I believe so strongly in this. As someone who has been in enterprise security for nearly a decade now, silos and shame define the industry so heavily and it is one reason why the state of infosec is worse now than it was 10 years ago. Companies are so afraid that by talking about their security threats and sharing their info, they’re making it easier for attackers. It’s not made any better by the lack of good security tools. Even though one of the mantras in infosec is “security through obscurity is no security at all”, most of the industry still hides behind obscurity as their #1 defense.
Sigma is a great start and I want to see the project go further. But it needs vendor support, and vendors selling million dollar products don’t want to make it easier to switch, they don’t want to lower the value of their $400/hr consultants. Sigma also isn’t helped by being hosted on GitHub. Sigma needs its own “GitHub”, its own repository system for its own rules. Fitting it into GitHub’s model just limits the potential.
Jupyter is an amazing tool and I have a handful of clients using it to great advantage in their threat hunting and incident response playbooks. But blue-team infosec is full of people who don’t want to code. PowerShell support goes a long way to help this, but it still needs to be easier and more relatable to its target audience (not programmers).
Just as IT operations is going through a digital transformation into DevOps and cloud native, infosec needs its own digital transformation. One of openness and sharing, of faster change, greater abstraction, better tools, and more accessibility. So much of infosec is built on black magic and voodoo and the idea that by the time you need to prove your security works, it’ll be someone else’s problem.
It’s a hard truth the industry doesn’t want to hear, because infosec is a cash cow, and the less effective the tools are the more money companies can make selling them.