you access all of their raw data, and even fewer that make that access so easy.
6. Do you consider yourself a developer? Why or why not?
We have a small team of seven and we pride ourselves on cross-training and being able to fill in when someone’s not available. I do a little bit of everything from alert triage, incident response, threat hunting, malware analysis, and development. Most of my experience is in incident response, threat hunting, and development. One thing I really enjoy is studying new exploit methods and then creating new hunts or detections for us, specifically around endpoint behavior.
7. What was your overall takeaway from CB Connect 2018?
CB Connect was one of the most valuable conferences I’ve been to. I really got a lot out of it, specifically Developer Day. All of the presenters and the content that was presented in front of me were really impressive. I was just taking notes the whole time and had a big list of items and ideas that I wanted to take back and experiment with to improve our capabilities and see what can apply to our situation. When we first got Carbon Black, we were not very impressed with the watchlist feeds that we got. But after going to CB Connect and seeing some of the watchlists that the Carbon Black threat hunters are now developing, I was like, oh wow, I definitely want to pull these in and take another look at them because they’re doing some cool stuff.
8. How have your learnings from the greater security community influenced your security practice?
I am a learner who just jumps in – I like to learn as I go. That’s with almost everything I do, and it was the same for my understanding of the “big picture” in security. I had to get involved in all of the different areas of my team’s operation, but I also had to get out to some conferences and training courses to see how other teams are implementing security. It’s been valuable to hear other people’s take on the cybersecurity process and how to do cybersecurity. It’s also interesting to be able to compare and contrast with other mature teams. One thing is for sure, in the last two years it’s impressive how fast some concepts have hit the mainstream and been adapted. So, I’ve learned a lot from my exposure in the community and hopefully I’ve helped some others learn as well. Mostly, I’ve learned that I was lucky to come onboard with a highly mature, capable, and experienced team from the onset of my career in security.
9. What’s one piece of advice you would want to share with someone trying to start a career in cybersecurity?
Don’t settle. Don’t settle with getting comfortable in just one particular area of the whole process. Continue to try and learn from the people who have more experience than you, and try to push your own boundaries and limits. The people who really excel in cybersecurity are the people that have a continuously curious mindset and always want to understand the next thing.
Want to read more about cbinterface? Check out Integral Defense’s GitHub page.