QRadar Advisor with Watson ACCELERATING INCIDENT ANALYSIS WITH ARTIFICIAL INTELLIGENCE Luca Dalzoppo Business Development Manager [email protected] March 2018

QRadar Advisor with Watson - EDIST Engineering Srl · Perform deep-dive analysis, look for new analytic methods for detecting and preventing threats Response Respond to security incidents


Page 1

QRadar Advisor with Watson

ACCELERATING INCIDENT ANALYSIS WITH ARTIFICIAL INTELLIGENCE

Luca Dalzoppo
Business Development Manager
[email protected]

March 2018

Page 2

IBM Security

Your goals as a security operations team are fundamental to business

Protect critical systems & data

Respond to incidents accurately and quickly

Outthink cyber criminals

Page 3

But the pressures today make them hard to keep up with

Data Overload | Unaddressed Threats | Skills Shortage

"My workload is overwhelming and repetitive."

"I don't know where to focus my time for the quickest response."

"There is so much information out there, it's impossible to find what's useful."

Page 4

Artificial intelligence bridges this gap and unlocks a new partnership between security analysts and their technology

Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow

AI: Cognitive Security
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics

Human Expertise
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization

Page 5

We want to tackle where the bulk of your team’s time is spent: On the initial incident assessment phase

Threat Hunting: Perform deep-dive analysis, look for new analytic methods for detecting and preventing threats

Response: Respond to security incidents and provide remediation

Incident Analysis: Continuously monitor the alert queue, collect investigative data and context, including the root cause diagnosis necessary to escalate security alerts

Simplify these tasks

Page 6

Introducing QRadar Advisor with Watson built with AI for the front-line Security Analyst

QRadar Advisor with Watson uses AI to accelerate incident analysis, reduce complexity with intelligent investigation, and ultimately enables a faster response to threats.

1. Accelerates analysis by automatically investigating indicators of compromise (internal and external) and suspicious behavior

2. Applies cognitive reasoning to discover and connect other threat entities related to the original incident

3. Provides critical insights to take action on escalation

Page 7

QRadar Advisor with Watson delivers on these values (1 of 3): Accelerated Analysis

• Uses AI to analyze real-time incidents for triage: automatically investigates the evidence for an alert or anomaly against Watson and applies 'reasoning' to identify the likely threat

• Gathers external and internal threat indicators from the alert

• Performs external (threat intelligence research) and internal research on indicators and entities (hash, domain, IP, users, filename, etc.)

• Highlights the existence and identity of a threat or of outliers

• Offers a natural language search bar restricted to security information to speed up assessment

Page 8

QRadar Advisor with Watson delivers on these values (2 of 3): Intelligent Investigation

• Identifies whether communication with the threat has occurred or was blocked

• Highlights whether malware has executed

• Identifies the criticality of the systems impacted in the incident and shows high-value assets

• Gives visibility to higher-priority risks and threats from insiders
  - Integrated with the User Behavior Analytics (UBA) app to show users' risk scores
  - Reveals previous behaviors and actions of users

• Connects other threat entities from the original offense to show their relationships

• Provides input for ad-hoc investigation against collections of users and entities

Page 9

QRadar Advisor with Watson delivers on these values (3 of 3): Faster Response

• Provides pertinent information to take action on escalation

• Performs automatic hunting for indicators

• Exports the threat and its indicators to the IR process for remediation and/or blocking

• Automatically adds additional discovered threat indicators to watch lists to reduce the risk of missing threats

Page 10

How it works – App that takes QRadar to the next level

IBM QRadar Advisor with Watson

Advisor is quick to deploy and easy to consume: delivered via the IBM Security App Exchange, downloadable in minutes, with complimentary 30-day trials available.

• QRadar Advisor: performs local data mining using observables to gather context

• QRadar Security Analytics Platform: set up automatic offense analysis to Advisor

• Watson for Cyber Security: applies powerful cognitive analytics leveraging external data sources to connect insights

• QRadar Advisor: provides intelligence to help analysts make faster triage decisions

Page 11

How it works – Building the knowledge (diagram; update cadences shown: 1-3 days, 1 hour, 5 minutes)

Sources:
• Structured security data: X-Force Exchange, trusted partner data, open source and paid data (indicators, vulnerabilities, malware names, ...)
• Crawl of critical unstructured security data: breach replies, attack write-ups, best practices (new actors, campaigns, malware outbreaks, indicators, ...)
• Massive crawl of all security-related data on the web: blogs, websites, news, ... (courses of action, actors, trends, indicators, ...)

Processing:
• Filtering + machine learning removes unnecessary information (3:1 reduction)
• Machine learning / natural language processing extracts and annotates the collected data
• 5-10 updates per hour; 100K updates per week
• Billions of data elements and millions of documents feed a massive security knowledge graph with billions of nodes and edges

Page 12

How it works – Cognitive applied for cybersecurity

Ingest mass amounts of data

Classify, select, and normalize data

Natural language processing for security context

Training and learning with feedback

Relational analysis visualized through knowledge graphs

Page 13

How it works – Use cases further defined

Realize reach of threats and its effects on other users and systems in your ecosystem

Utilize locally gathered and Watson external threat intelligence to gain broader context within your investigations

Understand and quickly assess threats to know whether they bypassed your layered defenses or were stopped dead in their tracks

Understand malware and ransomware sources, delivery methods and related components to help quickly determine your impact and next courses of action

Identify users and critical assets when they are involved in an incident and quickly pivot to gain details on user behavior activity and asset metadata

Page 14

QRadar Advisor with Watson automates tedious tasks, simplifies complex procedures, and presents its conclusions

Take your QRadar offense list and narrow in on the indicators that matter

Page 15

We are excited to bring a variety of clients on this cognitive journey with us

GLOBAL DISTRIBUTOR OF ELECTRONICS
"Advisor has been instrumental to our security program in the last year. We have a lot of new analysts and having Watson gave us more confidence. It delivered on our goals of speed and accuracy."

"Chose to purchase Advisor because of our limited staff, overwhelming amount of work, and a need to automate as much as possible."
TOP UNIVERSITY IN MASSACHUSETTS, USA

"With increased responsibility and scale, we needed a solution that saves analysts time and increases efficiencies."
INDEPENDENT GOVERNMENT AGENCY

Page 16

Accelerate incident analysis and apply AI with QRadar Advisor with Watson

✓ Accelerates incident triage with more automation and analysis depth

✓ Reduces the risk of missing threats

✓ Alleviates the pressure of the skills gap

✓ Augments incident response processes with comprehensive threat information and data

Visit our website to start a trial today

Page 17

Sample Scenarios & Demo Resources

Page 18

Client Connecting to Botnet IP

Watson indicators: botnet IP

• QRadar fired an offense on a user attempting to connect to a botnet IP

• The analyst found 5 correlated indicators manually while we ran Watson

• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses, domains

Page 19

External Scan

Offense – external scan

• Light external scanning; looked like Shodan

• An analyst would have marked it as a nuisance scan

• Watson revealed additional info: botnet CNC, spam servers, malware hosting

Watson key indicators

Page 20

Client Malware Download

Watson key indicators: client malware download

• The client attempted a malware download and the malware was blocked. How much time do you spend on a blocked threat?

• Watson enriched the offense: the malware was part of a larger campaign. Analysts used the additional indicators to search for compromise
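The three scenarios above, and the Intelligent Investigation and Faster Response bullets earlier in the deck, describe one workflow: take the observables from an offense, widen them with related campaign indicators, then mine local logs to learn whether each indicator was merely blocked or actually got through, and push the new indicators onto watch lists. The script below is an added example of that local step; it is not IBM's code and not how QRadar Advisor is implemented. The seed observables, the "expanded" indicator list (standing in for what the deck says Watson returns) and the key=value log lines are all constructed for the example.

```python
"""
Indicator-centric triage over local log lines (added example, not IBM code).
Given offense observables plus enrichment-derived indicators, decide per
indicator whether it was blocked, contacted or executed, which hosts to
escalate, and which newly discovered indicators belong on watch lists.
"""
import re
from urllib.parse import urlparse

# Observables taken from the original offense (constructed).
SEED_INDICATORS = {"203.0.113.10", "evil-cdn.example"}

# Related indicators returned by enrichment (constructed; stands in for the
# campaign indicators the deck attributes to Watson).
EXPANDED_INDICATORS = {
    "198.51.100.77",                      # second C2 address
    "update-check.example",               # staging domain
    "d41d8cd98f00b204e9800998ecf8427e",   # MD5 of the dropper
}

# Constructed firewall / proxy / EDR events in key=value form.
LOG_LINES = [
    "src=10.0.0.5 dst=203.0.113.10 dport=443 action=block app=firewall",
    "src=10.0.0.5 url=http://evil-cdn.example/a.php action=block app=proxy",
    "src=10.0.0.8 url=http://update-check.example/x action=allow app=proxy",
    "src=10.0.0.8 dst=198.51.100.77 dport=8080 action=allow app=firewall",
    "host=10.0.0.8 event=process_start md5=d41d8cd98f00b204e9800998ecf8427e app=edr",
    "src=10.0.0.9 dst=192.0.2.1 dport=80 action=allow app=firewall",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HASH_RE = re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}")


def parse_line(line):
    """Split a key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def indicator_type(ioc):
    """Classify an indicator as ip, hash or domain."""
    if IPV4_RE.fullmatch(ioc):
        return "ip"
    if HASH_RE.fullmatch(ioc):
        return "hash"
    return "domain"


def mentions(fields, ioc):
    """True if the parsed event refers to the indicator in a field of the matching type."""
    kind = indicator_type(ioc)
    if kind == "ip":
        return fields.get("dst") == ioc
    if kind == "hash":
        return ioc.lower() in {fields.get(k, "").lower() for k in ("md5", "sha1", "sha256")}
    url_host = urlparse(fields["url"]).hostname if "url" in fields else None
    return url_host == ioc or fields.get("dst") == ioc


def verdict(events):
    """Worst observed outcome: executed > contact > blocked > no_contact."""
    if any(e.get("event") == "process_start" for e in events):
        return "executed"
    if any(e.get("action") == "allow" for e in events):
        return "contact"
    if any(e.get("action") == "block" for e in events):
        return "blocked"
    return "no_contact"


def triage(seed, expanded, lines):
    """Per-indicator type, verdict and touched hosts, flagging newly discovered indicators."""
    events = [parse_line(line) for line in lines]
    report = {}
    for ioc in seed | expanded:
        hits = [e for e in events if mentions(e, ioc)]
        report[ioc] = {
            "type": indicator_type(ioc),
            "discovered": ioc in expanded,
            "verdict": verdict(hits),
            "hosts": sorted({e.get("src") or e.get("host") for e in hits}),
        }
    return report


def hosts_to_escalate(report):
    """Hosts where the threat got through: allowed contact or an executed payload."""
    return sorted({h for r in report.values() if r["verdict"] in ("contact", "executed") for h in r["hosts"]})


def watchlist_additions(report):
    """Newly discovered indicators grouped by type, ready to load into per-type watch lists."""
    groups = {"ip": [], "domain": [], "hash": []}
    for ioc, r in report.items():
        if r["discovered"]:
            groups[r["type"]].append(ioc)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    rep = triage(SEED_INDICATORS, EXPANDED_INDICATORS, LOG_LINES)
    for ioc, r in sorted(rep.items()):
        print(f"{ioc:36} {r['type']:6} {r['verdict']:10} hosts={r['hosts']}")
    print("escalate:", hosts_to_escalate(rep))
    print("watch lists:", watchlist_additions(rep))
```

On the constructed input the two seed indicators come back as blocked, which is exactly the "how much time do you spend on a blocked threat?" case; the expanded indicators show that 10.0.0.8 reached the second C2 and ran the dropper, so that host, not the originally alerted 10.0.0.5, is the one to escalate. Matching is done on typed fields (dst for IPs, URL host or dst for domains, hash fields for hashes) rather than by substring, so an IP that happens to appear inside a longer string is not counted as contact.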

Page 21

Resources

Knowledge Center – latest with what's new, support, etc.
Upcoming Events – webinars, local events, etc.

Links to short how-to videos:

• QRadar Watson Advisor Trial Request, Download, and Installation
• QRadar Watson Advisor Configuration
• QRadar Watson Advisor Incident Overview and Analysis

Links to informational and demo videos:

• Taking SIEM Cognitive In 3 minutes (Jose Bravo and Chris Hankins)
• Poison Ivy Malware Video
• Suspicious Activity (CozyDuke) Video

Link to Self-Help Support Forum
AppExchange
On-demand webinar – Rock your SOC (Security Operations Center) with Watson for Cyber Security
Solution brief

Page 22

ibm.com/security

securityintelligence.com

xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU