
Page 1

AI's Role in the New Cyber Security Frontier

Jeff Crume, CISSP-ISSAP

Nov 2018

Distinguished Engineer, IBM Master Inventor
[email protected]

Page 2

2 IBM Security

Page 3


Quick Insights: Current Security Status

Chart labels:
• Threats
• Alerts
• Available analysts
• Needed knowledge
• Available time

Is this really sustainable?

Skills shortage: by 2022, there will be 1.8 million unfulfilled cybersecurity jobs

Page 4


Today's reality: do all of this in <20 minutes, all day, every day

• Review security incidents in the SIEM
• Decide which incident to focus on next
• Review the data that comprise the incident (events / flows)
• Expand your search to capture more data around that incident
• Pivot the data multiple ways to find outliers (such as unusual domains, IPs, file access)
• Review the payload of the outlying events for anything interesting (domains, MD5s, etc.)
• Search threat feeds, a search engine, VirusTotal and your favorite tools for these outliers / indicators; find that new malware is at play
• Identify the name of the malware
• Search more websites on the internet for IOC information about that malware
• Take these newly found IOCs from the internet and search for them back in the SIEM
• Find other internal IPs that are potentially infected with the same malware
• Start another investigation around each of these IPs
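The loop above is what an analyst repeats by hand; the following is an added example (not IBM's code, not QRadar Advisor) that runs the same steps over constructed data: find outliers in SIEM events, enrich them against a threat feed, expand to the family's published IOCs, and search those back through the SIEM to find other potentially infected hosts. The events, the feed, the family name "PlaceholderLoader", the domains and the hashes are all constructed placeholders.

```python
"""Analyst triage loop as a runnable sketch (added example; not IBM's code).
Everything below (events, feed, IOC write-up, hashes, domains) is constructed."""

# Constructed SIEM events: (internal source IP, destination domain, file MD5 or None)
SIEM_EVENTS = [
    ("10.0.0.5", "login.corp.example", None),
    ("10.0.0.5", "mail.corp.example", None),
    ("10.0.0.7", "login.corp.example", None),
    ("10.0.0.7", "updates.vendor.example", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"),
    ("10.0.0.9", "evil-cdn.example", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
    ("10.0.0.12", "login.corp.example", None),
    ("10.0.0.12", "mail.corp.example", None),
    ("10.0.0.12", "c2.evil-cdn.example", None),
]

# Constructed threat feed: indicator -> malware family. Stands in for the X-Force Exchange /
# VirusTotal / search-engine lookups of steps 7-8 on the slide.
THREAT_FEED = {
    "evil-cdn.example": "PlaceholderLoader",
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "PlaceholderLoader",
}

# Constructed open-web IOC write-up per family (step 9). c2.evil-cdn.example appears here but
# not in the feed, which is exactly why searching the expanded set back in the SIEM pays off.
FAMILY_IOCS = {
    "PlaceholderLoader": {
        "evil-cdn.example",
        "c2.evil-cdn.example",
        "cccccccccccccccccccccccccccccccc",
    },
}


def find_outliers(events, max_hosts=1):
    """Step 5: an indicator seen from at most `max_hosts` distinct internal IPs is an outlier."""
    hosts_per_indicator = {}
    for src, domain, md5 in events:
        for indicator in (domain, md5):
            if indicator:
                hosts_per_indicator.setdefault(indicator, set()).add(src)
    return {ind for ind, hosts in hosts_per_indicator.items() if len(hosts) <= max_hosts}


def enrich(outliers, feed):
    """Steps 7-8: look each outlier up in the feed; benign outliers simply get no hit."""
    families = {}
    for indicator in outliers:
        family = feed.get(indicator)
        if family:
            families.setdefault(family, set()).add(indicator)
    return families


def pivot_back(events, iocs):
    """Steps 10-11: search the SIEM for the expanded IOC set; return every host that touched one."""
    return sorted({src for src, domain, md5 in events if domain in iocs or md5 in iocs})


def investigate(events, feed, family_iocs):
    """Whole loop. Per family: the seed indicators, the expanded IOC set, and the hosts that
    each need their own follow-up investigation (step 12)."""
    report = {}
    for family, matched in enrich(find_outliers(events), feed).items():
        iocs = family_iocs.get(family, set()) | matched
        report[family] = {
            "seed_indicators": sorted(matched),
            "iocs": sorted(iocs),
            "hosts": pivot_back(events, iocs),
        }
    return report


if __name__ == "__main__":
    for family, details in investigate(SIEM_EVENTS, THREAT_FEED, FAMILY_IOCS).items():
        print(family, details)
```

Note that `updates.vendor.example` is also an outlier (one host) but has no feed entry, so it drops out at the enrichment step; with real data the rarity threshold and the feeds used decide how much of the analyst's 20 minutes goes to such false leads.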

Page 5

AI Primer

Page 6


AI Defined

• Webster - “a branch of computer science dealing with the simulation of intelligent behavior in computers.” [1]

• OED - “the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.” [2]

• OK, but what does that mean in plain English?

AI essentially involves making computers more able to match or exceed human intelligence in its various forms by mimicking the human ability to discover, infer and reason.

[1] https://www.merriam-webster.com/dictionary/artificial%20intelligence
[2] https://en.oxforddictionaries.com/definition/artificial_intelligence

Page 7


AI Technologies

- Reasoning, problem solving
- Knowledge representation
- Planning
- Learning
- Natural language processing
- Perception
- Motion and manipulation
- Social intelligence
- Creativity
- General intelligence

Page 8


Artificial Intelligence and Sub Categories

Artificial Intelligence
Cognitive
Machine Learning
Deep Learning

o Machine learning is a subfield of AI and computer science that has its roots in statistics and mathematical optimization. Machine learning covers techniques in supervised and unsupervised learning for applications in prediction, analytics, and data mining.*

o Deep learning isn't an algorithm, per se, but rather a family of algorithms that implement deep networks with unsupervised learning.*

* “A beginner's guide to artificial intelligence, machine learning, and cognitive computing” https://www.ibm.com/developerworks/library/cc-beginner-guide-machine-learning-ai-cognitive/index.html

Page 9


Introduction to Machine Learning

A subfield of computer science that enables computers to learn without being explicitly programmed
- Arthur Samuel in 1959

Supervised Learning
Inferring a general rule or mathematical function from labeled training data, to be applied to other data

Primary Use Cases
• Regression Analysis
  o Deriving correlation relationships between variables and estimating the strength of those relationships
  o Widely used for prediction and forecasting
• Classification
  o Produces a model from a training set that can assign unseen inputs to different categories

Unsupervised Learning
Detecting the presence of patterns or models in unlabeled data

Primary Use Cases
• Clustering
  o Data is divided into different groups based on one or more attributes
• Dimensionality Reduction
  o The process of reducing the number of random variables under consideration by obtaining a set of principal variables
  o Feature Selection: finding a subset of the original variables
  o Feature Extraction: transforming a high-dimensional space into a space of fewer dimensions
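To make the supervised / unsupervised split on this slide concrete, here is an added example (not IBM's code) that implements the three use cases named above in plain Python: regression (a least-squares line for forecasting), classification (k-nearest-neighbours over a labelled set) and clustering (k-means over the same points with the labels removed). The data set is constructed: each host is a feature vector (failed logins per hour, distinct destinations per hour), and the labels were assigned by hand for illustration.

```python
"""Supervised vs. unsupervised learning on a toy security data set (added example; not IBM's code).
The feature vectors and labels below are constructed for illustration."""
import math
from collections import Counter

# Constructed, hand-labelled training data: ((failed logins/hour, distinct destinations/hour), label)
TRAINING = [
    ((1, 3), "normal"), ((0, 4), "normal"), ((2, 2), "normal"), ((1, 5), "normal"),
    ((40, 1), "brute-force"), ((55, 2), "brute-force"), ((48, 1), "brute-force"),
    ((2, 60), "scanning"), ((1, 75), "scanning"), ((3, 66), "scanning"),
]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_classify(point, training, k=3):
    """Supervised classification: label an unseen point by majority vote of its k nearest
    labelled neighbours (the "model" is simply the labelled set itself)."""
    nearest = sorted(training, key=lambda item: distance(point, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]


def linear_fit(xs, ys):
    """Supervised regression: least-squares line y = slope * x + intercept, the kind of model
    used to forecast a metric (e.g. alert volume) from past observations."""
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def kmeans(points, k, rounds=50):
    """Unsupervised clustering (Lloyd's algorithm) over unlabelled points. Centroids are seeded
    by deterministic farthest-point initialisation so the result is reproducible."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(distance(p, c) for c in centroids)))
    for _ in range(rounds):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: distance(p, centroids[i]))].append(p)
        new_centroids = [
            tuple(sum(p[d] for p in cl) / len(cl) for d in range(len(cl[0]))) if cl else centroids[i]
            for i, cl in enumerate(clusters)
        ]
        if new_centroids == centroids:  # assignments stopped changing
            break
        centroids = new_centroids
    return clusters


if __name__ == "__main__":
    print(knn_classify((50, 2), TRAINING))                     # brute-force
    print(linear_fit([1, 2, 3, 4], [2, 4, 6, 8]))              # (2.0, 0.0)
    print(kmeans([features for features, _ in TRAINING], 3))   # three groups, no labels needed
```

The contrast worth noticing: `knn_classify` can only answer with a label it has already seen, whereas `kmeans` recovers the same three groups from the unlabelled points without ever being told what "brute-force" or "scanning" is, which is why clustering is the usual starting point when no labelled incidents exist yet.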

Page 10


Cognitive Solutions Reason and Present their Reasoning Process

Grep, Search, Pattern Matching, Correlation and rules, Behavioral Analytics, Cognition

Increasing data volumes, variety and complexity
Increasing attack and threat sophistication

Recognition of threats and risks

Reasoning about threats and risks: helping security teams not only detect where the threat is but also resolve the what, how, why, when and who to improve the overall incident response timeline

Cognitive Traits:
• language comprehension
• deductive reasoning and
• self-learning

Page 11


Smart but not cognitive

Page 12

AI in the Real World

Page 13


Watson answers a grand challenge

Can we design a computing system that rivals a human’s ability to answer questions posed in natural language, interpreting meaning and context and retrieving, analyzing and understanding vast amounts of information in real time?

Page 14

3 Min 58 Sec / 4 Min 35 Sec

Final Score: Rutter - $21,600 Jennings - $24,000 Watson - $77,147

Page 15


From Jeopardy! To Cancer

• 60 Minutes profile, Oct 2016 - IBM and UNC Lineberger Cancer Center

• 8,000 new medical research papers published per day

• Studied 1,000 patients

• Watson recommendations matched Tumor Board experts 99% of the time

• Watson found additional treatment options in 30% of cases

Transcript at https://www.cbsnews.com/amp/news/60-minutes-artificial-intelligence-charlie-rose-robot-sophia

Page 16

AI and Cybersecurity

Page 17


A tremendous amount of security knowledge is created for human consumption, but most of it is untapped

• Industry publications
• Forensic information
• Threat intelligence commentary
• Analyst reports
• Conference presentations
• News sources
• Newsletters
• Tweets
• Wikis

A universe of security knowledge, dark to your defenses: typical organizations leverage only 8% of this content*

Human Generated Knowledge
• 10K security research papers / year
• 180K security related news articles / year
• 720K security blogs / year
• 75K+ reported software vulnerabilities

Traditional Security Data
• 200K+ security events viewed each day
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds

* Forrester Research: Can You Give The Business The Data That It Needs?, 2013

Page 18


1-3 Day / 1 Hour / 5 Minutes

Structured Security Data
X-Force Exchange, trusted partner data; open source, paid data
- Indicators
- Vulnerabilities
- Malware names, …
- New actors
- Campaigns
- Malware outbreaks
- Indicators, …
- Course of action
- Actors
- Trends
- Indicators, …

Crawl of Critical Unstructured Security Data
Massive crawl of all security related data on the web: breach replies, attack write-ups, best practices, blogs, websites, news, …

Filtering + Machine Learning removes unnecessary information

Machine Learning / Natural Language Processing extracts and annotates collected data

5-10 updates / hour! 100K updates / week!

Billions of data elements
Millions of documents
3:1 reduction

Massive Security Knowledge Graph: billions of nodes / edges

Cognitive Security unlocks vast security knowledge to quickly enable comprehensive investigative insights
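The pipeline on this slide (crawl, filter, extract and annotate, load into a knowledge graph) is described only at the box-diagram level. The following added example (not IBM's code and not the X-Force pipeline) shows the tail of such a pipeline on four constructed documents: regex extraction stands in for the NLP step, a curated family list stands in for named-entity recognition of malware names, a document with no indicators is filtered out, and the rest is loaded into a small graph that can then be queried in both directions. The family name "PlaceholderLoader", the domain, the hash and the IP (from the 203.0.113.0/24 documentation range) are all placeholders.

```python
"""Extract, annotate and graph indicators from unstructured text (added example; not IBM's code).
All documents and indicators below are constructed placeholders."""
import re
from collections import defaultdict

# Constructed crawl results: (source label, text). Document 2 carries no indicators and
# stands in for the material the filtering step throws away.
DOCUMENTS = [
    ("blog", "PlaceholderLoader campaigns beacon to evil-cdn.example; one dropper hash is "
             "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."),
    ("news", "A new wave of PlaceholderLoader infections was traced to 203.0.113.7."),
    ("blog", "Ten tips for a better SOC: rotate analysts, automate ticketing, measure MTTR."),
    ("forum", "Seeing odd traffic to evil-cdn.example from one workstation, anyone seen this?"),
]

# Regexes stand in for the NLP extraction step; the TLD list is deliberately tiny.
PATTERNS = {
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:example|com|net)\b"),
}
# A curated family list stands in for named-entity recognition of malware names.
FAMILIES = ["PlaceholderLoader"]


def extract(text):
    """Annotate one document: the indicators and malware families it mentions."""
    indicators = set()
    for pattern in PATTERNS.values():
        indicators.update(pattern.findall(text))
    families = {f for f in FAMILIES if re.search(r"\b" + re.escape(f) + r"\b", text)}
    return {"indicators": indicators, "families": families}


def is_relevant(annotation):
    """Filtering step: keep only documents that mention at least one indicator or family."""
    return bool(annotation["indicators"] or annotation["families"])


class KnowledgeGraph:
    """Directed, labelled graph; each edge is also stored inverted so lookups work both ways."""

    def __init__(self):
        self.edges = defaultdict(set)  # node -> {(predicate, other node)}

    def add(self, subject, predicate, obj):
        self.edges[subject].add((predicate, obj))
        self.edges[obj].add(("^" + predicate, subject))  # "^" marks the inverse direction

    def neighbours(self, node, predicate):
        return sorted(o for p, o in self.edges.get(node, ()) if p == predicate)


def build_graph(documents):
    """Returns (graph, number of documents kept after filtering)."""
    graph, kept = KnowledgeGraph(), 0
    for i, (source, text) in enumerate(documents):
        annotation = extract(text)
        if not is_relevant(annotation):
            continue
        kept += 1
        doc_node = f"{source}#{i}"
        for indicator in annotation["indicators"]:
            graph.add(indicator, "mentioned_in", doc_node)
            # Assumption: a family and an indicator named in the same document are linked.
            for family in annotation["families"]:
                graph.add(family, "uses", indicator)
    return graph, kept


def indicators_for(graph, family):
    return graph.neighbours(family, "uses")


def families_for(graph, indicator):
    return graph.neighbours(indicator, "^uses")


def sources_for(graph, indicator):
    return graph.neighbours(indicator, "mentioned_in")


if __name__ == "__main__":
    graph, kept = build_graph(DOCUMENTS)
    print(kept, "of", len(DOCUMENTS), "documents kept")
    print(indicators_for(graph, "PlaceholderLoader"))
    print(families_for(graph, "evil-cdn.example"), sources_for(graph, "evil-cdn.example"))
```

The forum post mentions the domain but no family, yet a query for `evil-cdn.example` still returns the family, because the blog post linked the two; that cross-document join is the point of the graph, and the co-occurrence assumption in `build_graph` is also where a real pipeline needs the most care, since a write-up that lists several families and several indicators would otherwise link all of them to each other.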

Page 19


Cognitive Security: cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology

Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow

Cognitive Security
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics

Human Expertise (Security Analysts)
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization

Page 20


Cognitive: Revolutionizing how security analysts work

• Natural language processing with security that understands, reasons, learns, and interacts

Watson determines the specific campaign (Locky),discovers more infected endpoints, and sends results to the incident response team

Page 21


Building a cognitive SOC

Sogeti Luxembourg reduced threat investigation and root cause determination from three hours to three minutes using IBM QRadar Advisor with Watson.

Page 22


www.ibm.com/security/artificial-intelligence

Page 23

© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

THANK YOU