00:00:00:09 Yeah. Hey, everybody. I'm Mats Nahlinder, CEO and co-founder of Sunstone Secure. I'm joined by Robert Ficcaglia, CTO and co-founder of Sunstone Secure. And we're going to talk about how agencies can use OSCAL to fast-track purchasing. And thank you, Michaela, for letting us talk here today and present some of these ideas. The examples and ideas in this presentation are focused on FedRAMP, because that's really where most of our work has been done and where a lot of the OSCAL work has focused. But the ideas apply just as well to other domains and frameworks. For example, the new FISMA process that Katie Arrington, DoD, or the CIO for the DoD, said to blow up the RMF framework and replace it with a more compliance-focused and real-time cyber posture initiative. Should work fine in that area as well. So a bit about me. I come from an engineering and business background, and one of the most helpful marketing concepts I've leaned on over the years is the difference between product-centric and customer-centric thinking. In a product-centric organization, you focus on selling what you build, but in a customer-centric organization, you focus on understanding what the customer needs and delivering that. Right now, when I look at how OSCAL is positioned in the market, it feels very product-centric.
00:01:21:05 A lot of vendors, including Sunstone, with our technology being an OSCAL-native product, have developed powerful tools using OSCAL. But the adoption hasn't moved very far up the value chain from tools vendors and also the CSPs who'd be using them. Some 3PAOs are experimenting with it, but most aren't, and none of the agencies that Sunstone works with are ready to fully accept OSCAL. On top of that, FedRAMP even removed the OSCAL mandate. So that really got us thinking about what real value OSCAL brings to agencies, and how could that value actually drive adoption from the CSPs and the 3PAOs, and not the other way around. So let's talk about what agencies and clients are up against when they're trying to procure a new system.
00:02:07:20 So at the Sunstone-OSCAL Plug Fest this past May, someone from Amazon mentioned how hard it is to evaluate the actual quality and efficiency of a vendor. For example, being a SOC 2 certified product doesn't tell you much about how well the controls actually are implemented. With FedRAMP 20x, there's no conversation about letting CSPs demonstrate compliance more flexibly, not just assigning a fixed level like low, moderate, or high, but mapping to risk in a more tailored way. And also, having sold systems for years, I've seen situations where the suppliers promise before the deal is signed, only for the real product maturity to show up well after the signature on the deal, and too late to reverse the course of the deal. This creates huge risk for the agencies and the buyers. I think all of us have heard harsh examples where the CSP, the cloud service provider, signed a contract and a couple of years later they still have been able to become ATO and certified and the system being deployed. So here's some value agencies can get from actually using OSCAL in this process. Risk-based posture definitions: it can customize the compliance to your actual risk profile. Vendor risk steering: group vendors by actual risk exposure. So you look at their risk exposure, and then you can rank and stack the vendors from that perspective.
00:03:31:24 Supplier efficiency evaluation: rank the vendors based on measurable effectiveness. Pre-contract clarity: know the system security posture before you sign any other contracts. Bridging sourcing and onboarding: reuse the proposal-stage work to streamline onboarding. That's basically do all of the work to become compliant and see how the system runs before you sign, and then you basically are ready for the assessment once the signature is done. Traceable risk and control gaps: make better decisions based on clear and traceable evidence. So how would an agency actually use OSCAL to speed up the procurement cycle? First, define your security posture. Next, write the RFP in OSCAL format, including KSIs. These are key security indicators. Then a CSP responds with KSI values and an OSCAL catalog that includes results and evidence. Then the agency would test the model and define the risks. And finally, the agency can make a more informed, risk-based decision. So the agency starts writing an RFP. Begin by defining the level of risk they can accept. That can be done in a number of ways. At Sunstone, we start by defining the critical system resources and layer on a risk model. We usually use the MITRE ATT&CK framework. From there, you determine which controls are needed to manage the risk.
