Cognitive computing in security uses AI to help security analysts understand threats better. It can analyze large amounts of structured and unstructured security data to find patterns humans may miss. This helps address gaps in speed, accuracy, and intelligence for security teams overwhelmed by data. IBM's Watson for Cyber Security ingests security knowledge from sources like reports, blogs, and alerts. It builds a knowledge graph to help analysts investigate incidents faster, from minutes to hours instead of days to weeks. The cognitive system can reduce the skills gap and workload for analysts.
3. Is this really sustainable?
Too Much Data, Not Enough Resources
[Figure: "Quick Insights: Current Security Status", contrasting Threats, Alerts and Analysts with the knowledge needed and the time and analysts available]
"93% SOC Managers Not Able to Triage All Potential Threats"
"42 percent of cybersecurity professionals working at enterprise organizations claim that they ignore a 'significant number of security alerts'"
"(31 percent) of organizations forced to ignore security alerts claim they ignore 50 percent or more security alerts because they can't keep up with the overall volume"
4. Cognitive Security Study revealed three gaps to address
Speed gap
• The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time
• This is despite the fact that 80% said their incident response speed is much faster than two years ago
Accuracy gap
• #2 most challenging area today is optimizing the accuracy of alerts (too many false positives)
• #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)
Intelligence gap
• #1 most challenging area due to insufficient resources is threat research (65% selecting)
• #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)
Addressing gaps while managing cost and ROI pressures
5. Today's reality
1. Review your security incidents in a SIEM
2. Decide which incident to focus on next
3. Review the data (events / flows that made up that incident)
4. Expand your search to capture more data around that incident
5. Pivot the data multiple ways to find outliers (such as unusual domains, IPs, file access)
6. Review the payload of the outlying events for anything interesting (domains, MD5s, etc.)
7. Search X-Force Exchange, a search engine, VirusTotal and your favorite tools for these outliers / indicators. Find that new malware is at play
8. Get the name of the malware
9. Search more websites for information about indicators of compromise (IOCs) for that malware
10. Take these newly found IOCs from the internet and search for them back in a SIEM
11. Find other internal IPs that are potentially infected with the same malware
12. Start another investigation around each of these IPs
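The manual workflow above, run end to end over a small constructed data set, as an added example (this is not code from the original deck or from IBM). The SIEM events, the rarity threshold used to spot outliers, the ExampleBot family name, and the THREAT_INTEL / THREAT_REPORTS dictionaries that stand in for the X-Force Exchange, VirusTotal and web-search lookups are all hypothetical; the MD5 values are digests of placeholder strings and the domains use reserved example names.

```python
import hashlib
from collections import defaultdict

# Constructed sample data, not real logs or intelligence. Each SIEM event is
# (internal source IP, domain contacted, MD5 of any file downloaded or None).
# Hashes are MD5 digests of placeholder strings so nothing points at a real sample.
MAL_HASH = hashlib.md5(b"placeholder-dropper").hexdigest()
SECOND_STAGE = hashlib.md5(b"placeholder-second-stage").hexdigest()
BENIGN_HASH = hashlib.md5(b"placeholder-installer").hexdigest()

EVENTS = [
    ("10.0.0.11", "updates.example.com", None),
    ("10.0.0.11", "mail.example.com", None),
    ("10.0.0.11", "cdn-static-7731.example.net", MAL_HASH),
    ("10.0.0.11", "updates.example.com", BENIGN_HASH),
    ("10.0.0.12", "updates.example.com", BENIGN_HASH),
    ("10.0.0.12", "mail.example.com", None),
    ("10.0.0.13", "updates.example.com", BENIGN_HASH),
    ("10.0.0.13", "mail.example.com", None),
    ("10.0.0.13", "files.example.org", SECOND_STAGE),
    ("10.0.0.14", "cdn-static-7731.example.net", None),
    ("10.0.0.14", "updates.example.com", BENIGN_HASH),
    ("10.0.0.15", "beacon-4410.example.net", None),
    ("10.0.0.15", "mail.example.com", None),
]

# Hypothetical stand-ins for the external lookups (steps 7 to 9): an indicator
# to malware-family mapping, and the fuller IOC set a write-up would give you.
THREAT_INTEL = {
    "cdn-static-7731.example.net": "ExampleBot",
    MAL_HASH: "ExampleBot",
}
THREAT_REPORTS = {
    "ExampleBot": {
        "domains": {"cdn-static-7731.example.net", "beacon-4410.example.net"},
        "md5": {MAL_HASH, SECOND_STAGE},
    },
}


def indicator_hosts(events):
    """Map every indicator (domain or MD5) to the set of internal hosts that touched it."""
    hosts = defaultdict(set)
    for src, domain, md5 in events:
        hosts[domain].add(src)
        if md5:
            hosts[md5].add(src)
    return hosts


def find_outliers(events, incident_host, rare_threshold=2):
    """Steps 3 to 6: of everything the incident host touched, keep the indicators
    seen on at most `rare_threshold` hosts enterprise-wide (the 'unusual' ones)."""
    hosts = indicator_hosts(events)
    seen = {ind for ind, hs in hosts.items() if incident_host in hs}
    return {ind for ind in seen if len(hosts[ind]) <= rare_threshold}


def enrich(outliers, intel=THREAT_INTEL):
    """Steps 7 and 8: look the outliers up externally and collect malware names."""
    return {intel[i] for i in outliers if i in intel}


def pivot_back(events, iocs, exclude):
    """Steps 10 and 11: search the externally sourced IOCs back in the SIEM and
    return every other internal host that matches."""
    hosts = indicator_hosts(events)
    hit = set()
    for ioc in iocs:
        hit |= hosts.get(ioc, set())
    return hit - {exclude}


def investigate(incident_host, events=EVENTS):
    """Run the whole loop for one incident and return what step 12 would queue."""
    outliers = find_outliers(events, incident_host)
    names = enrich(outliers)
    new_hosts = set()
    for name in names:
        report = THREAT_REPORTS[name]
        new_hosts |= pivot_back(events, report["domains"] | report["md5"], incident_host)
    return {"outliers": outliers, "malware": names, "new_investigations": sorted(new_hosts)}


if __name__ == "__main__":
    print(investigate("10.0.0.11"))
```

The rarity heuristic is a deliberately simple stand-in for the analyst's "pivot the data multiple ways"; in a real SIEM you would pivot on far more than host count. Note that 10.0.0.13 is only found through the second-stage hash that came from the external write-up, not from anything on the original incident host: that dependency on outside knowledge is exactly the slow, repetitive part of the loop the deck is describing.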
6. Introducing and understanding Cognitive Security
Cognitive security provides the ability to unlock and action the potential in all data, internal and external, structured and unstructured.
It connects obscure data points humans couldn't possibly spot, enabling enterprises to more quickly and accurately detect and respond to threats, becoming more knowledgeable through the cognitive power to understand, reason and learn.
7. Traditional Security Data
A universe of security knowledge, dark to your defenses: typical organizations leverage only 8% of this content*
Human Generated Knowledge: a tremendous amount of security knowledge is created for human consumption, but most of it is untapped. Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
Traditional Security Data:
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
8. Cognitive Security
Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology
[Figure: three overlapping circles, SECURITY ANALYSTS, SECURITY ANALYTICS and COGNITIVE SECURITY]
Human Expertise (security analysts):
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization
Security Analytics:
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow
Cognitive Security:
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics
9. Revolutionizing how security analysts work
GAIN POWERFUL INSIGHTS. REDUCE THE SECURITY SKILLS GAP.
[Figure: SECURITY ANALYST alone versus SECURITY ANALYST and WATSON]
Human Generated Security Knowledge
• Tap into the vast array of data to uncover new patterns
• Get smarter over time and build instincts
Enterprise Security Analytics
Cognitive techniques to mimic human intuition around advanced threats
• Triage threats and make recommendations with confidence, at scale and speed
10. Watson enables greater insights by ingesting extensive data sources
IBM Watson for cyber security (cycle: INGEST, LEARN, TEST, EXPERIENCE)
Corpus of Knowledge (Human Generated Security Knowledge, sourced by IBM Security and IBM Research):
• Threat databases
• Research reports
• Security textbooks
• Vulnerability disclosures
• Popular websites
• Blogs and social activity
• Other
Enterprise Security Analytics (correlated enterprise data):
• Security events
• User activity
• Configuration information
• Vulnerability results
• System and app logs
• Security policies
• Other
*IBM intends to deliver in the future as a QRadar app
11. Not just a search engine, we're teaching Watson to understand and interpret the language of security
• Watson applies annotators to text (annotator logic)
• Watson creates a knowledge graph, linking entities such as Threat Name, Hash IoC Artifact and Infection Methods
• Rich dictionaries enable Watson to link all entity representations
• Machine learning enables Watson for Cyber Security to teach itself over time
(cycle: INGEST, LEARN, TEST, EXPERIENCE)
12. Beyond mere algorithms, Watson evaluates supporting evidence
Question (example): What vulnerabilities are relevant to this type of infection?
Search Corpus:
• Research reports
• Security websites
• Publications
• Threat intelligence
• Internal scans
• Asset information
Extract Evidence
Score and Weigh:
• Quantity
• Proximity
• Relationship
• Domain truths / business rules
(cycle: INGEST, LEARN, TEST, EXPERIENCE)
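A toy version of what slides 11 and 12 describe, added here as an example (it is not IBM's code and does not reflect how Watson is implemented): dictionary- and regex-based annotators tag threat names, infection methods and MD5 artifacts in unstructured text, the tagged entities are linked into a knowledge graph, and a question is answered by scoring the supporting evidence on quantity (how many documents) and proximity (same sentence versus same document). The three-document corpus, the ExampleBot family and its aliases, the method dictionary and the weights are all constructed for the example; the hashes are digests of placeholder strings.

```python
import hashlib
import re
from collections import defaultdict

# Constructed corpus: a blog post, a vendor write-up and a tweet. The threat
# name and aliases are made up; the MD5s are digests of placeholder strings.
SAMPLE_A = hashlib.md5(b"sample-a").hexdigest()
SAMPLE_B = hashlib.md5(b"sample-b").hexdigest()
CORPUS = [
    f"ExampleBot is spreading via phishing emails carrying a macro-enabled document. "
    f"Dropped payload MD5 {SAMPLE_A}.",
    f"Analysis of example-bot: the loader {SAMPLE_A} is delivered by an exploit kit on "
    f"compromised sites; a second stage {SAMPLE_B} was observed. Unrelated note: a "
    f"drive-by campaign was also seen this week.",
    "New Example Bot wave today, macro docs again. #infosec",
]

# "Rich dictionaries" that link every surface form of an entity to one canonical name.
THREAT_ALIASES = {"examplebot": ["examplebot", "example-bot", "example bot"]}
INFECTION_METHODS = ["phishing", "macro", "exploit kit", "drive-by"]
HASH_RE = re.compile(r"\b[a-f0-9]{32}\b")

# Proximity weights (assumed values): co-mention in one sentence is strong
# evidence, co-mention elsewhere in the same document is weak evidence.
SENTENCE_WEIGHT = 1.0
DOCUMENT_WEIGHT = 0.25


def split_sentences(doc):
    return [s for s in re.split(r"(?<=[.!?])\s+", doc) if s.strip()]


def annotate(doc):
    """Run the annotators over one document: one set of typed, canonical entities per sentence."""
    annotated = []
    for sentence in split_sentences(doc):
        ents = set()
        for canon, aliases in THREAT_ALIASES.items():
            if any(re.search(r"\b" + re.escape(a) + r"\b", sentence, re.I) for a in aliases):
                ents.add(f"threat:{canon}")
        for method in INFECTION_METHODS:
            if re.search(r"\b" + re.escape(method) + r"\b", sentence, re.I):
                ents.add(f"method:{method}")
        for h in HASH_RE.findall(sentence.lower()):
            ents.add(f"hash:{h}")
        annotated.append(ents)
    return annotated


def build_graph(corpus):
    """Knowledge graph as node -> neighbour -> list of (document index, weight) evidence."""
    graph = defaultdict(lambda: defaultdict(list))
    for doc_idx, doc in enumerate(corpus):
        sentences = annotate(doc)
        all_ents = set().union(*sentences) if sentences else set()
        for a in all_ents:
            for b in all_ents:
                if a == b:
                    continue
                close = any(a in s and b in s for s in sentences)
                graph[a][b].append((doc_idx, SENTENCE_WEIGHT if close else DOCUMENT_WEIGHT))
    return graph


def related(graph, node, kind):
    """Answer 'which <kind> entities relate to <node>?' ranked by weighed evidence:
    total proximity weight first, then number of distinct supporting documents."""
    results = []
    for other, evidence in graph[node].items():
        if not other.startswith(kind + ":"):
            continue
        score = sum(w for _, w in evidence)
        n_docs = len({d for d, _ in evidence})
        results.append((other.split(":", 1)[1], score, n_docs))
    return sorted(results, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    kg = build_graph(CORPUS)
    print(related(kg, "threat:examplebot", "method"))
    print(related(kg, "threat:examplebot", "hash"))
```

The ranking shows the two evidence criteria the slide names working together: "macro" outranks the other infection methods because two documents mention it in the same sentence as the threat (quantity), while "drive-by" is only weakly linked because it appears in the same write-up but never in the same sentence (proximity). The "relationship" and "domain truths / business rules" criteria are not modelled here.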
14. What is fed into Watson for Cyber Security
Structured Security Data (update cadences shown on the slide: 5 Minutes, 1 Hour, 1 Week):
• X-Force Exchange: indicators, vulnerabilities, malware names, ...
• Trusted Partner Data: new actors, campaigns, malware outbreaks, indicators, ...
• Open source and paid data: course of action, actors, trends, indicators, ...
Crawl of Critical Unstructured Security Data (massive crawl of all security related data on the web): breach replies, attack write-ups, best practices, blogs, websites, news, ...
Filtering + Machine Learning removes unnecessary information (3:1 reduction)
Machine Learning / Natural Language Processing extracts and annotates the collected data
Millions of documents, billions of data elements; 5-10 updates / hour, 100K updates / week
Massive Security Knowledge Graph: billions of nodes / edges
15. There are numerous potential use cases where we could envision cognitive security playing a key role
• Enhance your SOC analysts
• Speed response with external intelligence
• Identify threats with advanced analytics
• Strengthen application security
• Improve enterprise risk
17. Meet Rafael, Level 1 Security Analyst
Rafael's day repeats the manual loop of slide 5, with SIEM/Flows as the data source:
1. Review your security incidents in SIEM/Flows
2. Decide which incident to focus on next
3. Review the data (events / flows that made up that incident)
4. Expand your search to capture more data around that incident
5. Pivot the data multiple ways to find outliers (such as unusual domains, IPs, file access)
6. Review the payload of the outlying events for anything interesting (domains, MD5s, etc.)
7. Search X-Force Exchange, Google, VirusTotal and your favourite tools for these outliers / indicators. Find that new malware is at play
8. Get the name of the malware
9. Search more websites for information about IOCs (indicators of compromise) for that malware
10. Take these newly found IOCs from the internet and search for them back in SIEM/Flows
11. Find other internal IPs that are potentially infected with the same malware
12. Start another investigation around each of these IPs
18. Watson for Cyber Security will significantly reduce threat research and response time
Manual threat analysis (Incident Triage, Investigation and Impact Assessment, Remediation): Days to Weeks
IBM Watson for Cyber Security assisted threat analysis (same three phases): Minutes to Hours
Quick and accurate analysis of security threats, saving precious time and resources
19. Revisiting Rafael
Level 1 Security Analyst
With Watson’s help
• Faster investigations
• Clear backlog easier
• Increased investigative skills
• Heavy lifting done beforehand
20. Introducing…IBM Watson for Cyber Security
Unlock new possibilities.
The world’s first Cognitive analytics solution
using core Watson technology to understand,
reason, and learn about security topics
and threats.
Editor's notes (speaker notes)
The cognitive era is here. Digital everything means that technology’s number one job in business now is handling and responding to data. But this isn’t a story about big data’s takeover. This is a story about how cognitive capabilities are being applied to security to establish a relationship between machines and humans and how the role of technology can now change from enabler to advisor. We are ushering in this new era of cognitive security to outhink and outpace threats with security that understands, reasons and learns.
Respond to threats with greater confidence at scale and speed.
Watson for Cyber Security can understand, reason and learn, allowing people and systems to work together more collaboratively and efficiently to protect the organization.
The state of cybersecurity is reaching an inflection point as security analysts gather more data and apply more analytics to address the rapidly changing threat landscape. The increases in workload are approaching the limits of what's possible with humans alone. This is evidence that most organizations can’t process all the alerts they are getting in their environment. They are also very susceptible to variances in analyst performance and fatigue during the day, i.e. you can’t always expect your analysts to ask the right questions. Things are only set to get worse as the number of threats and their diversity keeps increasing.
http://swimlane.com/7-startling-stats-on-the-cyber-security-skills-shortage/
http://dl.acm.org/citation.cfm?id=2756528
https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
https://www.netiq.com/communities/cool-solutions/netiq-views/84-fascinating-it-security-statistics/
http://www.kroll.com/en-us/cyber-security/data-breach-prevention/cyber-risk-assessments/data-security-statistics
This is why it is so hard. Most analysts have to carry out these tasks time and time again throughout the day, and each one has to be done in 20 minutes or less, otherwise they start falling behind and the alerts build up. This is relentless. On top of that, fatigue can creep in and compromise the quality of the analysis, which ultimately leaves organizations increasingly exposed.
What they need is help from a system that can learn about security and then reason and think through these repetitive functions and analyses consistently and accurately, looking to identify the real threat.
Think of all that has been accomplished using only a fraction of the available data
Cognitive systems are able to analyze security trends and distill enormous volumes of structured and unstructured data into information, and then into actionable knowledge to enable continuous security and business improvement.
It does this by understanding, reasoning and learning about constantly evolving security threats.
1. Understand and make sense of unstructured data and natural language text. This includes the ability to ingest and process information through “reading” books, reports, blogs and relevant industry data, “seeing” images and “hearing” natural speech within its context.
2. Reason based on the ability to interpret and organize information and offer explanations of what it means, along with a rationale for conclusions.
3. Learn continuously as data accumulates and insights are derived from interaction.
Watson serves as a trusted advisor to the security analyst making sense of a sea of structured and unstructured data and providing quicker and more accurate analysis of security threats, saving precious time and resources.
Let’s show ‘how’ Watson is applied in the context of security. It starts by ingesting a vast array of data (both unstructured and structured) that has been curated by security experts (humans) into a ‘corpus of knowledge’.
After ingesting this corpus of knowledge, curated by security experts, Watson begins to learn and interpret the language of security.
At this stage, Watson begins to annotate relevant data that has been provided by security experts. It builds indices and other meta data to make working with this data more efficient. It may also start building out knowledge graphs to assist in answering questions.
Security experts then provide Watson with Q/A pairings. It doesn’t give it explicit answers but rather teaches it the linguistic patterns of meaning in the security domain. This machine “knowledge” is then enhanced as security professionals interact with the system, providing feedback on the accuracy of the system’s responses.
The best way to explain the experience of Watson for Cyber Security is to actually show you. We intend to integrate Watson for Cyber Security with our leading security intelligence platform, IBM QRadar, and will demonstrate for you now how that could be experienced.
Enhance your SOC analysts. Cognitive systems can understand a vast sea of structured and unstructured data, to help quickly move the value of a junior analyst from a level 1 to a 2 or 3. Cognitive systems can automate ingesting information, such as research reports and best practices, to give real-time input. Previously, this knowledge and insight could only be obtained from years of experience.
Speed response with external intelligence. When the next Heartbleed hits, people will blog about how to protect yourself from it. Even though a signature is not available yet, there is natural language online that can help you answer the question. Cognitive systems can crawl to quickly discover how to protect against the next zero-day exploit.
Identify threats with advanced analytics. Cognitive systems may use analysis methods such as machine learning, clustering, graph mining and entity relationship modeling to identify potential threats. They can help speed detection of risky user behavior, data exfiltration and malware before damage occurs.
Strengthen application security. Cognitive systems can understand the semantic context of your analytics and data, while exploring code and code structures. They can take thousands of vulnerability findings and refine results to a small set of actionable items – and take you to locations in your code where you can fix them.
Improve enterprise risk. In the future, cognitive systems could analyze corpuses of interactions, the nature of those interactions and their susceptibility to develop risk profiles for organizations, corporate actions, training and re-education. Cognitive systems could use natural language processing to find sensitive data in an organization and redact it.
Rafael uses QRadar daily
Watson for Cyber Security will arm analysts with the collective knowledge and instinct needed to respond to threats with greater confidence, at speed and scale.