QRadar Advisor with Watson
Accelerating Incident Analysis with Artificial Intelligence
Luca Dalzoppo, Business Development, [email protected]
March 2018
2 IBM Security
Your goals as a security operations team are fundamental to the business:
• Protect critical systems and data
• Respond to incidents accurately and quickly
• Outthink cyber criminals
But the pressures today make them hard to keep up with:
Data Overload, Unaddressed Threats, Skills Shortage
• "My workload is overwhelming and repetitive."
• "I don't know where to focus my time for the quickest response."
• "There is so much information out there, it's impossible to find what's useful."
Artificial intelligence bridges this gap and unlocks a new partnership between security analysts and their technology
• Security Analytics: data correlation, pattern identification, anomaly detection, prioritization, data visualization, workflow
• AI (Cognitive Security): unstructured analysis, natural language, question and answer, machine learning, bias elimination, tradeoff analytics
• Human Expertise: common sense, morals, compassion, abstraction, dilemmas, generalization
We want to tackle where the bulk of your team's time is spent: the initial incident assessment phase
• Incident Analysis: continuously monitor the alert queue, collect investigative data and context, including the root cause diagnosis necessary to escalate security alerts (the tasks Advisor aims to simplify)
• Threat Hunting: perform deep-dive analysis, look for new analytic methods for detecting and preventing threats
• Response: respond to security incidents and provide remediation
Introducing QRadar Advisor with Watson, built with AI for the front-line security analyst
QRadar Advisor with Watson uses AI to accelerate incident analysis, reduce complexity with intelligent investigation, and ultimately enable a faster response to threats.
1. Accelerates analysis by automatically investigating indicators of compromise (internal and external) and suspicious behavior
2. Applies cognitive reasoning to discover and connect other threat entities related to the original incident
3. Provides critical insights to take action on escalation
QRadar Advisor with Watson delivers on these values: 1. Accelerated Analysis
• Uses AI to analyze real-time incidents for triage: automatically investigates evidence for an alert or anomaly against Watson and applies "reasoning" to identify the likely threat
• Gathers external and internal threat indicators from the alert
• Performs external (threat intelligence research) and internal research on indicators and entities (hash, domain, IP, users, filename, etc.)
• Highlights the existence and identity of threats or outliers
• Offers a natural language search bar for security-only information to speed up assessment
QRadar Advisor with Watson delivers on these values: 2. Intelligent Investigation
• Identifies whether communication with the threat has occurred or was blocked
• Highlights whether malware has executed
• Identifies the criticality of systems impacted in the incident and shows high-value assets
• Gives visibility to higher-priority risks and threats from insiders: integrated with the User Behavior Analytics (UBA) app to show users' risk scores, and reveals previous behaviors and actions of users
• Connects other threat entities from the original offense to show relationships
• Provides input for ad-hoc investigation against collections of users and entities
QRadar Advisor with Watson delivers on these values: 3. Faster Response
• Provides pertinent information to take action on escalation
• Performs automatic hunting for indicators
• Exports threats and indicators to the IR process for remediation and/or blocking
• Automatically adds additionally discovered threat indicators to watch lists to reduce the risk of missing threats
How it works – App that takes QRadar to the next level
IBM QRadar Advisor with Watson is quick to deploy and easy to consume: delivered via the IBM Security App Exchange, downloadable in minutes, with complimentary 30-day trials available.
• QRadar Security Analytics Platform: set up automatic offense analysis to Advisor
• QRadar Advisor: performs local data mining using observables to gather context
• Watson for Cyber Security: applies powerful cognitive analytics leveraging external data sources to connect insights
• QRadar Advisor: provides intelligence to help analysts make faster triage decisions
How it works – Building the knowledge
Sources (timing labels on the diagram: 1-3 days, 1 hour, 5 minutes):
• Structured security data: X-Force Exchange, trusted partner data, open source and paid data (indicators, vulnerabilities, malware names, new actors, campaigns, malware outbreaks, courses of action, actors, trends, …)
• Crawl of critical unstructured security data: breach replies, attack write-ups, best practices
• Massive crawl of all security-related data on the web: blogs, websites, news, …
Processing:
• Filtering + machine learning removes unnecessary information (3:1 reduction)
• Machine learning / natural language processing extracts and annotates the collected data
Scale: billions of data elements and millions of documents; 5-10 updates per hour, 100K updates per week
Result: a massive security knowledge graph with billions of nodes and edges
How it works – Cognitive applied for cybersecurity
• Ingest mass amounts of data
• Classify, select, and normalize data
• Natural language processing for security context
• Training and learning with feedback
• Relational analysis visualized through knowledge graphs
How it works – Use cases further defined
• Realize the reach of threats and their effects on other users and systems in your ecosystem
• Utilize locally gathered and Watson external threat intelligence to gain broader context within your investigations
• Understand and quickly assess threats to know whether they bypassed your layered defenses or were stopped dead in their tracks
• Understand malware and ransomware sources, delivery methods and related components to help quickly determine your impact and next courses of action
• Identify users and critical assets when they are involved in an incident and quickly pivot to gain details on user behavior activity and asset metadata
QRadar Advisor with Watson automates tedious tasks, simplifies complex procedures, and presents its conclusions
Take your QRadar offense list and narrow in on the indicators that matter
We are excited to bring a variety of clients on this cognitive journey with us
Global distributor of electronics: "Advisor has been instrumental to our security program in the last year. We have a lot of new analysts and having Watson gave us more confidence. It delivered on our goals of speed and accuracy."
Top university in Massachusetts, USA: "Chose to purchase Advisor because of our limited staff, overwhelming amount of work, and a need to automate as much as possible."
Independent government agency: "With increased responsibility and scale, we needed a solution that saves analysts time and increases efficiencies."
Accelerate incident analysis and apply AI with QRadar Advisor with Watson
✓ Accelerates incident triage with more automation and analysis depth
✓ Reduces the risk of missing threats
✓ Alleviates the pressure of the skills gap
✓ Augments incident response processes with comprehensive threat information and data
Visit our website to start a trial today
Sample Scenarios & Demo Resources
Client Connecting to Botnet IP
• QRadar fired an offense on a user attempting to connect to a botnet IP
• The analyst found 5 correlated indicators manually while we ran Watson
• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses, domains
(Screenshot: Watson indicators for the botnet IP)
External Scan
• Light external scanning that looked like Shodan; the analyst would have marked it as a nuisance scan
• Watson revealed additional information: botnet CNC, spam servers, malware hosting
(Screenshots: Offense – external scan; Watson key indicators)
Client Malware Download
• Client attempted a malware download; the malware was blocked. How much time do you spend on a blocked threat?
• Watson enriched the offense: the malware was part of a larger campaign, and analysts used the additional indicators to search for compromise
(Screenshot: Watson key indicators for the client malware download)
Resources
• Knowledge Center – latest with what's new, support, etc.
• Upcoming Events – webinars, local events, etc.
Links to short how-to videos:
• QRadar Watson Advisor Trial Request, Download, and Installation
• QRadar Watson Advisor Configuration
• QRadar Watson Advisor Incident Overview and Analysis
Links to informational and demo videos:
• Taking SIEM Cognitive In 3 minutes (Jose Bravo and Chris Hankins)
• Poison Ivy Malware Video
• Suspicious Activity (CozyDuke) Video
Other links:
• Self-Help Support Forum
• App Exchange
• On-demand webinar – Rock your SOC (Security Operations Center) with Watson for Cyber Security
• Solution brief
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU