Transcript of the slide deck "Watson - Cognitive Security Advisor for the Security Analyst" (IBM QRadar Advisor with Watson), Dusan Vidovic, IT Architect/Consultant, June 8, 2017.

Page 1 (slide 1)

Watson - Cognitive Security Advisor for the Security Analyst
IBM QRADAR ADVISOR WITH WATSON

Dusan Vidovic
IT Architect/Consultant
June 8, 2017

Page 2 (slide 2)

Quick Insights: Current Security Status

(Chart labels: Threats, Alerts, Available analysts, Needed knowledge, Available time)

Is this really sustainable?

93% of SOC managers are not able to triage all potential threats

42% of security professionals ignore a ‘significant number of alerts’

50% of organizations are forced to ignore 31% or more security alerts because they can’t keep up with volume

Page 3 (slide 4)

Cognitive tasks of a security analyst in investigating an incident

• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs

The slide groups these tasks into three phases of time-consuming threat analysis: gain local context leading to the incident; gather the threat research, develop expertise; apply the intelligence and investigate the incident.
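The manual chain above (and the six-step "QRadar Advisor in Action" flow later in the deck) scripted as an added example; this is not IBM code and not part of the deck. The events, hosts, domains, the hash and the IOC list are constructed sample values, and the rarity rule plus a local IOC set stand in for the X-Force Exchange lookups and QRadar searches the slide describes.

```python
from collections import defaultdict

# Constructed sample events behind one offense: (internal source IP, contacted domain, file MD5 or None).
# Hosts, domains and the hash are made-up values, not data from the deck.
EVENTS = [
    ("10.0.0.5", "update.vendor.example", None),
    ("10.0.0.5", "cdn-edge-7731.example", "11111111222222223333333344444444"),
    ("10.0.0.6", "update.vendor.example", None),
    ("10.0.0.7", "update.vendor.example", None),
    ("10.0.0.9", "cdn-edge-7731.example", None),
    ("10.0.0.11", "mail.example", None),
    ("10.0.0.11", "update.vendor.example", None),
]

# Constructed IOC list, standing in for what the analyst gathers from X-Force Exchange and web research.
IOCS = {"domains": {"cdn-edge-7731.example"}, "md5": {"11111111222222223333333344444444"}}

def observables_for(host, events):
    """Review the incident data: domains and hashes seen from the offending host."""
    return {"domains": {d for ip, d, _ in events if ip == host},
            "md5": {h for ip, _, h in events if ip == host and h}}

def rare_domains(events, max_hosts=2):
    """Pivot for outliers: domains contacted by at most max_hosts distinct internal hosts.
    Rarity is a lead, not a verdict; the IOC match below decides."""
    hosts_per_domain = defaultdict(set)
    for ip, d, _ in events:
        hosts_per_domain[d].add(ip)
    return {d for d, hosts in hosts_per_domain.items() if len(hosts) <= max_hosts}

def match_iocs(observables, iocs):
    """Relate the gathered threat research to the offense: observables that hit known indicators."""
    return {kind: observables.get(kind, set()) & iocs[kind] for kind in iocs}

def pivot_hosts(events, hits, exclude=None):
    """Investigate the IOCs locally: other internal IPs that touched the same indicators."""
    affected = {ip for ip, d, h in events if d in hits["domains"] or (h and h in hits["md5"])}
    affected.discard(exclude)
    return affected

def investigate(host, events=EVENTS, iocs=IOCS):
    """Run the whole chain for one offending host and return what an analyst would qualify."""
    obs = observables_for(host, events)
    hits = match_iocs(obs, iocs)
    return {"outliers": rare_domains(events) & obs["domains"],
            "hits": hits,
            "other_hosts": pivot_hosts(events, hits, exclude=host)}
```

Each host returned in other_hosts is the seed for the "start another investigation around each of these IPs" step.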

Page 4 (slide 6)

NEW! IBM QRadar Advisor with Watson

IBM Security introduces a revolutionary shift in security operations

IBM CONFIDENTIAL

• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes

Page 5 (slide 7)

Apply cognitive analysis to security with QRadar Advisor with Watson

(Diagram: QRadar Advisor sits between Security Analysts, Security Analytics and Watson for Cyber Security.)

Security Analysts
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other

Security Analytics
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization

Watson for Cyber Security
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence

QRadar Advisor
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings

Page 6 (slide 8)

Watson unlocks vast security knowledge to quickly enable comprehensive investigative insights

(Pipeline diagram; the update-cadence labels read 1-3 Day, 1 Hour, 5 Minutes.)

Structured Security Data: X-Force Exchange, trusted partner data, open source, paid data
- Indicators
- Vulnerabilities
- Malware names, …

Crawl of Critical Unstructured Security Data
- New actors
- Campaigns
- Malware outbreaks
- Indicators, …

Massive Crawl of all Security Related Data on Web: breach replies, attack write-ups, best practices, blogs, websites, news, …
- Course of action
- Actors
- Trends
- Indicators, …

Filtering + Machine Learning removes unnecessary information (3:1 reduction).
Machine Learning / Natural Language Processing extracts and annotates collected data.
Volumes: millions of documents, billions of data elements; 5-10 updates / hour! 100K updates / week!
Result: Massive Security Knowledge Graph, billions of nodes / edges.

Page 7 (slide 9)

QRadar Advisor in Action

1. Offenses (from QRadar: correlated enterprise data)
2. Gains local context and forms threat research strategy (offense context, device activities, equivalency relationships)
3. Observables
4. Performs threat research and develops expertise (against the knowledge graph)
5. Research results
6. Applies the intelligence gathered to investigate and qualify the incident

Page 8 (slide 12)

Watson automates tedious tasks, simplifies complex procedures and presents its conclusions

Page 9 (slide 13)

…and then shows how it did it!

Page 10 (slide 14)

IBM QRadar Advisor with Watson

DEMO

Page 11 (slide 15)

Cognitive Investigation and Insights

Unlocking a new partnership between security analysts and QRadar

(Diagram: SECURITY ANALYST with Enterprise Security Analytics, versus SECURITY ANALYST with QRadar Advisor, where Cognitive Security is added on top of Enterprise Security Analytics. SEE THE BIG PICTURE. ACT WITH CONFIDENCE AND SPEED.)

“QRadar Watson Advisor provides us with the much-needed insight to take offences we may have ignored and spend the time digging into potential attacks in order to truly understand our risk and the needed actions to mitigate a threat.”

“Results in the enhanced context graph are the same type of information that one of the analysts would find during their manual research, but BIG savings in time. Maybe they would come up with 1/3 to ½ of what was found by Watson analysis during 3 hours of manual research.”

Page 12 (slide 18)

QRadar Advisor with Watson for Cyber Security

Bringing the Power of Cognitive Security to the Security Analyst

• Accelerates alert triage with more automation and analysis depth
• Reduces risk of missing threats
• Optimizes incident response processes with comprehensive threat information and data
• Increases analysts’ knowledge, awareness and skills in the threat domain and environment

Page 13 (slide 19): no text on this slide.

Page 14 (closing slide)

THANK YOU

FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

Page 15 (slide 21)

Watson SEE Summit 2017 – come to hear on Cognitive, Security and more!

September 13-14, 2017, Opatija, Croatia

More info: http://www-05.ibm.com/hr/watson-see-summit/

Page 16 (slide 22)

Bruce Schneier
Chief Technology Officer, IBM Resilient; and Special Advisor, IBM Security

Security and Privacy in a Hyper-Connected World

Bruce Schneier is an internationally renowned security technologist, called a “security guru” by the Economist. He is the author of 14 books – including the New York Times best-seller “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World” – as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard University, a fellow at the Belfer Center at Harvard’s Kennedy School of Government, and a board member of the Electronic Frontier Foundation. He is also a special advisor to IBM Security.

Page 17: repeat of the page 14 closing slide (links, copyright and Statement of Good Security Practices).