“Wes is a brilliant engineer and technologist. His creativity, his insight, his ability to execute on difficult technology problems and come up with solutions to those challenges is unsurpassed. As part of the CTO team, I'm fortunate to work with such an engineer. Creating sophisticated technologically-advanced distributed systems requires a comprehensive approach to requirements, architecture, design and implementation across many facets of the product delivery. Wes has the rare ability to conceptualize that vision, articulate an architecture and deliver on the detailed designs and implementation required to deliver on the complex system. He was a go-to-guy for many of the more difficult technology issues we had to solve. Any company would be lucky to have such innovative and strong talent as Wes.”
About
Activity
-
Co-wrote a blogpost about MLOps best practices for AI training cluster, for CoreWeave. It should have useful information that helps contextualize the…
Shared by Wes Brown
-
Today was my last day at Lookingglass Cyber Solutions, as I move on to helping others solve hard problems. It's been an interesting and challenging…
Posted by Wes Brown
Experience & Education
Licenses & Certifications
Publications
-
Insights on Building Scalable Cybersecurity Systems
Lookingglass Threat Intelligence Blog
Today, enterprises are faced with a plethora of network security solutions attempting to address requirements including higher throughput, as well as advanced threat detection and mitigation. The challenges also require easy deployment across virtual and non-virtual infrastructures while also being cost-effective.
Achieving a solution across those diverse and often competing requirements can be a challenge. In this blog, we will provide insights and suggested best practices addressing how organizations may build secure network processing systems by introducing new approaches and their advantages.
-
The Importance of Connected Data in Threat Intelligence
Lookingglass Threat Intelligence Blog
One of the biggest challenges threat analysts face today is assessing the validity of threat intelligence feeds. Many of those threat intelligence feeds contribute to a large amount of atomic data that is often difficult to relate and correlate in meaningful ways; therefore, it is difficult to determine the relevancy of a threat to the organization. This post talks about techniques and ways to address this.
-
Supercomputing and Malware Analysis
Hack in the Box 2012 Kuala Lumpur
For more than two years, ThreatGRID has been building a threat intelligence service where samples and content are cross-indexed and related. This allows for tremendous amounts of derived analysis, building relationships based on timing, behavioral, structural, and communications characteristics. We are able to determine origin, aims, and targets of specific samples via second and third order relationships. We track all artifacts and behaviors, both host and network, and correlate between any of them.
Content is generated through dynamic and static malware analysis. We do perform de-duplication of samples that are collected in the wild and submitted through various sources. Even though a piece of malware can be identified as belonging to a particular family of rootkit or dropper, their characteristics change and evolve over time. These ephemeral behavioral characteristics are vital to identifying relationships between malware, and this is content that we don't want to miss. We've been submitting and analyzing a sample for about a year now, tracking how its functionality, content and relationships have changed over time. This approach of not deduping submissions leads to some interesting issues related to scaling, storage and infrastructure design.
This talk covers the infrastructure requirements and architectural decisions made to facilitate being able to analyze the entire worldwide output of malware samples multiple times; we have built our own in-house supercomputing cluster, with petabyte scalable storage, and a 40gbps interconnect. We will also show the value of such correlation, and why everyone should be building these relationships between content.
-
Building and Using an Automated Malware Analysis Pipeline
Hack in the Box 2009
Due to the high volume of incoming malware, it is critical that a pipeline be automated, enabling an analyst to make informed decisions quickly and decide whether to spend time and money on a more rigorous review. In Brown's presentation, he will discuss how to build an automated malware analysis pipeline. Brown will discuss the virtualization platform, the guest works that run the samples, and methodologies for gaining information such as network traces, static forensics and automated binary analysis. Following his presentation, attendees will use a provided Live DVD to play with malware samples and a live pipeline.
Other authors
-
Exploit Writing Using Injectable Virtual Machines
DefCon 14
Mosquito is a secure remote execution framework available via LGPL that combines high-grade cryptography and a small efficient virtual machine on both ends to ensure that intellectual property is protected. It also presents a dynamic environment on a target host that can be reprogrammed on the fly over a secure communications channel to fit the current situation. The virtual machine was written from scratch for this purpose, with a built in cryptography library, and was optimized for size with an eye towards being able to inject it. The virtual machine's native programming environment is a Scheme-derived Lisp-family language, with an optimizing bytecode compiler. It is also cross-platform using ANSI C and GCC, currently running on OpenBSD, Darwin, Linux, and Win32. Compiled bytecode is portable between these platforms, much like Java except it fits within 150K on some platforms. This talk will demonstrate the use of Mosquito to write exploits on the fly while the audience watches; the advantages and flexibility of using a virtual machine will be leveraged to implement a second stage puddle-hop exploit into another host. The cross-platform advantages of writing exploits in a portable virtual machine will also be demonstrated. There will be some discussion of Mosquito itself to give context and understanding.
