Cognitive Computing in Security with AI

Upload: joanna-cheshire

Post on 22-Jan-2018


TRANSCRIPT

Page 1: Cognitive Computing in Security with AI

COGNITIVE COMPUTING IN SECURITY WITH AI

OUTTHINK THREATS WITH SECURITY THAT UNDERSTANDS, REASONS AND LEARNS

Bob Kalka

VP, IBM Security

© 2016 IBM Corporation

Page 2: Cognitive Computing in Security with AI

The Lifecycle of Security Intelligence

Page 3: Cognitive Computing in Security with AI

Too Much Data, Not Enough Resources. Is this really sustainable?

Chart: threats, alerts, analysts available, available time, knowledge needed. Quick Insights: Current Security Status.

"93% SOC Managers Not Able to Triage All Potential Threats"

"42 percent of cybersecurity professionals working at enterprise organizations claim that they ignore a 'significant number of security alerts'"

"(31 percent) of organizations forced to ignore security alerts claim they ignore 50 percent or more security alerts because they can't keep up with the overall volume"

Page 4: Cognitive Computing in Security with AI

Cognitive Security Study revealed three gaps to address

Intelligence gap

• #1 most challenging area due to insufficient resources is threat research (65% selecting)

• #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)

Speed gap

• The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time. This is despite the fact that 80% said their incident response speed is much faster than two years ago.

Accuracy gap

• #2 most challenging area today is optimizing accuracy of alerts (too many false positives)

• #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)

Addressing gaps while managing cost and ROI pressures

Page 5: Cognitive Computing in Security with AI

Today's reality

1. Review your security incidents in a SIEM.

2. Decide which incident to focus on next.

3. Review the data (events / flows that made up that incident).

4. Expand your search to capture more data around that incident.

5. Pivot the data multiple ways to find outliers (such as unusual domains, IPs, file access).

6. Review the payload of the outlying events for anything interesting (domains, MD5s, etc).

7. Search X-Force Exchange + search engine + VirusTotal + your favorite tools for these outliers / indicators. Find that new malware is at play.

8. Get the name of the malware.

9. Search more websites for information about indicators of compromise (IOCs) for that malware.

10. Take these newly found IOCs from the internet and search for them back in the SIEM.

11. Find other internal IPs that are potentially infected with the same malware.

12. Start another investigation around each of these IPs.

Page 6: Cognitive Computing in Security with AI

Introducing and understanding Cognitive Security

Cognitive security provides the ability to unlock and act on the potential in all data, internal and external, structured and unstructured.

It connects obscure data points humans couldn't possibly spot, enabling enterprises to more quickly and accurately detect and respond to threats, becoming more knowledgeable through the cognitive power to understand, reason and learn.

Page 7: Cognitive Computing in Security with AI

A universe of security knowledge, dark to your defenses

Traditional Security Data

• Security events and alerts

• Logs and configuration data

• User and network activity

• Threat and vulnerability feeds

Human Generated Knowledge

A tremendous amount of security knowledge is created for human consumption, but most of it is untapped. Examples include:

• Research documents

• Industry publications

• Forensic information

• Threat intelligence commentary

• Conference presentations

• Analyst reports

• Webpages

• Wikis

• Blogs

• News sources

• Newsletters

• Tweets

Typical organizations leverage only 8% of this content*

Page 8: Cognitive Computing in Security with AI

Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology

Security Analysts (Human Expertise)

• Common sense

• Morals

• Compassion

• Abstraction

• Dilemmas

• Generalization

Security Analytics

• Data correlation

• Pattern identification

• Anomaly detection

• Prioritization

• Data visualization

• Workflow

Cognitive Security

• Unstructured analysis

• Natural language

• Question and answer

• Machine learning

• Bias elimination

• Tradeoff analytics

Page 9: Cognitive Computing in Security with AI

Revolutionizing how security analysts work

Diagram: Security Analyst, drawing on Human Generated Security Knowledge and Enterprise Security Analytics, becomes Security Analyst and Watson. GAIN POWERFUL INSIGHTS. REDUCE THE SECURITY SKILLS GAP.

• Tap into the vast array of data to uncover new patterns

• Get smarter over time and build instincts

• Cognitive techniques to mimic human intuition around advanced threats

• Triage threats and make recommendations with confidence, at scale and speed

Page 10: Cognitive Computing in Security with AI

Watson enables greater insights by ingesting extensive data sources

IBM Watson for Cyber Security: Corpus of Knowledge (Ingest / Learn / Experience / Test cycle)

Human Generated Security Knowledge (sourced by IBM Security and IBM Research)

• Threat databases

• Research reports

• Security textbooks

• Vulnerability disclosures

• Popular websites

• Blogs and social activity

• Other

Enterprise Security Analytics (correlated enterprise data)

• Security events

• User activity

• Configuration information

• Vulnerability results

• System and app logs

• Security policies

• Other

*IBM intends to deliver in the future as a QRadar app

Page 11: Cognitive Computing in Security with AI

Not just a search engine, we're teaching Watson to understand and interpret the language of security

• Rich dictionaries enable Watson to link all entity representations

• Machine learning enables Watson for Cyber Security to teach itself over time

Watson applies annotators to text (annotator logic), then Watson creates a knowledge graph. Entity types: Hash, IoC, Artifact, Infection Methods, Threat Name.

(Ingest / Learn / Experience / Test cycle)

Page 12: Cognitive Computing in Security with AI

Beyond mere algorithms, Watson evaluates supporting evidence

Question: "What vulnerabilities are relevant to this type of infection?"

Search corpus

• Research reports

• Security websites

• Publications

• Threat intelligence

• Internal scans

• Asset information

Extract evidence

Score and weigh

• Quantity

• Proximity

• Relationship

• Domain truths / business rules

(Ingest / Learn / Experience / Test cycle)
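An added example, written for this transcript and not IBM code nor how Watson is actually built, of the flow on this slide and the previous one: annotators tag entities in constructed text, a dictionary links variant spellings of a threat name to one entity, the matches form a small knowledge graph, and the slide's question is answered by scoring the evidence for quantity, proximity and one domain rule. Every threat name, hash, domain and CVE number below is a placeholder.

```python
import re
from collections import defaultdict
from itertools import permutations

# Constructed corpus of "unstructured" security text; every threat name, hash and CVE id is a placeholder.
CORPUS = [
    "ExampleLoader drops a payload with MD5 0123456789abcdef0123456789abcdef and exploits CVE-2099-0001 for initial access.",
    "Analysts link Example Loader infections to CVE-2099-0001 delivered through malicious documents.",
    "A separate report notes CVE-2099-0002 in the same product family; ExampleLoader was not observed using it.",
    "OtherRAT beacons to c2.example and has been seen alongside CVE-2099-0003.",
]

# Dictionary linking different surface forms of a threat name to one canonical entity.
THREAT_ALIASES = {"exampleloader": "ExampleLoader", "example loader": "ExampleLoader", "otherrat": "OtherRAT"}

# Annotator logic: one pattern per entity type named on the slide.
ANNOTATORS = {
    "Hash": re.compile(r"\b[0-9a-f]{32}\b"),
    "IoC": re.compile(r"\b[a-z0-9-]+\.example\b"),
    "Vulnerability": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "ThreatName": re.compile("|".join(re.escape(a) for a in THREAT_ALIASES), re.IGNORECASE),
}

def annotate(text):
    """Return (entity type, canonical value, character offset) for every annotator match."""
    found = []
    for etype, pattern in ANNOTATORS.items():
        for m in pattern.finditer(text):
            value = THREAT_ALIASES.get(m.group(0).lower(), m.group(0)) if etype == "ThreatName" else m.group(0)
            found.append((etype, value, m.start()))
    return found

def build_graph(corpus):
    """Knowledge graph: edge (entity, entity) -> list of evidence (doc index, distance in characters)."""
    graph = defaultdict(list)
    for doc_idx, doc in enumerate(corpus):
        for (_, a, pos_a), (_, b, pos_b) in permutations(annotate(doc), 2):
            if a != b:
                graph[(a, b)].append((doc_idx, abs(pos_a - pos_b)))
    return graph

def relevant_vulnerabilities(corpus, graph, threat):
    """Answer the slide's question: score threat -> CVE evidence by quantity, proximity and a domain rule."""
    scores = defaultdict(float)
    for (a, b), evidence in graph.items():
        if a == threat and ANNOTATORS["Vulnerability"].fullmatch(b):
            for doc_idx, distance in evidence:
                if "not observed" not in corpus[doc_idx]:      # domain rule: a negated pairing is not evidence
                    scores[b] += 1.0 / (1.0 + distance / 100.0)  # every mention counts; nearer mentions count more
    return sorted(scores.items(), key=lambda kv: -kv[1])
```

Running `relevant_vulnerabilities(CORPUS, build_graph(CORPUS), "ExampleLoader")` ranks only CVE-2099-0001, because the second CVE's single mention is discarded by the domain rule even though the graph holds that edge.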

Page 13: Cognitive Computing in Security with AI

(Ingest / Learn / Experience / Test cycle)

The result: Watson for Cyber Security will enable breakthrough insights after analyzing unstructured articles and other corpus data in minutes

Page 14: Cognitive Computing in Security with AI

What is fed into Watson for Cyber Security

(Time scales shown on the slide: 1 Week, 1 Hour, 5 Minutes)

Structured Security Data

• X-Force Exchange: indicators, vulnerabilities, malware names, …

• Trusted Partner Data: new actors, campaigns, malware outbreaks, indicators, …

• Open source: course of action, actors

• Paid data: trends, indicators, …

Crawl of Critical Unstructured Security Data

Massive crawl of all security-related data on the web: breach replies, attack write-ups, best practices, blogs, websites, news, …

Filtering + Machine Learning removes unnecessary information (3:1 reduction)

Machine Learning / Natural Language Processing extracts and annotates collected data

Billions of data elements, millions of documents: 5-10 updates / hour, 100K updates / week

Massive Security Knowledge Graph: billions of nodes / edges

Page 15: Cognitive Computing in Security with AI

There are numerous potential use cases where we could envision cognitive security playing a key role

• Enhance your SOC analysts

• Speed response with external intelligence

• Identify threats with advanced analytics

• Strengthen application security

• Improve enterprise risk

Page 16: Cognitive Computing in Security with AI

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

© 2016 IBM Corporation

Page 17: Cognitive Computing in Security with AI

1. Review your security incidents in SIEM/Flows.

2. Decide which incident to focus on next.

3. Review the data (events / flows that made up that incident).

4. Expand your search to capture more data around that incident.

5. Pivot the data multiple ways to find outliers (such as unusual domains, IPs, file access).

6. Review the payload of the outlying events for anything interesting (domains, MD5s, etc).

7. Search X-Force Exchange + Google + VirusTotal + your favourite tools for these outliers / indicators. Find that new malware is at play.

8. Get the name of the malware.

9. Search more websites for information about IOCs (indicators of compromise) for that malware.

10. Take these newly found IOCs from the internet and search for them back in SIEM/Flows.

11. Find other internal IPs that are potentially infected with the same malware.

12. Start another investigation around each of these IPs.

Meet Rafael, Level 1 Security Analyst
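The pivot and search-back steps of the manual workflow on this slide and on the earlier "Today's reality" slide, as an added example in Python (not IBM's code and not a QRadar feature): one function finds outlier domains in constructed SIEM events, the other searches IOCs learned from external research back through the events and lists the other internal hosts that need their own investigation. The address ranges, domains and hashes are made up for the example.

```python
import ipaddress
from collections import defaultdict

# Address ranges this hypothetical organization owns; the sweep is limited to internal hosts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# Constructed SIEM events: (source IP, destination domain, MD5 of the file fetched, or None).
# Domains and hashes are made-up placeholders, not real indicators of compromise.
EVENTS = [
    ("10.0.1.5", "cdn.update-vendor.example", "0123456789abcdef0123456789abcdef"),
    ("10.0.1.7", "cdn.update-vendor.example", "0123456789abcdef0123456789abcdef"),
    ("10.0.1.9", "cdn.update-vendor.example", "0123456789abcdef0123456789abcdef"),
    ("10.0.1.5", "mail.corp.example", None),
    ("10.0.1.7", "mail.corp.example", None),
    ("10.0.1.12", "mail.corp.example", None),
    ("10.0.1.12", "xk9q-stage.example", "fedcba9876543210fedcba9876543210"),  # seen from one host only
    ("10.0.1.30", "drop.example", "fedcba9876543210fedcba9876543210"),
    ("10.0.1.41", "drop.example", "00000000000000000000000000000000"),
    ("192.0.2.44", "drop.example", None),  # external source address: outside the sweep
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_outlier_domains(events, max_hosts=1):
    """Pivot step: domains contacted by at most max_hosts internal hosts (unusual destinations)."""
    hosts = defaultdict(set)
    for src, domain, _ in events:
        if is_internal(src):
            hosts[domain].add(src)
    return sorted(d for d, h in hosts.items() if len(h) <= max_hosts)

def sweep_iocs(events, iocs, already_investigated=()):
    """Search-back step: internal hosts whose events match any IOC (domain or MD5),
    skipping hosts already under investigation; each hit is a new investigation to open."""
    hits = defaultdict(set)
    for src, domain, md5 in events:
        if not is_internal(src) or src in already_investigated:
            continue
        matched = {ioc for ioc in (domain, md5) if ioc in iocs}
        if matched:
            hits[src] |= matched
    return dict(hits)

if __name__ == "__main__":
    print("outliers:", find_outlier_domains(EVENTS))
    # After the analyst has looked up the outlier's hash externally and learned the malware's IOCs:
    known_iocs = {"fedcba9876543210fedcba9876543210", "drop.example"}
    print("other hosts to investigate:", sweep_iocs(EVENTS, known_iocs, already_investigated={"10.0.1.12"}))
```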

Page 18: Cognitive Computing in Security with AI

Watson for Cyber Security will significantly reduce threat research and response time

Manual threat analysis: Incident Triage → Investigation and Impact Assessment → Remediation: Days to Weeks

IBM Watson for Cyber Security assisted threat analysis: Incident Triage → Investigation and Impact Assessment → Remediation: Minutes to Hours

Quick and accurate analysis of security threats, saving precious time and resources

Page 19: Cognitive Computing in Security with AI

Revisiting Rafael, Level 1 Security Analyst

With Watson's help:

• Faster investigations

• Clear backlog easier

• Increased investigative skills

• Heavy lifting done beforehand

Page 20: Cognitive Computing in Security with AI

Introducing… IBM Watson for Cyber Security

Unlock new possibilities. The world's first cognitive analytics solution using core Watson technology to understand, reason, and learn about security topics and threats.