prepare. protect. prosper. · 2018-08-20 · page 2 copyrigh 2018 hameleo ntegrate ervice 2.01-04...

Copyright 2018 Chameleon Integrated Services | All Rights Reserved | 2.01-04

Cybersecurity White Paper

From Star Trek to Cognitive Computing:Machines That Understand Security

X The Rise of Cognitive Computing X Data, Data, Everywhere—How to Use It X Cyber Defense in Depth

In this issue:By William J. Kapes, Chief Technologist

Prepare. Protect. Prosper.

Copyright 2018 Chameleon Integrated Services | 2.01-04

Executive Summary

Our first white paper on cybersecurity, “Maskelyne and Morse Code: New Century, Same Threat,” discussed the overwhelming nature of today’s cybersecurity threat, where cyberwarfare is the

new norm. In it, we presented historical perspective on information attacks in general. We also discussed preventive measures based on layered security. In this second white paper in our series, we delve into the need for a “super analyst” and the role that artificial intelligence (AI) can play in cyber defense, building a “defense in depth.” This concept describes an ancient military strategy of maintaining multiple layers of defense; today, it has become the practice of constructing multiple redundant defense mechanisms to deal with an overwhelming external adversary. The application of AI to cybersecurity is the next frontier and represents another layer of defense against cyberattacks available to us today.

The original television series Star Trek (1966–1969) has become a cultural icon that, since the late 1960s, has inspired significant developments in the evolution of technologies we all take

for granted today, from the original Motorola flip phone to tablet computers. Dr. Christopher Welty, a computer scientist and an original member of the IBM artificial intelligence group instrumental in bringing Watson to life, was just one among those heavily influenced by the fictional technology he saw dramatized on Star Trek as a child.¹ Speaking conversationally with a computer, and having it understand both your words and meaning, appeared to many as a natural next direction in the evolution of computer technology. While a connection between cybersecurity and natural language machine processing might not be apparent at first sight, AI, with its understanding of language, has quite recently opened up the world of computer technical analysis to include log files and reports designed to be read by real people. For instance, threat reports intended for security analysts are issued on a daily schedule, but these information flows are too large and frequent for real people to be able to follow and act on them. This intimidating scenario, rather than Captain Kirk conversing with the computer, is what brings us to the new world of the AI “super analyst.”

From Star Trek to Cognitive Computing: Machines That Understand Security


Swimming in a Sea of Cyber Data Security information and event management (SIEM) platforms that manage both information and events in a single platform are the minimum threshold today for organizations serious about their cybersecurity. These platforms were originally intended to process massive amounts of machine-generated log and security data from multiple sources and aggregate this data into a single view to identify results that differed from normal. Most SIEMs are either rule-based or use a statistical correlation engine of the sort common in network management tools. Many of these platforms grow out of network management tooling. This is a logical next step, given that network attacks are often the first line of cyberattack.

As the number of available monitoring sources has increased, the sophistication of tools available for this analysis has increased in reaction. As threat vectors have become more sophisticated, the information needed to counter threats has increased exponentially.

Organizations have responded by increasing staff and apportioning network data across available analysts. But even in a perfect world with unlimited analysts available, this approach is simply untenable for tackling the analysis of the volumes of data that continues to increase over time, faster than analysts can be trained to integrate it. Industry has stepped up to the challenge by putting into place more sophisticated SIEM platforms. Traditional antivirus vendors have used their knowledge of emerging threats (gained from innovating new defenses based on receiving reports from millions of endpoints) to create security threat intelligence services for industry.

Threat Intelligence: The Next Line of Cyber-DefenseSince we can’t control the threats, we must consider both how we will respond to the diverse threats our organizations face and which tools we will employ within our defense arsenals. Similar to nation states that have depended for millennia on intelligence and spycraft to predict possible threats, the world of cyber defense has turned to cyber threat intelligence (CTI). CTI is now becoming an increasingly high priority for businesses and government organizations, reflected in the US Department of Defense recently elevating US Cyber Command (USCYBERCOM) into a full and independent Unified Combatant Command that coordinates with the National Security Agency (NSA). CTI should indeed be an important tool in our arsenal—but getting the most from it can be challenging. A recent survey of threat intelligence users shows that the top use cases and results are unsurprising.²

Structured or tagged data are the most straightforwardly ingested for direct machine processing, and these data have been the most commonly used. However, although some other intelligence, such as proactively hunting for registry indicators in intelligence reports, have been among the least used, they can prove to be the most effective information to act upon to prevent a cyber incident.

Currently, most organizations rely on human interpretation of threat intelligence reports. This puts tremendous strain on their analyst resources. Data from reports is unstructured data, which tends to be the result of human intelligence applied in a humanly readable written format, and it can be considered a form of human-processed intelligence. On the intelligence spectrum, however, such unstructured data is as archaic as writing itself, and it has traditionally been of little use to computers. For instance, one of the clear conclusions of the recent Recorded Future webinar with the SANS Institute, concerning the data in Table 1 (next page), was that “relying purely on threat feeds is a recipe for information overload and ‘alert fatigue.’”³



Table 1 - Recorded Future Webinar with the SANS Institute

Cognitive computing can complete tasks typically performed by human experts. With unstructured data, a human brain first processes the data, then arrives at insights and finally records those insights. A good researcher rarely speaks in absolutes; instead, they will generally present their confidence levels in the insights reached as a result of their analysis.

It is important to understand that, fundamentally, this is also what cognitive computing does. Cognitive computing reads text, examines the work of others, and interprets the combined data. Then, it arrives at one or more insights and proposes conclusions, each accompanied by a confidence level.

Cyber Threat Intelligence Data SourcesWhile available CTI sources are too numerous to cover in depth here, there are several worth highlighting. The Department of Homeland Security (DHS) has set up a free source website for Automated Indicator Sharing (AIS), which allows private companies to share cyber threat indicators with the federal government. AIS aggregates information about recorded threats, such as malicious IP addresses and the addresses of the senders of phishing emails that seek to fraudulently induce individuals to disclose sensitive information. The FBI hosts a similar site, the InfraGard Portal.

Sites dedicated to particular threats are also accessible, such as the Swiss Ransomeware Tracker, The International Spamhaus Project, and the free anti-malware and antivirus identification sites VirusTotal, Malwr, and VirusShare. Another class of CTI services tailored to work best with provider-specific SIEM platforms include Alien Vault, CA Technologies, IBM X-Force, and Splunk. It is clear that there are many CTI data sources available. The point to recognize here is that it can be useful to have help sorting out the best approach for your organization. At Chameleon Integrated Services, we favor tools and services with built-in or integrated AI to help reduce data and alert fatigue.

70%

60%

50%

40%

30%

20%

10%

What are your top use cases for your CTI feed data?Select your top three uses, order is not important.

Bloc

king

mal

icio

us d

oman

s or

IPAd

dres

ses

at e

gres

s po

ints

(e.g

., fir

ewal

ls)

Addi

ng c

onte

xt to

inve

stig

atio

ns o

rco

mpr

omis

e as

sess

men

ts

Exam

inin

g DN

S se

rver

logs

for

mal

icio

us d

omai

ns o

f IP

addr

esse

s

Dow

nloa

ding

mal

war

e sa

mpl

es fr

omco

mm

erci

al re

posi

torie

s an

d re

vers

een

gine

erin

g to

gai

n ad

ditio

nal i

ndic

ator

s

Oth

er

Proa

ctiv

ely

hunt

ing

for r

egis

try

indi

cato

rs a

t the

end

poin

t

Build

ing

cust

om ID

S si

gnat

ures

for

mal

icio

us tr

affic

Addi

ng in

tern

ally

gen

erat

edin

dica

tors

to c

omm

erci

al in

dica

tors

to tr

ack

cam

paig

ns

Prov

idin

g tre

ndin

g da

ta a

nd re

port

sto

team

and

man

agem

ent

Proa

ctiv

ely

hunt

ing

for f

ilesy

stem

indi

cato

rs a

t the

end

poin

t

0%



We Need a “Super Analyst” to Make Sense of the DataBy now, you probably see the advantage in a machine that can actually understand natural language, such as that produced in CTI reports. Just as the fictional Captain Kirk from Star Trek relies on his ship’s computer to answer his questions about what lies ahead, cybersecurity officers naturally want to do the same with their own computers today. The problem is that true natural language processing is still in its early stages. Siri, Alexa, and Cortana are a far cry from translating speech to text and having that text understood and acted upon. These speech recognition platforms, as with Google’s, build complex algorithms to pull out focused meanings from phrases it understands, specifically those that are “purpose built.”

We see this approach to natural language recognition as analogous to the way the Electronic Numerical Integrator and Computer (ENIAC), first introduced to the world in 1946, revolutionized computing. Specifically, today, we believe in the capacity of purpose-built AI to revolutionize smart home devices on the Internet of Things (IoT). Alexa can download new “skills” of the user’s choice to enhance the experience with the device. Given the low cost of entry for these speech-recognition platforms, they are capable of incredible feats.

Today we can go a level deeper because AI has the capacity for a broader understanding of what constitutes knowledge. This is an enormous difference from only several years back, akin to that between the ENIAC and the first general-purpose computers capable of performing a full range of commercial and scientific applications. IBM introduced the System 360 (model 30) in 1964. It was IBM’s “moonshot” at the time—the first system to make general purpose computing practical for industry. This development helped usher in the “age of the computer.” Interestingly, the System 360 actually played a leading role in the moonshot Apollo program. A super analyst that can ingest all the information available to cybersecurity analysts today is far beyond the capacities of Siri, Alexa, or Cortana. This task will require a machine that not only understands natural language but can “think” independently. Namely, we believe that organizations are in need of a cognitive computer.

The Super Analyst and the Star Trek ConnectionIn 2011, IBM developed a question-answering computer system capable of answering questions posed in natural language. Their DeepQA project was the outgrowth of a research team led by principal investigator Dr. David Ferrucci (also a Star Trek fan). Watson was named after IBM’s first CEO, industrialist Thomas J. Watson. As a proof of the technology, Watson was initially trained to answer questions on the quiz show Jeopardy! In 2011, the Watson computer system did compete in the show against legendary champions Brad Rutter and Ken Jennings, and Watson won the first place prize of $1 million.

In a PBS documentary on the Jeopardy! win by Watson, the principal investigators talked about the influence of Star Trek on their work, recalling Captain Kirk’s human-like natural language conversations with the ship’s computer. They thought that this was a worthy pursuit. Dr. Ferrucci’s goal of “talking” to a computer, like Captain Kirk did, and receiving intelligent answers took a giant leap forward with the successful quiz show challenge. But this was just the first step on the road of continuous advancement for Watson. Since that time, IBM has applied Watson’s learning and interactive capabilities to the needs of diverse areas, everything from cancer research to legal reviews to tax return preparation. Importantly, one of IBM’s most recent applications has been to bolster cybersecurity.

Fun Fact:

Source: Quora

You would need millions if not billions of ENIACs and even then they would run at under a millionth of the iPhone’s speed. We have come a very long way since those old computers.



The Jeopardy! challenge was a game changer for what most people refer to as AI (itself a very broad category), and it had implications well beyond its famous demonstration on television. IBM is very particular about how it describes Watson and AI: the company sees Watson as a “deep question and answer” machine, a machine learning platform, and more broadly as a cognitive computing system. IBM uses a stylized Venn diagram to illustrate Watson’s AI technologies.

The many distinct technologies called “AI” today must be distinguished from each other; not all AI systems can be applied to cybersecurity in the way described in this paper. The broad category of AI encompasses cognitive computing, which in-turn encompasses both machine learning and deep learning.

We have a bewildering landscape today in which many technologies are considered to be AI. IBM’s head of research, John Kelly, describes cognitive computing and what Watson does in the following way:

Cognitive computing refers to systems that learn at scale, reason with purpose, and interact with humans naturally. Rather than being explicitly programmed, they learn and reason from their interactions with us and from their experiences with their environment. They are made possible by advances in a number of scientific fields over the past half century, and are different in important ways from the information systems that preceded them. Those systems have been deterministic; cognitive systems are probabilistic. They generate not just answers to numerical problems, but hypotheses, reasoned arguments and recommendations about more complex – and meaningful – bodies of data. What’s more, cognitive systems can make sense of the 80 percent of the world’s data that computer scientists call “unstructured.” This enables them to keep pace with the volume, complexity and unpredictability of information and systems in the modern world.4

To understand the meaning of natural language, Watson determines the usage and context of language expressions from vast inputs of unstructured data (the kind of data represented within typical intelligence reports). The successful application of any AI system to the problem of cybersecurity is a game changer. However, for a machine to have the capability to ingest the massive amounts of CTI on the internet and apply them to what it sees in the SIEM is truly a force multiplier. When you consider the vast amounts of data on cyber activity available to organizations today, and the new tools available to work with that data, cybersecurity is prepared now to move to the next level: proactive protection through predictive analytics and threat hunting.

AI Other Than Watson in the Cybersecurity SpaceThe industry has taken notice of the utility of applying AI to cybersecurity, and new partnerships are coming together on a regular basis. The pairing of AI with existing solutions is geared toward providing additional analytics horsepower to existing technologies and driving greater efficacy, efficiency, and value. This tends to happen in one of two ways. In some cases, machine learning technologies are applied to existing security defenses as helper apps. For example, Bay Dynamics and Symantec recently formed a partnership enabling the application of Bay’s AI engine, the one behind Symantec DLP, to help reduce

Arti�cial Intelligence

Cognitive

Machine Learning

Deep Learning



the noise associated with DLP alerts. Fortscale does similar things by back-ending each of endpoint detection and response (EDR), identity and access management (IAM), and cloud access security brokers (CASB)5 Other uses of AI in this space involve the analysis of massive amounts of user behavior data to find anomalous behavior that could be indicative of an insider threat. This kind of pattern recognition requires sifting through mountains of structured information to find the needles in the haystack that can lead to successful interventions. While we are on the subject of looking for insider threats, let’s take a look at another kind of threat hunting and its relevance to cyber defense.

Cyber Defense, Threat Hunting, and Osama bin LadenThreat hunting is basically searching through huge volumes of data to identify possible bad actors and potential threats to an organization’s IT infrastructure. The ultimate goal is to prevent attacks before they happen and to eliminate or at least minimize the effects of attacks. Threat hunting tools may ingest threat intelligence feeds, vulnerability analysis reports, risk assessments, malware analysis, HR employee records, security event data, system logs, and social media feeds.

While threat hunting leverages automated tools, much of the work is manually driven by an investigator who researches the answers to proactively developed questions. For instance, the investigator may choose to identify those people in a particular organization with access to highly sensitive resources who have recently expressed a negative sentiment toward their employer—because these individuals could be potential insider threats. There are, of course, limitations to this sort of activity, as it involves a great deal of factors in an effort to detect anomalous activity and then predict future events.6

As you might imagine, this is where the tools used in big data and intelligent analytics can help. A new class of analytical tools called “insight analytics” has evolved out of developments in business intelligence and predictive analytics. Insight analytics software, like that developed by i2 (later acquired by IBM), can take data from multiple sources and create visualizations to identify nonobvious connections and display patterns of behavior that might not otherwise have been clear. One kind of software, called social network analysis, determines the key players in a network and examines the effect that each has within that system—in fact, this is the specific technique used to locate Osama bin Laden.7 And, a similar technique was used to capture Saddam Hussein.

Finding bin LadenAmerican intelligence officials discovered the whereabouts of Osama bin Laden by tracking one of his couriers. Guantánamo Bay detainees gave intelligence officers the courier’s pseudonym, Abu Ahmed al-Kuwaiti, and said that he was a protégé of Khalid Sheikh Mohammed. In 2007, US officials discovered the courier’s real name and, in 2009, that he lived in Abbottābad, Pakistan. Using satellite photos and intelligence reports, the CIA inferred the identities of the inhabitants of the mansion where bin Laden was living. In September 2010, the CIA concluded that the compound was “custom-built to hide someone of significance” and that bin Laden was very likely there.8 Officials surmised that his youngest wife was living with him there.9 Once this conclusion was reached, the rest, as they say, was history.

The investigative technique of finding someone based on their connections with others (their “network”) is not dissimilar from techniques needed to identify cyber bad actors by their connections. This data can help cybersecurity information officers (CISOs) identify potential insider threats and possible methods. Indeed, this is how “super analyst” systems



that can ingest news and social media feeds from around the world can make use of insight analytics. This can go a long way toward “predicting” the next threat vector and giving CISOs a fighting chance to protect their network before an attack reaches their firewall. Just as insight analysis was used to help find Osama bin Laden, i2 Enterprise insight analysis can be used to perform threat hunting and investigations. IBM’s i2 QRadar offense investigator integrates the QRadar SIEM capabilities with i2 in order to improve the efficiency and effectiveness of their investigations. This intelligence, it is hoped, will be enough to get ahead of the next cyberattack.

Defense in Depth: An Ancient Strategy Relevant TodayDefense in depth is an ancient military strategy first historically known to be used by Hannibal in the battle of Cannae, in 216 BC. The idea that multiple layers of defense, when used properly, can mitigate the advantage of an attacker with superior numbers is as relevant today to cybersecurity as it is to military defense planning. The United States strategic nuclear triad is a defense in depth strategy based on redundancy, one that has helped make the threat of nuclear war unthinkable to the United States’ adversaries, given the difficulty of knocking out all of our missile fleets (which are easy to locate), our strategic bomber fleet (moderately hard to find), and finally our nuclear submarine fleet (quite difficult to locate). This strategy has led to the prospect of mutually assured destruction, leaving no apparent advantage to an attacker also assured of being destroyed.

As applied to IT, defense in depth today puts the most valuable resources at the center of defense, protected by the security layers associated with the network; after that, there is the host computer, then the application, and finally the data itself. As in the military example, the more redundant protective layers one can add to the model, the harder it is for an attacker to reach the ultimate goal of infiltrating your data. Adding in CTI information is like adding a “world” layer outside of your network; essentially, this adds another protective layer to your defense in depth. Understanding and responding to threats identified in this world layer before they reach your organization, through taking proactive protective measures (like closing ports, installing patches, and educating users), is obviously preferable to repairing actions following an attack.

Watson for Cybersecurity is an instance of IBM’s cognitive computing capability being focused specifically on the cybersecurity space. In this context, Watson consumes structured security information from threat intelligence feeds and your organizations’ security events and related data, in addition to unstructured sources, such as research papers, security blogs, websites and advisories. It then stores all of this in a massive corpus (a knowledge base) consisting of more than 10 billion elements, and it refreshes its understanding at the rate of 4 million more potential elements per hour. In a sense, Watson for Cybersecurity is like a security expert who reads the web 24/7, never forgets, formulates hypotheses about attacks from this highly dynamic knowledge base, and gets smarter over time, all while possessing a nearly godlike command of details. Thus, Watson can function like a “super analyst” as part of your cybersecurity, effectively adding another layer to your defense arsenal.

Adding Intelligence to the Depth of Your DefenseIt is clear that there is far too much cybersecurity intelligence data for any single person, or even a team of people, to digest. Statistics at IBM indicate that cybersecurity analysts are

Network

Host

Application

Data



able to keep up with only 8 percent of relevant, newly published information. While that is not insignificant, without machine assistance, the battle against network intruders is much more likely to be lost. Our last paper addressed the fact that we can’t change the threat, only the way we react to it. However, that is not without exceptions. Since cybersecurity is an ever-evolving game of “cat and mouse,” our actions can have an impact on the threat. Every time industry comes up with a counter, the “bad guys” need to make a change on their side. This is the case with conventional kinetic threats, a context in which raising the sophistication of our defenses can raise the cost of action to our adversaries, altering their behavior. Cognitive computing and AI represent a technological advantage that the average hacker will find difficult to match. However, state-sponsored adversaries frequently have the resources to match our defenses. Adding AI helps to level the playing field, and specifically Watson’s cutting-edge capacities can provide an advantage.

Watson’s EdgeWatson is able to analyze billions of data points gathered from network security analysis programs and correlate them against all known structured and unstructured articles, threat feeds, books, blog posts, and other sources that provide cybersecurity intelligence. What Watson provides is insight into possible threats, and it can do this up to 60 times faster than attempting the same response without it. This report includes a list of possible threats and their ranking, based on the likelihood that this is the threat being encountered. The synthesis includes collaboration with human engineers to perform analyses of root causes, particularly those encountered by the organization being attacked, and the vast amount of structured signature data, as well as insights gained by analyzing and learning from the cybersecurity corpus of information. The end result means that Watson can prepare ten times more actionable data than the analyst would otherwise have at his fingertips.¹0 In other words, Watson is the “super analyst.”

Summary: AI Can Transform CybersecurityTraditional information processing only sees 20 percent of the data that is available, and is blind to the 80 percent of unstructured data that contains human-processed intelligence. Cognitive computing is the key to unlocking that information and using it as an in-depth part of a cybersecurity defense. People have asked for years, “Wouldn’t it be great if computers really understood us like they do on Star Trek?” This thought has led us to a world poised on the edge of a new revolution in computing, and has begun to unleash the real potential of artificial intelligence. While the science fiction of Star Trek has a long way to go to being realized, by striving to get there, scientific fact has today come much further than the fiction writers could have imagined half a century ago.

At Chameleon Integrated Services, we can help move your cybersecurity plans to the next level by providing support tailored to your organization—ranging from basic services to advisory services that define best practices to increase your defense-in-depth posture. Chameleon works with customers to help them “lock down” their infrastructure and comply with industry-standard Security Technical Implementation Guides (STIGs), and we partner with IBM to help our customers take advantage of advancements in cybersecurity, including the use of AI.



About Chameleon Integrated ServicesWith You from Strategic Vision to Functional Delivery

Helping you successfully capture transformational opportunities in IT modernization, cloud computing and building the workforce of the twenty-first century. Enhancing mission effectiveness by reducing cybersecurity risks. Chameleon is a proven and trusted solutions partner that delivers transformational results and successful outcomes to federal agencies, state and local governments, and commercial companies. Our unique approach is built around one set of goals—to help our clients: Prepare. Protect. Prosper.

We’re an SBA-certified small disadvantaged business, minority owned enterprise, operating under the GSA 8(a) STARS II Governmentwide Acquisition Contract. Our headquarters are in St. Louis, Missouri, with offices in the National Capital Region; Belleville, Illinois; and Montgomery, Alabama.

Contact us

Endnotes and Bibliography¹ “Watson vs. Jeopardy! Champs & the Trek Connection,” Star Trek, February 14, 2011, http://www.startrek.com/article/watson-vs-jeopardy-champs-the-trek-connection; see also Dr. John E. Kelly III, “Computing, Cognition and the Future of Knowing: How Humans and Machines are Forging a New Age of Understanding,” October 2015, https://cra.org/crn/2016/09/computing-cognition-future-knowing-humans-machines-forgingnew-age-understanding/.

² “Beyond Feeds: A Deep Dive Into Threat Intelligence Sources,” Recorded Future, August 18, 2017, https://www.recordedfuture.com/threat-intelligence-sources/.

³ “Beyond Feeds.”

4 IBM.com.

5 Jon Oltsik, “Artificial Intelligence and Cybersecurity: The Real Deal,” CSO, January 25, 2018, https://www.csoonline.com/article/3250850/security/artificial-intelligence-and-cybersecurity-the-real-deal.html.

6 IBM Security and Artificial Intelligence FAQ.

7 Amy Lee, “Osama Bin Laden Killing: How Tech Helped in the Takedown,” The Huffington Post, May 3, 2011, https://www.huffingtonpost.com/2011/05/02/osama-bin-laden-killing_n_856633.html.

8 “Trail Leading to Bin Laden Began with His Trusted Courier,” CNN, May 2, 2011, http://www.cnn.com/2011/US/05/02/bin.laden.hunt/index.html.

9 “Manhunt for Osama Bin Laden,” Wikipedia, accessed August 12, 2018, https://en.wikipedia.org/wiki/Manhunt_for_Osama_bin_Laden.

¹0 IBM, Artificial Intelligence and Cybersecurity for Dummies.

Author: William J. Kapes, Chief Technologist, Chameleon Integrated Services

Chameleon Integrated Services

https://www.chameleonis.com (314) 773-7200 [email protected]

St. Louis Headquarters

3207 Washington Blvd. St. Louis, MO 63103

Washington, D.C. Area Office

16701 Melford Blvd. Suite 131 Bowie, MD 20715


prepare. protect. prosper. · 2018-08-20 · page 2 copyrigh 2018 hameleo ntegrate ervice 2.01-04...

Documents