TRANSCRIPT
#RSAC
Applied Cognitive Security: Complementing the Security Analyst
Session ID: SPO3-W03
Vijay Dheap, Program Director – Cognitive Security, IBM Security, @dheap
Brant Hale, Technology Consultant, SCANA, @BrantMHale
Quick Insights: Current Security Status
Figure: threats and alerts set against the available analysts, the knowledge required and the available time.
Economics of Cyber Security are Unsustainable
Defenders:
• Must defend against multiple threat actors
• Must constantly maintain and monitor defensive measures
• Greater demand for skilled resources increases costs
• Accuracy and responsiveness are essential
Attackers:
• Can target multiple vulnerable organizations
• Identify and exploit a single lapse in defensive measures
• Tools and services reduce the skills required to engage in malicious activities
• Option to employ multiple methods of attack over a period of time
IBM Cognitive Security Study Revealed Gaps Security Teams Want to Address
Speed gap
• The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time
• This is despite the fact that 80% said their incident response speed is much faster than two years ago
Accuracy gap
• #2 most challenging area today is optimizing the accuracy of alerts (too many false positives)
• #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)
Intelligence gap
• #1 most challenging area due to insufficient resources is threat research (65% selecting)
• #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)
Addressing gaps while managing cost and ROI pressures
Evolution of Security Operations
• Gaining awareness of the current state of an organization's security posture requires data and analytics
• Traditional teams limit their focus to internal security data with minimal use of external knowledge
Figure: evolution from Log Mgmt. to 1st Gen SIEM, 2nd Gen SIEM and the Modern Security Intelligence Platform (and from 1st Generation Forensics to Advanced Cyber Forensics), plotted against increasing volume and variety of data (log data, vulnerability data / external threat feeds, flow data, full packet capture, unstructured / external data) and increasing sophistication of analytics (search, pattern detection, reporting, rules, out-of-the-box analytics, platform for custom analytics).
Evolving to meet current and future security operations needs with cognitive-enabled cyber security
Figure: analytic capability progresses from Grep to Search, Pattern Matching, Correlation and rules, Behavioral Analytics and finally Cognition, as data volumes, variety and complexity increase and attack and threat sophistication increases. The earlier stages deliver recognition of threats and risks; cognition adds reasoning about threats and risks.
• Helping security teams not only detect where the threat is but also resolve the what, how, why, when and who, to improve the overall incident response timeline
• Cognitive traits: language comprehension, deductive reasoning and self-learning
Introducing and understanding Cognitive Security
Cognitive security provides the ability to unlock and act on the potential in all data, internal and external, structured and unstructured. It connects obscure data points humans couldn't possibly spot, enabling enterprises to detect and respond to threats more quickly and accurately, becoming more knowledgeable through the cognitive power to understand, reason and learn.
Applying Cognitive Security
Cognitive Tasks of a Security Analyst in Investigating an Incident
Gain local context leading to the incident:
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
Gather the threat research, develop expertise:
• Search for these outliers / indicators using X-Force Exchange + Google + VirusTotal + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOCs (indicators of compromise) from additional web searches
Apply the intelligence and investigate the incident:
• Investigate the gathered IOCs locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs
Time-consuming threat analysis: there's got to be an easier way!
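The manual workflow listed above, as an added example in Python that is not code from the deck, IBM or SCANA: it extracts indicators from the offense's events, looks them up, expands the set through the malware family they name (the step the SCANA slides later describe as Watson going from a handful of indicators to 50+), and sweeps local logs for other internal hosts. Every event, log line, reputation record and family relationship is constructed; the internal-network ranges, the field names (src, dst, host, dns_query, md5) and the THREAT_INTEL and FAMILY_IOCS tables are assumptions standing in for QRadar events and X-Force Exchange / VirusTotal lookups.

```python
"""IOC pivot-and-sweep: the manual analyst workflow from the slide, in code.
Added example, not from the RSAC deck, IBM or SCANA; all data below is constructed."""
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events behind one QRadar-style offense, as space-separated key=value pairs.
INCIDENT_EVENTS = [
    "2017-02-13T10:02:11Z src=10.1.4.22 dst=198.51.100.17 dport=443 action=allow",
    "2017-02-13T10:02:14Z src=10.1.4.22 dns_query=update-checker.example.net",
    "2017-02-13T10:03:05Z host=10.1.4.22 file=C:\\Users\\bob\\AppData\\svc.exe md5=0123456789abcdef0123456789abcdef",
]
# Constructed reputation lookups (stand-in for X-Force Exchange / VirusTotal results).
THREAT_INTEL = {
    "198.51.100.17": {"verdict": "botnet C2", "family": "ExampleBot"},
    "update-checker.example.net": {"verdict": "malware distribution", "family": "ExampleBot"},
    "0123456789abcdef0123456789abcdef": {"verdict": "malware sample", "family": "ExampleBot"},
}
# Constructed family-level relationships: the additional indicators that threat
# research (or a knowledge graph such as Watson's) surfaces once the family is named.
FAMILY_IOCS = {"ExampleBot": {
    "ip": {"198.51.100.17", "198.51.100.23"},
    "domain": {"update-checker.example.net", "cdn-sync.example.org"},
    "md5": {"0123456789abcdef0123456789abcdef", "fedcba9876543210fedcba9876543210"},
}}
# Constructed local log corpus to sweep for other affected hosts.
LOCAL_LOGS = [
    "2017-02-13T09:40:01Z src=10.1.7.9 dst=198.51.100.23 dport=443 action=allow",
    "2017-02-13T09:41:30Z src=10.1.7.9 dns_query=cdn-sync.example.org",
    "2017-02-13T09:55:12Z src=10.2.0.41 dns_query=CDN-SYNC.example.org",
    "2017-02-13T10:02:11Z src=10.1.4.22 dst=198.51.100.17 dport=443 action=allow",
    "2017-02-13T10:10:45Z src=10.3.3.3 dst=203.0.113.80 dport=80 action=allow",
    "2017-02-13T10:12:00Z host=10.5.5.5 file=C:\\Temp\\svc.exe md5=FEDCBA9876543210FEDCBA9876543210",
]

def parse_event(line):
    """'k=v k=v ...' -> dict; the leading timestamp has no '=' and is skipped."""
    return dict(token.split("=", 1) for token in line.split() if "=" in token)

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostnames or junk are not internal addresses
        return False
    return any(addr in net for net in INTERNAL_NETS)

def extract_indicators(events):
    """Pivot on the incident data: external IPs, queried domains and file hashes."""
    found = {"ip": set(), "domain": set(), "md5": set()}
    for ev in map(parse_event, events):
        for key in ("src", "dst"):
            if key in ev and not is_internal(ev[key]):
                found["ip"].add(ev[key])
        if "dns_query" in ev:
            found["domain"].add(ev["dns_query"].lower())
        if "md5" in ev:
            found["md5"].add(ev["md5"].lower())
    return found

def enrich(indicators, intel):
    """Look each indicator up; return the hits and the malware families they name."""
    hits, families = {}, set()
    for kind, values in indicators.items():
        for value in values:
            record = intel.get(value)
            if record:
                hits[value] = dict(record, kind=kind)
                families.add(record["family"])
    return hits, families

def expand(indicators, families, family_iocs):
    """Gather IOCs: observed indicators plus everything known for each named family."""
    expanded = {kind: set(values) for kind, values in indicators.items()}
    for family in families:
        for kind, values in family_iocs.get(family, {}).items():
            expanded.setdefault(kind, set()).update(values)
    return expanded

def sweep(logs, iocs):
    """Investigate IOCs locally: map each internal host to the IOCs it touched."""
    watch = set().union(*iocs.values())
    touched = defaultdict(set)
    for ev in map(parse_event, logs):
        host = ev.get("src") or ev.get("host")
        if host and is_internal(host):
            for value in (ev.get("dst"), ev.get("dns_query"), ev.get("md5")):
                if value and value.lower() in watch:
                    touched[host].add(value.lower())
    return dict(touched)

def investigate(events, logs, intel=THREAT_INTEL, family_iocs=FAMILY_IOCS):
    """Run the workflow; 'affected_hosts_naive' sweeps with only the offense's own indicators."""
    observed = extract_indicators(events)
    hits, families = enrich(observed, intel)
    expanded = expand(observed, families, family_iocs)
    return {"observed": observed, "intel_hits": hits, "families": families,
            "expanded": expanded, "affected_hosts": sweep(logs, expanded),
            "affected_hosts_naive": sweep(logs, observed)}

if __name__ == "__main__":
    r = investigate(INCIDENT_EVENTS, LOCAL_LOGS)
    print("families:", sorted(r["families"]), "| hosts without research:",
          sorted(r["affected_hosts_naive"]), "| with research:", sorted(r["affected_hosts"]))
```

The difference between affected_hosts_naive and affected_hosts is the point of the research step: with only the three indicators the offense itself exposed, the sweep finds just the original host, while the family-expanded set also surfaces the hosts talking to related infrastructure or carrying a sibling sample. A reputation hit is not proof of compromise; each host the sweep returns is the seed for another investigation, which is the slide's last bullet.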
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped
Traditional security data (examples include):
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
Human-generated knowledge, a universe of security knowledge that is dark to your defenses (examples include):
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
Typical organizations leverage only 8% of this content*
The Foundation of Cognitive Security
A Glimpse into the Brain of Watson for Cyber Security
• Constantly accumulates and updates its information to evolve its knowledge base
• Explores its knowledge to confidently highlight risk from suspicious or malicious activities
• Assembles insights crucial to performing root-cause analysis
• Deduces relationships and patterns that are hard, if not impossible, to derive manually
• Learns, adapts and never forgets
Applying Cognitive Security to Empower Security Analysts
Security Analysts:
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configure and tune security infrastructure
• Other
Security Analytics:
• Correlate data
• Identify patterns
• Establish thresholds
• Enforce policies
• Detect anomalies
• Prioritize incidents
Watson for Cyber Security:
• Deliver security knowledge
• Identify threats
• Reveal additional indicators
• Surface or derive relationships
• Present evidence
QRadar Advisor:
• Perform local data mining
• Employ Watson for Cyber Security for threat research
• Qualify and relate threat research to security incidents
• Present findings
Initial Objectives and Goals of Cognitive Security
• Consult more information sources than humanly possible to accurately assess a security incident
• Maintain the currency of security knowledge
• Remove human error and dependency on research skills
• Reduce time required to investigate and respond to security incidents
• Allow for repeating analysis as the incident develops or new intelligence becomes available
Cognitive Security in Action @ SCANA
About SCANA Corporation
Headquartered in Cayce, South Carolina, SCANA is an energy-based holding company that has brought power and fuel to homes in the Carolinas and Georgia for 160 years.
SCANA is principally engaged, through subsidiaries, in regulated electric and natural gas utility operations and other non-regulated energy-related businesses in South Carolina, North Carolina and Georgia.
Major Subsidiaries - SCE&G, PSNC Energy, and SCANA Energy
SOC Environment at SCANA
• SCANA uses QRadar as our SIEM
• Multiple deployments: separate instances for SCADA / Operational Technology
• 24x7x365 staffing in the SOC, in shifts of analysts
— Normal hours: architects and most experienced staff
— Shifts: Level 1, 2 and 3 with a Level 4 or 5 shift leader and on-call support
• Different backgrounds: Network/Server teams and Corporate/Military
• Standard processes are followed, but research can fall out of the process
• Consistency is a challenge
• Fines of up to 1 million dollars a day for security issues (CIP)
Client Connecting to Botnet IP
• QRadar fired an offense on a user attempting to connect to a botnet IP
• Analyst found 5 correlated indicators manually while we ran Watson
• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses, domains
Figure: Watson indicators for the botnet IP
External Scan
• Light external scanning; looked like Shodan
• Analyst would have marked it as a nuisance scan
• Watson revealed additional info: botnet CNC, SPAM servers, malware hosting
Figure: Watson key indicators for the External Scan offense
Client Malware Download
• Client attempted a malware download; the malware was blocked
• How much time do you spend on a blocked threat?
• Watson enriched the offense: the malware was part of a larger campaign
• Analysts used the additional indicators to search for compromise
Figure: Watson key indicators for the Client Malware Download offense
All Indicators – Watson took 5 minutes
What has SCANA gained from Watson?
Speed
• Level 1 and 2 analysts can quickly see the scope of an issue
• Average initial investigation time without Watson: 50 minutes
— Searching reputation (X-Force, VirusTotal, etc.)
— Reading articles
— Investigating threat feed hits
• Average initial investigation time with Watson: 10 minutes
— About 5 minutes for Watson and 5 minutes to review
Consistency
• Analysts use different information sources based on their preference
• Watson gives more consistent information from more sources
Insight
• Correlation: too much data for an analyst to grasp
• Watson gives a quick visual view showing connections
Thank you! Questions, anyone?