Jun 18, 2025

June Office Hours: Prioritizing SOC Risks with DefectDojo


Transcript

00:07 Hi everyone, happy Wednesday. For those of you that don't know me, my name is Greg Anderson. I'm the creator and CEO at DefectDojo. And we've changed the format of these office hours just a little bit. And so to walk you through the agenda of what I've prepared today, first we'll talk about the new SOC feature, why we did that, how you use it. And then we'll also share the early results from our new prioritization feature.

00:36 And then we also wanted to dedicate a section specifically to OS. Sometimes there just isn't open source news to share, but we wanted to make it clear that office hours is an opportunity to ask and answer any questions you have about DefectDojo on the OS side or the pro side. And so going forward, I'm trying to split something out every single month for OS. This one is more of a

01:05 quarter recap, if you will, just because we hadn't done this before. And so I'll share with you the latest on the pro side. I'll share with you the latest on the OS side. And I'm always happy to answer any questions that you have.

01:22 So talking about the new feature in Pro, which is SOC alerts. This is a use case that I honestly never would have thought of without being inspired by customers. When we look at things that were happening in the community though, it was clear this was kind of where the industry was heading. And so let's get into a little bit. When I think of SOC, everyone thinks of this like,

01:49 ultra modern, ultra sophisticated operation center, you know, with all these people looking at alerts. And unfortunately what I see in SOC and what the reality is for people who are members of blue teams is that they're just getting crushed. Not unlike it was in AppSec. So I started my career in AppSec at Rackspace where my co-founder and I were essentially charged with protecting an entire cloud with nine people at the

02:18 birth of cloud technology. And so that was ultimately what inspired Dojo. We were just getting crushed by all of our tools. And unfortunately that's only gotten worse since then. But when we look at the SOC side of the house and when we look at the data and alerts that SOC analysts have to deal with, the data says that on average they can only view 14% of the alerts generated, which is pretty nuts.

02:46 And then when we look at the number of tools that it now takes to run a security program, you know, 10 years ago, when I started my career in security, we were averaging around six and now it's as of last year, the average is 22, which is also pretty wild. So when we talk about like, what is the fundamental challenge that SOC analysts or people that are doing blue team experience,

03:10 it's now the same problem of AppSec, which is just essentially, I have so many of these overlapping alerts. How do I actually prioritize these things? How do we know what is valid? How do we consolidate these things, et cetera?

03:25 And so, yeah, again, like I would have never thought of this use case, to be honest with you. I thought these two teams would always live separately, but there started to be, you know, indicators and hints that this is what people wanted. So on the open source side of the house, we saw people contribute the Wazuh parser, which is an HIDS and an NIDS tool. If you're familiar with that category, it's primarily focused on endpoint monitoring and detection, file integrity monitoring,

03:55 things of that nature. And then we also saw people contribute like a Microsoft Defender parser. Both of these tools, Wazuh specifically, definitely solidly in sort of the blue team category. MS Defender maybe a little more on the line, but we also started to see this on the commercial side of the house with people using the universal parser.

04:20 And so we saw, you know, people using the Dojo algorithms to distill CrowdStrike, to distill SentinelOne, to distill Palo Alto Networks. And so Matt and I reached out to these people, both in the community and on the commercial side, just to try and understand, like, Hey, why are you doing this? Is this working for you, et cetera? And so after talking with a bunch of people, I think it just became crystal clear that this is where things are ultimately going to head, even though

04:50 and I don't think any other platform has done this to my knowledge. We've looked into it extensively. I think part of it is because when we think about the security industry, everyone wants to try and fit in boxes, for the, honestly, for the purposes of marketing. So, you know, at Dojo, I've always thought about it as solving problems rather than trying to fit in a specific box. And so when we were like, well, what's the best messaging for Blue Team?

05:19 Like, I don't really care what you call it. I think if we were to try and put it in a box, primarily people are using HIDS with this new functionality today, but you know, we're going to continue to expand and add on to these features just for whatever makes sense for people that are actually using Dojo. I feel like we're playing Buzzword Bingo a little bit, but you know, that's the game that you have to play. Like even when we think about Dojo itself,

05:47 like is it DevSecOps? Is it ASPM? Is it ASOC? Is it Unified Vulnerability Management? The truth is like, I don't really care to be honest with you. Like all I care about is solving problems. You know, our wonderful marketing people, marketing cares about terms. It's important. I get it. It helps people think about the solution. But I don't know, like no one's really done this. I think it's because of categories, but it just was crystal clear to me that this is where things were headed.

06:19 And so in practice, like what this looks like today and where this feature will ultimately get to is, so the first thing we did on the commercial side was create the universal parser. And so if you're not familiar with this feature, what it allows Dojo to do is create an integration with any security tool that exports JSON, XML, or CSV.

