Applied Cognitive Security: Complementing the Security Analyst

Page 1:

#RSAC

Applied Cognitive Security: Complementing the Security Analyst

Session ID: SPO3-W03

Vijay Dheap, Program Director – Cognitive Security, IBM Security, @dheap

Brant Hale, Technology Consultant, SCANA, @BrantMHale

Page 2:

Quick Insights: Current Security Status

[Chart: threats and alerts growing against available analysts, required knowledge and available time]

Economics of Cyber Security are Unsustainable

Defenders:

• Must defend against multiple threat actors

• Must constantly maintain and monitor defensive measures

• Greater demand for skilled resources increases costs

• Accuracy and responsiveness are essential

Attackers:

• Can target multiple vulnerable organizations

• Need only identify and exploit a single lapse in defensive measures

• Tools and services reduce the skills required to engage in malicious activities

• Can employ multiple methods of attack over a period of time

Page 3:

IBM Cognitive Security Study Revealed Gaps Security Teams Want to Address

Speed gap:

• The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time

• This is despite the fact that 80% said their incident response speed is much faster than two years ago

Accuracy gap:

• The #2 most challenging area today is optimizing alert accuracy (too many false positives)

• The #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)

Intelligence gap:

• The #1 most challenging area due to insufficient resources is threat research (65% selecting)

• The #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)

Addressing these gaps while managing cost and ROI pressures

Page 4:

Evolution of Security Operations

• Gaining awareness of the current state of an organization's security posture requires data and analytics

• Traditional teams limit their focus to internal security data, with minimal use of external knowledge

[Figure: increasing sophistication of analytics (Search, Pattern Detection, Rules, Reporting, Out-of-the-box Analytics, Platform for Custom Analytics) plotted against increasing volume and variety of data (Log Data, Flow Data, Vulnerability Data / External Threat Feeds, Full Packet Capture, Unstructured / External Data); the generations along the curve are Log Mgmt., 1st Gen SIEM, 2nd Gen SIEM, 1st Generation Forensics, Advanced Cyber Forensics and Modern Security Intelligence Platform]

Page 5:

Evolving to meet current and future security operations needs with cognitive-enabled cyber security

[Figure: stages of analytic capability, plotted against increasing data volumes, variety and complexity (x-axis) and increasing attack and threat sophistication (y-axis): Grep, Search, Pattern Matching, Correlation and rules, Behavioral Analytics, Cognition. The figure contrasts recognition of threats and risks with reasoning about threats and risks.]

Reasoning about threats and risks: helping security teams not only detect where the threat is but also resolve the what, how, why, when and who, to improve the overall incident response timeline.

Cognitive traits:

• language comprehension

• deductive reasoning

• self-learning

Page 6:

Introducing and understanding Cognitive Security

Cognitive security provides the ability to unlock and act on the potential in all data, internal and external, structured and unstructured. It connects obscure data points humans could not possibly spot, enabling enterprises to detect and respond to threats more quickly and accurately, and to become more knowledgeable through the cognitive power to understand, reason and learn.

Page 7:

Applying Cognitive Security

Page 8:

Cognitive Tasks of a Security Analyst in Investigating an Incident

• Review the incident data

• Review the outlying events for anything interesting (domains, MD5s and similar)

• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)

• Expand your search to capture more data around that incident

• Search for these outliers / indicators using X-Force Exchange, Google, VirusTotal and your favorite tools

• Discover new malware is at play

• Get the name of the malware

• Gather IOC (indicators of compromise) from additional web searches

• Investigate gathered IOC locally

• Find other internal IPs that are potentially infected with the same malware

• Qualify the incident based on insights gathered from threat research

• Start another investigation around each of these IPs

Time-consuming threat analysis. There's got to be an easier way!

The three phases of the investigation above:

• Gain local context leading to the incident

• Gather the threat research, develop expertise

• Apply the intelligence and investigate the incident

Page 9:

A tremendous amount of security knowledge is created for human consumption, but most of it is untapped

A universe of security knowledge. Dark to your defenses: typical organizations leverage only 8% of this content*

Traditional Security Data:

• Security events and alerts

• Logs and configuration data

• User and network activity

• Threat and vulnerability feeds

Human Generated Knowledge, examples include:

• Research documents

• Industry publications

• Forensic information

• Threat intelligence commentary

• Conference presentations

• Analyst reports

• Webpages

• Wikis

• Blogs

• News sources

• Newsletters

• Tweets

Page 10:

The Foundation of Cognitive Security

Page 11:

A Glimpse into the Brain of Watson for Cyber Security

Constantly accumulates and updates its information to evolve its knowledge base

Explores its knowledge to confidently highlight risk from suspicious or malicious activities

Assembles insights crucial to performing root-cause analysis

Deduces relationships and patterns that are hard if not impossible to do manually

Learns, adapts and never forgets

Page 12:

Applying Cognitive Security to Empower Security Analysts

Security Analysts:

• Manage alerts

• Research security events and anomalies

• Evaluate user activity and vulnerabilities

• Configure and tune security infrastructure

• Other

Security Analytics:

• Correlate data

• Identify patterns

• Establish thresholds

• Enforce policies

• Detect anomalies

• Prioritize incidents

Watson for Cyber Security:

• Deliver security knowledge

• Identify threats

• Reveal additional indicators

• Surface or derive relationships

• Present evidence

QRadar Advisor:

• Perform local data mining

• Employ Watson for Cyber Security for threat research

• Qualify and relate threat research to security incidents

• Present findings

Page 13:

Initial Objectives and Goals of Cognitive Security

• Consult more information sources than humanly possible to accurately assess a security incident

• Maintain the currency of security knowledge

• Remove human error and dependency on research skills

• Reduce time required to investigate and respond to security incidents

• Allow for repeating analysis as the incident develops or new intelligence becomes available


Page 14:

Cognitive Security in Action @ SCANA

About SCANA Corporation

Headquartered in Cayce, South Carolina, SCANA is an energy-based holding company that has brought power and fuel to homes in the Carolinas and Georgia for 160 years.

SCANA is principally engaged, through subsidiaries, in regulated electric and natural gas utility operations and other non-regulated energy-related businesses in South Carolina, North Carolina and Georgia.

Major Subsidiaries - SCE&G, PSNC Energy, and SCANA Energy


Page 15:

SOC Environment at SCANA

• SCANA uses QRadar as our SIEM

• Multiple deployments: separate instances for SCADA / Operational Technology

• 24x7x365 staffing in the SOC

• Shifts of analysts

— Normal hours: architects and most experienced staff

— Shifts: Level 1, 2 and 3 analysts with a Level 4 or 5 shift leader and on-call support

— Different backgrounds: network/server teams, corporate and military

• Standard processes are followed, but research can fall outside the process

• Consistency is a challenge

• Fines of up to 1 million dollars a day for security issues (NERC CIP)

Page 16:

Client Connecting to Botnet IP

• QRadar fired an offense on a user attempting to connect to a botnet IP

• The analyst found 5 correlated indicators manually while we ran Watson

• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses and domains

[Figure: Watson indicators for the botnet IP]

Page 17:

External Scan

• Light external scanning that looked like Shodan

• An analyst would have marked it as a nuisance scan

• Watson revealed additional information about the scanning source: botnet C&C, spam servers, malware hosting

[Figure: Watson key indicators for the External Scan offense]

Page 18:

Client Malware Download

• Client attempted a malware download; the malware was blocked

• How much time do you spend on a blocked threat?

• Watson enriched the offense: the malware was part of a larger campaign

• Analysts used the additional indicators to search for compromise

[Figure: Watson key indicators for the Client Malware Download offense]
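The investigation loop on page 8 (gain local context, gather threat research, pivot on the gathered IOCs locally, open a new investigation per affected host) and the blocked-download case above, as an added example that is not code from the presentation, IBM or SCANA. Everything it runs on is constructed: the proxy log lines, the indicators (RFC 5737 addresses, .example domains, a made-up hash) and the "research" graph that stands in for what X-Force Exchange, VirusTotal or Watson would return. The names `RESEARCH_KB`, `expand_indicators`, `pivot_local` and `investigate` are chosen here, not taken from any product.

```python
"""Investigation pivot: seed indicator -> related IOCs -> other local hosts.

Added example; not code from the presentation, IBM or SCANA. Every log
line, indicator and "research" relation below is constructed for
illustration (RFC 5737 addresses, .example domains, a made-up hash).
"""
from collections import deque

DROPPER_SHA256 = "3fa2b6c1d9e47f0083b2a1c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f809"  # constructed

# Constructed stand-in for threat research (X-Force Exchange, VirusTotal,
# blog posts): indicator -> indicators that research ties to it. In the
# talk this is the step Watson automates; here it is a hand-written graph.
RESEARCH_KB = {
    "203.0.113.10": {"cnc.example"},                    # botnet IP: research names its C2 domain
    "cnc.example": {"198.51.100.7", DROPPER_SHA256},    # the domain's other IP and the dropper it served
    DROPPER_SHA256: {"stage2.example"},                 # the dropper fetches its second stage here
}

# Constructed proxy/firewall events in key=value form. 'host' is the HTTP
# Host / SNI; 'sha256' is present only when the proxy hashed a download.
# Note the blocked download on 10.20.3.77 (the page-18 situation).
LOG_LINES = [
    "2017-02-14T09:12:01Z src=10.20.1.15 dst=203.0.113.10 dport=443 host=cnc.example action=allow",
    "2017-02-14T09:12:05Z src=10.20.1.15 dst=192.0.2.10 dport=443 host=www.example action=allow",
    "2017-02-14T09:30:44Z src=10.20.2.8 dst=198.51.100.7 dport=80 host=cnc.example action=allow",
    f"2017-02-14T10:02:13Z src=10.20.3.77 dst=192.0.2.44 dport=80 host=stage2.example sha256={DROPPER_SHA256} action=block",
    "2017-02-14T10:05:00Z src=10.20.4.4 dst=192.0.2.99 dport=443 host=news.example action=allow",
]


def parse_event(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def event_indicators(event):
    """The pivotable fields of one event: destination IP, domain, file hash."""
    return {event[k] for k in ("dst", "host", "sha256") if k in event}


def expand_indicators(seed, kb, max_depth=2):
    """Breadth-first walk of the research graph from the seed indicator.

    max_depth bounds how far "related to something related to the seed"
    may go; unbounded expansion quickly pulls in noise.
    """
    seen = {seed}
    queue = deque([(seed, 0)])
    while queue:
        indicator, depth = queue.popleft()
        if depth == max_depth:
            continue
        for related in kb.get(indicator, ()):
            if related not in seen:
                seen.add(related)
                queue.append((related, depth + 1))
    return seen


def pivot_local(events, iocs):
    """Which internal sources touched any of the expanded indicators.

    A blocked download still counts: the host asked for the payload, so it
    is part of the campaign's footprint even though the file never landed.
    """
    hosts = {}
    for ev in events:
        hits = event_indicators(ev) & iocs
        if hits:
            hosts.setdefault(ev["src"], set()).update(hits)
    return {src: sorted(hits) for src, hits in sorted(hosts.items())}


def investigate(seed, lines, kb, offense_src, max_depth=2):
    """Run the page-8 loop once: research the seed, then search locally."""
    iocs = expand_indicators(seed, kb, max_depth)
    hosts = pivot_local([parse_event(line) for line in lines], iocs)
    return {
        "seed": seed,
        "iocs": sorted(iocs),
        "hosts": hosts,
        # each of these becomes its own investigation, as the slide says
        "follow_up": [src for src in hosts if src != offense_src],
    }


if __name__ == "__main__":
    report = investigate("203.0.113.10", LOG_LINES, RESEARCH_KB, offense_src="10.20.1.15")
    print(f"seed {report['seed']} expanded to {len(report['iocs'])} indicators")
    for src, hits in report["hosts"].items():
        print(f"  {src}: {', '.join(hits)}")
    print("follow-up investigations:", report["follow_up"])
```

The depth bound is the knob that turns the "5 indicators found manually" into the "50+ found by Watson" from page 16: with `max_depth=1` only the C2 domain is added to the seed and the blocked download on the third host is never connected to the offense; at depth 2 the dropper hash links it, and that host joins the follow-up list even though its download was blocked.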

Page 19:

All Indicators – Watson took 5 minutes

Page 20:

What has SCANA gained from Watson?

Speed

• Level 1 and 2 analysts can quickly see the scope of an issue

• Average initial investigation time without Watson: 50 minutes

— Searching reputation (X-Force, VirusTotal, etc.)

— Reading articles

— Investigating threat feed hits

• Average initial investigation time with Watson: 10 minutes

— About 5 minutes for Watson and 5 minutes to review

Consistency

• Analysts use different information sources based on their preference

• Watson gives more consistent information from more sources

Insight

• Correlation: too much data for an analyst to grasp

• Watson gives a quick visual view showing connections

Page 21:

Thank you! … Questions, anyone?