Watson - Cognitive Security Advisor for the Security Analyst
IBM QRADAR ADVISOR WITH WATSON
Dusan Vidovic
June 8, 2017
IT Architect/Consultant
2 IBM Security
Quick Insights: Current Security Status
(Figure: Threats, Alerts, Available analysts, Needed knowledge, Available time)
Is this really sustainable?
• 93% of SOC managers are not able to triage all potential threats
• 42% of security professionals ignore a ‘significant number of alerts’
• 50% of organizations are forced to ignore 31% or more security alerts because they can’t keep up with volume
Cognitive tasks of a security analyst in investigating an incident (time-consuming threat analysis)
Gain local context leading to the incident
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
Gather the threat research, develop expertise
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches
Apply the intelligence and investigate the incident
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs
NEW! IBM QRadar Advisor with Watson
IBM Security introduces a revolutionary shift in security operations
• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes
Apply cognitive analysis to security with QRadar Advisor with Watson
Security Analysts
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other
Security Analytics
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization
Watson for Cyber Security
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence
QRadar Advisor
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings
Watson unlocks vast security knowledge to quickly enable comprehensive investigative insights
(Figure timescale labels: 1-3 Day, 1 Hour, 5 Minutes)
Structured Security Data (X-Force Exchange, trusted partner data, open source, paid data):
- Indicators, vulnerabilities, malware names, …
- New actors, campaigns, malware outbreaks, indicators, …
- Course of action, actors, trends, indicators, …
Crawl of Critical Unstructured Security Data; Massive Crawl of all Security-Related Data on Web:
- Breach replies, attack write-ups, best practices, blogs, websites, news, …
Filtering + Machine Learning removes unnecessary information
Machine Learning / Natural Language Processing extracts and annotates collected data
5-10 updates / hour! 100K updates / week!
Billions of Data Elements; Millions of Documents; 3:1 Reduction
Massive Security Knowledge Graph: Billions of Nodes / Edges
QRadar Advisor in Action
1. Offenses
2. Gains local context and forms threat research strategy
3. Observables
4. Performs threat research and develops expertise
5. Research results
6. Applies the intelligence gathered to investigate and qualify the incident
(Figure elements: QRadar correlated enterprise data; offense context, device activities, equivalency relationships; knowledge graph)
Watson automates tedious tasks, simplifies complex procedures and presents its conclusions
…and then shows how it did it!
IBM QRadar Advisor with Watson: DEMO
Cognitive Investigation and Insights
Unlocking a new partnership between security analysts and QRadar
(Figure: Security Analyst with Enterprise Security Analytics, versus Security Analyst with QRadar Advisor: Enterprise Security Analytics plus Cognitive Security)
SEE THE BIG PICTURE
ACT WITH CONFIDENCE AND SPEED
“QRadar Watson Advisor provides us with the much-needed insight to take offences we may have ignored and spend the time digging into potential attacks in order to truly understand our risk and the needed actions to mitigate a threat.”
“Results in the enhanced context graph are the same type of information that one of the analysts would find during their manual research, but BIG savings in time. Maybe they would come up with 1/3 to ½ of what was found by Watson analysis during 3 hours of manual research.”
QRadar Advisor with Watson for Cyber Security
Bringing the Power of Cognitive Security to the Security Analyst
• Accelerates alert triage with more automation and analysis depth
• Reduces risk of missing threats
• Optimizes incident response processes with comprehensive threat information and data
• Increases analysts’ knowledge, awareness and skills in the threat domain and environment
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
THANK YOU
Watson SEE Summit 2017 – come to hear on Cognitive, Security and more!
September 13-14, 2017
Opatija, Croatia
More info: http://www-05.ibm.com/hr/watson-see-summit/
Bruce Schneier
Chief Technology Officer, IBM Resilient; and Special Advisor, IBM Security
Security and Privacy in a Hyper-Connected World
Bruce Schneier is an internationally renowned security technologist,
called a “security guru” by the Economist. He is the author of 14
books – including the New York Times best-seller “Data and Goliath:
The Hidden Battles to Collect Your Data and Control Your World” –
as well as hundreds of articles, essays, and academic papers. His
influential newsletter “Crypto-Gram” and his blog “Schneier on
Security” are read by over 250,000 people. Schneier is a fellow at
the Berkman Center for Internet and Society at Harvard University,
a fellow at the Belfer Center at Harvard’s Kennedy School of
Government, and a board member of the Electronic Frontier
Foundation. He is also a special advisor to IBM Security.