Cb Customer Spotlight Series: Q&A with Integral’s Sean McFeely


Featuring Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense

This year at Cb Connect 2018, we had our first ever Developer Day to recognize our vibrant partner and developer ecosystem. We had an amazing group of 100 developers attend, culminating in a hackathon. Sean McFeely, Sr. Information Analyst at Valvoline’s Integral Defense, was an attendee and speaker at Developer Day and submitted his own project, cbinterface, to the hackathon. With the help of the Cb Connect attendees, Sean’s submission was voted as the best project of the hackathon.

Read more below about Sean’s project cbinterface and how Carbon Black has increased efficiency for the Integral team.

  • Tell me about your career path and how you ended up at Integral Defense

    I first started out as a college student doing a co-op for the network engineering team at Ashland Inc. From there I got hired on and ultimately became the Lead Network Security Engineer at Ashland, which happened to be the parent company of Valvoline. In 2016 there was a job opening on Valvoline’s cybersecurity team and I took it, moving to incident response from there. And now, 2.5 years later, I’m a Senior Information Analyst who gets to touch and focus on many different aspects of our operation. Additionally, we’ve recently been able to open-source all of our tools under Integral Defense LLC, which is owned by Valvoline.

  • Tell me about Integral’s process for choosing Carbon Black – how did we stand out among the competition?

    Our team tried different products and Carbon Black was the only one that met our requirements at the time. In the end, it came down to a few key factors. API access was crucial, not only for the data that Carbon Black collects, but also for live response automation. The ability to search complex ancestry, but then to also create watchlists with those same queries was a critical factor. Lastly, the ability to send a configurable subset of data to our log aggregation system was vital in being able to incorporate Carbon Black into our existing security ecosystem.

  • What prompted you to create cbinterface?

    I always want to streamline and make things easier by automating as many manual things as possible. The short answer is I was prompted to create cbinterface to save time. Cbinterface is a command line tool for interfacing with multiple Carbon Black Response environments to perform analysis and live response functions.

    The team that I work on heavily utilizes the command line. So being able to access Carbon Black Response data really quickly, on the command line, is powerful for us. We have multiple environments, so cbinterface allows you to query in one place and then look in both environments to pull whatever process data you want. If there’s something specific you want to look for, such as a file modification, you can just print out all filemods in a process tree and grep to find what you need. The same goes for all other event types. This quick access to the process data has expedited a lot of our analysis and incident response work. Couple that with cbinterface’s artifact collection and script-like remediations, and it has become an essential tool for us.

  • How does cbinterface make your workflow more efficient and/or save you time?

    There’s one instance that comes to mind: we were seeing a lot of Kovter infections in India and South America, where we had unreliable network connections. Traditionally, we relied on collecting artifacts from endpoints for incident response, but because of bad network connections these collections could be problematic. Moreover, before cbinterface’s quick remediation capabilities, remediating infections like Kovter, with its watchdog processes and multiple forms of persistence, proved tricky. We couldn’t kill the watchdog processes and delete the persistence fast enough to successfully remediate the infection, especially remotely. Usually we had to issue a ticket for the PC to be completely reimaged, and the user wouldn’t have a PC during that time. It would take days or weeks for a PC to get reimaged at these remote locations, and one time I remember it took about 30 days. After the development of cbinterface, we were able to quickly digest the Cb Response data to understand what happened, and then remediate similar infections in record time. We can now move from initial detection to completely remediated in a few hours, and that is when we’re taking our time to learn as much as we can. Now we can respond to incidents with minimal disruption to the business, and what used to take hours can now take minutes, and even seconds.

  • In your opinion, how does the Carbon Black API compare with other security tools you’ve used?

    Prior to Carbon Black I had a particularly bad experience with a popular vulnerability management solution’s API. We were attempting to take advantage of that platform’s data to provide additional context to analysts, but we gave up as we found the effort to fight their API wasn’t worth the end goal.

    But with Carbon Black, the documentation around Carbon Black’s APIs is top-notch, and the ability those APIs give you to access all of a sensor’s data is outstanding. There are not many vendors that flat out let you access all of their raw data, and even fewer that make that access so easy.

  • Do you consider yourself a developer? Why or why not?

    We have a small team of seven and we pride ourselves in cross-training and being able to fill in when someone’s not available. I do a little bit of everything from alert triage, incident response, threat hunting, malware analysis, and development. Most of my experience is in incident response, threat hunting, and development. One thing I really enjoy is studying new exploit methods and then creating new hunts or detections for us, specifically around endpoint behavior.

  • What was your overall takeaway from Cb Connect 2018?

    Cb Connect was one of the most valuable conferences I’ve been to. I really got a lot out of it, specifically Developer Day. All of the presenters and the content that was presented in front of me were really impressive. I was just taking notes the whole time and had a big list of items and ideas that I wanted to take back and experiment with to improve our capabilities and see what can apply to our situation.

    When we first got Carbon Black, we were not very impressed with the watchlist feeds that we got. But after going to Cb Connect and seeing some of the watchlists that the Carbon Black threat hunters are now developing, I was like, oh wow, I definitely want to pull these in and take another look at them, because they’re doing some cool stuff.

  • How have your learnings from the greater security community influenced your security practice?

    I am a learner who just jumps in – I like to learn as I go. That’s with almost everything I do, and it was the same for my understanding of the “big picture” in security. I had to get involved in all of the different areas of my team’s operation, but I also had to get out to some conferences and training courses to see how other teams are implementing security. It’s been valuable to hear other people’s take on the cybersecurity process and how to do cybersecurity. It’s also interesting to be able to compare and contrast with other mature teams. One thing is for sure: in the last two years it’s impressive how fast some concepts have hit the mainstream and been adopted. So, I’ve learned a lot from my exposure in the community, and hopefully I’ve helped some others learn as well. Mostly, I’ve learned that I was lucky to come onboard with a highly mature, capable, and experienced team from the onset of my career in security.

  • What’s one piece of advice you would want to share with someone trying to start a career in cybersecurity?

    Don’t settle. Don’t settle with getting comfortable in just one particular area of the whole process. Continue to try and learn from the people who have more experience than you, and try to push your own boundaries and limits. The people who really excel in cybersecurity are the people that have a continuously curious mindset and always want to understand the next thing.

Want to read more about cbinterface? Check out Integral Defense’s GitHub page. Want to learn more about Carbon Black’s Open APIs? Visit the Developer Network website at https://developer.carbonblack.com.

The post Cb Customer Spotlight Series: Q&A with Integral’s Sean McFeely appeared first on Carbon Black.
