- The document discusses the new era of cognitive security using IBM's Watson technology.
- Watson can help security analysts by using cognitive techniques to analyze large amounts of security data and knowledge that typically remain untapped. This helps analysts gain insights faster and reduce the security skills gap.
- The document provides an example of how Watson could assist a security analyst, significantly reducing the time spent on manual threat analysis and investigation from days/weeks to minutes/hours.
1. The New Era of Cognitive Security
IBM SECURITY ROADSHOW
Peter Allor
29 August 2016
Senior Security Strategist, IBM Security
Project Manager, Disclosures, IBM
2. 2 IBM Security
Today’s security challenges
ACTORS
• Organized Crime
• Malicious Insiders
• Nation States
• Hacktivists
TARGETS
• Healthcare
• Manufacturing
• Government
• Financials
VECTORS
• Ransomware
• Phishing, Exploit Kits
• Stealthy Malware
• Denial of Service
REALITY
• Cloud, mobile, IoT
• Compliance
• Human error
• Skills gap
3. The attackers have organized…
Global data sharing
Marketplace for products and services
Trusting relationships and networks
Organized cyber gangs
• Criminal Boss
• Underboss
• Campaign Managers
• Affiliation Networks
• Stolen Data Resellers
4. Today’s attacks require a strategic security approach
Yesterday’s Attacks: indiscriminate malware, spam and DDoS activity
Tactical Approach (compliance-driven, reactionary)
• Build multiple perimeters
• Protect all systems
• Use signature-based methods
• Periodically scan for known threats
• Shut down systems
Today’s Attacks: advanced, persistent, organized, politically or financially motivated
Strategic Approach (intelligent, orchestrated, automated)
• Assume constant compromise
• Prioritize high-risk assets
• Use behavioral-based methods
• Continuously monitor activity
• Gather, preserve, retrace evidence
It takes power and precision to stop adversaries and unknown threats
5. The next era of security
• PERIMETER CONTROLS
• INTELLIGENCE and INTEGRATION
• COGNITIVE, CLOUD, and COLLABORATION
6. Evolving to Cognitive
Scale and magnify human cognition by leveraging automation
Technique: Human-centric communications
• Advanced visualizations
• Interactive vulnerability analysis, risk assessment, remediation, possible attribution
Outcome: Ease the task of the security analyst
Technique: Natural language sources and processing
• Textual descriptions of past and current security breaches
• Integrated vulnerability data per application and OS version
Outcome: Consolidate threat intelligence
Technique: Continuous machine learning
• Deep learning and ensemble weighting techniques
• Continuous extraction of features and patterns
• Context in real time
Outcome: Improve threat analyst decision-making
Technique: Evidence-based reasoning
• Provide evidence
• Spot flawed logic
• Enable analysts to weigh possible alternative outcomes
Outcome: Improve human reasoning
7. Most security knowledge is untapped…
Traditional Security Data
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
Human Generated Knowledge
• Threat intelligence
• Research documents
• Industry publications
• Forensic information
• Conference presentations
• Analyst reports
• Blogs
• Webpages
• Wikis
• News sources
• Newsletters
• Tweets
A universe of security knowledge dark to your defenses
8. Watson for Cyber Security
The world’s first Cognitive analytics solution using core Watson technology to understand, reason, and learn about security topics and threats
Unlocking new possibilities
9. Revolutionizing how security analysts work
Gain powerful insights
• Tap into the vast array of data to uncover new patterns
• Get smarter over time and build instincts
Reduce the security skills gap
• Triage threats and make recommendations with confidence, at scale and speed
Save time and costs
• Handle mass minutiae, so you can work on offense not endless defense
SECURITY ANALYST: Enterprise Security Analytics
SECURITY ANALYST and WATSON: Enterprise Security Analytics plus Human Generated Security Knowledge; cognitive techniques to mimic human intuition around advanced threats
10. Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology
Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow
Cognitive Security
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics
Human Expertise
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization
11. A day in the life of investigating threats…
Rafael, Security Analyst
1 HOUR: Gets caught up on the latest security news through bulletins and social networks in order to identify new threats
3 HOURS: Repeatedly investigates potential security incidents via online sources
4 HOURS: Manually copies and pastes information from disparate and siloed tools to correlate data
All this mundane time spent, yet STILL SO MANY FALSE POSITIVES!
Time-consuming threat analysis
12. “What I need is to feel human again. I need help from an experienced and trusted security advisor.”
13. Introducing… IBM Watson for cyber security
The world’s first Cognitive analytics solution using core Watson technology to help analysts understand, reason, and learn about security topics and threats.
Unlock new possibilities.
14. Watson for cyber security will significantly reduce threat research and response time
Manual threat analysis (Incident Triage, Investigation and Impact Assessment, Remediation): Days to Weeks
IBM Watson for cyber security assisted threat analysis (Incident Triage, Investigation and Impact Assessment, Remediation): Minutes to Hours
Quick and accurate analysis of security threats, saving precious time and resources
15. With the help of Watson, Rafael can become more proactive
• Faster investigations
• Clear backlog more easily
• Increased investigative skills
• Heavy lifting done beforehand
Rafael, Security Analyst: Less time on the mundane, more time being human!
Quick and accurate analysis of security threats, saving precious time and resources
16. We intend to integrate Watson for cyber security with IBM QRadar to accelerate Cognitive Security for our clients
Diagram: IBM QRadar Security Intelligence Platform (Internal Security Events and Incidents) connects via “Send to Watson for Security” to Watson for cyber security (External Security Knowledge)
QRadar sends Watson a pre-analyzed security incident
Watson automatically provides response back to Security Analyst on probability of threat and best practices, resulting in substantial time savings
17. Cognitive systems scale knowledge
Understand: Adapt and make sense of all data; “read” text, “see” images and “hear” natural speech with context
Reason: Interpret information, organize it and offer explanations of what it means, with rationale for the conclusions
Learn: Accumulate data and derive insight at every interaction, perpetually
Cognitive systems curate knowledge from data without constant human intervention
Security intelligence + big data analytics + Cognitive Security = maximum security
18. Application of Cognitive Computing to Cyber Security
• Understanding of natural language, images and other sensory information
• Complex reasoning and deep interaction with experts
• Hypothesis and question generation across arbitrary domains; meta-heuristic to automate algorithm choices
20. Watson saves the security analyst valuable time spent trying to keep pace manually
Watson continuously crawls the internet for all information related to security in blogs, reports, advisories, and vulnerability disclosures
21. Watson helps uncover new connections previously unknown to the security analyst
Watson aggregates local analytics with its own insight and quickly determines two possible malware families and an exploit kit (Locky or Dridex)
SHARED UNDER NDA UNTIL MAY 10, 2016
22. Watson determines the specific campaign (Locky) and discovers more infected endpoints, sending results to incident response team
Significantly reduces the attack surface by bringing new insights to the investigation and response process