Risky Business - Risky Biz Soap Box: Stairwell will offer platform to researchers
Episode Date: October 29, 2023In this edition of the Soap Box we hear from Mike Wiacek and Eric Foster from Stairwell. Stairwell makes a product that collects and analyses every executable file in y...our environment. You deploy file collectors to your systems and they forward all new files to Stairwell for manual and automated analysis. You can do a lot of really cool analysis once you have all that stuff in the same place. But as you’ll hear, Stairwell is broadening out the use cases for its platform. You don’t want to forward files from every system? You don’t have to. It’s still very useful as an analysis platform. It’s sort of like VirusTotal, but private and with a bunch more bells and whistles. There’s also a bunch of sharing tools in the platform, which gives it a “social network for CTI nerds” flavour.
Transcript
Discussion (0)
Hi everyone and welcome to this special Soapbox edition of the Risky Business Podcast. My
name's Patrick Gray. These Soapbox podcasts aren't the regular weekly risky business podcast.
To hear one of them, just scroll back one episode in your podcast player and you will
hear that. These Soapbox editions are wholly sponsored,
and that means everyone you hear in one of these shows paid to be here. And in this edition of
this Soapbox, we're going to hear from one of our sponsors, Stairwell. Mike Wyasek and Eric Foster
from Stairwell are joining me for this conversation. Stairwell makes a product that collects and
analyzes every executable file in
your environment. Well, that's what they were doing anyway. So you deploy file collectors to
your systems and they forward all new files to Stairwell for manual and automated analysis.
And you can do a lot of really cool analysis once you have all that stuff in the same place. And of
course, they are still doing that. But as you'll hear, Stairwell is broadening the use cases for its platform. And to be a customer of theirs soon, you won't need to plumb everything through to all of your endpoints. like this and say put it on every endpoint. But you know it's still a really great analysis platform even if you're not sending it absolutely
everything. So they're kind of like building this thing more and more so
that people can just use it as an analysis tool, submit samples to it,
analyze them and whatnot. So it's kind of like VirusTotal but private and with a
lot more bells and whistles that are sort of suited to that type of work. There's also a bunch of sharing tools in the platform, which gives it almost a bit of a
social network for CTI nerds flavor. But anyway, here's Mike Wyasek, CEO and founder of Stairwell
to kick things off by talking about how they've built out some, you know, new and pretty fancy
features. And from there, we get into future use case stuff. And the other voice you hear is their business development guy, Eric Foster. But yes,
here's Mike Wysek. Enjoy. We play with data at scale. And so one of the things that like,
you know, most people don't realize, and we don't actually talk a whole lot about on our website is,
you know, we have over a year now of fairly large passive DNS type data into the platform natively.
And so one of the things I think we showed you when we did the video demo,
my goodness, was that a year ago now already, I think? It was a while ago.
It was a while ago, yeah.
We had variant discovery. So we could say, hey, from this file, find me other files in my
environment or in these malware feeds that are similar to it and extract out IOCs from those and go on and go on.
You know, we're now able to, at least internally, not release publicly.
And I'm not supposed to say I'm forward looking too much here, I guess, but let's do it.
You know, we're able to now take into account not only the artifacts and features and structure
of the files, but also their network indicators,
their IPs, their host names, their historical resolutions, and start linking things together like that as well.
And so in a world where we're used to, I guess Eric used to work with RiskIQ and PassiveTotal
and stuff like that, where we're thinking about stuff like Farsight, PassiveTotal, domain tools, et cetera, those are great platforms for being able to look up
what are the historic resolutions of an IP address, of a domain name, or what domains map
to this IP address and get a list back. We have hundreds of billions of these resolutions in our
platform right now that are just there.
And it's like the full cross-reference of every file with every domain, with every IP
address, and on and on and on.
This is almost kind of my 14 years at Google DNA baked into what we're doing at Stairwell,
where it's not just APIi lookups to get resolutions no
no no it's the cross product of every file with every resolution cross reference multiple times
so so here's a question for you right can you foresee a time when you're going to turn
some of this data into something that's accessible to customers that aren't running stairwell
themselves you know like are you going to spin this off into like a virus total competitor? Basically is what I'm asking here. I just asked, I just asked the question,
didn't I? You asked a question. Um, so, you know, one of the questions, so one of the things is we
just sponsored, um, we were one of the sponsors of Sentinel one had labsCon in Scottsdale a few weeks ago. We weren't the sponsors for that.
