AI's Role in the New Cyber Security Frontier
Jeff Crume, CISSP-ISSAP
Nov 2018
Distinguished Engineer, IBM Master, [email protected]
2 IBM Security
Quick Insights: Current Security Status
(Chart: threats, alerts, available analysts, needed knowledge, available time)
Is this really sustainable?
Skills shortage: by 2022, there will be 1.8 million unfulfilled cybersecurity jobs
Today's reality: do all of this in <20 minutes, all day, every day
• Review security incidents in SIEM; decide which incident to focus on next
• Review the data that comprise the incident (events / flows)
• Expand your search to capture more data around that incident
• Pivot the data multiple ways to find outliers (such as unusual domains, IPs, file access)
• Review the payload of outlying events for anything interesting (domains, MD5s, etc.)
• Search threat feeds + search engine + VirusTotal + your favorite tools for these outliers / indicators; find that new malware is at play
• Identify the name of the malware
• Search more websites for IOC information about that malware
• Take these newly found IOCs from the internet and search for them back in SIEM
• Find other internal IPs that are potentially infected with the same malware
• Start another investigation around each of these IPs
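The triage loop above, run end to end over constructed proxy-style log lines, as an added example (not IBM code and not QRadar functionality). The log format, the threat-feed lookup, the IOC write-up lookup and every indicator are constructed stand-ins; in a real investigation those two lookups are queries to the SIEM and to an external feed.

```python
import re
from collections import defaultdict

# Constructed proxy-style log lines:
# "<timestamp> src=<internal ip> dst=<domain> sha256=<hash of downloaded file, or ->"
SAMPLE_LOGS = """\
2018-11-05T09:01:02Z src=10.0.0.12 dst=www.example.com sha256=-
2018-11-05T09:01:09Z src=10.0.0.15 dst=www.example.com sha256=-
2018-11-05T09:02:11Z src=10.0.0.12 dst=updates.example.org sha256=-
2018-11-05T09:03:40Z src=10.0.0.31 dst=qx7zb9.badexample.net sha256=aaaa1111
2018-11-05T09:04:02Z src=10.0.0.31 dst=www.example.com sha256=-
2018-11-05T09:05:55Z src=10.0.0.44 dst=www.example.com sha256=bbbb2222
2018-11-05T09:06:13Z src=10.0.0.50 dst=updates.example.org sha256=-
2018-11-05T09:07:30Z src=10.0.0.50 dst=cdn.example.com sha256=-
""".splitlines()

# Constructed stand-in for the threat feed / VirusTotal lookup: indicator -> malware family.
THREAT_FEED = {"qx7zb9.badexample.net": "SampleFamily", "aaaa1111": "SampleFamily"}

# Constructed stand-in for IOC write-ups found on the web: malware family -> published indicators.
IOC_REPORTS = {
    "SampleFamily": {"qx7zb9.badexample.net", "aaaa1111", "bbbb2222", "c2.badexample.net"},
}

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sha256=(?P<sha256>\S+)$")


def parse_logs(lines):
    """Turn the constructed log format into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def outlier_indicators(records, max_hosts=1):
    """Pivot: domains and file hashes seen from at most `max_hosts` distinct internal IPs.
    Rarity alone is a weak signal; it only decides what gets looked up next."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["dst"]].add(r["src"])
        if r["sha256"] != "-":
            hosts[r["sha256"]].add(r["src"])
    return {ind for ind, srcs in hosts.items() if len(srcs) <= max_hosts}


def identify_malware(indicators, feed):
    """Look the outliers up in the feed; return the malware families that hit."""
    return {feed[i] for i in indicators if i in feed}


def hosts_matching(records, iocs):
    """Search the expanded IOC set back through the logs; return every internal IP that touched one."""
    return {r["src"] for r in records if r["dst"] in iocs or r["sha256"] in iocs}


def investigate(lines, feed=THREAT_FEED, reports=IOC_REPORTS):
    """The whole loop: pivot -> look up -> name the malware -> expand IOCs -> search back -> list hosts."""
    records = parse_logs(lines)
    outliers = outlier_indicators(records)
    families = identify_malware(outliers, feed)
    expanded = set()
    for fam in families:
        expanded |= reports.get(fam, set())
    return {
        "outliers": outliers,
        "families": families,
        "expanded_iocs": expanded,
        "infected_hosts": hosts_matching(records, expanded),
    }


if __name__ == "__main__":
    for key, value in investigate(SAMPLE_LOGS).items():
        print(f"{key}: {sorted(value)}")
```

Two things in the output are the point of the loop. Host 10.0.0.44 never contacted the rare domain and is found only because the write-up lists hash bbbb2222, which is the search-back step; and cdn.example.com is a statistical outlier that the feed lookup discards, which is why the pivot cannot be the verdict. Each host in the final set would then become its own investigation.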
AI Primer
AI Defined
• Webster: "a branch of computer science dealing with the simulation of intelligent behavior in computers." [1]
• OED: "the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages." [2]
• OK, but what does that mean in plain English?
AI essentially involves making computers more able to match or exceed human intelligence in its various forms by mimicking the human ability to discover, infer and reason.
[1] https://www.merriam-webster.com/dictionary/artificial%20intelligence
[2] https://en.oxforddictionaries.com/definition/artificial_intelligence
AI Technologies
- Reasoning, problem solving
- Knowledge representation
- Planning
- Learning
- Natural language processing
- Perception
- Motion and manipulation
- Social intelligence
- Creativity
- General intelligence
Artificial Intelligence and Sub Categories
Artificial Intelligence
Cognitive
Machine Learning / Deep Learning
o Machine learning is a subfield of AI and computer science that has its roots in statistics and mathematical optimization. Machine learning covers techniques in supervised and unsupervised learning for applications in prediction, analytics, and data mining.*
o Deep learning isn't an algorithm, per se, but rather a family of algorithms that implement deep networks with unsupervised learning.*
* “A beginner's guide to artificial intelligence, machine learning, and cognitive computing” https://www.ibm.com/developerworks/library/cc-beginner-guide-machine-learning-ai-cognitive/index.html
Introduction to Machine Learning
"A subfield of computer science that enables computers to learn without being explicitly programmed" - Arthur Samuel in 1959
Supervised Learning: inferring a general rule or mathematical function from labeled training data, to be applied to other data
Primary use cases
• Regression analysis
o Deriving correlation relationships between variables and estimating the strength of those relationships
o Widely used for prediction and forecasting
• Classification
o Produces a model from a training set that can assign unseen inputs to different categories
Unsupervised Learning: detecting the presence of patterns or models in unlabeled data
Primary use cases
• Clustering
o Data is divided into different groups based on one or more attributes
• Dimensionality reduction
o The process of reducing the number of random variables under consideration by obtaining a set of principal variables
o Feature selection: finding a subset of the original variables
o Feature extraction: transforming the high-dimensional space into a space of fewer dimensions
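An added example (not from the original deck) that puts the two modes side by side on one security task: a nearest-centroid classifier trained on constructed labeled domain names (supervised classification), next to a z-score outlier detector that never sees a label (unsupervised anomaly detection in the same feature space). The three features, the training set and the unlabeled set are all constructed; the DGA-like labels are made up, not real indicators.

```python
import math
from collections import Counter
from statistics import mean, pstdev


def features(label):
    """Numeric features of one DNS label: (length, Shannon entropy in bits, digit fraction)."""
    n = len(label)
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    digits = sum(ch.isdigit() for ch in label) / n
    return (float(n), entropy, digits)


# Constructed labeled training set for the supervised case: (label, class).
TRAINING = [
    ("google", "benign"), ("microsoft", "benign"), ("example", "benign"),
    ("github", "benign"), ("wikipedia", "benign"), ("twitter", "benign"),
    ("xk3q9zt7vb2p", "dga"), ("q8w4zr1t9y", "dga"), ("vb7mc2xq0plz", "dga"),
    ("zr4t8kq1wn", "dga"), ("m9x3pqz7tk2v", "dga"), ("k2j7ws9qn4", "dga"),
]

# Constructed unlabeled set for the unsupervised case: one DGA-like label among ordinary ones.
UNLABELED = ["apple", "netflix", "dropbox", "slack", "zoom", "reddit", "yahoo", "w3q9zk7tp4xv"]


def train_centroids(labeled):
    """Supervised training: the per-class mean feature vector (a nearest-centroid classifier)."""
    by_class = {}
    for label, cls in labeled:
        by_class.setdefault(cls, []).append(features(label))
    return {cls: tuple(mean(col) for col in zip(*vecs)) for cls, vecs in by_class.items()}


def classify(label, centroids):
    """Assign an unseen label to the class whose centroid is nearest in feature space."""
    x = features(label)

    def dist(c):
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(x, c)))

    return min(centroids, key=lambda cls: dist(centroids[cls]))


def zscore_outliers(labels, threshold=2.0):
    """Unsupervised: no classes are given. Flag a label if any feature lies more than
    `threshold` population standard deviations from that feature's mean over the whole set."""
    vecs = [features(l) for l in labels]
    cols = list(zip(*vecs))
    mus = [mean(c) for c in cols]
    sds = [pstdev(c) for c in cols]
    flagged = set()
    for label, v in zip(labels, vecs):
        if any(sd > 0 and abs(x - mu) / sd > threshold for x, mu, sd in zip(v, mus, sds)):
            flagged.add(label)
    return flagged


CENTROIDS = train_centroids(TRAINING)

if __name__ == "__main__":
    for name in ("amazon", "facebook", "p9k2xj7q4wz1"):
        print(name, "->", classify(name, CENTROIDS))
    print("outliers:", zscore_outliers(UNLABELED))
```

The supervised model can only answer the question its labels pose (benign or DGA); the unsupervised detector flags whatever is rare in the batch, which will include legitimate but unusual names, so its output is triage input rather than a verdict. The features here are unscaled, so length dominates the distance; a production classifier would standardize them and train on far more than six examples per class.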
Cognitive Solutions Reason and Present their Reasoning Process
(Diagram: analysis techniques in order of increasing capability: Grep, Search, Pattern Matching, Correlation and rules, Behavioral Analytics, Cognition. Axes: increasing data volumes, variety and complexity; increasing attack and threat sophistication.)
Recognition of threats and risks
Reasoning about threats and risks: helping security teams not only detect where the threat is but also resolve the what, how, why, when and who, to improve the overall incident response timeline
Cognitive traits: language comprehension, deductive reasoning, and self-learning
Smart but not cognitive
AI in the Real World
Watson answers a grand challenge
Can we design a computing system that rivals a human's ability to answer questions posed in natural language, interpreting meaning and context and retrieving, analyzing and understanding vast amounts of information in real time?
(Video clips: 3 min 58 sec and 4 min 35 sec)
Final score: Rutter $21,600; Jennings $24,000; Watson $77,147
From Jeopardy! To Cancer
• 60 Minutes profile, Oct 2016: IBM and UNC Lineberger Cancer Center
• 8,000 new medical research papers published per day
• Studied 1,000 patients
• Watson recommendations matched Tumor Board experts 99% of the time
• Watson found additional treatment options in 30% of cases
Transcript at https://www.cbsnews.com/amp/news/60-minutes-artificial-intelligence-charlie-rose-robot-sophia
AI and Cybersecurity
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped
Human generated knowledge (a universe of security knowledge, dark to your defenses; typical organizations leverage only 8% of this content [1]):
• Industry publications • Forensic information • Threat intelligence commentary • Analyst reports • Conference presentations • News sources • Newsletters • Tweets • Wikis
Traditional security data:
• Security events and alerts • Logs and configuration data • User and network activity • Threat and vulnerability feeds
Volumes: 200K+ security events viewed each day; 10K security research papers / year; 720K security blogs / year; 180K security related news articles / year; 75K+ reported software vulnerabilities
[1] Forrester Research: Can You Give The Business The Data That It Needs?, 2013
(Diagram: data pipeline feeding the security knowledge graph; timing labels on the diagram: 1-3 days, 1 hour, 5 minutes)
Structured security data: X-Force Exchange, trusted partner data, open source and paid data
- Indicators, vulnerabilities, malware names, ...
- New actors, campaigns, malware outbreaks, indicators, ...
- Course of action, actors
- Trends, indicators, ...
Crawl of critical unstructured security data, and a massive crawl of all security-related data on the web: breach replies, attack write-ups, best practices, blogs, websites, news, ...
Filtering + machine learning removes unnecessary information; machine learning / natural language processing extracts and annotates the collected data
5-10 updates / hour; 100K updates / week
Billions of data elements; millions of documents; 3:1 reduction
Massive security knowledge graph: billions of nodes / edges
Cognitive Security unlocks vast security knowledge to quickly enable comprehensive investigative insights
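An added example (not IBM's pipeline, and not Watson) of the extract-and-annotate step in miniature: regular expressions pull indicators out of a constructed write-up, a filter drops documents that carry no usable knowledge, and what survives lands in a small knowledge graph that can be queried from either end (family to indicators, or indicator back to family). The family list, both documents and every indicator are constructed; the SHA-256 value is the hash of the empty string, used only because it is well formed.

```python
import re
from collections import defaultdict

# Constructed excerpts standing in for crawled documents. Domains and the IP use reserved
# example ranges; the SHA-256 is the hash of the empty string, used only as a well-formed value.
SAMPLE_DOC = (
    "Title: SampleFamily ransomware campaign, November 2018\n"
    "The SampleFamily dropper contacts c2.badexample.net and 203.0.113.7 on port 443.\n"
    "Dropper SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.\n"
    "It exploits CVE-2017-0199 in malicious attachments. Victims also saw beacons to qx7zb9.badexample.net.\n"
)
NOISE_DOC = (
    "Title: Five tips for a more productive SOC\n"
    "Our analysts recommend strong coffee and a ticketing system everyone actually uses.\n"
)

# Constructed stand-in for the malware-name list that a structured feed would provide.
KNOWN_FAMILIES = {"SampleFamily", "OtherFamily"}

PATTERNS = {
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}
INDICATOR_TYPES = ("sha256", "ipv4", "domain", "cve")


def extract_entities(text):
    """Annotate a document: {entity type: set of values}. Only types with at least one hit are kept."""
    ents = {t: set(p.findall(text)) for t, p in PATTERNS.items()}
    ents["ipv4"] = {ip for ip in ents["ipv4"] if all(int(o) <= 255 for o in ip.split("."))}
    ents["family"] = {f for f in KNOWN_FAMILIES if f in text}
    return {t: v for t, v in ents.items() if v}


def is_useful(ents):
    """Filter step: keep only documents that name a known family and carry at least one indicator."""
    return "family" in ents and any(t in ents for t in INDICATOR_TYPES)


class KnowledgeGraph:
    """Nodes are (type, value) tuples; every edge is stored in both directions so queries work either way."""

    def __init__(self):
        self.edges = defaultdict(set)  # node -> {(relation, node)}
        self.docs_ingested = 0
        self.docs_dropped = 0

    def add_edge(self, src, relation, dst):
        self.edges[src].add((relation, dst))
        self.edges[dst].add(("inv_" + relation, src))

    def ingest(self, doc_id, text):
        """Extract, filter, link. Returns True if the document contributed to the graph."""
        ents = extract_entities(text)
        if not is_useful(ents):
            self.docs_dropped += 1
            return False
        doc = ("doc", doc_id)
        for fam in ents["family"]:
            self.add_edge(doc, "mentions", ("family", fam))
            for t in INDICATOR_TYPES:
                for value in ents.get(t, ()):
                    self.add_edge(("family", fam), "associated_with", (t, value))
                    self.add_edge(doc, "mentions", (t, value))
        self.docs_ingested += 1
        return True

    def neighbors(self, node, relation):
        """All nodes reached from `node` over edges labelled `relation` (or its inv_ counterpart)."""
        return {dst for rel, dst in self.edges.get(node, ()) if rel == relation}


if __name__ == "__main__":
    g = KnowledgeGraph()
    g.ingest("blog-1", SAMPLE_DOC)
    g.ingest("blog-2", NOISE_DOC)
    print("ingested", g.docs_ingested, "dropped", g.docs_dropped)
    for node in sorted(g.neighbors(("family", "SampleFamily"), "associated_with")):
        print("SampleFamily ->", node)
    print("c2.badexample.net <-", g.neighbors(("domain", "c2.badexample.net"), "inv_associated_with"))
```

The linking rule here is deliberately crude: every indicator in a document is attached to every family the document names, which is what co-occurrence gives you and no more. Real extraction needs sentence-level context to avoid tying a defanged indicator from a "not related" aside to the wrong family, and the reverse query (indicator to family) is the one an analyst actually runs when a SIEM hit needs a name.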
(Diagram: Security Analytics, Cognitive Security and Security Analysts shown as overlapping capabilities, with human expertise at one end)
Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology
SECURITY ANALYTICS: • Data correlation • Pattern identification • Anomaly detection • Prioritization • Data visualization • Workflow
COGNITIVE SECURITY: • Unstructured analysis • Natural language • Question and answer • Machine learning • Bias elimination • Tradeoff analytics
SECURITY ANALYSTS (human expertise): • Common sense • Morals • Compassion • Abstraction • Dilemmas • Generalization
Cognitive: revolutionizing how security analysts work
• Natural language processing with security that understands, reasons, learns, and interacts
Watson determines the specific campaign (Locky), discovers more infected endpoints, and sends results to the incident response team
Building a cognitive SOC: Sogeti Luxembourg reduced threat investigation and root cause determination from three hours to three minutes using IBM QRadar Advisor with Watson.
www.ibm.com/security/artificial-intelligence
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
THANK YOU