Kalka, Bob - ibm cognitive 1017 - ESD · :dwvrq hqdeohv juhdwhu lqvljkwv e\ lqjhvwlqj h[whqvlyh...
Transcript of Kalka, Bob - ibm cognitive 1017 - ESD · :dwvrq hqdeohv juhdwhu lqvljkwv e\ lqjhvwlqj h[whqvlyh...
COGNITIVE CYBERSECURITYCONCEPTS AND PRACTICES
Bob KalkaVP, IBM Security
© 2016 IBM Corporation
The Lifecycle of Security Intelligence
Is this really sustainable ?Too Much Data, Not Enough Resources
Threats Alerts Analystsavailable
Quick Insights : Current Security Status
Availabletime
”93% SOC Managers Not Able to Triage All Potential Threats”
“42 percent of cybersecurity professionals working at enterprise organizations claim that they ignore a ‘significant number of security alerts’”
“(31 percent) of organizations forced to ignore security alerts claim they ignore 50 percent or more security alerts because they can’t keep up with the overall volume”
Knowledgeneeded
Cognitive Security Study revealed three gaps to address
#2 most challenging area today is optimizing accuracy alerts (too many false positives)
#3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)
Speed gap
The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time
This is despite the fact that 80% said their incident response speed is much faster than two years ago
Accuracy gapIntelligence gap
#1 most challenging area due to insufficient resources is threat research (65% selecting)
#3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)
Addressing gaps while managing cost and ROI pressures
TraditionalSecurity Data
A tremendous amount of security knowledge is created for human consumption,
Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
A universe of security knowledgeDark to your defensesTypical organizations leverage only 8% of this content*
Human Generated Knowledge
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
but most of it is untapped
Human Expertise
Cognitive Security
Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology
Security Analytics• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization SECURITY ANALYSTS
SECURITY ANALYTICS
COGNITIVESECURITY
Watson enables greater insights by ingesting extensive data sources
*IBM intends to deliver in the future as a QRadar app
IBM Watsonfor cyber security
Corpus of Knowledge
Threat databases
Research reports
Security textbooks
Vulnerability disclosures
Popular websites
Blogs and social activity
Other
Security events
User activity
Configuration information
Vulnerability results
System and app logs
Security policies
Other
TEST
LEARN
EXPERIENCE
INGEST
Human GeneratedSecurity KnowledgeSourced by available IBM Security and IBM Research
EnterpriseSecurity AnalyticsCorrelated enterprise data
Not just a search engine, we’re teaching Watson to understand and interpret the language of security
Rich dictionaries enable Watson to link all entity representations
Machine learning enables Watson for Cyber Security to teach itself over time
Watson Creates Knowledge Graph
Watson Applies Annotators to Text
Annotator Logic
TEST
INGEST
EXPERIENCE
LEARN
Hash IoC ArtifactInfectionMethodsThreat Name
Beyond mere algorithms, Watson evaluates supporting evidence
Score and Weigh
ExtractEvidence
Search Corpus
Question
• Quantity
• Proximity
• Relationship
• Domain truths / business rules
Whatvulnerabilities are relevant to this type of infection?
• Research reports
• Security websites
• Publications
• Threat intelligence
• Internal scans
• Asset information
INGEST
EXPERIENCE
LEARN
TEST
TEST
INGEST
LEARN
EXPERIENCE
The result Watson for Cyber Security will enable breakthrough insights after analyzing unstructured articles and other corpus data in minutes
What is fed into Watson for Cyber Security
1 Week 1 Hour5 Minutes
StructuredSecurity Data
X-Force Exchange Trusted Partner Data
Open sourcePaid data
- Indicators- Vulnerabilities
- Malware names, …
- New actors- Campaigns- Malware outbreaks- Indicators, …
- Course of action- Actors
- Trends- Indicators, …
Crawl of CriticalUnstructured Security Data
Massive Crawl of all SecurityRelated Data on Web
Breach repliesAttack write-ups
Best practices
BlogsWebsitesNews, …
Filtering + Machine LearningRemoves Unnecessary Information
Machine Learning / Natural Language Processing
Extracts and Annotates Collected Data
Billions ofData Elements
Millions of Documents
5-10 updates / hour! 100K updates / week!
3:1 Reduction
Massive Security Knowledge GraphBillions of Nodes / Edges
There are numerous potential use cases where we could envision cognitive security playing a key role
Enhance your SOC analysts
Speed response with external intelligence
Identify threats with advanced
analytics
Strengthen application
security
Improve enterprise risk
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in allcountries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANYSYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
© 2016 IBM Corporation