Which, by the way, to interject, absolutely amazing conference and something people should absolutely look up.
If you're in this space and LabsCon isn't on your radar, you should absolutely consider that for next year.
For me, it's one of the highlights of the year in terms of super high-quality presentations, presenters.
The group there and hallway chats are just astronomically invaluable.
But we gave every one of the attendees individual access to Stairwell for free.
And it was kind of a virtual swag gift bag type thing, uh, for
them. There's nothing for them to have, but they can access it. And so for them, they're able to
come in and upload their private files if they choose to, if they just want to use your rules
over our platform, um, and do threat hunting over our file corpus. So you're already doing this.
Yeah. We're kind of already doing that.
You're giving away the accounts in show bags at conferences, but like, is there going to be a time when someone can roll up with a credit card number and just say, yeah, I'd like to play around?
It's a great idea, Patrick. It's something we've definitely been thinking about for sure.
You know, and we've seen a lot more inquiries for this kind of functionality because some people
have come to us because we are effectively private malware analysis that doesn't expose
that malware analysis to the internet. So this is why I was asking, because when we were talking
earlier, you were talking about how you can tag malware to certain families. And like, you know, you've built in an interface
to help you do all of the clustering
and a lot of automation around doing the clustering.
And I'm thinking, well,
I know a lot of ML people around there
and some of the tools they're using to do that
are quite ad hoc.
So just from a workflow optimization perspective,
like this would be useful to threat researchers.
And then I'm like, well,
is every single threat researcher
going to be an enterprise customer
feeding files automatically into this thing?
Or are you going to start selling accounts?
And, you know, the idea that you could do, you know, can you do like private tags just in your own account?
Yeah, you absolutely can.
Yeah.
One of our fundamental concepts is everything you're doing in Stairwell can be private and unique to you.
We did launch just so we were a sponsor of FSISAC just a couple of weeks ago,
you know, and launched a information sharing communities. You know, we demoed it obviously
for FSISAC. And the idea was like building a real easy interface into the product where like,
if you had a malware siting or a Yara rule or something else that you wanted to share with the community you can now literally like one click share it
with a sharing community that you've defined right there in the product like i mean jeez what was
facebook's thing that was trying to do this years ago you remember what i'm talking about right
i remember i do i i remember i can't remember what it was called but yeah yeah because they
had they had a red hot go at at sort of creating something that was a cross between a social network and a
you know threat sharing platform i can't remember what happened to it i'm very sorry there's probably
people either who loved it or hated it who are yeah seething with rage hearing me say this but
what was it threat exchange threat exchange yeah is it still a thing um there's still a page on
the internet that says get started with Threat Exchange.
I'm just going to jump in there real quick and say if you worked on Threat Exchange and
you want to try and take it to the next level, we are hiring.
So I guess it's becoming clear from this conversation that really you want to make
Stairwell a tool for threat researchers, as well as just
enterprises that want to analyze their own files? I think, I mean, absolutely. But I think one of
the most important things to think about is like threat research has always kind of been
a nice to have, not a need to have. And it's also been something that's been relegated to
the FANG companies of the world, the top 10 big banks. It's been relegated to these-
Well, and the companies and security companies that offer it as a service, right?
Exactly. It's been an ivory tower, if you will. And I think one of the challenges is I've been
in enough meetings with information sharing with government agencies and companies and so forth
over time where I remember a meeting once where, this is back when there was NKIC, if that was a thing people
remember that was part of US, it was part of US CERT before I think CISO was the common
acronym.
But it was a private meeting, they passed around a bunch of IOCs for something and literally
almost everyone in the room was sitting like, you gave me a list of domains and IPs. What do I do with this?
And you realize it's not necessarily obtaining the data.
It's how do I leverage this information to know if I have a problem or not?
And I think as tools have gotten better, it's gotten easier.
But fundamentally, what you realize is the true thing when you find a top-tier threat
researcher is they don't
just take a host name and say it's done. They'll go map through passive DNS sources. They'll try
and find secondary or tertiary names related to that, samples related to those things. They'll
try and map out what was this because any threat report that you get from a vendor or provider or
feed isn't ever, I've never seen one to be exhaustive and conclusive, right?
Yeah, it's not, they're not complete, right? And you and I have talked about that before,
which is when you've got, you know, you've seen threat reports land, you grab a hash,
stick it into stairwell and say, do we have this? Yes. Okay. Show me similar stuff. And it,
you know, from there you're able to expand it out a bit, right?
Yeah. And this is kind of tying it back. I mean,
this is kind of what I was trying to explain earlier and probably wasn't doing
a good enough job on,
on like automating components of malware reverse engineering or looking at
these kinds of threats. Right. It's,
it's those ties that Mike is talking about that goes beyond just the like,
Oh, sandbox this and run the import hash. And like, you know,
look at these
other things. It's like walking these chains. Speaking of walking the chains, one of the things
that you reminded me of, Mike, that like just blew my mind when I saw it on the product was
like, look at me, you know, we were very Yara centric, big fans of Yara as this, you know,
as the obvious Swiss army knife to like detect malware and to investigate files and stuff. And, um, you know, literally looking in
the product, figuring out that a bunch of Yara rules are matching on a bunch of IP addresses
that, you know, as Mike has talked about, we've really focused on enhancing a lot of IP and DNS
info. And I'm like, but there's nothing. And I'm looking
at the Yara rule and I'm like, what the heck am I missing here? It's literally just looking for,
in this case, like coin miner strings. And it's like, you know, literal strings that were seen
in coin miners. And I'm like, why in the world is this matching these IP addresses or domain names?
Like Mike, I think we got a bug here or something. And Mike's like, oh, no, we built this so that it's walking the chain of the analysis
from this Yara rule is matching this binary.
And that binary is communicating to these IP addresses or these host names.
And so I'm just walking that chain for you automatically.
So now this Yara rule matches that IP address.
And I mean, just literally blew my mind of something that I would have had to do,
you know, massively manually to pivot through the,
okay, yeah, now I've found this binary
with this Yara rule,
and now I'm reverse engineering that
or sandboxing it to find these IPs and domain names.
But now like being able to then
just cut through that chain,
vice, you know, or vice versa, right?
Obviously like writing a YAR rule
that is grabbing an IP address and then going,
oh yeah, here's all the binaries
that are talking to that IP address
just by executing that YAR
has been a really interesting development for us.
Yeah, look, look, look, look.
It's really clear from this conversation
that you're planning to launch something
that basically competes with VT, right?
And it's also clear that you absolutely
did not plan to say that
when we sat down to have this interview,
which is always my favorite moment doing these
because you'd be surprised how often this happens, right?
I think that's you being really great at your job, Patrick.
Thank you.
But I guess the question is,
I'm not a VT user, right? But I do get the
sense that perhaps it, you know, has it failed to keep up with the times a bit? I guess that's
what I'm wondering. I mean, Mike, you worked there, right? So. I mean, in a sense, I was,
I was the, I sponsored the acquisition of VT. I mean, you were the CEO, right? I wasn't the CEO.
What were you?
They reported to me, I guess, back in the day.
I think VT is a...
You were running Google's security.
Oh God, it got so complicated.
It hurts my head.
I started Tag at Google and then in that...
The threat analysis group.
Yeah, threat analysis group.
And then in that had kind of spear yeah threat analysis group and then in the in that hat
um uh kind of spearhead at the um google's acquisition of iris total um and then you
became then you became chronicle yes what was your title at chronicle i was a co-founder chief
security officer of okay co-founder chief security officer and then google acquired it back. Yes. Yes. Okay. So you did have some involvement and authority over VT.
Yes.
Mike is literally the guy that bought VirusTotal for Google.
And much like Cisco's acquisition of Splunk, it came, you know, Mike was trying to negotiate a license with VirusTotal.
And it was just easier to buy the whole company than to sign off on the license.
Google has a lot of paperwork to acquire, to buy software.
So it's easier to buy the company.
I'm just a joke.
But what's the, you know, I guess my, you know,
I'm wondering what are you going to be able to deliver?
You know, does VirusTotal not currently deliver
these types of features is the question.
I mean, so VirusTotal for the most part
is a public community-based file sharing thing that, you know, look, first
of all, I won't say anything negative about the team there.
Bernardo and Emiliano and the VirusTotal guys are top tier people, super smart.
And they've built something that I think has been like the backbone of a lot of security
info sharing, at least the malware level for,
geez, now like maybe 15 years or so. I don't know the exact date it started, but it's been a while.
So I think that they're a fantastic team. I think, you know, over time, VirusTotal,
I don't know. I don't know if they've necessarily kept up with what their users actually need or want. You know, there was a change recently that VirusTotal has a feature called
RetroHunt where you can put in Yara rules and then search over the last 90 days of their corpus
if you're a certain tier of user, and I think a year if you're an upper tier is how they productized
it since I've been gone. And you bought a certain number of RetroHunts. And if you put five rules
into a RetroHunt, that was one RetroHunt. And theyts. And if you put five rules into a retro hunt, that was one retro hunt.
And they changed recently that if you put five rules in one hunt, it counts as five
hunts.
And so you quickly burn down your quota.
To me, that's a change I would never have supported as a user, right?
So when I did Chronicle, for example, people said, should we charge per search?
If we're going to ingest your logs, should we charge customers per search? And one of the bully, doing a Google search costs you half of a cent per search.
That would alter your behavior of how you use it.
Even if it was such a small amount of money that it was imperceptible to your lifestyle,
even if it came out to $5 a month, it would change how you used it because you're like,
this costs me something now.
And so when you start creating things like that, where you're like, hey, it's going to
cost you an extra $30 to run this Yara rule over the last 90 days of files.
I don't know what the actual number is.
But when you start thinking about it like that, it changes how often you use it because
you're like, hey, if I have a quota, I have a fixed budget, I might need something more
important tomorrow.
So I'm not going to do that."
What that does is that changes it.
Now, it might be good for the bottom line of Google as a business there.
That's their decision.
They're free to run their business however they want.
But when I start thinking about how our users want to use Yara, how they want to use the
platform, look, putting quotas in and putting limitations on
because you're effectively operating almost as a Bloomberg terminal or LexisNexis terminal where
you're charging per search or per minute that you're on time, it alters how people perceive
the value of your product. One of the things that we've been really adamant with with Stairwell is,
you're a Stairwell customer. We have your data.
We have data from feeds. You should use it. We want you to use it. And so we've tried to do some
really smart stuff of like, how do we, you know, if you think about running a YAR scan, it takes a
lot of compute time. How do we actually make that more cost effective? And so we've been doing a lot
of work on optimizing YAR across our distributed clusters that we run. We hit a point, right? It was literally the day LabsCon started
because I was on a plane and I had the team back on the home front. We were doing a brute test of
Yara, like how fast could we get it if we turn on all the things we've been building and optimizations.
And we were running Yara at 390 gigabytes per
second scanned. And when you start thinking about like, we're almost to the point where we're doing
half a terabyte a second of scanning Yara and scanning files. You know what? Like, I don't
care. You want to run Yara rules. Let's run Yara rules. You know, we're going to blow through your
files. If you're an organization on the server as a platform, we're going to blow through your files,
not in hours, but like literally you're talking minutes at the Cerebral as a platform, we're going to blow through your files, not in hours,
but like literally you're talking minutes at the high end
if we're running with that level of service.
So it's like, you know what?
I don't want to charge you extra money.
I just want you to pay me a fair price
and we're going to offer you something
that you're not going to get anywhere else.
Yeah, yeah.
So, I mean, when's this happening?
This is so funny, by the way,
because I keep asking them these questions
and the look on their faces,
which is like,
this is absolutely not what they're supposed to be talking about.
Anyway, I'll ask you again in a couple of months, man.
Yeah, I think asking in a couple of months.
It's one of those things like, you know,
I don't think we,
in all honesty, I don't think we sat down
and we have a master plan to deal with VirusTotal
or think about VirusTotal as anything more than another player in the security space.
I think what's happening, though, is when people are, you know, we go to events like LabsCon, we do demos for individual researchers to get feedback.
Because one of the things that we often say.
Well, and I imagine the feedback was, geez, I'd love to be able to have an account poke around.
I don't want to put, you know, user agents on every single box in our enterprise, but I'd sure to be able to have an account poke around. I don't want to put user agents on every single box in our enterprise,
but I'd sure love an account and to be able to do some of the work
and analyze some of the files that we surface different other ways.
I mean, I'm guessing that was the feedback, right?
You've got it, Patrick.
Yeah.
I think from individual researchers,
they don't have the authority to think about putting stuff on machines.
They just want to be able to do their threat research.
And so we're like, yeah, let's go use it. Right. But occasionally, occasionally,
a binary is still going to land on their desk from some other team and they're going to go,
what's this? Right. And, you know, you can throw it at VT and, you know, and you can throw it into
a sandbox and say, well, it connects to these IPs and has a key logger in it. But I understand what
you mean. If you want to start, you know, doing some of that correlation and being able to tag
it and say, well, this malware looks a little bit similar to malware that's made by this APT group. I mean, you know, that's, that's valuable stuff.
Right. And then, yeah, finding that and comparing components of that against the
literally 600 million unique files that we've got in our corpus of other malware and known good.
It actually drives me to a point that, you know, like Patrick, you mentioned like almost different offerings here from stairwell. Like we've had customers buy us. One of the things
that surprised me, like they're, you know, big enterprise name you would recognize that bought
us for the first place, literally just to write better Yara rules because being able to write
exactly and back-tested against a corpus of 600 million files to go, all right, here's all the known good and all the known bad.
And I'm going to write Yara rules and back-test it against all of that and tune it down to go, oh, yeah, okay, now I've got a rule that I know is really great at finding APT29 or finding whatever the specific methodology that they're looking for.
And then using that
and then loading the RL rules into other platforms.
Like that was their primary use case.
And then to your point, they also figured out that like,
wait, we can use this like a virus total,
except it's completely private.
It's not everything I share is going to everybody else.
And oh, I don't have to wire up the API integration
to feed all the stuff to it.
I can literally just put this little piece of software
on a machine where I put all my samples and it just auto ingests them all.
Yeah, that's funny. It's like having a Google Drive directory, but malware.
Exactly. That's exactly it. And you can restrict it down to that too and go like,
oh, just pull the files from this one directory. That's my Google Drive of malware.
It's a malware Dropbox in some sense, if you think about it like that. I mean directory that's my Google Drive of malware. It's a malware Dropbox in some sense,
if you think about it like that.
I mean, that's how people ask, what is the concept?
I'm like, if you're familiar,
think about Google Drive client installed on Windows
or a Dropbox client installed locally,
that's literally how you can think about us.
It's just, you know, instead of a folder,
it's executables more broadly,
but you can limit it to just one folder,
not your suspicious trash can. Just throw stuff in there and you know limit it to just one folder, not your suspicious trash can,
just throw stuff in there and you know, it gets sucked up and monitored, which is actually,
you know, I use it like that myself. So of the researchers and people at these
conferences that you gave access to, are they using it? I mean, you would be, you would be
being creepy and watching them and seeing if they're doing stuff.
I mean, one of the things that we've done is we've actually kind of exploited the,
the shareability of the platform with them.
So in that sense, like each person got their own tenant,
if you think about it like that,
where they have their own private stuff.
But then we created a LabsCon alumni group effectively
and now using some of the functionality.
It's like something between a social network
and a Slack channel.
Kind of, yeah.
Where someone could say like, I have a sample, share it. And it gets shared as a virtual feed with all the
other people who are like LabsCon. So you kind of have this really cool community aspect to it as
well, but it's not everything. It's just what people choose to share with the larger group.
Obviously that's probably not a scalable thing. You couldn't go do that at like Def Con or Black Hat and have 700,000 people all sharing
like that.
All spamming goatsy to each other.
That's what would happen if you know it.
Yeah, that's what I'm saying.
But in that sense, that's why I was having for a smaller conference like that.
That was super exciting.
But we had some researchers.
There's one researcher who came online and he said how much can we upload and we said well how
much do you want to upload and they said i have like 40 terabytes of malware i've collected over
the years can i go drop that in there and i was like sure i mean like that's kind of crazy but
that's that'd be i mean i bet there's a few things in there you don't have yeah i'm like this is
gonna be fun so go for it and they it's kind of like it's kind of like collecting pokemon in a way really with malware at this level right like oh yeah i mean like in
that sense he even he he in particular even said like if you guys want to hunt through it i don't
care go for it see if you let me know if you find anything and um there have been cases where we've
been testing some of our newer variant discovery stuff where they've come to us and they said hey
can you try your new stuff on this file? And we're like, yeah, sure. And we've actually uncovered new variants that he wasn't aware of
in his own corpus of stuff. And so you're absolutely right. That flywheel nature of
this, it makes it really exciting to play in. But the key thing is that's not like the main
business intent, right? The main business intent is to help companies organize
and operationalize threat intelligence
and bring it downstream.
