OpenTalks.AI - Олег Бакшинский, AI for security

OpenTalks.AI

March 01, 2018

Transcript

  1. AI for Security: Outthink threats with security that understands, reasons and learns

    Oleg Bakshinskiy, Executive Security Advisor, IBM Russia and CIS. February 2018.
  2. How do you evolve your security program for the future?

    • Cognitive, cloud, and collaboration
    • Intelligence and integration
    • Layered defenses
  3. What if you could accelerate what analysts do each day?

    • Investigate threats faster: automatically triage incidents 60x faster with Watson for Cyber Security
    • Interpret unstructured data: draw from millions of security documents
    • Be more accurate: eliminate 98% of false positives

    The future of security is Cognitive.
  4. Introducing IBM Watson for Cyber Security

    The world's first Cognitive analytics solution using core Watson technology to understand, reason, and learn about security topics and threats.
  5. Human Expertise and Cognitive Security

    Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology.

    Security Analytics:
    • Data correlation
    • Pattern identification
    • Anomaly detection
    • Prioritization
    • Data visualization
    • Workflow

    Cognitive Security:
    • Unstructured analysis
    • Natural language
    • Question and answer
    • Machine learning
    • Bias elimination
    • Tradeoff analytics

    Security Analysts (human expertise):
    • Common sense
    • Discretion
    • Abstraction
    • Dilemmas
    • Generalization
  6. Watson for Cyber Security will significantly reduce threat research and response time

    Both workflows run through the same stages: Incident Triage, Investigation and Impact Assessment, Remediation.
    • Manual threat analysis: days to weeks
    • IBM Watson for Cyber Security assisted threat analysis: minutes to hours

    Quick and accurate analysis of security threats, saving precious time and resources.
  7. Watson enables greater insights by ingesting extensive Cyber Security data sources

    Corpus of Knowledge (human-generated security knowledge, sourced by available IBM Security and IBM Research):
    • Threat databases
    • Research reports
    • Security textbooks
    • Vulnerability disclosures
    • Popular websites
    • Blogs and social activity
    • Other

    Enterprise Security Analytics (correlated enterprise data):
    • Security events
    • User activity
    • Configuration information
    • Vulnerability results
    • System and app logs
    • Security policies
    • Other

    Watson learning cycle shown on the slide: Ingest, Learn, Experience, Test.
  8. Not just a search engine, we're teaching Watson to understand and interpret the language of security

    • Rich dictionaries enable Watson to link all entity representations
    • Machine learning enables Watson for Cyber Security to teach itself over time

    Diagram: Watson applies annotators to text (annotator logic) and creates a knowledge graph. Entity types shown: Hash, IoC, Artifact, Infection Methods, Threat Name. Learning cycle: Ingest, Learn, Experience, Test.
  9. Beyond mere algorithms, Watson evaluates supporting evidence

    Pipeline: Question, Search Corpus, Extract Evidence, Score and Weigh.

    Example question: What vulnerabilities are relevant to this type of infection?

    Corpus searched:
    • Research reports
    • Security websites
    • Publications
    • Threat intelligence
    • Internal scans
    • Asset information

    Evidence is scored and weighed by:
    • Quantity
    • Proximity
    • Relationship
    • Domain truths / business rules

    Learning cycle: Ingest, Learn, Experience, Test.
  10. The result

    Watson for Cyber Security will enable breakthrough insights after analyzing unstructured articles and other corpus data in minutes. (Learning cycle: Ingest, Learn, Experience, Test.)
  11. Building the security knowledge graph

    Structured data sources: X-Force Exchange, Trusted Partner Feed, Open source, Other threat feeds. Element types listed for these feeds:
    - Indicators
    - Vulnerabilities
    - Malware names, …
    - New actors
    - Campaigns
    - Malware outbreaks
    - Indicators
    - Course of action
    - Actors
    - Trends
    - Indicators

    Unstructured data (massive web crawl): breach replies, attack write-ups, best practices, blogs, websites, news.

    Processing: Filtering + Machine Learning, Natural Language Processing.

    Scale shown on the slide: billions of data elements; millions of documents; 5-10 updates / hour; 100K updates / week; 3:1 reduction; update cadence labels of 1 Week, 1 Hour and 5 Minutes. Result: a massive security knowledge graph of 10 billion nodes / edges.
  12. QRadar Advisor with Watson in action

    1. Offenses (from QRadar SIEM: security analytics, data correlation)
    2. Gains local context and forms threat research strategy (offense context, device activities, equivalency relationships)
    3. Observables
    4. Performs threat research and develops expertise (knowledge graph)
    5. Research results
    6. Applies the intelligence gathered to investigate and qualify the incident
  13. Observables: data used by QRadar Advisor

    Observables are the finite set of discrete elements collected from an offense and its related events that QRadar Advisor uses for local analysis and external research. Only a subset is sent to Watson for Cyber Security (W4CS) as observations of a potential threat.

    Observable type       Sent to W4CS   Description
    Source IP             Yes            External source IPs that appear in an offense; "external" is enforced by respecting the Network Hierarchy defined in QRadar
    Destination IP        Yes            External destination IPs that appear in an offense; "external" is enforced by respecting the Network Hierarchy defined in QRadar
    File Hash             Yes            Hash value of a file that is deemed suspicious
    URL                   Yes            External URLs that appear in an offense
    Domain                Yes            External domains that appear in an offense
    Destination Port      No             Destination ports belonging to destination IPs
    User Agent            No             The user agent identified by a browser or HTTP application
    AV Signature          No             Malware signatures identified by antivirus solutions
    Email Address         No             Email addresses associated with suspicious emails
    Source Port           No             Source ports belonging to source IPs
    Destination ASN       No             Autonomous System Number of a destination IP address (from DNS)
    Source ASN            No             Autonomous System Number of a source IP address (from DNS)
    Destination Country   No             Name of the destination country of outbound communications
    Source Country        No             Name of the source country of inbound communications
    Low Level Category    No             Low-level QRadar offense category
    High Level Category   No             High-level QRadar offense category
    Direction             No             Direction of communication
    User name             No             Aliases that may attempt to access critical internal infrastructure
    File Name             No             Names of suspicious files
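The table above is, in effect, a data-export policy: it says which observable types leave the SIEM for the cloud service and that IPs go only when the Network Hierarchy marks them external. The following is an added example (not IBM's code and not how QRadar Advisor is implemented) that models that policy so a practitioner can check what a given offense would export; the hierarchy ranges, the observable type keys and the sample offense are constructed assumptions.

```python
# Added example: a model of the observable-export rule from the slide's table.
# Not IBM code; the Network Hierarchy ranges, type keys and the offense below
# are constructed sample data, not a real QRadar configuration or incident.
import ipaddress

# Observable types the table marks "Sent to W4CS: Yes" (keys are assumed names).
SENT_TO_W4CS = {"source_ip", "destination_ip", "file_hash", "url", "domain"}
IP_TYPES = {"source_ip", "destination_ip"}

# Constructed Network Hierarchy: addresses inside these ranges are internal.
NETWORK_HIERARCHY = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address falls in none of the hierarchy ranges.
    Malformed values are treated as not external so they are never exported."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NETWORK_HIERARCHY)


def select_for_w4cs(observables):
    """Split (type, value) pairs into what is sent to W4CS and what stays local."""
    sent, local = [], []
    for kind, value in observables:
        if kind not in SENT_TO_W4CS:
            local.append((kind, value))          # type never leaves QRadar
        elif kind in IP_TYPES and not is_external(value):
            local.append((kind, value))          # internal IP: hierarchy keeps it home
        else:
            sent.append((kind, value))
    return sent, local


# Constructed offense observables (sample data, not a real incident).
SAMPLE_OFFENSE = [
    ("source_ip", "10.20.30.40"),                      # internal workstation
    ("destination_ip", "203.0.113.7"),                 # documentation range, external
    ("destination_port", "443"),
    ("file_hash", "d41d8cd98f00b204e9800998ecf8427e"),  # MD5 of an empty file
    ("domain", "example.com"),
    ("user_name", "jdoe"),
    ("user_agent", "Mozilla/5.0"),
]

if __name__ == "__main__":
    sent, local = select_for_w4cs(SAMPLE_OFFENSE)
    print("sent to W4CS:", sent)
    print("kept local:  ", local)
```

Running it against a real offense export (with the organisation's own hierarchy ranges) is a quick way to confirm that usernames, ports and internal addresses stay inside the SIEM boundary.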
  14. Client connecting to botnet IP (Watson indicators: botnet IP)

    • QRadar fired an offense on a user attempting to connect to a botnet IP
      – Analyst found 5 correlated indicators manually while we ran Watson
    • Watson showed the extent of the threat with 50+ useful indicators
      – Email hashes
      – File hashes
      – IP addresses
      – Domains
  15. External scan (Watson key indicators; offense: External Scan)

    • Light external scanning
    • Looked like Shodan
      – Analyst would have marked it as a nuisance scan
    • Watson revealed additional info
      – Botnet CNC
      – SPAM servers
      – Malware hosting
  16. Client malware download (Watson key indicators: client malware download)

    • Client attempted malware download
      – Malware was blocked
      – How much time do you spend on a blocked threat?
    • Watson enriched the offense
      – Malware was part of a larger campaign
      – Analysts used additional indicators to search for compromise
  17. What is next?

    Project Havyn, the Voice of the Cognitive Security Operations Center (SOC).
  18. Thank you

    Follow us on: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions

    © Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

    Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.