00:05:00:11 These controls are then described in a tailored OSCAL profile catalog, but not how they're actually implemented. That's the CSP's work that they should do. Then you define the metrics you want to track, your KSIs. This will help you measure how well the solution performs against your defined posture. Now, from the CSP side, when responding to this RFP, provide the KSI values to show how your system actually performs and its maturity from the agency's point of view, rather than the CSP's, what they want to present, which is usually marketing. Further, then you define how your system implements the OSCAL catalog controls. It doesn't matter how the data is gathered, as long as it's structured and readable to the agency in OSCAL format. That supports the original promise of OSCAL: a common language that makes systems interoperable at the documentation level, no matter how different they are under the hood. At Sunstone, we use Artemis. That's our AI-native digital twin. It collects telemetry and documentation and organizes all that information using an OSCAL-like data schema. And once populated, we build out the digital twin, which in this example we use to respond to the RFP. So here it populates the OSCAL catalog automatically with the actual system implementation and calculates the KSIs directly from that data.
00:06:22:03 And you can also use it for simulating the compliance posture. The digital twin also automatically generates the test control workbook with the tests performed, basically the SAP, and the results of the tests with the underlying evidence, basically the SAR. So at Sunstone, we've used Artemis for our advisory service for about five years, in support of CSPs through their compliance process from start all the way through ATO submission and ConMon. And Artemis, our own system, has been submitted for the FedRAMP ATO, and it's entirely submitted in OSCAL with fully automated testing. So we also use the Artemis digital twin in our service to auto-generate gap analysis. We create the SSPs, procedures and policies in OSCAL and Word automatically. We build out, as was mentioned, the control test workbook with evidence and tests that is used for the internal mock audit. It can also be used by the 3PAO to automate their audit, but we use that for the mock audit to make sure that our clients are ready for the audit. Once you're in the ConMon process, then it automatically generates the POA&Ms and the ConMon reports. With this approach, Sunstone has provided up to 10x efficiency improvements, basically a magnitude of efficiency improvement compared to other processes that are used.
00:07:48:20 And with FedRAMP 20x pushing automation to the 3PAOs as well, we now can see the efficiency gains to get closer to the 20x that was promised. That is 20x faster to ATO, 20 times lower cost, and the reduction of risk. So another way we can use the digital twin, that Robert will demonstrate here shortly, is to have the agencies use the digital twin and have attack scenarios be simulated. Vendor security efficiency can be measured and validated against the risks you identified and defined when you wrote the RFP. So in essence, you can test-drive the system before you buy it. So, to conclude this for the demo, what this will do for the agency is it will streamline vendor selection and approval. It will align procurement with compliance and security and reduce risk, the third-party risk exposure, and ensure that the audit-ready procurement workflow is intact. So with that, Robert, you want to take over and show a little bit of the digital twin and how we can use that?

00:08:57:13 Yes. Okay. And I somehow lost my camera, but I'll try to get that back. Hopefully you are seeing the Artemis profile. Yes. All right. So I'll just jump right into the code so that you can see kind of the basis, but I know there might be some questions about what Mats said. So I'll try to just restate the overall workflow.
00:09:16:12 So the idea here is that we are an agency who is looking for a solution we wanted to deploy in our agency, and we're looking at, you know, CSP cloud vendors who might respond. And we want to be able to take a known catalog. So for example, this is a particular Rev-5 catalog. And we want to tailor that to ask for specific controls based on our assessment objectives. And so, prior to this, we'll have done a little bit of prep work to define what those risks are using MITRE ATT&CK. And then Artemis will generate this profile for you. As Mats mentioned, that's primarily AI-driven. So, well, we do have some snippets of code that anchor the whole process. This profile, for example, was generated through that combination of mostly AI automation combined with bootstrap Artemis code. And so, if we were looking for something FedRAMP-specific, we might use the 20x KSIs. If we're doing our own agency tailoring, we might define our own, and we're just going to keep it simple here for our demo and say, you know, we want a secure supply chain. So we're going to be looking for attacks that could penetrate these potential vendors and then understand the posture they have against those attacks. And so, you know, I won't go through all the different controls that we got selected from the NIST catalog.
