IBM Security Summit 2017

IBM Cognitive Security Era with Watson

April 18, 2017
Anthony Aurigemma, Vice President, IBM Security Operations & Response

Slide 2: Today’s security drivers

• Compliance
• Human error
• Skills gap
• Advanced attacks
• Innovation

Slide 3: Attackers break through conventional safeguards every day

• $7M: average cost of a U.S. data breach
• 201 days: average time to identify a data breach
• 2014: 1+ billion records
• 2015: unprecedented impact
• 2016: 4+ billion records

Source: IBM X-Force Threat Intelligence Index - 2017

Slide 4: Traditional security practices at the breaking point

• 1.5 million unfilled security positions by 2020
• 85 security tools from 45 vendors
• 68 percent of CEOs are reluctant to share incident information externally

Slide 5: Quick Insights: Current Security Status

Chart labels recovered from the slide: Threats; Alerts; Analysts available; Available time; Knowledge needed. Is this really sustainable?

“There is a massive amount of noise out there; the human brain can’t process everything on a day-to-day basis. We need something to help, something like AI or cognitive technologies.”
Chad Holmes – Principal and Cyber-Strategy, Technology and Growth Leader (CTO) at Ernst & Young LLP

Slide 6: The need for cognitive security is real

“You start getting better at the soft side of security and you can provide additional context to the hard side of security which helps make better decisions and vice versa – a clearer picture about risk – that is what we are on the cusp of. That is what cognitive computing prepares us for.”
David Shipley, Director of Strategic Initiatives, Information Technology Services, University of New Brunswick

“There is a massive amount of noise out there, the human brain can’t process everything on a day to day basis – we need something to help, something like AI or cognitive technologies.”
Chad Holmes, Principal and Cyber Strategy, Technology and Growth Leader (CTO) at Ernst & Young LLP

“The 24/7 nature of security operations presents a challenge that is costly for most organizations to staff, which is where the appeal of cognitive-enabled security comes in — it never sleeps or fatigues.”
Michael Pinch, Chief Information Security Officer, University of Rochester

Slide 7: Almost two thirds believe cognitive security solutions will address gaps – with ~20% planning to adopt in 2-3 years

Expectations: 57% believe that “cognitive security” solutions can significantly slow down cybercriminals.

Top 3 perceived benefits:
• #1 Intelligence: Improve detection and incident response decision-making capabilities (40%)
• #2 Speed: Significantly improve incident response time (37%)
• #3 Accuracy: Provide increased confidence to discriminate between events and true incidents (36%)

Adoption: although only 7% of the total sample are currently working on implementing cognitive-enabled security solutions today, this rises to 21% in the next 2-3 years (3X, today vs. next 2-3 years).

Slide 8: Introducing and understanding Cognitive Security

Cognitive security provides the ability to unlock and action the potential in all data, internal and external, structured and unstructured. It connects obscure data points humans couldn’t possibly spot, enabling enterprises to more quickly and accurately detect and respond to threats, becoming more knowledgeable through the cognitive power to understand, reason and learn.

Slide 9: A tremendous amount of security knowledge is created for human consumption, but most of it is untapped

A universe of security knowledge, dark to your defenses. Typical organizations leverage only 8% of this content.*

Human Generated Knowledge:
• Industry publications
• Forensic information
• Threat intelligence commentary
• Analyst reports
• Conference presentations
• News sources
• Newsletters
• Tweets
• Wikis

Volume of human generated knowledge:
• 10K security research papers / year
• 720K security blogs / year
• 180K security related news articles / year
• 75K+ reported software vulnerabilities

Traditional Security Data:
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds

Volume of traditional security data:
• 200K+ security events viewed each day

* Forrester Research: Can You Give The Business The Data That It Needs?, 2013

IBM INTERNAL ONLY

Slide 10: Today’s Reality

• We are in a constant race against time to research and analyze the increasing number of alerts and anomalies
• We need greater confidence in our ability to make accurate assessments of potential security incidents
• We need to make our threat intelligence actionable and ensure that it is up to date and relevant
• We need to overcome our struggles in acquiring, training, and retaining enough security talent

“I’m overwhelmed with alerts and anomalies to investigate. There isn’t enough time and I’m worried I am going to miss something big.”

Slide 11: Cognitive Security Starts Here – IBM Security Introduces a Revolutionary Shift in Security Operations

IBM CONFIDENTIAL

NEW! IBM QRadar Advisor with Watson

• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes

Slide 12: Watson unlocks a tremendous amount of security knowledge enabling rapid and comprehensive investigation insights

• Continually growing and adapting
• Leverages the power of collaboration and crowdsourcing
• Creates and finds paths and linkages missed by humans
• Performs cognitive exploration of suspicious activities and behaviors
• Learns, adapts and doesn’t forget

Slide 13: QRadar Advisor – IBM Security Introduces a Revolutionary Shift in Security Operations

IBM CONFIDENTIAL

Diagram of the four roles in the QRadar Advisor model (labels recovered from the slide):

Security Analysts:
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other

Security Analytics:
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization

Watson for Cyber Security:
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence

QRadar Advisor:
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings

Slide 14: Cognitive Tasks of a Security Analyst in Investigating an Incident

Gain local context leading to the incident:
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident

Gather the threat research, develop expertise:
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches

Apply the intelligence and investigate the incident:
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs

Time-consuming threat analysis: there’s got to be an easier way!

Slide 15: QRadar Advisor with Watson in Action

Diagram of the QRadar Advisor investigation flow (labels recovered from the slide):
• Stage 1 – Feature Hunt (QRadar Advisor): Incident/Anomaly, Device activities, Suspicious activities, Features
• Stage 2 – Cognitive Investigation: Features, Knowledge graph, Threat
• Stage 3 – Wider Feature Hunt (QRadar Advisor): Results and new features, Other devices, Suspicious devices
• Incident Diagnosis
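The analyst workflow on slides 14 and 15 (gain local context, find outliers on the affected host, enrich them with threat research, pivot to other internal hosts carrying the same indicators, qualify the incident and queue follow-up investigations) as an added worked example in Python. This is editor-added code, not IBM's or QRadar Advisor's: the log lines, the internal address range (10.0.0.0/8), the threat-intelligence lookup table and the rarity threshold max_hosts=2 are all constructed assumptions; a real deployment would pull events from the SIEM and query X-Force Exchange or VirusTotal instead of the in-memory table.

```python
import re
from collections import defaultdict

# Constructed sample events in a key=value form loosely modelled on proxy/firewall
# logs as a SIEM would present them. These are not real QRadar records; addresses use
# RFC 5737 documentation ranges and domains use the reserved .example TLD.
SAMPLE_EVENTS = """\
src=10.0.0.5 dst=203.0.113.7 domain=cdn.example.net action=allow
src=10.0.0.5 dst=198.51.100.22 domain=login.microsoft-updates.example md5=0123456789abcdef0123456789abcdef action=allow
src=10.0.0.5 dst=203.0.113.7 domain=cdn.example.net action=allow
src=10.0.0.9 dst=203.0.113.7 domain=cdn.example.net action=allow
src=10.0.0.12 dst=198.51.100.22 domain=login.microsoft-updates.example action=allow
src=10.0.0.31 dst=203.0.113.7 domain=cdn.example.net action=allow
src=10.0.0.31 dst=192.0.2.45 domain=mail.example.org action=allow
"""

# Constructed stand-in for an external threat-intelligence lookup (X-Force Exchange,
# VirusTotal or similar). Keys are indicator values, values are a family name.
SAMPLE_INTEL = {
    "login.microsoft-updates.example": "ExampleStealer (constructed family name)",
    "0123456789abcdef0123456789abcdef": "ExampleStealer (constructed family name)",
}

KV_RE = re.compile(r"(\w+)=(\S+)")
INTERNAL_RE = re.compile(r"^10\.")  # assumption: 10.0.0.0/8 is the internal range


def parse_events(text):
    """Turn key=value lines into dicts, skipping blank lines."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def indicators_of(event):
    """Return the (kind, value) indicators carried by one event."""
    found = set()
    if "domain" in event:
        found.add(("domain", event["domain"]))
    if "md5" in event:
        found.add(("md5", event["md5"]))
    if "dst" in event and not INTERNAL_RE.match(event["dst"]):
        found.add(("ip", event["dst"]))
    return found


def find_outliers(events, seed_host, max_hosts=2):
    """Stage 1 feature hunt: indicators seen on the seed host that at most
    max_hosts internal hosts share (rare across the environment)."""
    hosts_per_indicator = defaultdict(set)
    for ev in events:
        for ind in indicators_of(ev):
            hosts_per_indicator[ind].add(ev["src"])
    seed_inds = set()
    for ev in events:
        if ev.get("src") == seed_host:
            seed_inds |= indicators_of(ev)
    return {ind for ind in seed_inds if len(hosts_per_indicator[ind]) <= max_hosts}


def enrich(indicators, intel):
    """Stage 2: look up outlier indicators in the (constructed) intel source."""
    return {ind: intel[ind[1]] for ind in indicators if ind[1] in intel}


def pivot_hosts(events, matched, seed_host):
    """Stage 3 wider feature hunt: other internal hosts whose events carry
    any indicator that threat research confirmed as malicious."""
    hosts = set()
    for ev in events:
        if ev.get("src") != seed_host and indicators_of(ev) & set(matched):
            hosts.add(ev["src"])
    return hosts


def qualify(matched, other_hosts):
    """Incident diagnosis: a verdict the analyst can act on."""
    if not matched:
        return "unqualified: no intel match, needs manual review"
    if other_hosts:
        return "confirmed: known malware with additional affected hosts"
    return "confirmed: known malware, single host"


def investigate(seed_host, events_text=SAMPLE_EVENTS, intel=SAMPLE_INTEL):
    """Run the whole workflow for one offense and return a summary."""
    events = parse_events(events_text)
    outliers = find_outliers(events, seed_host)
    matched = enrich(outliers, intel)
    others = pivot_hosts(events, matched, seed_host)
    return {
        "seed": seed_host,
        "outliers": sorted(outliers),
        "malware": sorted(set(matched.values())),
        "other_hosts": sorted(others),
        "verdict": qualify(matched, others),
        "next_investigations": sorted(others),  # each becomes a new seed host
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(investigate("10.0.0.5"))
```

The rarity filter is what keeps the enrichment step cheap: only indicators that few hosts share are sent to threat research, so the widely used CDN domain in the sample never leaves the environment. The host list returned under next_investigations is exactly the "start another investigation around each of these IPs" step on slide 14; feeding each one back into investigate() is the loop that the slide calls time consuming when done by hand.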

Slide 16: Identify and understand sophisticated threats

QRadar Watson Advisor automates the cognitive tasks necessary to enrich security incidents. Security analysts are empowered with actionable insights to identify and understand sophisticated threats.

Suspicious activity – Identify suspicious activities and understand:
• Target system
• Motive
• Objective
• Duration

Exploits – Identify compromised hosts and understand:
• Target vulnerabilities
• Objective
• Attack sequence
• Scope

Malware – Identify patient zero and understand:
• Name
• Family
• Sources
• Delivery method
• Impact

SEE THE BIG PICTURE

“I’d equate the traditional cybersecurity analysis model to standing at the side of a freeway trying to identify potential lawbreakers. As traffic whizzes by, it’s impossible to identify who is speeding or who might be in a stolen vehicle,” ... “Using Watson, on the other hand, is like flying over the same freeway in a helicopter.”

Slide 17: Significantly reduce threat research and response time with QRadar Watson Advisor

Manual threat analysis: Incident Triage, Investigation and Impact Assessment, Remediation take days to weeks.
QRadar Watson Advisor assisted threat analysis: Incident Triage, Investigation and Impact Assessment, Remediation take minutes to hours.

Quick and accurate analysis of security threats, saving precious time and resources:
• Accelerates incident triage with more automation and analysis depth
• Alleviates pressure of the skills gap
• Reduces risk by discovering previously missed links
• Augments contributions of security teams

Slide 18: IBM QRadar Watson Advisor powered by Watson for Cyber Security

BRINGING THE POWER OF COGNITIVE SECURITY TO THE SECURITY ANALYST

IBM CONFIDENTIAL

• Consults more information sources than humanly possible
• Maintains the currency of security knowledge
• Removes human error and dependency on research skills
• Repeats analysis automatically as the incident develops or new intelligence becomes available
• Leverages the power of collaboration and crowdsourcing of threat intelligence and activity for more accurate insights

Slide 19: IBM Security: An integrated and intelligent security immune system

Capabilities shown in the diagram:
• Criminal detection
• Fraud protection
• Workload protection
• Cloud access security broker
• Access management
• Entitlements and roles
• Privileged identity management
• Identity management
• Data access control
• Application security management
• Application scanning
• Data monitoring
• Device management
• Transaction protection
• Content security
• Malware protection
• Endpoint detection and response
• Endpoint patching and management
• Virtual patching
• Firewalls
• Network forensics and threat management
• Sandboxing
• Network visibility and segmentation
• Indicators of compromise
• IP reputation
• Threat sharing
• Vulnerability management
• Incident response
• User behavior analysis
• Threat hunting and investigation
• Cognitive security
• Threat and anomaly detection

Slide 20: THANK YOU

FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Slide 21: BACKUP

Slide 22: Unlocking a new partnership between security analysts and QRadar

Diagram labels recovered from the slide:
• Security analyst: Enterprise Security Analytics
• Security analyst with QRadar Advisor: Enterprise Security Analytics plus Cognitive Security (Cognitive Investigation and Insights)

SEE THE BIG PICTURE. ACT WITH CONFIDENCE AND SPEED.

“QRadar Advisor provides us with the much-needed insight to take offences we may have ignored and spend the time digging into potential attacks in order to truly understand our risk and the needed actions to mitigate a threat.”

“Results in the enhanced context graph is the same type of information that one of the analysts would find during their manual research, but BIG savings in time. Maybe they would come up with 1/3 to ½ of what was found by Watson analysis during 3 hours of manual research.”

Slide 23

“Cognitive security has so much potential — you can meet your labor shortage gap, you can reduce your risk profile, you can increase your efficiency of response. It can help you understand the narrative story. People consume stories — this happened, then this happened, with this impact, by this person. Additionally, cognitive can lower the skills it takes to get involved in cybersecurity. It allows you to bring in new perspectives from non-IT backgrounds into cracking the problem.”
David Shipley – Director of Strategic Initiatives, Information Technology Services, University of New Brunswick

Slide 24

“There is a massive amount of noise out there; the human brain can’t process everything on a day-to-day basis. We need something to help, something like AI or cognitive technologies.”
Chad Holmes – Principal and Cyber-Strategy, Technology and Growth Leader (CTO) at Ernst & Young LLP

Slide 25: The Cognitive Security Era Starts Here

A new era is emerging where man and machine work together to address three gaps – in intelligence, speed and accuracy.

Slide 26: Revolutionizing how security analysts will work

Diagram labels recovered from the slide:
• Security analyst: Enterprise Security Analytics
• Security analyst with QRadar Advisor: Enterprise Security Analytics plus Human Generated Security Knowledge, brought together as Cognitive Security

GAIN POWERFUL INSIGHTS. REDUCE THE SECURITY GAPS.

• Tap into the vast array of data to uncover new patterns
• Get smarter over time and build instincts
• Automate the threat research that otherwise would have to be done by security analysts
• Triage threats and make recommendations with accuracy, at speed and scale

Slide 27: QRadar Advisor with Watson for Cyber Security Addresses the Major Challenges SOC Teams Face

Challenges:
• Security teams face a race against time, having to research and analyze an increasing number of high priority security incidents
• Staggering volume and noise in security data coupled with a lack of actionable intelligence plagues security teams
• Security teams are not confident in their ability to consistently make accurate assessments of potential security incidents
• Acquiring, training and retaining security talent is a growing challenge that security organizations are contending with

What QRadar Advisor brings:
• Faster investigations to clear the backlog more easily
• Enriched, timely information to provide greater context for each incident
• Automated reasoning that is refined with feedback and experience to improve accuracy and develop trust
• A trusted advisor to complement security analysts