Applied Cognitive Security: Complementing the Security Analyst
Session SPO3-W03
Vijay Dheap, Program Director – Cognitive Security, IBM Security, @dheap
Brant Hale, Systems Analyst VI, SCANA, @BrantMHale

Economics of Cyber Security are Unsustainable
IBM Cognitive Security Study Revealed Gaps Security Teams Want to Address
Three gaps: Accuracy gap, Intelligence gap, Speed gap
• #2 most challenging area today is optimizing the accuracy of alerts (too many false positives)
• #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)
• #1 most challenging area due to insufficient resources is threat research (65% selecting)
• #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)
• The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time
• This is despite the fact that 80% said their incident response speed is much faster than two years ago
Addressing gaps while managing cost and ROI pressures
Evolution of Security Operations
• To gain awareness of the current state of an organization's security posture requires data and analytics
• Traditional teams limit their focus to internal security data with minimal use of external knowledge
[Chart: progression from Log Management and 1st Gen SIEM, through 1st Generation Forensics and 2nd Gen SIEM, to Advanced Cyber Forensics and the Modern Security Intelligence Platform; axes: increasing sophistication of analytics vs. increasing volume and variety of data]
Evolving to meet current and future security operations needs with cognitive-enabled cyber security
Helping security teams not only detect where the threat is but also resolve the what, how, why, when and who to improve the overall incident response timeline
Cognitive security solutions harness the power of language comprehension in performing threat research, and apply deductive reasoning and self-learning capabilities to direct security practitioners to contextually relevant information and deliver advice on the course of action
[Chart: progression from Grep, Search and Pattern Matching, through Correlation and rules and Behavioral Analytics (recognition of threats and risks), to Cognition (reasoning about threats and risks); axes: increasing attack and threat sophistication vs. increasing data volumes, variety and complexity]
Introducing and understanding Cognitive Security
Cognitive security provides the ability to unlock and action the potential in all data, internal and external, structured and unstructured. It connects obscure data points humans couldn't possibly spot, enabling enterprises to more quickly and accurately detect and respond to threats, becoming more knowledgeable through the cognitive power to understand, reason and learn.
Cognitive Tasks of a Security Analyst in Investigating an Incident
• Gain local context leading to the incident
• Gather the threat research, develop expertise
• Apply the intelligence and investigate the incident
Time-consuming threat analysis. There's got to be an easier way!
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped
Traditional Security Data
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
A universe of security knowledge, dark to your defenses. Typical organizations leverage only 8% of this content*
Human Generated Knowledge. Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
The Foundation of Cognitive Security: Watson for Cyber Security (UNDERSTAND | REASON | LEARN)
• Ingests external publicly available security content: security information from millions of sources (blogs, academic articles, research reports, etc.) is curated for the system, and aggregate sources of structured threat intelligence feeds are also made available to the system
• Performs natural language processing: the system is taught the language of security through natural language processing of security content
• Learns and assimilates security concepts and relationships: the system then derives and maintains knowledge from all the accumulated information
• Gains new knowledge through machine learning and accepts feedback to improve its knowledge analysis
• Given a set of indicators, it can explore its knowledge base to deliver insights: provided a set of observations, the system explores and analyzes its security knowledge base to deliver tailored threat research
• Presents evidence in the form of related indicators
A Glimpse into the Brain of Watson for Cyber Security
• Constantly accumulates and updates its information to evolve its knowledge base
• Explores its knowledge to confidently highlight risk from suspicious or malicious activities
• Assembles insights crucial to performing root-cause analysis
• Deduces relationships and patterns that are hard if not impossible to do manually
• Learns, adapts and never forgets
Applying Cognitive Security to Empower Security Analysts
Security Analysts (SECURITY ANALYSTS)
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configuration
• Other
Security Analytics, QRadar (SECURITY ANALYTICS)
• Data correlation
• Pattern identification
• Thresholds
• Policies
• Anomaly detection
• Prioritization
QRadar Watson Advisor (DATA MINING | KEY INSIGHTS)
• Local data mining
• Perform threat research using Watson for Cyber Security
• Qualify and relate threat research to security incidents
• Present findings
Watson for Cyber Security (UNDERSTAND | REASON | LEARN)
• Security knowledge
• Threat identification
• Reveal additional indicators
• Surface or derive relationships
• Evidence
Initial Objectives and Goals of Cognitive Security
• Consult more information sources than humanly possible to accurately assess a security incident
• Maintain the currency of security knowledge
• Remove human error and dependency on research skills
• Reduce time required to investigate and respond to security incidents
• Allow for repeating analysis as the incident develops or new intelligence becomes available
Cognitive Security in Action @ SCANA
About SCANA Corporation
• Headquartered in Cayce, South Carolina, SCANA is an energy-based holding company that has brought power and fuel to homes in the Carolinas and Georgia for 160 years.
• SCANA is principally engaged, through subsidiaries, in regulated electric and natural gas utility operations and other non-regulated energy-related businesses in South Carolina, North Carolina and Georgia.
• Major Subsidiaries: SCE&G, PSNC Energy, and SCANA Energy
SOC Environment at SCANA
• SCANA uses QRadar as our SIEM
• Multiple deployments: separate instances for SCADA / Operational Technology
• 24x7x365 staffing in the SOC
• Shifts of analysts
  • Normal hours: Architects and most experienced staff
  • Shifts: Level 1, 2, and 3 with Level 4 or 5 shift leader and on-call support
• Different backgrounds: Network/Server teams and Corporate/Military
• Standard processes are followed but research can fall out of the process
• Consistency is a challenge
• Fines of up to 1 million dollars a day for security issues (CIP)
Client Connecting to Botnet IP
• QRadar fired an offense on a user attempting to connect to a botnet IP
• Analyst found 5 correlated indicators manually while we ran Watson
• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses, domains
[Diagram: Watson indicators related to the botnet IP]
External Scan
• Offense: external scan, light external scanning
• Looked like Shodan; analyst would have marked it as a nuisance scan
• Watson revealed additional info: botnet CNC, SPAM servers, malware hosting
[Diagram: Watson key indicators for the external scan]
Client Malware Download
• Client attempted malware download; malware was blocked
• How much time do you spend on a blocked threat?
• Watson enriched: malware was part of a larger campaign
• Analysts used additional indicators to search for compromise
[Diagram: Watson key indicators for the client malware download]
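The workflow the three SCANA cases describe, pivoting from a QRadar offense's seed indicator to related hashes, IPs and domains and then searching local data for compromise, as an added example (not SCANA's, IBM's or Watson's code; the knowledge base, indicators, documentation-range IPs, reserved domains and log lines are all constructed placeholders):

```python
from collections import deque
# Constructed sample knowledge base (not real threat intelligence): undirected
# "related to" links between (type, value) indicators, as derived from reports/feeds.
KB_EDGES = [
    (("ip", "198.51.100.10"), ("domain", "c2-one.example")),
    (("ip", "198.51.100.10"), ("domain", "c2-two.example")),
    (("domain", "c2-one.example"), ("ip", "203.0.113.7")),
    (("domain", "c2-one.example"), ("filehash", "sha256:aa11")),  # payload served
    (("filehash", "sha256:aa11"), ("emailhash", "sha256:ee22")),  # attachment dropper
    (("domain", "c2-two.example"), ("filehash", "sha256:bb33")),
    (("ip", "203.0.113.7"), ("domain", "spam-relay.example")),
]

def build_graph(edges):
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def expand_indicators(seeds, graph, max_hops=2):
    """Breadth-first pivot from the offense's seed indicators, following links up
    to max_hops away. Returns related indicators grouped by type, each with its
    hop distance as evidence of how far it sits from the observation."""
    dist = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        node = queue.popleft()
        if dist[node] >= max_hops:
            continue
        for nbr in graph.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    by_type = {}
    for (kind, value), d in dist.items():
        if d > 0:  # the seeds themselves are not "additional" indicators
            by_type.setdefault(kind, {})[value] = d
    return by_type

def sweep_logs(by_type, log_lines):
    """Search local log lines for any derived indicator (the search-for-compromise step)."""
    return [(kind, value, line) for line in log_lines
            for kind, values in by_type.items() for value in values if value in line]

SAMPLE_LOGS = [  # constructed, not from any real environment
    "proxy: host10 GET http://c2-two.example/update.bin action=ALLOW",
    "dns: host22 query spam-relay.example",
    "proxy: host31 GET http://cdn.example.net/ action=ALLOW",
]
```

Raising max_hops widens the indicator set (and the log hits) at the cost of weaker evidence per indicator, which is the trade-off an analyst reviews before acting on a distant pivot.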
What has SCANA gained from Watson?
• Speed
  • Level 1 and 2 analysts can quickly see the scope of an issue
  • Average initial investigation time without Watson: 50 minutes
    • Searching reputation (X-Force, VirusTotal, etc.)
    • Reading articles
    • Investigating threat feed hits
  • Average initial investigation time with Watson: 10 minutes
    • About 5 minutes for Watson and 5 minutes to review
• Consistency
  • Analysts use different information sources based on their preference
  • Watson gives more consistent information from more sources
• Insight
  • Correlation: too much data for an analyst to grasp
  • Watson gives a quick visual view showing connections