Other authors
Patents
-
Systems and methods for low latency stateful threat detection and mitigation
Issued US11201887B1
Disclosed are systems and methods for securing a network. A method may include obtaining, by a detection engine, an encapsulated image defining an action for a predetermined data packet of interest; determining, by the detection engine, that the action defined by the encapsulated image should be applied to one or more data packets accessed by the detection engine; generating and deploying, by the detection engine, an action state including one or more attributes associated with the accessed data packet and the encapsulated image; determining, at a first execution engine executing parallel with the detection engine, that the one or more data packets comprises attributes matching the one or more attributes included in the deployed action state; and executing, by the first execution engine, the action included in the deployed action state on a received data packet to generate a processed data packet.
Other inventors
-
Systems and methods for monitoring and securing networks using a shared buffer
Issued US11196710B1
Disclosed are systems and methods for securing a network including one or more network nodes connecting a plurality of network connected devices of the network. A method may include: receiving and temporarily storing a plurality of data packets in a shared buffer of a network node; receiving requests from a first processing engine and a second processing engine to access a temporarily stored data packet; generating a first pointer and a second pointer to the temporarily stored data packet, the second pointer being different from the first pointer while pointing to the same temporarily stored data packet; and enabling the first processing engine to use the generated first pointer to access the temporarily stored data packet and the second processing engine to use the generated second pointer to access the temporarily stored data packet.
Other inventors
-
Systems and methods for dynamic zone protection of networks
Issued US 11,057,415
Disclosed are systems and methods for securing a network using one or more controllers and one or more network nodes. A method may utilize a packet processing engine configured to process incoming network packets, a processing analysis engine configured to perform relatively more complex processing and analysis, and one or more controllers configured to coordinate one or more packet processing engines and one or more processing analysis engines across a network to perform endpoint threat detection and mitigation.
Other inventors
-
Methods and apparatus of an immutable threat intelligence system
Issued US20180113952A1
Apparatus and methods described herein relate to a processor that can convert intelligence data into a data structure, and that can store the data structure in a data store. The processor can calculate an identity value for the data structure. The data structure can be immutable such that data represented in the data structure is not modified. A query engine implemented by the processor can receive a request for intelligence status data, and can query an index data store for a set of identity values correlated with data included in the request. The query engine can retrieve, from the data store, intelligence status data correlated with each identity value in the set of identity values. The query engine can also return a snapshot data structure representing at least a portion of the intelligence status data correlated with each identity value in the set of identity values, in response to the request.
-
Methods and apparatus for efficient storage and processing of global and local cyber threat data in a distributed factor graph database
Issued US20180113952A1
Apparatus and methods described herein relate to a global workspace management compute device that can generate a workspace hierarchy tree representing a hierarchy of a set of workspaces in a network. A local workspace management compute device operatively coupled to the global workspace management compute device can, when operative, calculate workspace cyber-threat data for a local workspace in the set of workspaces based on data from a global workspace, and can provide the calculated workspace cyber-threat data to a local workspace interface so that the local workspace interface displays a representation of the set of workspaces in the network. After receiving modifications of portions of the local workspace cyber-threat data, the local workspace management compute device can define a child node of the local workspace based on the modifications. The local workspace interface can modify the representation of the set of workspaces in the network based on the child node.
Other inventors
-
Systems and methods for flight plan specific distributed ledger based aviation data link security
Filed US20220383760A1
Presented herein are systems and methods for operating a flight plan based distributed ledger system implemented on an aviation communications network. According to an aspect, data associated with communication transmissions occurring between communications elements of the aviation communications network may be recorded on the distributed ledger system. The communications elements involved in the distributed ledger system may be determined using a received flight plan. The flight plan information may be used to initialize the ledger information at each communications element involved in the distributed ledger system. The distributed ledger system may be updated to add or remove communications elements if the flight deviates from the original flight plan. After the flight plan is executed, the distributed ledger system may inactivate the ledger and store the ledger information in a centralized repository.
Projects
-
RawrCat Concatenative Programming Language
- Present
A Concatenative Programming Language inspired by Cat and Joy. RawrCat and SVFORTH's primary platform is JavaScript for in-browser analysis, but both also have implementations in Python to ease server-side processing via RPC calls. RawrCat's primary advantage over SVFORTH lies in its improved concurrency and anonymous functions, known as quotations, that can be pushed onto the stack and manipulated.
RawrCat essentially turns an asynchronous callback environment in the browser into a much more manageable synchronous threaded environment. Because of its threading/coroutines and channel implementation, RawrCat is particularly well suited to processing and manipulating streams of data in a granular fashion, giving the user instantaneous feedback as it processes data.
-
SVFORTH - Security Visualization Forth
- Present
SVFORTH is a language environment written in JavaScript with primitives and functions that make it useful for security visualization and analysis work. It is intended to be run in a recent browser for the workshop and includes libraries for metadata and binary manipulation as well as image display. It also has a server-side implementation in the form of a node.js module, as well as Python.
-
MOSREF Secure Remote Execution Framework
- Present
A portable lisp shell combined with a cryptographically strong concurrency framework.
Other creators
Languages
-
American Sign Language
Native or bilingual proficiency
Recommendations received
3 people have recommended Wes