00:10:40:09 But the idea being that you're looking for controls that have some protection value against the, you know, MITRE ATT&CK attacks of interest. I will note for the OSCAL schema purists, we always try to validate against the JSON schemas; probably violating it in one respect here. So we're using a measure method, which I don't see here. It should say measure, but like I said, this was automated. So, now that I'm looking at it, I don't actually see the measure, but in our profile we want to distinguish between the kind of interview/test NIST 800-53A method and our own measure, to differentiate it as a KSI. But regardless, that's Murphy's law of demos. I don't see that value here, but that's okay. Take my word for it. That way, in the profile, then permeating through the assessment plan and the assessment result, we can differentiate on that measure assessment method as a KSI. So once we have the profile in hand as an agency, now I'm going to publish my RFP. And that's going to be a combination of either the link to or the raw catalog, and this profile. And I'm going to publish that. Artemis can be any kind of secure package mechanism. Ultimately it could be through a trust center or something like that. And the CSPs who want to respond to that download that.
00:12:02:20 And in their own, either use of Artemis or in their own system, they're going to process that and produce a pro forma component definition model. So these are the components that they're going to deploy to respond to the RFP, and that will be representative of what's in the production environment. And they're going to generate a pro forma assessment plan and assessment results. We're just going to focus on what the agency is seeing today, so we probably won't have time to go through all of that. But ultimately, I'm going to jump over to what the digital twin actually looks like here. So yeah, here we go. We're running in, we have a kind of a Jupyter notebook environment, for those of you familiar. So that's what you're seeing. Fairly minimal user experience, but very powerful for doing code-based analysis with OSCAL and AI. There should be a full-screen mode here. Okay, there we go. Should have prepped this earlier, but there we go. Hopefully that's a little bit easier to see. So what are you seeing here? You're seeing an idealized view of what we call a digital twin, which behind the scenes is a graph database.
00:13:09:00 We support all the major graph vendors; we're not particularly technology-specific. We support property graphs and RDF ontology graphs, for those of you who really know that. But ultimately, at the end of the day, to the agency, all they care is that this is kind of their idealized view of the profile, and the controls that they want to apply, and the MITRE ATT&CK threats they feel are relevant. And the definition of the KSIs is for either detection or protection. We do have KSIs for remediation, but kept it simple for the demo. So that gives them an ability to visualize, which is nice and fun for demos. But really the power comes when you start to analyze the graph and you can look at, you know, what are our key ideas for how this should be defended? So if I know I'm going to deploy this either in my agency's AWS environment, or I'm going to be biased towards CSPs deploying in their own AWS environment, I have kind of a precondition in my analysis of the types of defensive things that are important. And so, you know, I can kind of see the centrality and the importance of some of these Amazon features. And by the way, we love Azure. We love Google Cloud. So nothing in this is tied to a particular cloud. We're running on Amazon today, and we just know that, so we're using that for our demo.
00:14:31:21 But mappings exist in MITRE and others for pretty much any cloud, so you can consider this cloud-agnostic. Similarly, we rely on a couple of different open data projects. So a call-out to MITRE, of course, for providing not only ATT&CK but D3FEND. So some of these relationships come from D3FEND and OWASP and their ontology threat modeling projects. So I just want to respect the open source community, the open data community. And of course we use OSCAL. Participant in CNCF, sorry, OSCAL Compass, part of the CNCF project. So we're contributors and fans as well. So everything, as much as possible, we try to contribute back to open source. Let's see. Let me zoom out. So this is, again, the agency's ideal view of what my protection posture is going to look like after something is deployed. Now let's go ahead and say, okay, as a vendor, I'm going to run through my pro forma package. I'm going to run essentially my component definitions against the profile. So this should be vendor A, so I'm assuming, and there it is. Okay. So this is vendor A, and I am using some of these. The very important thing is that it ingested my profile. Artemis has mapped it into the graph database. And so we can see that I've got a lot of controls that I have to respond to and assess.
00:15:54:06 And I'm aware of all the definitions of the KSIs and the threats that the agency is interested in. So now I can really tailor both my actual components. I see gaps, I can add components. If I see threats that we're not defending against, I can fine-tune our security posture and play and simulate with the digital twin to understand how we're going to respond. And here we're doing pretty good. I'm just going to zoom in for the purposes of the demo. You know, we've deployed GuardDuty, so we feel pretty protected. In a visualization, you can see that it's, you know, fairly central to all of these controls and provides different protection and detection capabilities. But again, the real power is less visualizing it in a demo and more being able to write specific queries against the graph and say, look, what are my most connected infrastructure nodes? What are the protection, detection, response capabilities that they provide? And then be able to kind of get into a nice engineering loop to tweak our solution before we submit to the agency, and then be able to represent that in the component definition, so that when I send that back to the agency, they get this view and say, okay, this is, you know, vendor A. I can see that they've got a lot of things; they're supporting all the controls. I'm not going to go through the assessment
00:17:10:00 result package, but you can probably see that they'll be able to click on various nodes and they'll see assessment results for a vendor pro forma. So before an actual 3PAO, just here is our notional assessment prediction for these given controls and scoring on how we think we meet these KSIs. So we see that this vendor has done a pretty good job, and we feel confident that we've got a lot of protection, both on the monitoring side, the detection, and prevention against the various attacks that we were interested in. So we're feeling pretty confident about vendor A. Vendor B, let me go like this... Let me recenter. There you are. And let me jump back to right at my full scale. Go. There it is. Vendor B was not so lucky. They did not deploy GuardDuty. So they have some of the core features, but they don't have GuardDuty. That allows us to say, you know, it's kind of hard to swap back and forth, but if you either rewatch the video later or you take my word for it now, you'll see that they actually aren't covering as many of these threats. We have a visual, but then, more powerfully, an analytical model that says vendor B is not in as good a position as vendor A, because I can see that while they are covering some of my threats and they have some of my KSIs implemented,
00:18:27:24 and again, you can drill down into a particular score so that you can rank and sort vendors and subdivide them into who's supporting a particular KSI better. But at least in this view, you can just visually see they're covering less of those KSIs. And the reason, of course, we know, is because while they have some of the security components, they're missing that critical GuardDuty component, which provided a lot of those controls and protection. Right. So this allows the agency to receive this package and say, analytically, I can start to simulate attacks on this environment and see how well it performs. And I know in advance, because they don't have that GuardDuty component, that we're going to probably be able to evade, in a simulated way, we're going to be able to evade a lot of those other controls, and we're going to be able to penetrate their components. So you can expand on this model. We link up the component definitions that come in from the vendor, which can be notional, so they don't have to have all of the details of an actual production environment. We import automatically. Python Pydantic, for those of you who know what that is; we import, of course, any of the graph schemas, but we also just import the JSON or YAML OSCAL. So they submit any of these.
00:19:43:00 We can ingest that into the graph so that all of the components in the system, not just the standard AWS services, but, you know, whatever containers, whatever microservices, can all be linked in here. And again, the same type of MITRE ATT&CK techniques, D3FEND protections and mitigations can all be mapped in. And so that agency gets a kind of 360-degree view of the KSI and overall security posture for that vendor. And really, again, it just allows them to do a comparison, both visually but more importantly analytically: vendor A versus vendor B, vendor A's KSI protection versus vendor B's KSI protection. And all of this before you've had an official 3PAO audit, all before you've even had to go through your RMF process. You really have a much stronger basis for making a vendor decision. And you get the ability to discuss specific threats, and similarly specific threats, with the vendor collaboratively. So you can add to the pro forma assessment plan and then say we're going to drill down on this attack technique, and we really want you to demonstrate your protection, your detection implementation further. And you can iterate on that response and the assessment result plan. So, you know, we see this being not just a one-time static artifact, but something that becomes agile in using this,
00:20:58:05 especially as you kind of whittle down the vendors and, you know, maybe now you're either at a go/no-go decision with a particular vendor and the whole project, or you're trying to compare one versus another, along with the whole spectrum of cost and other factors. But the security posture becomes far more tangible in that decision-making process. So I will stop here before I take up the whole time.

00:21:20:08 Yeah. I think we give it back to you, Michaela. I'll stop the recording.