onb webinar series - cognition and the future of security (oct. 2016)
TRANSCRIPT
COGNITION AND THE FUTURE OF SECURITY: LEVERAGING AUTOMATION FOR BETTER HUMAN DECISION MAKING
Security teams face an onslaught of serious challenges
© 2016 IBM Corporation
• Data breaches continue with no end in sight
• Lack of timely and actionable intelligence plagues security teams
• Large skills gap in security expertise worldwide
Sources: 1. Ponemon: Cost of a Data Breach Report 2015; 2. Lloyd's Insurance, 2015; 3. Ponemon: Cost of a Data Breach Report 2015; 4. Ponemon: Cyber Threat Intelligence Report 2015
A universe of security knowledge, dark to your defenses: typical organizations leverage only 8% of this content*
Traditional Security Data
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
Human Generated Knowledge
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped. Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
State of threat intelligence in 2016
Defenders struggle to share intelligence on threats and adversaries, while attackers are highly collaborative.
Attacker ecosystem:
• Criminal Boss
• Underboss
• Trojan providers and C&C managers
• Crimeware toolkit owners
• Trojan distribution in "legitimate" websites
• Campaign managers
• Affiliation networks
• Stolen data resellers
Defender intelligence sharing:
• Consumption of external threat intelligence
• Internal sharing
• ISACs
• Private / public sharing
• Global
Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology
SECURITY ANALYTICS
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow
COGNITIVE SECURITY
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics
SECURITY ANALYSTS (Human Expertise)
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization
Meet Rafael, Jr. Security Analyst
"I investigate potential threats."
Responsibilities (RACI: Informed, Consulted, Accountable, Responsible):
• EXTERNAL THREAT RESEARCH: know business and industry-relevant trends
• INTERNAL THREAT RESEARCH: investigate potential network problems
• MONITOR: alarm queues and potential threats
• REPORT: vulnerabilities and issues
• TUNE: improve rules
Questions Rafael asks of every alert:
• How and why is this different from normal system behavior?
• How much will it hurt our organization?
• Do I need to deal with this now?
• Who is this information from? Are they trustworthy?
Introducing… IBM Watson for Cyber Security
Unlock new possibilities. The world's first cognitive analytics solution using core Watson technology to understand, reason, and learn about security topics and threats.
• GAIN POWERFUL INSIGHTS
• REDUCE THE SECURITY SKILLS GAP
SECURITY ANALYST, and SECURITY ANALYST with WATSON
Revolutionizing how security analysts work
Human Generated Security Knowledge
• Tap into the vast array of data to uncover new patterns
• Get smarter over time and build instincts
Enterprise Security Analytics
• Cognitive techniques to mimic human intuition around advanced threats
• Triage threats and make recommendations with confidence, at scale and speed
Watson for Cyber Security will significantly reduce threat research and response time
Manual threat analysis (Incident Triage, Investigation and Impact Assessment, Remediation): days to weeks
IBM Watson for Cyber Security assisted threat analysis (Incident Triage, Investigation and Impact Assessment, Remediation): minutes to hours
Quick and accurate analysis of security threats, saving precious time and resources
Watson enables greater insights by ingesting extensive data sources
*IBM intends to deliver in the future as a QRadar app
IBM Watson for Cyber Security cycle: INGEST, LEARN, TEST
Corpus of Knowledge (Human Generated Security Knowledge, sourced by IBM Security and IBM Research):
• Threat databases
• Research reports
• Security textbooks
• Vulnerability disclosures
• Popular websites
• Blogs and social activity
• Other
Enterprise Security Analytics (correlated enterprise data):
• Security events
• User activity
• Configuration information
• Vulnerability results
• System and app logs
• Security policies
• Other
Not just a search engine: we're teaching Watson to understand and interpret the language of security
• Rich dictionaries enable Watson to link all entity representations
• Machine learning enables Watson for Cyber Security to teach itself over time
INGEST, LEARN, TEST: Watson applies annotators (annotator logic) to text, then creates a knowledge graph
Entity types linked in the graph: Hash, IoC, Artifact, Infection Methods, Threat Name
Beyond mere algorithms, Watson evaluates supporting evidence
INGEST, LEARN, TEST: Question, Search Corpus, Extract Evidence, Score and Weigh
Example question: What vulnerabilities are relevant to this type of infection?
Corpus searched:
• Research reports
• Security websites
• Publications
• Threat intelligence
• Internal scans
• Asset information
Evidence is scored and weighed by:
• Quantity
• Proximity
• Relationship
• Domain truths / business rules
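The pipeline described on the last two slides (dictionary-based entity linking, annotators, a knowledge graph, and evidence scored by quantity, proximity and domain rules) in miniature, as an added example that is not IBM's or Watson's code: the corpus, threat names, hash and CVE ids are constructed placeholders, and the trust weights and proximity factors are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from itertools import combinations
# Constructed sample corpus: (source, trust weight, text). Every name, hash and
# CVE id below is a placeholder made up for this example, not real intelligence.
CORPUS = [
    ("research-report", 1.0, "Sample malware family EXAMPLEWORM spreads by exploiting "
     "CVE-0000-1111 on unpatched hosts. Samples carry the hash 0123456789abcdef0123456789abcdef."),
    ("blog", 0.6, "The ExampleWorm campaign (aka EW-loader) was seen alongside CVE-0000-2222 "
     "in a few reports, and later CVE-0000-1111 again."),
    ("internal-scan", 0.9, "Asset web01 is vulnerable to CVE-0000-2222; asset db02 to CVE-0000-1111."),
]
# "Rich dictionary": alias -> canonical name, so EW-loader and ExampleWorm become one node.
ALIASES = {"exampleworm": "ExampleWorm", "ew-loader": "ExampleWorm"}
ALIAS_RX = re.compile("|".join(re.escape(a) for a in ALIASES), re.I)
ANNOTATORS = {  # regex annotators for two of the entity types named on the slide
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "hash": re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I),
}

def annotate(sentence):
    """Apply every annotator to one sentence; return the set of (type, canonical) entities."""
    found = set()
    for etype, rx in ANNOTATORS.items():
        for m in rx.finditer(sentence):
            found.add((etype, m.group(0).upper() if etype == "cve" else m.group(0).lower()))
    for m in ALIAS_RX.finditer(sentence):
        found.add(("threat", ALIASES[m.group(0).lower()]))
    return found

def build_graph(corpus):
    """Edge (a, b) -> evidence weights, one per document: trust x proximity (1.0 same sentence, 0.5 same doc)."""
    graph = defaultdict(list)
    for _source, trust, text in corpus:
        sentences = [annotate(s) for s in re.split(r"(?<=[.!?])\s+", text) if s]
        for a, b in combinations(sorted(set().union(*sentences)), 2):
            same_sentence = any(a in s and b in s for s in sentences)
            graph[(a, b)].append(trust * (1.0 if same_sentence else 0.5))
    return graph

def relevant_vulnerabilities(graph, threat_name):
    """CVE nodes linked to the threat, ranked by summed evidence (quantity x proximity x trust)."""
    node = ("threat", threat_name)
    scores = {}
    for (a, b), weights in graph.items():
        other = b if a == node else a if b == node else None
        if other and other[0] == "cve":
            scores[other[1]] = round(sum(weights), 6)
    return sorted(scores.items(), key=lambda kv: -kv[1])
GRAPH = build_graph(CORPUS)
```

Calling `relevant_vulnerabilities(GRAPH, "ExampleWorm")` ranks CVE-0000-1111 above CVE-0000-2222 because it has two supporting documents, one of them high-trust, while a blog alone supports the second.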
Meet Rafael, Jr. Security Analyst: with Watson's help
• Faster investigations
• Clear backlog easier
• Increased investigative skills
• Heavy lifting done beforehand
This is the first step in ushering in a new era of security
DEPLOY, LEVERAGE, INTERPRET
• Moats and Castles: pre-2005
• Security Intelligence: 2005+
• Cognitive Security: 2015+
There are numerous potential use cases where we could envision cognitive security playing a key role
• Enhance your SOC analysts
• Speed response with external intelligence
• Identify threats with advanced analytics
• Strengthen application security
• Improve enterprise risk
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied.
IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all
countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to
future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or
service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product
should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed
to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT
WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.