Umělá inteligence v bezpečnostní praxi ACCELERATING INCIDENT ANALYSIS WITH ARTIFICIAL INTELLIGENCE Tomáš Pokorný Security SW sales manager, Central region IBM Security October 2018

Upload: others

Post on 20-May-2020

6 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Umělá inteligence v bezpečnostní praxi - Eventworld.cz · 8 IBM Security How it works – App that takes QRadar to the next level IBM QRadar Advisor with Watson Advisor is quick

Umělá inteligence v bezpečnostní praxi

ACCELERATING INCIDENT ANALYSIS WITH ARTIFICIAL INTELLIGENCE

Tomáš Pokorný Security SW sales manager, Central region

IBM Security

October 2018

Page 2:

Agenda

• Why?

• How to solve the problem?

• How does it work?

• Benefit

Page 3:

Your goals as a security operations team are fundamental to business

• Protect critical systems & data

• Respond to incidents accurately and quickly

• Outthink cyber criminals

Page 4:

But the pressures today make them hard to keep up with

Data Overload · Unaddressed Threats · Skills Shortage

Analyst voices:

• “My workload is overwhelming and repetitive.”

• “I don’t know where to focus my time for the quickest response.”

• “There is so much information out there, it’s impossible to find what’s useful.”

Page 5:

Artificial intelligence bridges this gap and unlocks a new partnership between security analysts and their technology

Security Analytics

• Data correlation

• Pattern identification

• Anomaly detection

• Prioritization

• Data visualization

• Workflow

AI: Cognitive Security

• Unstructured analysis

• Natural language

• Question and answer

• Machine learning

• Bias elimination

• Tradeoff analytics

Human Expertise

• Common sense

• Morals

• Compassion

• Abstraction

• Dilemmas

• Generalization

Page 6:

Unlocking a new partnership between security analysts and their technology

QRadar Advisor complementing the investigative resources of a SOC

Security Analysts

• Manage alerts

• Research security events and anomalies

• Evaluate user activity and vulnerabilities

• Configuration

• Other

Security Analytics

• Data correlation

• Pattern identification

• Thresholds

• Policies

• Anomaly detection

• Prioritization

Watson for Cyber Security

• Security knowledge

• Threat identification

• Reveal additional indicators

• Surface or derive relationships

• Evidence

QRadar Watson Advisor

• Local data mining

• Perform threat research using Watson for Cyber Security

• Qualify and relate threat research to security incidents

• Present findings

[Diagram: Security Analysts, Security Analytics, QRadar Advisor with Watson, Watson for Cyber Security]

Page 7:

How it works – Building the knowledge

Timeline labels: 1-3 Day · 1 Hour · 5 Minutes

Structured Security Data (X-Force Exchange, trusted partner data, open source, paid data)

- Indicators, vulnerabilities, malware names, …

- New actors, campaigns, malware outbreaks, indicators, …

- Course of action, actors, trends, indicators, …

Crawl of Critical Unstructured Security Data / Massive Crawl of all Security Related Data on Web

- Breach replies

- Attack write-ups

- Best practices

- Blogs

- Websites

- News, …

Filtering + Machine Learning Removes Unnecessary Information

Machine Learning / Natural Language Processing Extracts and Annotates Collected Data

Scale: billions of data elements, millions of documents, 3:1 reduction, 5-10 updates / hour, 100K updates / week

Massive Security Knowledge Graph: Billions of Nodes / Edges

Page 8:

How it works – App that takes QRadar to the next level

IBM QRadar Advisor with Watson

Advisor is quick to deploy and easy to consume

Delivered via IBM Security App Exchange, downloadable in minutes, complimentary 30-day trials available.

• QRadar Advisor: performs local data mining using observables to gather context

• QRadar Security Analytics Platform: set up automatic offense analysis to Advisor

• Watson for Cyber Security: applies powerful cognitive analytics leveraging external data sources to connect insights

• QRadar Advisor: provides intelligence to help analysts make faster triage decisions

Page 9:

QRadar Advisor in Action

1. Offenses

2. Gains local context and forms threat research strategy

3. Observables

4. Performs threat research and develops expertise

5. Research results

6. Applies the intelligence gathered to investigate and qualify the incident

[Diagram labels: QRadar (correlated enterprise data), offense context, device activities, equivalency relationships, knowledge graph]

Page 10:

How it works – Use cases further defined

• Realize the reach of threats and their effects on other users and systems in your ecosystem

• Utilize locally gathered and Watson external threat intelligence to gain broader context within your investigations

• Understand and quickly assess threats to know if they bypassed your layered defenses or if they were stopped dead in their tracks

• Understand malware and ransomware sources, delivery methods and related components to help quickly determine your impact and next courses of action

• Identify users and critical assets when they are involved in an incident and quickly pivot to gain details on user behavior activity and asset metadata

Page 11:

Sample Scenarios & Demo Resources

Page 12:

Client Connecting to Botnet IP

• QRadar fired an offense on a user attempting to connect to a botnet IP

• Analyst found 5 correlated indicators manually while we ran Watson

• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses, domains

[Diagram: Watson indicators around the botnet IP]

Page 13:

External Scan

Offense – External scan

• Light external scanning

• Looked like Shodan

• Analyst would have marked as nuisance scan

• Watson revealed additional info: botnet CNC, SPAM servers, malware hosting

[Diagram: Watson key indicators]

Page 14:

Client Malware Download

Watson key indicators – Client malware download

• Client attempted malware download; malware was blocked. How much time do you spend on a blocked threat?

• Watson enriched: malware was part of a larger campaign; analysts used additional indicators to search for compromise
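The loop the deck describes (offense, observables, local context, external research, pivot on the extra indicators, triage) and the lesson of the three scenarios (a "nuisance" scan or a blocked download can be the visible edge of a larger campaign) can be sketched in a few dozen lines. The Python below is an added illustration, not IBM's code and not the QRadar Advisor API: `OFFENSE`, `LOCAL_EVENTS`, `KNOWLEDGE_GRAPH`, `SEVERITY` and all function names are assumptions of this example, the log lines use RFC 5737 test addresses, and the hand-built graph stands in for the role Watson for Cyber Security plays on the slides. It goes a little beyond the slides in that the graph walk is generic (any indicator type, any depth).

```python
# Offense enrichment loop (constructed example, not IBM code): offense ->
# observables -> local context -> knowledge-graph research -> pivot -> verdict.
import json
import re
from collections import deque

# Step 1: an offense as QRadar might raise it (constructed)
OFFENSE = {"id": 1001, "description": "Light external scan from 203.0.113.9 against 10.0.0.5"}

# Stand-in for QRadar's correlated enterprise data (constructed key=value lines)
LOCAL_EVENTS = [
    "ts=2018-10-01T09:00:01 host=10.0.0.5 dir=in src=203.0.113.9 dport=22",
    "ts=2018-10-01T09:00:05 host=10.0.0.5 dir=in src=203.0.113.9 dport=443",
    "ts=2018-10-01T09:12:40 host=10.0.0.7 dir=out dst=198.51.100.44 dport=8080",
    "ts=2018-10-01T09:13:02 host=10.0.0.7 dir=out dst=update-check.example dport=80",
    "ts=2018-10-01T09:20:00 host=10.0.0.9 dir=out dst=cdn.example dport=443",
]

# Stand-in for the external security knowledge graph (Watson's role on the
# slides): node -> (category, related nodes). Hypothetical edges, made up here.
KNOWLEDGE_GRAPH = {
    "203.0.113.9": ("scanner", ["198.51.100.44"]),
    "198.51.100.44": ("botnet C2", ["update-check.example", "deadbeef" * 4]),
    "update-check.example": ("malware hosting", []),
    "deadbeef" * 4: ("malware file hash", []),
}

# Assumed ranking for this example: higher is worse, unlisted categories are 0.
SEVERITY = {"scanner": 1, "malware hosting": 2, "malware file hash": 2, "botnet C2": 3}

# Observable patterns; the domain one is simplified to a few TLDs on purpose.
PATTERNS = [
    re.compile(r"\b[0-9a-f]{64}\b"),                              # SHA-256
    re.compile(r"\b[0-9a-f]{32}\b"),                              # MD5
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),                   # IPv4
    re.compile(r"\b(?:[a-z0-9-]+\.)+(?:example|com|net|org)\b"),  # domain
]

def extract_observables(text):
    """Step 3: pull hashes, IPs and domains out of the offense text."""
    found = set()
    for pattern in PATTERNS:
        found.update(pattern.findall(text.lower()))
    return found

def parse_event(line):
    """key=value log line -> dict of fields."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def local_context(observables, events):
    """Step 2: number of local events each observable appears in."""
    counts = {}
    for line in events:
        for obs in observables & set(parse_event(line).values()):
            counts[obs] = counts.get(obs, 0) + 1
    return counts

def research(observables, graph, max_depth=2):
    """Step 4: breadth-first walk from the observables to reveal related
    indicators. Returns indicator -> {category, via, depth}."""
    related, seen = {}, set(observables)
    queue = deque((obs, obs, 0) for obs in observables if obs in graph)
    while queue:
        node, origin, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for nxt in graph[node][1]:
            if nxt in seen:
                continue
            seen.add(nxt)
            category = graph.get(nxt, ("unknown", []))[0]
            related[nxt] = {"category": category, "via": origin, "depth": depth + 1}
            if nxt in graph:
                queue.append((nxt, origin, depth + 1))
    return related

def pivot(indicators, events):
    """Step 6: find other hosts that touched the derived indicators."""
    hits = {}
    for line in events:
        fields = parse_event(line)
        touched = indicators & set(fields.values())
        if touched:
            hits.setdefault(fields["host"], set()).update(touched)
    return {host: sorted(found) for host, found in hits.items()}

def triage(offense, events, graph):
    """Run the loop end to end and return a summary with a verdict."""
    observables = extract_observables(offense["description"])
    derived = research(observables, graph)
    affected = pivot(set(derived), events)
    worst = max((SEVERITY.get(d["category"], 0) for d in derived.values()), default=0)
    if affected or worst >= SEVERITY["botnet C2"]:
        verdict = "escalate"   # a "nuisance scan" whose source is C2-linked
    elif derived:
        verdict = "review"
    else:
        verdict = "nuisance"
    return {"offense_id": offense["id"], "observables": sorted(observables),
            "local_context": local_context(observables, events),
            "derived_indicators": derived, "affected_hosts": affected, "verdict": verdict}

if __name__ == "__main__":
    print(json.dumps(triage(OFFENSE, LOCAL_EVENTS, KNOWLEDGE_GRAPH), indent=2))
```

Running the module prints the summary for the constructed scan offense: the scanning source alone is low severity, but the graph links it to a botnet C2 node, and pivoting on the derived indicators shows that host 10.0.0.7 has already talked to that C2 and to the associated malware-hosting domain, so the verdict is "escalate" rather than "nuisance". The same `triage` call on an offense whose observables are unknown to the graph returns "nuisance" with no affected hosts, which is the decision an analyst would otherwise have had to reach by hand.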

Page 15:

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU