IBM Cyber Security Research
Dr. Andreas Wespi
6 Sep. 2016
© 2016 IBM Corporation
Slide 2: IBM Research
More than 3,000 scientists and engineers at 12 labs on 6 continents
Labs: China, Watson, Almaden, Austin, Tokyo, Haifa, Zurich, India, Ireland, Australia, Brazil, Africa
Slide 3: IBM Security Research
Labs: Haifa, Tokyo, Watson, Zurich, China
Haifa, Tokyo, Watson: Security Services; Information Security; Cryptography; Virtualization, Cloud; Biometrics; Security Analytics; Cognitive Security; Security Engineering; Secure Hardware
Zurich: Cryptography; Authentication Solutions; Virtualization, Cloud; Security Analytics; Identity Management; Storage Security; Privacy; Industrial Control Systems
China: Internet of Things
Slide 4: IBM Research’s Cyber Security Agenda: Five Focus Areas
• Automate identification of critical assets: Enterprise Information Security Management for Enterprise and Cloud
• Secure the foundations: Security Technologies for SoftLayer and Software Defined Environments
• Enforce security from assets to end-points: Security for the Mobile Enterprise and Cyber-physical Systems (SCADA/ICS)
• Engineering & algorithms for provable security: Search and Computation on Encrypted Data, Privacy, and Personal Cryptography
• Comprehensive situational awareness: Cyber Security Analytics for Networks, Devices, Cloud, Usage and Entitlements, Social, Application and Business Processes
Slide 5: Cognitive is ushering in a new era of security
Slide 6: What are “Cognitive” and Cognitive Computing Systems?
Cognitive means “relating to the mental process involved in knowing, learning, and understanding things.” [Collins Cobuild Advanced Learner's English Dictionary]
“Cognitive computing systems learn and interact naturally with people to extend what either humans or machine could do on their own. They help human experts make better decisions by penetrating the complexity of Big Data.” [http://www.research.ibm.com/cognitive-computing/]
Slide 7: Once upon a time …
IBM Watson – Jeopardy! winning supercomputer
Slide 8
Slide 9: IBM Security Summit (May 10, 2016) Announcement
Slide 10: A tremendous amount of security knowledge is created for human consumption, but most of it is untapped
Slide 11: A day in the life of a threat investigator
Slide 12
Slide 13: Cognitive Systems: A new partnership between security analysts and their technology
Slide 14: IBM Watson enables insights by connecting and analyzing hundreds of internal and external data sources in minutes rather than weeks
Integrating various types of Big Data
Cycle: Learn, Test, Experience, Ingest
Watson Corpus: many terabytes of data; tens of millions of documents; hundreds of millions of entities and relationships
Internal Data: X-Force Threat Analysis; IP Reputation Database; Social Analytics; Fraud Analytics; QRadar SIEM Offense Data; Entity-Relationship Graphs; Client Data Sources
External Data: Wikipedia; CIA Factbook; Exploit Analysis; Security Bulletins; CVEs; Bad Actor Forums; IRC & Social Media
Slide 15: Understanding entities and relationships
IBM Watson is taught to extract entities and relationships from natural language text sources
Cycle: Learn, Test, Experience, Ingest
Entity representation types: IP & DNS Records; Known Associations; Social IDs, Aliases; Name, Location
A wide range of annotators enables Watson to link all entity representations. Representations shown on the slide: Armand Ayakimyan; Apsheronsk, Russia; 31.170.179.179, ssndob.ru, ssndob-search.info; ssndob@swissjabber.ch; Mr. Zack, 38337, Darkill, Darkglow, Planovoi; Cyclosa Gang, Tojava, JoTalbot, DarkMessiah
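The annotate-and-link step this slide describes, written out as an added illustration of the idea: several small annotators each recognise one kind of representation (IP address, domain, e-mail, forum handle), and representations that appear in the same document are linked into one entity graph that an analyst can walk from any starting point. This is not Watson's or IBM's code; the regular-expression annotators, the co-occurrence linking rule and the three sample texts (constructed, using documentation IP ranges and example domains) are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample documents (not real reports); identifiers use the
# 192.0.2.0/24 documentation range and example.* domains.
DOCS = [
    "Forum post by handle 'nightowl' advertises a lookup service at lookup-example.net.",
    "lookup-example.net resolves to 192.0.2.44; contact address is ops@example.net.",
    "The same 192.0.2.44 also hosts search.example.org; admin handle: nightowl.",
]

# One annotator per representation type. These regexes are deliberately
# simple illustrations, not production-grade parsers.
ANNOTATORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b"),
    # The lookbehind stops the domain part of an e-mail, or the tail of a
    # hyphenated name, from being annotated a second time as a bare domain.
    "domain": re.compile(r"(?<![\w@.-])(?:[\w-]+\.)+(?:net|org|com)\b"),
    # Matches both "handle 'name'" and "handle: name"; group 1 is the name.
    "handle": re.compile(r"handle\s*:?\s*'?([\w-]+)'?"),
}


def annotate(text):
    """Run every annotator over one document; return a set of (type, value)."""
    found = set()
    for kind, rx in ANNOTATORS.items():
        for m in rx.finditer(text):
            value = m.group(1) if rx.groups else m.group(0)
            found.add((kind, value))
    return found


def build_graph(docs):
    """Link every pair of entities that co-occur in the same document."""
    graph = defaultdict(set)
    for text in docs:
        ents = annotate(text)
        for a in ents:
            # update() also creates the node when it has no neighbours
            graph[a].update(b for b in ents if b != a)
    return graph


def linked_representations(graph, seed):
    """Breadth-first walk from one representation to every representation
    reachable through co-occurrence links (the seed is included)."""
    seen = {seed}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    g = build_graph(DOCS)
    for kind, value in sorted(linked_representations(g, ("handle", "nightowl"))):
        print(f"{kind:7s} {value}")
```

Walking the graph from the handle reaches the domain advertised in the first post, the address and contact mailbox from the second, and the second domain from the third, even though no single document mentions all of them; that transitive linking is what turns isolated annotations into an entity profile.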
Slide 16: Understanding entities and relationships
Slide 17: Learning through expert training
Cycle: Learn, Test, Experience, Ingest
Example question: “What can I do to mitigate the risk of a shellshock attack?”
Pipeline: Question → Search Corpus → Extract Evidence → Score & Weigh
Scoring criteria: Quantity; Proximity; Relationship; Domain Truths/Business Rules
Corpus sources: Cyber Lexicon; Bulletins; CVE reports; Breach Analyses; Forums; Social Media; Security Research
IBM Watson provides answers with evidence and is iteratively trained, learning from both successes and failures, much as humans do
Slide 18: We intend to integrate IBM Watson for Cyber Security with IBM QRadar to accelerate Cognitive Security for our clients
IBM QRadar Security Intelligence Platform (Internal Security Events and Incidents) → Send to Watson for Security → Watson for Cyber Security (External Security Knowledge)
QRadar sends Watson a pre-analyzed security incident. Watson automatically provides a response back to the Security Analyst on the probability of threat and best practices, resulting in substantial time savings.
Slide 19: Getting smarter over time, Watson plans to apply its security instincts to a number of use cases
• Identify threats with advanced analytics
• Enhance your SOC analysts
• Speed response with external intelligence
• Improve enterprise risk
• Strengthen application security
Slide 20: Convergence of IT and OT
Slide 21: Industrial Control Systems (ICS) Security
Activity 1: Instrumentation and Collection
– Identify strategic points in the network
– Collection of network data (e.g., NetFlow, packet header information, DHCP/ARP data)
Activity 2: Passive Network Exploration
– Identification of devices
– Collection and inference of information about the devices
– Understanding the traffic flows, communication patterns, and dependencies
Activity 3: Anomaly Detection
– Characterize the normal behavior of the network traffic
– Mine the traffic for abnormal deviations
Pipeline: Feature Extraction → Behavior modeling → Anomaly detection
Three Environments: i) IBM Research testbed (Zurich) ii) Enel Industrial Cyber Laboratory iii) Enel Power Plant
Enel – large power generator and distributor, operations in 32 countries across 4 continents. In collaboration with IBM GTS and IBM Security Services
Slide 22: Passive Data Collection: Flow Level and Content Analysis
Protocol Zoo
• Many different and proprietary protocols
Traffic Monitoring
• Network flows: end-to-end traffic communication patterns
• Raw packets: analysis of OPC packet contents to monitor field bus related events
Focus: OPC Servers, RTU/PLC, SCADA/HMI
Diagram labels: Open Platform Communications Protocol; Fieldbus (ModBus, Profibus, IEC 104, DNP3, etc.); Sensors/Actuators
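The three activities on the ICS slide (collect flow data, learn the communication patterns, mine for deviations) and the flow-plus-content monitoring on the passive data collection slide, carried through as one added example. It is not IBM's, Enel's or the Zurich testbed's code: the flow record layout, the constructed baseline and observation windows, the Modbus function codes in the samples, the sigma floor and the k=3 threshold are all assumptions made for the illustration. The model is the "normal behavior" of Activity 3: per communication pair, the byte-volume band seen during learning and the set of Modbus function codes seen on that pair; detection then flags pairs never seen, volumes outside the band, and function codes (for example a write where only reads were ever observed) that the learning window never contained.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (not real captures). Each record is
# (src_ip, dst_ip, dst_port, bytes, modbus_function_code_or_None); the
# function code stands in for the "raw packet content" view of the slide.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502, 60, 3),   # HMI polls PLC: Read Holding Registers
    ("10.0.1.10", "10.0.2.20", 502, 64, 3),
    ("10.0.1.10", "10.0.2.20", 502, 62, 3),
    ("10.0.1.10", "10.0.2.20", 502, 66, 3),
    ("10.0.1.10", "10.0.2.20", 502, 64, 3),
    ("10.0.1.10", "10.0.2.20", 502, 60, 3),
    ("10.0.1.10", "10.0.2.20", 502, 62, 3),
    ("10.0.1.10", "10.0.2.20", 502, 64, 3),
    ("10.0.1.10", "10.0.1.50", 4840, 900, None),  # HMI -> OPC server, no Modbus payload
    ("10.0.1.10", "10.0.1.50", 4840, 880, None),
    ("10.0.1.10", "10.0.1.50", 4840, 920, None),
]

OBSERVED_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 502, 63, 3),        # normal poll
    ("10.0.1.10", "10.0.2.20", 502, 5000, 3),      # volume far outside the learned band
    ("10.0.1.10", "10.0.2.20", 502, 61, 16),       # Write Multiple Registers, never seen from HMI
    ("10.0.1.99", "10.0.2.20", 502, 61, 3),        # source never seen talking to this PLC
    ("10.0.1.10", "10.0.1.50", 4840, 905, None),   # normal OPC traffic
]


def extract_features(flows):
    """Feature extraction: group flows by communication pair (src, dst, port)
    and collect per-pair byte volumes and Modbus function codes."""
    sizes = defaultdict(list)
    codes = defaultdict(set)
    for src, dst, port, nbytes, fn in flows:
        key = (src, dst, port)
        sizes[key].append(nbytes)
        if fn is not None:
            codes[key].add(fn)
    return sizes, codes


def build_model(flows, min_sigma=8.0):
    """Behavior modeling: per-pair byte mean and standard deviation plus the
    function codes observed during the learning window. The sigma floor
    (assumed value) keeps a nearly constant poll size from producing a
    zero-width band that would flag every one-byte difference."""
    sizes, codes = extract_features(flows)
    model = {}
    for key, vals in sizes.items():
        model[key] = {
            "mean": mean(vals),
            "sigma": max(pstdev(vals), min_sigma),
            "codes": frozenset(codes[key]),
        }
    return model


def detect(model, flows, k=3.0):
    """Anomaly detection: flag pairs absent from the baseline, byte volumes
    more than k sigma from the pair's mean, and function codes not seen
    during learning. Returns a list of (alert_type, flow) tuples."""
    alerts = []
    for flow in flows:
        src, dst, port, nbytes, fn = flow
        profile = model.get((src, dst, port))
        if profile is None:
            alerts.append(("unknown_pair", flow))
            continue
        if abs(nbytes - profile["mean"]) > k * profile["sigma"]:
            alerts.append(("volume_deviation", flow))
        if fn is not None and fn not in profile["codes"]:
            alerts.append(("unexpected_function_code", flow))
    return alerts


def run_demo():
    """Learn from the baseline window, then score the observation window."""
    return detect(build_model(BASELINE_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for kind, flow in run_demo():
        print(f"{kind:25s} {flow}")
```

Two of the three alerts come from content, not volume: the write function code and the new source address are both small, ordinary-looking flows, which is why the slide pairs flow-level statistics with packet-content analysis rather than relying on either alone. In practice the learning window must itself be vetted, since anything present while the baseline is learned becomes "normal".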
Slide 23: OPC Explorer
Slide 24: Post Quantum Cryptography
Developing efficient primitives for cryptography in a post quantum world
• Data encrypted today will be readable by quantum computers tomorrow
• Simple primitives are required for basic resistance
• Advanced primitives are required for more complex schemes
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security