06:42 And it allows you to map and define those fields on your own, including the deduplication strategies, including the auto triage strategies, et cetera. We did this for a couple different reasons. You know, we support over 200 different security tools natively, but we got requests to say, change the format of a given parser. And you can't really do that when, you know, 10K plus organizations are using the platform. And so

07:12 for example, if you don't like the way we've built the Semgrep parser, you can use the universal parser to instead build a new integration. I think the other thing we saw a lot last year was much more vendor format updates than I would say is typical. And so rather than having to wait on the Dojo team or the Dojo community to go and update a parser, this gave people another avenue to sort of

07:41 instantly heal an integration or self-heal an integration if formats changed and it was taking the Dojo team time to get to it. The next thing we did was prioritization. So prioritization is all about adding real-world risk to findings through enrichment. And so one of the insights dashboards is designed to be a be-all-end-all view of

08:10 prioritization in security for those that want to work on a prioritized basis or a risk-based basis rather than just mitigating every single finding that exists. And so from there, we did it first for AppSec findings, this is what it looks like with the priority and the risk, et cetera. But then we moved on to SOC findings as well, just given that the use cases seem to have converged.

08:39 We wanted to create a single consolidated place for people to look at SOC risks based on prioritization, given that SOC analysts now have to contend with the same thing that AppSec professionals do. And when we look at that prioritization, I have some early data that I thought was really interesting. When we talk about people that use Dojo, I think about the use cases as sub 30K findings, which I would describe as

09:07 not a ton of alerts to deal with. And then I think there are people that are around 30K findings, which is the majority. And then we have people on like the extremes that are doing like millions of findings a month. And so I thought the most applicable data to share was the 30K finding mark. And so typically with prioritization, if an organization has 30,000 findings, that will distill into about 80 that need immediate action in some form

09:37 due to their exploitability, reachability, or how prevalent they are in your endpoints. And so if you didn't look at all those findings that Dojo disqualified, and you assume that each finding takes about 30 minutes for a human to look at, which is about the average from what our data says, that would be 15,000 hours saved, which is, that's a lot. And so, you know, like even if you had

10:04 the staff and the budget to hire people to do those 15,000 hours, which are two mountains in and of themselves, right? To both have the funding and find the talent in security is impossible essentially without prioritization. And so, you know, my hope with everything that we do and everything that we develop is that you get to relax a little bit. That's what I'm here to do at the end of the day is, you know, make the job for anyone in security easier. And so I hope these new things both

10:33 prioritization and SOC will help security professionals to do that. And so like everything, we'll keep iterating on this. I think the request that's crystal clear on the commercial side is the new sort of connector style integration for SOC based tools. So you don't have to do anything with the data yourself. And then the other thing, I mean, that's crystal clear to me in terms of where we're going to head

11:01 is using AppSec and SOC data together for better enrichment and prioritization. So to give you an example of that, all the exploit data that anyone uses always has a lag, if you will, because there's always a group of people that are first to be exploited, if that makes sense. Like EPSS is only as good as once people get exploited, it's the percentage of people that are actively being exploited essentially.

11:29 But so there's kind of a gap between when things start to get exploited and when we know things are exploitable, if that makes sense. And so this is something we can actually close with both pieces of the data set. So for example, if you have a Linux machine that is under attack and they're using a Windows-based vulnerability, probably no one should get woken up in the middle of the night because of that. But if it's the case where

11:59 you see an attack against a system that you know you're vulnerable to because we have that AppSec data to prove that, that should probably be escalated. And so that's what the team's working on right now with regard to prioritization in that enhancement. And I believe that should actually address the gap between when we know things are exploitable essentially and when things first start to get exploited.

12:27 So with that part concluded, that is the latest on the pro side of the house. Let me pause there for questions, if that's OK, before we talk about OS and OS updates.

Greg, I think one question came in, actually, of what the SOC feature is. We plan to have any first-party integrations with the SOC, bigger SOC platforms. And I guess also, are there any tool limitations as of right now with tools that actually we can import files with?

12:55 Correct, correct. Yeah. So with the connector style integration, it won't require any intervention by the team to have that data come in essentially. So connectors in pro connect directly to the tool, automatically pull that data on a regular basis, automatically enrich it, et cetera. And so those are coming, we're in the early stages of partnership with all those vendors to make sure we can

13:24 you know, maintain those connections, make sure that they always work, make sure that they scale, et cetera. But that will be part of the next update in this space; part of it is looking at which tools people will benefit from the most first. And so we kind of already have that data. We know it's Wazuh. We know it's SentinelOne. We know it's Palo Alto Networks, et cetera. And we have

13:50 technical partnerships that are blossoming with all those different vendors as we speak to create those connectors for SOC tools.

14:02 Did that answer the question, Chris?

I think so. And I haven't seen any questions come in. So maybe folks will start trickling in more questions later on.

