Artificial intelligence in security practice (Umělá inteligence v bezpečnostní praxi) - Eventworld.cz
Slide 1
Artificial intelligence in security practice
ACCELERATING INCIDENT ANALYSIS WITH ARTIFICIAL INTELLIGENCE
Tomáš Pokorný Security SW sales manager, Central region
IBM Security
October 2018
Slide 2
Agenda
• Why?
• How to solve the problem?
• How does it work?
• Benefit
Slide 3
Your goals as a security operations team are fundamental to business
• Protect critical systems & data
• Respond to incidents accurately and quickly
• Outthink cyber criminals
Slide 4
But the pressures today make them hard to keep up with
Data Overload · Unaddressed Threats · Skills Shortage
“My workload is overwhelming and repetitive.”
“I don’t know where to focus my time for the quickest response.”
“There is so much information out there, it’s impossible to find what’s useful.”
Slide 5
Artificial intelligence bridges this gap and unlocks a new partnership between security analysts and their technology
Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow
AI: Cognitive Security
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics
Human Expertise
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization
Slide 6
Unlocking a new partnership between security analysts and their technology
QRadar Advisor complementing the investigative resources of a SOC
Security Analysts
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other
Security Analytics
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization
Watson for Cyber Security
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence
QRadar Advisor with Watson
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings
[Diagram: Security Analysts, Security Analytics, QRadar Advisor with Watson, Watson for Cyber Security]
Slide 7
How it works – Building the knowledge
1-3 Day · 1 Hour · 5 Minutes
Structured Security Data: X-Force Exchange, trusted partner data, open source, paid data
- Indicators, vulnerabilities, malware names, …
- New actors, campaigns, malware outbreaks, indicators, …
- Course of action, actors, trends, indicators, …
Crawl of Critical Unstructured Security Data – massive crawl of all security-related data on the web: breach replies, attack write-ups, best practices, blogs, websites, news, …
Filtering + Machine Learning removes unnecessary information
Machine Learning / Natural Language Processing extracts and annotates collected data
Billions of data elements · millions of documents · 3:1 reduction · 5-10 updates / hour · 100K updates / week
Massive Security Knowledge Graph: billions of nodes / edges
Slide 8
How it works – App that takes QRadar to the next level
IBM QRadar Advisor with Watson
Advisor is quick to deploy and easy to consume: delivered via IBM Security App Exchange, downloadable in minutes, complimentary 30-day trials available
• QRadar Advisor: performs local data mining using observables to gather context
• QRadar Security Analytics Platform: set up automatic offense analysis to Advisor
• Watson for Cyber Security: applies powerful cognitive analytics leveraging external data sources to connect insights
• QRadar Advisor: provides intelligence to help analysts make faster triage decisions
Slide 9
QRadar Advisor in Action
1. Offenses
2. Gains local context and forms threat research strategy (offense context, device activities, equivalency relationships)
3. Observables
4. Performs threat research and develops expertise (knowledge graph)
5. Research results
6. Applies the intelligence gathered to investigate and qualify the incident
QRadar: correlated enterprise data
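As an added illustration (not IBM's code and not how QRadar Advisor or the Watson knowledge graph is implemented), the loop on this slide reduced to its core: observables taken from an offense are expanded by walking a knowledge graph like the one built on the previous slide, and the indicators surfaced that way are then searched against local events to qualify the incident. All graph edges, indicator values, host names and events are constructed samples.

```python
from collections import deque

# Constructed knowledge-graph edges (kind, value, relation, kind, value);
# a stand-in for the Watson graph, not real indicators.
EDGES = [
    ("ip", "203.0.113.7", "resolves_to", "domain", "cnc.example.invalid"),
    ("domain", "cnc.example.invalid", "used_by", "campaign", "ExampleCampaign"),
    ("campaign", "ExampleCampaign", "drops", "sha256", "ab" * 32),
    ("campaign", "ExampleCampaign", "sends_from", "domain", "mail.example.invalid"),
]

def build_graph(edges):
    """Undirected adjacency: node -> [(neighbour, relation)]."""
    graph = {}
    for k1, v1, rel, k2, v2 in edges:
        graph.setdefault((k1, v1), []).append(((k2, v2), rel))
        graph.setdefault((k2, v2), []).append(((k1, v1), rel))
    return graph

def expand_observables(observables, graph, max_depth=3):
    """Step 4: BFS from the offense observables; returns {indicator: hops}."""
    seen = {obs: 0 for obs in observables}
    queue = deque(observables)
    while queue:
        node = queue.popleft()
        if seen[node] >= max_depth:
            continue
        for nxt, _rel in graph.get(node, []):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def qualify_incident(indicators, events):
    """Step 6: local events matching a surfaced (hops > 0) indicator."""
    hits = []
    for ev in events:
        for (kind, value), hops in indicators.items():
            if hops > 0 and ev.get(kind) == value:
                hits.append((ev["host"], kind, value))
    return hits

# Constructed sample: offense observable and local events (slide 12 style)
OFFENSE_OBSERVABLES = [("ip", "203.0.113.7")]
LOCAL_EVENTS = [
    {"host": "ws-01", "ip": "203.0.113.7"},
    {"host": "ws-07", "domain": "mail.example.invalid"},
    {"host": "srv-02", "sha256": "ab" * 32},
]
```

Running `qualify_incident(expand_observables(OFFENSE_OBSERVABLES, build_graph(EDGES)), LOCAL_EVENTS)` reports the two hosts that touched campaign infrastructure the original offense never mentioned, which is the "search for compromise with additional indicators" step of the later scenarios.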
Slide 10
How it works – Use cases further defined
• Realize the reach of threats and their effects on other users and systems in your ecosystem
• Utilize locally gathered and Watson external threat intelligence to gain broader context within your investigations
• Understand and quickly assess threats to know if they bypassed your layered defenses or if they were stopped dead in their tracks
• Understand malware and ransomware sources, delivery methods and related components to help quickly determine your impact and next courses of action
• Identify users and critical assets when they are involved in an incident and quickly pivot to gain details on user behavior activity and asset metadata
Slide 11
Sample Scenarios & Demo Resources
Slide 12
Client Connecting to Botnet IP
OFFENSE – BOTNET IP
• QRadar fired an offense on a user attempting to connect to a botnet IP
• Analyst found 5 correlated indicators manually while we ran Watson
• Watson showed the extent of the threat with 50+ useful indicators
WATSON INDICATORS: email hashes, file hashes, IP addresses, domains
Slide 13
External Scan
OFFENSE – EXTERNAL SCAN
• Light external scanning
• Looked like Shodan
• Analyst would have marked as nuisance scan
• Watson revealed additional info
WATSON KEY INDICATORS: botnet CNC, SPAM servers, malware hosting
Slide 14
Client Malware Download
OFFENSE – CLIENT MALWARE DOWNLOAD
• Client attempted malware download; malware was blocked
• How much time do you spend on a blocked threat?
• Watson enriched: malware was part of a larger campaign
• Analysts used additional indicators to search for compromise
WATSON KEY INDICATORS
Slide 15
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.