ONB Webinar Series - Cognition and The Future of Security (Oct. 2016)

Transcript posted 23-Jan-2018 (16 pages)

Page 1

COGNITION AND THE FUTURE OF SECURITY: LEVERAGING AUTOMATION FOR BETTER HUMAN DECISION MAKING

Page 2

Security teams face an onslaught of serious challenges

• Data breaches continue with no end in sight
• Lack of timely and actionable intelligence plagues security teams
• Large skills gap in security expertise worldwide

Sources: 1 Ponemon: Cost of a Data Breach Report 2015; 2 Lloyd's Insurance, 2015; 3 Ponemon: Cost of a Data Breach Report 2015; 4 Ponemon: Cyber Threat Intelligence Report 2015

© 2016 IBM Corporation

Page 3

A universe of security knowledge, dark to your defenses

Traditional Security Data
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds

Human Generated Knowledge
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped. Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets

Typical organizations leverage only 8% of this content*

Page 4

Defenders struggle to share intelligence on threats and adversaries, while attackers are highly collaborative

Attacker organization:
• Criminal Boss
• Underboss
• Trojan providers and C&C Managers
• Crimeware toolkit owners
• Trojan distribution in "legitimate" websites
• Campaign Managers
• Affiliation Networks
• Stolen Data Resellers

State of threat intelligence in 2016 (defender side):
• Consumption of External Threat Intelligence
• Internal Sharing
• ISACs
• Private / Public Sharing
• Global

Page 5

Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology

Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow

Cognitive Security
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics

Human Expertise
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization

[Figure: overlap of SECURITY ANALYSTS, SECURITY ANALYTICS and COGNITIVE SECURITY]

Page 6

Meet Rafael, Jr. Security Analyst

"I investigate potential threats."

Responsibilities (RACI legend: Informed, Consulted, Accountable, Responsible):
• EXTERNAL THREAT RESEARCH: Know business and industry-relevant trends
• INTERNAL THREAT RESEARCH: Investigate potential network problems
• MONITOR: Alarm queues and potential threats
• REPORT: Vulnerabilities and issues
• TUNE: Improve rules

Questions he asks:
• How and why is this different from normal system behavior?
• How much will it hurt our organization?
• Do I need to deal with this now?
• Who is this information from? Are they trustworthy?

Page 7

Introducing… IBM Watson for Cyber Security

Unlock new possibilities. The world's first cognitive analytics solution using core Watson technology to understand, reason, and learn about security topics and threats.

Page 8

Revolutionizing how security analysts work

GAIN POWERFUL INSIGHTS / REDUCE THE SECURITY SKILLS GAP

SECURITY ANALYST + WATSON = SECURITY ANALYST

Human Generated Security Knowledge
• Tap into the vast array of data to uncover new patterns
• Get smarter over time and build instincts

Enterprise Security Analytics
• Cognitive techniques to mimic human intuition around advanced threats
• Triage threats and make recommendations with confidence, at scale and speed

Page 9

Watson for Cyber Security will significantly reduce threat research and response time

Manual threat analysis: Incident Triage → Investigation and Impact Assessment → Remediation: Days to Weeks

IBM Watson for Cyber Security assisted threat analysis: Incident Triage → Investigation and Impact Assessment → Remediation: Minutes to Hours

Quick and accurate analysis of security threats, saving precious time and resources

Page 10

Watson enables greater insights by ingesting extensive data sources

IBM Watson for cyber security: INGEST → LEARN → TEST

Corpus of Knowledge (Human Generated Security Knowledge, sourced by available IBM Security and IBM Research)
• Threat databases
• Research reports
• Security textbooks
• Vulnerability disclosures
• Popular websites
• Blogs and social activity
• Other

Enterprise Security Analytics (Correlated enterprise data)
• Security events
• User activity
• Configuration information
• Vulnerability results
• System and app logs
• Security policies
• Other

*IBM intends to deliver in the future as a QRadar app

Page 11

Not just a search engine: we're teaching Watson to understand and interpret the language of security

INGEST → LEARN → TEST

• Watson applies annotators to text (annotator logic)
• Watson creates a knowledge graph
• Rich dictionaries enable Watson to link all entity representations
• Machine learning enables Watson for Cyber Security to teach itself over time

Entity types in the graph: Hash, IoC, Artifact, Infection Methods, Threat Name

Page 12

Beyond mere algorithms, Watson evaluates supporting evidence

INGEST → LEARN → TEST

Question: "What vulnerabilities are relevant to this type of infection?"

Search Corpus:
• Research reports
• Security websites
• Publications
• Threat intelligence
• Internal scans
• Asset information

Extract Evidence

Score and Weigh:
• Quantity
• Proximity
• Relationship
• Domain truths / business rules
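An added example, not IBM's or Watson's code, of the annotate → knowledge graph → score-and-weigh flow that pages 11 and 12 describe: dictionary-driven annotators tag entities in raw text, co-occurring entities become weighted graph edges, and the "which vulnerabilities relate to this infection?" question is answered by summing evidence (quantity), discounting by distance in the text (proximity) and source trust, and applying a minimum-score business rule. The three documents, the threat name DemoLoader and the CVE-0000-* ids are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample documents (not real intelligence): (source, trust, text).
# Trust encodes the analyst's "who is this from / are they trustworthy?" rule.
CORPUS = [
    ("vendor_report", 1.0,
     "The DemoLoader trojan spreads by phishing and drops a payload with "
     "sha256 " + "a" * 64 + ". Infected hosts were unpatched for CVE-0000-1111."),
    ("vendor_report", 1.0,
     "Analysis of DemoLoader: initial access abused CVE-0000-1111; "
     "a second stage used CVE-0000-2222 for privilege escalation."),
    ("forum_post", 0.3,
     "Someone claims DemoLoader is related to CVE-0000-3333 but offers no sample."),
]

# Dictionary-driven annotators: one pattern per entity type named on the slide.
ANNOTATORS = {
    "threat_name": re.compile(r"\b(DemoLoader)\b"),
    "hash": re.compile(r"\b[0-9a-f]{64}\b"),
    "vulnerability": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "infection_method": re.compile(r"\b(phishing|drive-by|malvertising)\b"),
}

def annotate(text):
    """Apply every annotator to raw text; return (type, value, offset) per mention."""
    return [(etype, m.group(0), m.start())
            for etype, pat in ANNOTATORS.items() for m in pat.finditer(text)]

def build_graph(corpus):
    """Knowledge graph: weighted edges between entities co-occurring in a document.
    Edge weight = source trust * proximity; summing over documents = quantity."""
    graph = defaultdict(lambda: defaultdict(float))
    for _source, trust, text in corpus:
        ents = annotate(text)
        for _t1, v1, o1 in ents:
            for _t2, v2, o2 in ents:
                if v1 != v2:  # closer mentions contribute more evidence
                    graph[v1][v2] += trust / (1.0 + abs(o1 - o2) / 100.0)
    return graph

def relevant_vulnerabilities(graph, threat, min_score=0.5):
    """Rank the threat's vulnerability neighbours by accumulated evidence and drop
    weakly supported ones (the domain-truth / business-rule threshold)."""
    ranked = [(v, round(s, 3)) for v, s in graph[threat].items()
              if ANNOTATORS["vulnerability"].fullmatch(v) and s >= min_score]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)
```

With this corpus, CVE-0000-1111 ranks first because two trusted documents support it, CVE-0000-2222 follows, and the forum-sourced CVE-0000-3333 is in the graph but falls below the threshold.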

Page 13

Meet Rafael, Jr. Security Analyst

With Watson's help:
• Faster investigations
• Clear backlog easier
• Increased investigative skills
• Heavy lifting done beforehand

Page 14

This is the first step in ushering in a new era of security

DEPLOY → LEVERAGE → INTERPRET

• Moats and Castles: Pre-2005
• Security Intelligence: 2005+
• Cognitive Security: 2015+

Page 15

There are numerous potential use cases where we could envision cognitive security playing a key role

• Enhance your SOC analysts
• Speed response with external intelligence
• Identify threats with advanced analytics
• Strengthen application security
• Improve enterprise risk

Page 16

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.