14:12 Wonderful. Okay, so we'll move on to the OS side of the house. Again, this is kind of a quarterly update, if you will. I wish we had something to share every month on the open source side of the house. It just wouldn't be as exciting. I'm trying to think what we can do there. We'll figure it out as we go. But there is also a lot of phenomenal news on the open side of the house of DefectDojo. So

14:38 first on the contributor side, we passed 450 contributors, which is incredibly exciting. DefectDojo is about being a force for good in security. So the more active the community is, the more places that it reaches, we want security to be accessible for everyone rather than just enterprises. And so I always love to see community stats continuing to go up in meaningful ways. And I think 450 is a really major threshold

15:08 in terms of unique contributors. And then the other thing we're doing, so if you don't know, we have a Slack channel on the OWASP Slack in partnership with OWASP, and we've added paid resources to that channel to help people with open source. Again, we want to do everything we can to support the open source community. Given that we commercialized and given we were able to get funding,

15:36 this just made sense to us as a way to give back. And so you'll notice that there are many more questions being answered there. We want to be as helpful and supportive to the community as we can, given that's what makes Dojo special and that's how we got there. And so you'll notice people in those channels that are dedicated to help and are helping people. When we look at various updates to open source,

16:04 we've updated certain parsers. Excuse me, we've added new parsers, etc. And so I just wanted to call these out as other improvements, either Dojo staff or the community is making to continue to improve how we integrate with tools and how that data is imported. And then this was all community supplied. I want to make that clear, but we've seen a massive expansion in the number of vulnerability IDs that are supported.

16:34 I think this is partially driven by the risks that occurred with the CVE database and its potential, you know, shutdown. I mean, CVE has been the gold standard in vuln IDs for a really long time, but you know, to always be flexible and allow Dojo to, you know, fit how you want it to, to your processes and your deduplication strategies, et cetera.

16:58 I think that is what has given rise to supporting all these different vulnerability IDs, including the new European standards. And then finally, some of the UI improvements. So how do I put this gently? The filters in Dojo open source didn't look great. Like you can always tell when I wrote something to be honest, because it looks awful. It looks like a child like plastered some paint on a canvas. Like how did this get out into production?

17:26 That's how you know that I worked on something. And so also supplied from the community was a restyling of the open source filters. And so now they're much easier to see, they're much easier to work with, just a quality of life enhancement that I think makes open source a lot easier to use and work with. And then one of the pieces of feedback that we got is when we started to work on developing Pro,

17:53 we put the docs together because Dojo docs are actually fairly annoying to build, to put it gently. And so we didn't want to have like one doc site that was outdated or one that was updated. And so we just kind of slapped them together. And I think when we look at having a pure OS experience to make sure we're doing right by the community, et cetera, one of the pieces of feedback was

18:19 the want for a separate doc site. And so we're trying to figure out how we achieve that. I actually really like how Grafana has done their site. They have like a drop down based on version. We just slapped it all together because we needed to get something out the door that people could easily read and access, but it wasn't intended to muddy the open source experience, shall we say, just like there's also

18:47 an environment variable to turn off any of the pro things in OS. So we have tried to point out areas in OS where we know pro solves just to be educational, helpful, et cetera. But there is also a means to disable those. We want to make sure we're always doing right by OS. So many people have gotten open source wrong. And it's very important to us to do everything we can to

19:15 you know, always do right by the community, honor the roots that Dojo came from, et cetera.

19:21 And then when we talk about things that are coming to open source, one of the things that we've talked about quite a bit is V3. And so the first thing we did, which took honestly years, over a year, was making some underlying changes to the model to make them more API V3 compatible, shall we call it. I think it has to do with inheritance data structure,

19:48 just making those things easier to work with from an API perspective. And then the other thing that we did is we fed a bunch of data on open source to AI to understand where the community's pain points had been with open source. And so one of the things that was really clear to us was consolidating import and reimport. Like which one do you use today? The truth is you can just always use reimport. They function

20:18 the same. Reimport is just the smart version essentially, but we never really shut down the import function. We also don't want to break people's current integrations with our API. And so you'll start to see the API V3 icon in open source Dojo here shortly. And so the first thing we're going to do there is just restructure things that we know have been confusing without breaking V2 essentially.

20:48 And so we're looking at data model changes and other things that are just generally non-intuitive that you'll start to see updates on first in the API and then potentially in the UI. I don't think we totally have clear direction on that yet, but I do think we know exactly what we need to fix based on all that data that we aggregated and how we can improve the experience of open source for the community.

21:16 And I think that is it. So I'm happy to answer any questions that anyone has. I always really appreciate you taking the time to come out and listen to office hours and engage. And then the final thing I just want to note before I get to questions is we've also significantly improved the infrastructure of how we do Pro, which has allowed us to get our costs down to a point where we can offer something for free essentially.

21:46 And so we have a new thousand-findings tier for Pro. And if that's something that's of interest to you, you can use it totally free. I think this code, we're doing it in batches just to try and understand the infrastructure cost. We try to be as capital efficient as we can for the sake of investors, employees, but also the community, because when you raise a bunch of money, eventually you do have to pay it back. And so I think this is only for the first 20 people,

22:15 if I recall correctly. And the reason for that is we want to better understand the costs of offering a free tier to understand if we can support it with our current funding, et cetera. And so if that's something that you're interested in, please feel free to take advantage. If it's not, totally understand. But I'm happy to take any questions that anyone has.