How do I get that tier one SOC analyst
to do the job of what, as Eric says,
a tier three reverse engineer would be doing?
How do we bring that down so that every security team,
whether your security team is one or two people
or 200 people,
we up-level everyone. We rebranded our website lately. We went with a different
way of thinking about it. And one of the things that we did was focused on security superheroes,
because a lot of security companies, I think they amplify the coolness of the bad guy. And I said, like, who talks about like, you know,
really trying to amplify the position of empowered defenders about empowered
people who are,
can be taken from that tier one to a tier three because they have the right
tool.
And that's how I always talk about it.
It sounds like the plan is less about, you know,
the future of the company is, I mean,
obviously you're always going to have the people who are going to plumb stuff through, right? Put agents on boxes and auto populate, you know, their stairwell tenants. But it sounds like, you know, you're probably going to a cliche, I think there's an XDR story here too.
You know, whatever you think of that term, you know, the attack surface has obviously gone from beyond just endpoints to, you know, the network got a existing network version of stairwell that we've developed in partnership with, you know, one of the leading network traffic analysis companies, Corelight.
So we've got a stairwell.
Yeah, they're a customer of ours too.
I love those guys.
Yeah, I love those guys.
And so we've got a stairwell for Corelight where you can, you know, use Corelight's out-of-band NTA to carve files
off the wire and subject them to stairwell analysis. And then we've got, by very, very
popular demand, we've got a stairwell cloud coming out very, very soon. I think the first
piece of that that we'll release is a, you know, specifically optimized for Kubernetes type environment, because we've
seen a lot of people, you know, moving more into cloud security, but so much of it has
been almost cloud posture management and cloud configuration management versus like true,
I'm going to detect actual attacks and actual bad things in the cloud.
And so we, you know, literally like we were talking earlier, you know, this is one of those great kind of roadmap items that come from a customer where they're like,
yeah, we wired up, you know, cause everything we do in stairwells API first. So it's like,
we wired up using your API to submit, you know, grabbing files from these Kubernetes instances
that we stood up and we didn't want to just go ahead and deploy the stairwell agent onto them.
It's just easier to just, you know we wired up the the files coming in
and out to submit them through the api i see what you're getting at which is that you know
the initial rollout of stairwell is like files from every box in the enterprise and now it's
like well just use the api use an agent do it however you want but the product is more about
you know the actual analysis than just collecting everything you got it exactly like you know, the actual analysis than just collecting everything. You got it exactly. Like,
you know, and eventually if you go with the right distribution and, you know, we're also looking at,
I think some really key enterprise partnerships to get a lot of these, you know, collection side
as well. So like we've got a really strong partnership right now with Tanium where, you
know, you don't have to install the stairwell agent or software. Well, that gets you a lot of US FedGov, right? Because they're quite big there.
Oh, for sure. So, you know, they've got a nice collection of customers where for those guys,
where it matters quite a bit to be able to click a button inside Tanium and say,
oh yeah, go ahead and collect those files and submit them to stairwell for analysis becomes
really interesting. And we've got existing partnerships with CrowdStrike and with Sentinel one,
where you can do that,
but it's a little more limited in the way that it works. Um, you know,
by the way that they see the world,
they don't consider a world where every file on the box could be interesting to
you. You know, they're like, well, no, we detected this.
And so we can send it to stairwell. And it's like, yeah,
but we also want to see all the things that you didn't detect and we want to we want to know
about all the things yeah yeah yeah yeah all right well we're going to wrap it up there guys uh eric
foster mike wyersek uh thank you so much for joining me for that uh for that conversation
it was very interesting patrick thank you so much man really appreciate it always good to be here
that was mike wyersec and eric foster there
from stairwell big thanks to them for that and you can find them at stairwell.com and that is it for
this edition of the soapbox i do hope you enjoyed it i'll be back in a couple of days with more
security news and analysis but until then i've been patrick gray thanks for listening you