1
Dany Gagnon, Risk Management Executive Advisor IBM Security CEE
Changing The Game With Cognitive Security: Leveraging Automation for Better Human Decision Making

The Scala Castle of Sirmione, on the southern shore of Lake Garda in northern Italy, was built in 1151 by a wealthy landowner. It has very thick stone walls, over a metre thick in places, and it stands on a small island separated from the mainland and joined by a drawbridge. It was absolutely state of the art, the latest in castle technology, undefeatable, and it stayed that way for a hundred years, until 1251. In the thirteenth century something new and disruptive came along, something that could not have been predicted when the castle was built: gunpowder was discovered, and with it came the cannon. You will not see it easily in this picture, but there is damage to these turrets. These impressive, massive square towers were the perfect target for cannon balls, which went straight through the walls, and the castle was ransacked. After that, castle design evolved: people built castles with round turrets and other rounded ramparts that helped to deflect cannon balls.

The point of this short story is that we are never done with security. It is a continuum, it keeps changing, and there are always new threats around the corner to deal with. The problems we face today, and that we are talking about here, will be different tomorrow and different next year. They will evolve and change, and so the solutions and approaches we take have to adapt as well.

© 2016 IBM Corporation
2
This is the first step in ushering in a new era of security
Moats and Castles (pre-2005) | Security Intelligence (2005+) | Cognitive Security (2015+)
Deploy | Leverage | Interpret

Our path to cognitive computing started with Deep Blue playing chess against Garry Kasparov. Then we played a much more sophisticated game: Jeopardy. Jeopardy is nothing like chess, because it is a game of natural language, of interesting questions and answers, of the subtleties of the English language. A game you would think a computer would be hopeless at. And yet, after just a few years of work by our research team, we were able to get the system, Watson, to beat the two best players at Jeopardy. That was six years ago now. Those cognitive systems we developed, we have since been applying to different industries and use cases: to healthcare, to finance. And it is very promising. (Refer to the 60 Minutes report.)

What does it mean for us here in security? What could we do if we applied this cognitive technology to security? That is what I am going to talk to you about today.

Not so long ago, security was all about perimeter control: firewalls, antivirus, and those sorts of things. But in the last two years or so we moved way beyond that. Those controls alone are no longer sufficient. Think of the disruptive technologies that emerged in recent years: cloud, and the consumerization of IT, the way we all use smartphones and other devices to access services. Perimeter controls are no longer sufficient. So for the last ten years or so we created an era of security intelligence, where we used advanced security analytics to spot the attacks and threats aimed at our organizations and to protect us against cyber attacks. That too is proving insufficient. The attacks we are facing are becoming more and more sophisticated, and we are all struggling to keep up.

So this is where we at IBM think that applying some of the cognitive techniques I will describe to you today may represent the next era of security computing.
3
Security teams face an onslaught of serious challenges
- Lack of timely and actionable intelligence plagues security teams
- Data breaches continue with no end in sight
- Large skills gap in security expertise worldwide

If I reflect on some of the challenges that security teams face on a daily basis, there is certainly no end in sight to the growing sophistication of breaches. But the two pieces I want to focus on are really about the skills gap. Despite the great progress in security talent, it is hard to get actionable and timely intelligence from our systems, and hard to find the skilled people to interpret it. It is a perfect storm that continues to build.

Sources: 1. Ponemon, Cost of a Data Breach Report, 2015. 2. Lloyd's Insurance, 2015. 3. Ponemon, Cost of a Data Breach Report, 2015. 4. Ponemon, Cyber Threat Intelligence Report, 2015.
4
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped

Traditional Security Data:
- Security events and alerts
- Logs and configuration data
- User and network activity
- Threat and vulnerability feeds

Human Generated Knowledge (a universe of security knowledge, dark to your defenses; typical organizations leverage only 8% of this content). Examples include:
- Research documents
- Conference presentations
- News sources
- Industry publications
- Analyst reports
- Newsletters
- Forensic information
- Webpages
- Tweets
- Threat intelligence commentary
- Wikis
- Blogs

If I look at what organizations do today, I think we all do a pretty good job of looking at the information within our organizations' perimeter. We gather security logs, we look at security events, we look at the traffic on our networks, we look at flows. This is all relatively well understood. But I think we are actually missing a huge part of the picture. The piece we are missing, if I use the iceberg analogy on this chart, is all of the human generated knowledge that is available to us: all of the research documents, the industry publications, all the investigation and forensics results, the analyst reports, information from conferences like this one where experts share their knowledge. We have all of this human generated, unstructured information that we are simply struggling to tap into. We are barely scratching the surface of it.

Let me give you a sense of the volume; I do not think this picture does it justice. On a daily basis, worldwide, something like 2,000 security blogs are published every single day, along with 500 news articles, 30 academic papers and 25 different vulnerability reports. A wealth of human generated information, something like 2.6 million words of written information every day that could be valuable to all of us as we try to understand the tactical cyber threats we face.

But the average person can only read and understand something like 150 words per minute. So we have a massive consumption problem. There is no way I can consume all of the valuable information being generated on a daily basis. I read something on my way to the conference here, I read something at lunch time, I will read something tonight, and then I have to go to bed and basically reset. So how can you keep up? This is the challenge we face.
5
Cognitive systems bridge this gap and unlock a new partnership between security analysts and their technology

Security Analysts (human expertise): common sense, morals, compassion, abstraction, dilemmas, generalization.
Security Analytics: data correlation, pattern identification, anomaly detection, prioritization, data visualization, workflow.
Cognitive Security (understand, reason, learn): unstructured analysis, natural language, question and answer, machine learning, bias elimination, tradeoff analytics.

So we think that by developing cognitive systems we can start to bridge that gap. We can build systems that help advise security professionals and security analysts, and that work hand in hand with the advanced security analytics I spoke about. Cognitive systems are the ones that can really understand that human generated knowledge: understand it, reason about it, and learn from it. What we see in the future is a symbiotic relationship where the cognitive system advises and supports the security analyst, works through that unstructured information, responds to questions, and adds a lot of power.
6
Meet Rafael Jr. Security Analyst
"I investigate potential threats."

- External threat research: know the business and industry-relevant trends. Who is this information from? Are they trustworthy?
- Internal threat research: investigate potential network problems. How and why is this different from normal system behavior?
- Monitor: alarm queues and potential threats. How much will it hurt our organization? Do I need to deal with this now?
- Report: vulnerabilities and issues.
- Tune: improve rules.
(RACI roles on the slide: Responsible, Accountable, Consulted, Informed.)

Now let us narrow that down a little more. Imagine a scenario where you have a security analyst working in the Security Operations Centre, perhaps in a CERT or CSIRT. Rafael, my fictional security analyst, is just two to three years into the job. Very bright, very capable. If I look at what he spends his day doing, he is trying to absorb all of that external research data. He is looking at all the internal research, all the findings from previous incidents within his organization. He is monitoring queues, various security intelligence platforms, and the alerts he is seeing. He is able to follow simple procedures, report on what he is finding, and help the team improve the system. And he is challenged, on a daily basis: by the volume of incidents, by their increasing sophistication, by the number of decisions and trade-offs he needs to make. And he does not yet have the experience to really investigate all of these incidents.
7
IBM Watson for Cyber Security

Cognitive security will enable greater insights by ingesting extensive data sources (ingest, learn, test).

Corpus of knowledge, human generated security knowledge sourced by IBM Security and IBM Research: threat databases, research reports, security textbooks, vulnerability disclosures, popular websites, blogs and social activity, other.
Enterprise security analytics, correlated enterprise data: security events, user activity, configuration information, vulnerability results, system and application logs, security policies.

So imagine if we built a cognitive system to assist him. We have a project under way now, building a cognitive security system. It is called IBM Watson for Cyber Security. How do we get there? There are really three key steps to building a cognitive system. The first is that it has to ingest information to build what we like to call a corpus of knowledge, a body of knowledge. So we have been ingesting information into Watson for Cyber Security: threat research, research papers, publicly available information from across the internet, which we curate and validate to see that it is reliable and trustworthy. We have recruited eight North American universities to help us accelerate that process and assist in the ingestion of all this information.
8
Not just a search engine: understand and interpret the language of security

Ingest, learn, test. Apply annotators to text (annotator logic), create a knowledge graph. Rich dictionaries make it possible to link all representations of an entity: threat name, hash, infection methods, IoC artifact. Machine learning teaches itself over time.

The next piece is to really teach Watson the language of security. There are a number of Watson systems in place today, including the Watson healthcare system, which understands medical matters and all of that terminology. We had to teach Watson the language of security: the vocabulary, the semantics, the terminology, the very specialized phrases and terms in security. A honeypot is not something a bear takes its honey out of. A backdoor is not the back door of your house. Lockheed is not the name of a place, it is a malware. All of these specific things we had to teach Watson, and that is what we have been doing: teaching the vocabulary, the language, the interrelationships. So: ingesting the data, then teaching the system the language.
9
Beyond mere algorithms, evaluate supporting evidence
Ingest, learn, test. Question: what vulnerabilities are relevant to this type of infection? Search the corpus (research reports, security websites, publications, threat intelligence, internal scans, asset information), extract evidence, then score and weigh it by quantity, proximity, relationship, and domain truths or business rules.

Then the next phase is all about testing. How do we know when the system is working? We needed to ask Watson control questions, questions for which we already know the answer. We asked it the questions; it searched through its vast corpus of security related knowledge, all of that human generated knowledge I spoke about, extracted relevant evidence and presented a hypothesis. Then we can see whether Watson got the answer right, and if not, why not: trace back through the decision path to understand how it got to that answer. What evidence did it look at? What relationships, both intuitive and knowledge-based, was it able to leverage? So as we think about this system, cognitive systems are not programmed. They are taught. This is like a small child you are teaching to understand cyber security, teaching it the language and the relevant information. Watson will grow, learn and develop as it goes on.
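The annotator-and-knowledge-graph step from slide 8 and the evidence scoring from slide 9, as an added illustrative example in Python. This is not IBM's code and says nothing about how Watson for Cyber Security is actually implemented. It assumes a small dictionary of threat aliases, regex annotators for CVE identifiers, SHA-256 hashes and IPv4 addresses, and a constructed four-document corpus whose identifiers are placeholders (CVE-2099-*, a repeated-byte hash, an RFC 5737 test address). It carries the slide's question, which vulnerabilities are relevant to this infection, through the three scoring factors the slide names (quantity, proximity, relationship) plus one business rule taken from internal scan results, and keeps the per-document evidence so the decision path can be traced back.

```python
import re
from collections import defaultdict

# Constructed sample corpus: fictional documents, names and identifiers
# (CVE-2099-* are placeholders; 198.51.100.7 is RFC 5737 test space).
SAMPLE_HASH = "a3" * 32
CORPUS = {
    "blog-1": "The ExampleRAT campaign drops a loader with sha256 " + SAMPLE_HASH
              + " and exploits CVE-2099-10001 in the mail gateway; its C2 traffic "
              "goes to 198.51.100.7.",
    "advisory-1": "CVE-2099-10001 is a remote code execution flaw in the mail "
                  "gateway. A patch is available.",
    "news-1": "Some vendors call ExampleRAT 'SampleBeacon'. Exploitation of "
              "CVE-2099-10002 was observed on the same network, but no link to "
              "SampleBeacon is confirmed.",
    "wiki-1": "CVE-2099-10003 affects an unrelated image library and is not "
              "associated with any known campaign.",
}

# Dictionary annotator: every alias resolves to one canonical threat node.
THREAT_ALIASES = {"examplerat": "ExampleRAT", "samplebeacon": "ExampleRAT"}

# Pattern annotators for structured indicators of compromise.
PATTERNS = {
    "vulnerability": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
    "hash": re.compile(r"\b[0-9a-f]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def annotate(text):
    """Return (entity_type, canonical_value, char_offset) for every mention."""
    found = []
    for etype, pattern in PATTERNS.items():
        found.extend((etype, m.group(0), m.start()) for m in pattern.finditer(text))
    for alias, canonical in THREAT_ALIASES.items():
        pattern = re.compile(r"\b" + re.escape(alias) + r"\b", re.IGNORECASE)
        found.extend(("threat", canonical, m.start()) for m in pattern.finditer(text))
    return found


def build_graph(corpus):
    """Knowledge graph: node -> {neighbour -> {doc_id -> closest distance in chars}}.

    Also returns node -> set of documents mentioning it, used for corroboration."""
    graph = defaultdict(dict)
    docs_by_node = defaultdict(set)
    for doc_id, text in corpus.items():
        mentions = defaultdict(list)
        for etype, value, offset in annotate(text):
            mentions[(etype, value)].append(offset)
            docs_by_node[(etype, value)].add(doc_id)
        nodes = list(mentions)
        for i, a in enumerate(nodes):
            for b in nodes[i + 1:]:
                distance = min(abs(x - y) for x in mentions[a] for y in mentions[b])
                graph[a].setdefault(b, {})[doc_id] = distance
                graph[b].setdefault(a, {})[doc_id] = distance
    return graph, docs_by_node


def rank_vulnerabilities(graph, docs_by_node, threat, internal_scan):
    """Answer "which vulnerabilities are relevant to this threat?" with traceable evidence.

    quantity:      how many documents co-mention threat and vulnerability
    proximity:     how close the nearest co-mention is (1.0 = adjacent)
    corroboration: how many documents mention the vulnerability at all
    business rule: vulnerabilities absent from our own scan results are down-weighted
    """
    ranked = []
    for (etype, value), evidence in graph.get(("threat", threat), {}).items():
        if etype != "vulnerability":
            continue
        quantity = len(evidence)
        proximity = max(1.0 / (1.0 + d / 100.0) for d in evidence.values())
        corroboration = len(docs_by_node[(etype, value)])
        in_estate = internal_scan.get(value, False)
        weight = 1.0 if in_estate else 0.2
        ranked.append({
            "vulnerability": value,
            "score": round((quantity + proximity + corroboration) * weight, 3),
            "quantity": quantity,
            "proximity": round(proximity, 3),
            "corroboration": corroboration,
            "in_estate": in_estate,
            "evidence": dict(evidence),  # doc_id -> distance: the decision path
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    graph, docs = build_graph(CORPUS)
    # Constructed internal scan result: only the first placeholder CVE is present on our assets.
    scan = {"CVE-2099-10001": True}
    for row in rank_vulnerabilities(graph, docs, "ExampleRAT", scan):
        print(row)
```

Two design points follow the slide's argument. The alias dictionary is what turns "ExampleRAT" and "SampleBeacon" into one node, so evidence about either name accumulates on the same threat; without that linking step the graph fragments and quantity is undercounted. And the returned rows keep the document and character distance behind each edge, which is the control-question workflow from the slide: when the ranking is wrong, the analyst can see which document and which co-mention produced it rather than just a score.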
10
Reduce threat research and response time
Manual threat analysis (days to weeks): incident triage, investigation and impact assessment, remediation.
Assisted threat analysis (minutes to hours): incident triage, investigation and impact assessment, remediation.

Of course the idea here is to provide Rafael with that expert assistant, that advisory capability, so he is able to leverage all of that knowledge. It advises him and shortens the time it takes to investigate incidents. That is certainly one piece of it: improve the initial triage of incidents and the investigation phase by providing expert advice, and then of course the remediation. Quick and accurate analysis of security threats, saving precious time and resources.
11
Meet Rafael Jr. Security Analyst
With the help of cognitive security: faster investigations, an easier-to-clear backlog, increased investigative skills, heavy lifting done beforehand.

So part of it is certainly about making Rafael more efficient by clearing investigations faster. It is also about being more effective: eliminating false positives and coming to the true conclusions. If we can get it right, this will be really powerful. It will give Rafael an expert advisory system at his side to help him be as smart as someone who has been doing this for 10 or 15 years. It is going to improve his productivity and his effectiveness, and it is going to help us as an industry tackle the skills gap we face. We know from our work with organizations that people in Rafael's role would really welcome this type of expert advice: the ability to test out ideas and hypotheses based on what we are seeing in the systems.
12
We intend to accelerate cognitive security adoption by integrating with security intelligence platforms

Security intelligence platform (internal security events and incidents) -> send to Watson for Security -> cognitive security (external security knowledge).

This is just the one use case we focus on today, and what we intend to bring about in the short term is to plug this capability into our QRadar security intelligence platform. This is what clients are using today, on a daily basis, to understand cyber attacks and to look at and investigate incidents and alerts. We are going to plug this advisory capability in to advise on and improve its outcomes.
13
There are numerous potential use cases where we could envision cognitive security playing a key role
- Enhance your SOC analysts
- Speed response with external intelligence
- Identify threats with advanced analytics
- Strengthen application security
- Improve enterprise risk

And it is not just about the analyst use case. If you think about the power of this technology, the ability to digest natural language, you could apply it to a whole set of other use cases. You could apply it to regulatory environments. Regulations are really thick, wordy documents, quite detailed and quite hard to interpret; that is just the sort of thing cognitive systems like Watson are good at. They are able to digest all of that information, understand the nuances, and advise. So there is a whole set of use cases we might consider in the future, after we go through this very exciting journey.

I want to be very clear: Watson is not just some sort of analytics system. It is a combination of technologies. It is about machine learning and knowledge-based systems, it is about using graph theory, statistical engines that hold all sorts of capabilities under the covers. That is what allows Watson to act in a very humanistic fashion, and that is why we think of it as cognitive.
14
In the short time I was given today I cannot really do justice to everything we are doing, but I hope this gave you a flavor of what we are looking at. I remain available for questions, and I thank you for your time.