Cybersecurity in the Age of Smart Machines: Artificial Intelligence to Make Systems More Secure
Andreas Wespi
IBM Research - Zurich
2 IBM Research
Today’s security drivers
• Compliance
• Human error
• Skills gap
• Advanced attacks
• Innovation
• Experts expect the global number of connected “things” to reach 20.8 billion by 2020. (Gartner)
• Only 38% of organizations say their organizations have clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud. (Ponemon Global Cloud Data Security Study)
• 80% of the top 100 iOS or Android apps have been hacked. (Source: CBS)
“Smart Devices”
Some Sample IoT Attacks
What’s the problem with IoT Security?
• Large and new threat surface – “Internet of Threats”
• Attacks can cause harm also in the physical world – security becomes a safety problem
• Heterogeneous devices and multiple protocols
• Highly constrained environment
• Long IoT product lifetimes (10 – 20 years) – patching devices or updating crypto algorithms not possible
Machine Learning for Securing IoT Devices as a Service
[Architecture diagram: Watson IoT Platform on IBM Bluemix. Labelled components: (1) IoT Event Collection; (2a/2b) Generic IoT Events, delivered as real-time IoT events over a messaging bus and as historic data held in aggregation and storage; (3) Cognitive Security Analytics, running batch analysis jobs and producing anomaly reports/alerts; (4) REST API to a Web UI for security analytics.]
IoT Security Analytics
• Easy to use
• Cross-correlation of IoT event streams
• Edge and cloud analytics
• Integration of physical IoT device properties
Convergence of IT and Operational Technology
Industrial Control System Security
Activity 1: Instrumentation and Collection
– Identify strategic points in the network
– Collection of network data (e.g., NetFlow, packet header information, DHCP/ARP data)
Activity 2: Passive Network Exploration
– Identification of devices
– Collection and inference of information about the devices
– Understanding the traffic flows, communication patterns, and dependencies
Activity 3: Anomaly Detection
– Characterize the normal behavior of the network traffic
– Mine the traffic for abnormal deviations
Three Environments: i) IBM Research testbed (Zurich), ii) Enel Industrial Cyber Laboratory, iii) Enel Power Plant
Analysis pipeline: Feature Extraction → Behavior modeling → Anomaly detection
Passive Data Collection and Analysis
Protocol Zoo
• Many different and proprietary protocols
Traffic Monitoring
• Network flows: end-to-end traffic communication patterns
• Raw packets: analysis of OPC packet contents to monitor field bus related events
Focus
[Diagram of the monitored ICS stack: OPC Servers; Remote Terminal Unit (RTU); Programmable Logic Controller (PLC); SCADA – Human-Machine Interface; Open Platform Communications Protocol (OPC); Fieldbus (ModBus, Profibus, IEC 104, DNP3, etc.); Sensors / Actuators]
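As an added example (not code from the talk or from any IBM product), here is the flow-level version of Activities 1-3 and the network-flow monitoring described above: learn which devices talk to which from a learning window, then mine later flows for deviations. All hosts, ports and byte counts are constructed; Modbus/TCP on port 502 is real, the OPC server port is assumed.

```python
"""Added example, not from the talk: flow-level baselining for an OT network,
following Activities 1-3 (collect NetFlow-style data, learn which devices talk
to which, mine for deviations). All hosts, ports and byte counts are constructed."""
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, dst_port, proto, bytes).
# TCP/502 is Modbus/TCP; port 4840 (OPC UA) is assumed for the OPC server.
LEARN = [
    ("10.0.1.10", "10.0.2.20", 502, "tcp", 1200),  # HMI -> PLC, Modbus polling
    ("10.0.1.10", "10.0.2.21", 502, "tcp", 1100),  # HMI -> second PLC
    ("10.0.1.11", "10.0.2.20", 502, "tcp", 1300),  # engineering station -> PLC
    ("10.0.2.20", "10.0.1.5", 4840, "tcp", 500),   # PLC -> OPC server
] * 4  # repeated so per-pair averages are stable

def build_baseline(flows):
    """Characterize normal behavior: mean bytes per (src, dst, port, proto) pair."""
    totals = defaultdict(lambda: [0, 0])
    for src, dst, port, proto, nbytes in flows:
        totals[(src, dst, port, proto)][0] += nbytes
        totals[(src, dst, port, proto)][1] += 1
    return {pair: total / count for pair, (total, count) in totals.items()}

def detect(baseline, flows, ratio=3.0):
    """Return (flow, reason) for flows that deviate from the baseline, checking
    the most severe condition first: a host never seen while learning, then a
    known host using a pair it never used, then a known pair whose byte count
    exceeds ratio * its baseline mean."""
    known_hosts = {host for pair in baseline for host in pair[:2]}
    alerts = []
    for flow in flows:
        src, dst, port, proto, nbytes = flow
        pair = (src, dst, port, proto)
        if src not in known_hosts or dst not in known_hosts:
            alerts.append((flow, "unknown host"))
        elif pair not in baseline:
            alerts.append((flow, "new communication pair"))
        elif nbytes > ratio * baseline[pair]:
            alerts.append((flow, "volume deviation"))
    return alerts

# Constructed detection window: a normal poll, the engineering station opening
# Modbus to a PLC it never polled, an unknown host, and an oversized transfer.
TEST = [
    ("10.0.1.10", "10.0.2.20", 502, "tcp", 1250),
    ("10.0.1.11", "10.0.2.21", 502, "tcp", 1200),
    ("10.0.9.99", "10.0.2.20", 502, "tcp", 1000),
    ("10.0.1.10", "10.0.2.20", 502, "tcp", 9000),
]

if __name__ == "__main__":
    for flow, reason in detect(build_baseline(LEARN), TEST):
        print(reason, flow)
```

In a real deployment the learning window would come from the NetFlow collector placed at the strategic points identified in Activity 1, and the baseline would be re-learned per maintenance window rather than fixed.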
Watson for Cyber Security
Security Operations Center (SOC)
A day in the life of investigating threats…
Rafael, Security Analyst
• 1 hour: Gets caught up on the latest security news through bulletins and social networks in order to identify new threats
• 3 hours: Repeatedly investigates potential security incidents via online sources
• 4 hours: Manually copies and pastes information from disparate and siloed tools to correlate data
All this mundane time spent, yet STILL SO MANY FALSE POSITIVES!
Time-consuming threat analysis
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped
Human Generated Knowledge
• Industry publications
• Forensic information
• Threat intelligence commentary
• Analyst reports
• Conference presentations
• News sources
• Newsletters
• Tweets
• Wikis
A universe of security knowledge, dark to your defenses:
• 200K+ security events viewed each day
• 10K security research papers / year
• 720K security blogs / year
• 180K security related news articles / year
• 75K+ reported software vulnerabilities
Typical organizations leverage only 8% of this content*
Traditional Security Data
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
* Forrester Research: Can You Give The Business The Data That It Needs?, 2013
QRadar Advisor with Watson for Cyber Security unlocks a new partnership between security analysts and their technology
Security Analytics (QRadar)
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization
QRadar Advisor: local context passed to Watson for Cyber Security
• Alerts
• Security events and anomalies
• User activity
• Vulnerabilities
• Configuration
• Other
Corpus of Knowledge (Watson for Cyber Security): insight returned to the analyst
• Threat identification
• Additional indicators
• Relationships
• Evidence
QRadar Advisor with Watson in action
1. Offenses (from QRadar’s correlated enterprise data)
2. Gains local context (offense context, device activities, equivalency relationships) and forms threat research strategy
3. Observables
4. Performs threat research and develops expertise (knowledge graph)
5. Research results
6. Applies the intelligence gathered to investigate and qualify the incident
Automatically uncovering new security context for investigations
Watson aggregates local analytics with its own insight and quickly determines possible malware families (e.g., Locky)
Post-quantum Cryptography
Quantum Computing
In May 2016, IBM made a quantum computing platform available via the IBM Cloud
IBM Q Experience
In December 2017, IBM launched the IBM Q Network, a collaboration with leading Fortune 500 companies and research institutions with a shared mission to …
• Accelerate Research: Collaborate with the most advanced academic and research organizations to advance quantum computing technology.
• Educate and Prepare: Expand and train the ecosystem of users, developers, and application specialists that will be essential to the adoption and scaling of quantum computing.
▪ > 81,000 users
▪ All 7 continents
▪ > 3 Million experiments run
▪ > 65 papers
▪ > 1500 colleges and universities, 300 high schools, 300 private institutions
The IBM Q Experience has seen extraordinary adoption
[Chart: IBM Q executions on real quantum computers (not simulations), March 16-21, 2018]
Cryptography today
Current popular algorithms rely on one of three hard mathematical problems:
• the integer factorization problem
• the discrete logarithm problem
• the elliptic-curve discrete logarithm problem
Impact for cryptographic schemes
Quantum algorithms:
• Shor’s algorithm: exponential improvement in brute-force attacks on asymmetric encryption schemes like RSA, ECC, ElGamal. In asymmetric public key algorithms the security evaporates.
• Grover’s algorithm: quadratic improvement in brute-force attacks on symmetric encryption schemes like AES. In symmetric key algorithms the effective security is halved.

Algorithm   Key Length   Security level on conventional computer   Security level on quantum computer
RSA 1024    1024 bits    80 bits                                   0
RSA 2048    2048 bits    120 bits                                  0
ECC 256     256 bits     128 bits                                  0
ECC 384     384 bits     192 bits                                  0
AES 128     128 bits     128 bits                                  64 bits
AES 256     256 bits     256 bits                                  128 bits
Different algorithms - different risks
Factoring algorithm (RSA)
N bits   Approx. #qubits   Time
n        2 * n             4 * n^3
512      1024              0.54 * 10^9
1024     2048              4.3 * 10^9
2048     4096              34 * 10^9
3072     6144              120 * 10^9

EC discrete logarithm (ECC)
N bits   Approx. #qubits   Time
n        F’(n)             360 * n^3
110      700 (800)         0.5 * 10^9
163      1000 (1200)       1.6 * 10^9
224      1300 (1800)       4.0 * 10^9
256      2800 (3600)       6.0 * 10^9

Elliptic curve algorithms are at threat much earlier.
Note: Given are the numbers of logical qubits. Each logical qubit requires multiple physical qubits.
PQC (Post-Quantum Cryptography)
Based on hard problems conjectured to be quantum resistant:
• Lattice-based crypto: most well-developed
• Code-based crypto: some old unbroken schemes (McEliece), but security poorly understood, with many McEliece variants broken
• Multivariate crypto: most such systems are broken
• Supersingular elliptic curve isogeny crypto: new approach that is not yet well understood / slower
NIST PQC standardization: timeline and phases
• 6/1/2016: Draft Call for Proposals
• 9/30/2016: Formal Call for Proposals finalized
• 6/1/2016 – 9/30/2016: Proposal generation
• 10/1/2016 – 11/30/2017: Submission phase
• 11/2/2017 – 11/9/2020: Analysis phase
  – Initial evaluation phase (12-18 months): no tweaks/modifications allowed; workshops at beginning and end of initial evaluation phase; report findings and narrow candidate pool
  – Second evaluation phase (12-18 months): small modifications allowed; workshop towards end of second phase; report findings and narrow candidates; select algorithms for standardization or decide more evaluation needed
• 11/10/2020 – 11/17/2023: Draft standards phase
Why we need to act today
Cryptographic Agility
• We are at a cryptographic inflection point
• We need cryptographic agility
It should be simple and transparent for applications to change the underlying cryptography. Applications should only require a clean interface and be driven by policy. The policy is selected based on the sensitivity of the data being protected.
[Diagram: Application → Crypto Policy → Pluggable Provider Interface → HW Providers / SW Providers / Remote Providers (PKCS#11, MS CSP, RESTful)]
Application Level Interface
• Policy driven
• No cryptography artifacts in applications (algorithm, padding, key length, etc.)
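As an added example (not code from the talk or from any IBM provider interface), a small policy-driven selection layer that applies the Shor/Grover security-level rules from the earlier table: the application names only a data sensitivity, never an algorithm, so flipping the adversary model or the policy swaps the suite without touching application code. Suite names, sensitivity classes, thresholds and the lattice entry are assumptions; the qubit and time formulas are the ones on the “different risks” slide.

```python
"""Added example, not from the talk: a policy-driven selection layer in the
spirit of the cryptographic-agility slide, using the talk's quantum-impact
rules (Shor: RSA/ECC -> 0 bits; Grover: AES halved) to judge each suite.
Suite names, sensitivity thresholds and the lattice entry are placeholders."""
from dataclasses import dataclass
@dataclass(frozen=True)
class Suite:
    name: str
    family: str          # "rsa", "ecc", "aes" or "lattice"
    classical_bits: int  # security level on a conventional computer

# Classical levels are the talk's table values; the lattice suite is a
# constructed placeholder (the talk names no scheme) assumed to give 128 bits.
SUITES = [
    Suite("RSA-2048", "rsa", 120),
    Suite("ECC-256", "ecc", 128),
    Suite("AES-128", "aes", 128),
    Suite("AES-256", "aes", 256),
    Suite("LATTICE-KEM-PLACEHOLDER", "lattice", 128),
]
POLICY = {"public": 80, "confidential": 128}  # assumed minimum bits per class

def quantum_bits(suite):
    """Security level against a quantum adversary, per the talk's table."""
    if suite.family in ("rsa", "ecc"):
        return 0                           # Shor: security evaporates
    if suite.family == "aes":
        return suite.classical_bits // 2   # Grover: effective security halved
    return suite.classical_bits            # conjectured quantum resistant

def select_suite(kind, sensitivity, quantum_adversary):
    """kind is 'kem' (asymmetric) or 'cipher' (symmetric). Returns the first
    suite in preference order meeting the policy, or None; no algorithm here."""
    need = POLICY[sensitivity]
    families = ("rsa", "ecc", "lattice") if kind == "kem" else ("aes",)
    for suite in SUITES:
        if suite.family not in families:
            continue
        bits = quantum_bits(suite) if quantum_adversary else suite.classical_bits
        if bits >= need:
            return suite.name
    return None

def shor_cost(family, n):
    """Approximate (logical qubits, time units) from the 'different risks'
    slide: RSA 2n qubits and 4n^3 time, ECC 360n^3 time (qubits tabulated)."""
    if family == "rsa":
        return 2 * n, 4 * n ** 3
    if family == "ecc":
        return None, 360 * n ** 3
    raise ValueError(family)
```

Under a quantum adversary the same call that returned ECC-256 for confidential data returns the lattice placeholder, and AES-128 is rejected in favour of AES-256, which is the halving the table describes.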
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
FOLLOW US ON:
THANK YOU