#RSAC
SESSION ID: SPO3-W03
Applied Cognitive Security: Complementing the Security Analyst
Vijay Dheap, Program Director – Cognitive Security, IBM Security, @dheap
Brant Hale, Technology Consultant, SCANA, @BrantMHale
Economics of Cyber Security are Unsustainable
Quick Insights: Current Security Status
(Chart: Threats, Alerts, Available analysts, Knowledge required, Available time)
Defending organizations:
• Must defend against multiple threat actors
• Must constantly maintain and monitor defensive measures
• Greater demand for skilled resources increases costs
• Accuracy and responsiveness are essential
Threat actors:
• Can target multiple vulnerable organizations
• Identify and exploit a single lapse in defensive measures
• Tools and services reduce the skills required to engage in malicious activities
• Option to employ multiple methods of attack over a period of time
IBM Cognitive Security Study Revealed Gaps Security Teams Want to Address
Intelligence gap
• #1 most challenging area due to insufficient resources is threat research (65% selecting)
• #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)
Speed gap
• The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time
• This is despite the fact that 80% said their incident response speed is much faster than two years ago
Accuracy gap
• #2 most challenging area today is optimizing alert accuracy (too many false positives)
• #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)
Addressing gaps while managing cost and ROI pressures
Evolution of Security Operations
• To gain awareness of the current state of an organization’s security posture requires data and analytics
• Traditional teams limit their focus to internal security data with minimal use of external knowledge
(Chart: platform generations plotted against Increasing Sophistication of Analytics and Increasing Volume and Variety of Data)
• Platform generations: Log Mgmt., 1st Gen SIEM / 1st Generation Forensics, 2nd Gen SIEM / Advanced Cyber Forensics, Modern Security Intelligence Platform
• Analytics capabilities: Search, Reporting, Rules, Pattern Detection, Out-of-the-box Analytics, Platform for Custom Analytics
• Data sources: Log Data, Flow Data, Full Packet Capture, Vulnerability Data / External Threat Feeds, Unstructured / External Data
Evolving to meet current and future security operations needs with cognitive-enabled cyber security
Helping security teams not only detect where the threat is but also resolve the what, how, why, when and who to improve the overall incident response timeline
(Chart: analytic approaches plotted against Increasing attack and threat sophistication and Increasing data volumes, variety and complexity)
• Progression of approaches: Grep and Search, Pattern Matching, Correlation and rules, Behavioral Analytics, Cognition
• Cognition covers both recognition of threats and risks and reasoning about threats and risks
Cognitive Traits:
• language comprehension
• deductive reasoning and
• self-learning
Introducing and understanding Cognitive Security
COGNITIVE SECURITY
Cognitive security provides the ability to unlock and action the potential in all data, internal and external, structured and unstructured. It connects obscure data points humans couldn’t possibly spot, enabling enterprises to more quickly and accurately detect and respond to threats, becoming more knowledgeable through the cognitive power to understand, reason and learn.
Applying Cognitive Security
Cognitive Tasks of a Security Analyst in Investigating an Incident
Gain local context leading to the incident
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
Gather the threat research, develop expertise
• Search for these outliers / indicators using X-Force Exchange + Google + VirusTotal + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches
Apply the intelligence and investigate the incident
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs
Time consuming threat analysis: there’s got to be an easier way!
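As an added illustration of the three analyst phases above (not code from the presentation, IBM or SCANA), the following Python sketch pulls indicators out of constructed QRadar-style events, enriches them against a constructed local threat-intel table that stands in for X-Force Exchange and VirusTotal lookups, and pivots back into the events to find other internal hosts touching the same campaign's indicators. The key=value event format, the 10.0.0.0/8 internal range and the intel entries are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified QRadar-like key=value form (not real data).
EVENTS = [
    "src=10.1.4.22 dst=198.51.100.7 dstport=443 dom=update-cdn.example",
    "src=10.1.4.22 dst=203.0.113.9 dstport=80 dom=files.example.net md5=0bee89b07a248e27c83fc3d5951213c1",
    "src=10.1.9.3 dst=198.51.100.7 dstport=443 dom=update-cdn.example",
    "src=10.2.0.15 dst=192.0.2.44 dstport=8080 dom=stats.example.org",
    "src=10.1.7.8 dst=192.0.2.44 dstport=8080 dom=stats.example.org",
]
# Constructed stand-in for external research (X-Force Exchange, VirusTotal, articles):
# a known-bad indicator maps to a malware name and the campaign's other indicators.
THREAT_INTEL = {
    "198.51.100.7": {"malware": "ExampleBot", "related": ["stats.example.org", "192.0.2.44"]},
    "0bee89b07a248e27c83fc3d5951213c1": {"malware": "ExampleBot", "related": ["files.example.net"]},
}
IOC_RE = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[0-9a-f]{32}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}

def extract_indicators(event):
    """Pull candidate IOCs (IPs, MD5s, domains) out of one event line."""
    return {(kind, m) for kind, rx in IOC_RE.items() for m in rx.findall(event)}

def is_internal(ip):
    return ip.startswith("10.")   # assumption: 10.0.0.0/8 is the internal range

def pivot(events, wanted):
    """Map each wanted indicator value to the internal source IPs that touched it."""
    hits = defaultdict(set)
    for ev in events:
        src = re.search(r"src=(\S+)", ev).group(1)
        for _, value in extract_indicators(ev):
            if value in wanted and is_internal(src):
                hits[value].add(src)
    return hits

def investigate(offense_event, events, intel):
    """Local context -> threat research -> apply intelligence, as on the slide."""
    local = {v for _, v in extract_indicators(offense_event) if not is_internal(v)}
    research = {v: intel[v] for v in local if v in intel}
    campaign = set(local)
    for r in research.values():
        campaign.update(r["related"])   # the few offense IOCs grow into the campaign's IOC set
    hosts = pivot(events, campaign)     # other internal IPs touching the same IOCs
    return {"malware": sorted({r["malware"] for r in research.values()}),
            "campaign_iocs": sorted(campaign),
            "affected_hosts": sorted({h for hs in hosts.values() for h in hs})}
```

Running `investigate(EVENTS[0], EVENTS, THREAT_INTEL)` starts from the single offense on 10.1.4.22 and, after enrichment, surfaces three further internal hosts that were only reachable via the campaign's related indicators, which is the "start another investigation around each of these IPs" step.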
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped
Traditional Security Data
• Security events and alerts
• User and network activity
• Logs and configuration data
• Threat and vulnerability feeds
Human Generated Knowledge
A universe of security knowledge, dark to your defenses. Typical organizations leverage only 8% of this content*
Examples include:
• Research documents
• Conference presentations
• Blogs
• Forensic information
• Analyst reports
• News sources
• Threat intelligence commentary
• Webpages
• Newsletters
• Wikis
• Tweets
• Industry publications
The Foundation of Cognitive Security
A Glimpse into the Brain of Watson for Cyber Security
• Constantly accumulates and updates its information to evolve its knowledge base
• Explores its knowledge to confidently highlight risk from suspicious or malicious activities
• Assembles insights crucial to performing root-cause analysis
• Deduces relationships and patterns that are hard if not impossible to do manually
• Learns, adapts and never forgets
Applying Cognitive Security to Empower Security Analysts
Security Analysts
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configure and tune security infrastructure
• Other
Watson for Cyber Security
• Deliver security knowledge
• Identify Threats
• Reveal additional indicators
• Surface or derive relationships
• Present evidence
Security Analytics
• Correlate data
• Identify patterns
• Establish Thresholds
• Enforce Policies
• Detect Anomalies
• Prioritize Incidents
QRadar Advisor
• Perform local data mining
• Employ Watson for Cyber Security for threat research
• Qualify and relate threat research to security incidents
• Present findings
Initial Objectives and Goals of Cognitive Security
• Consult more information sources than humanly possible to accurately assess a security incident
• Maintain the currency of security knowledge
• Remove human error and dependency on research skills
• Reduce time required to investigate and respond to security incidents
• Allow for repeating analysis as the incident develops or new intelligence becomes available
Cognitive Security in Action @ SCANA
About SCANA Corporation
Headquartered in Cayce, South Carolina, SCANA is an energy-based holding company that has brought power and fuel to homes in the Carolinas and Georgia for 160 years. SCANA is principally engaged, through subsidiaries, in regulated electric and natural gas utility operations and other non-regulated energy-related businesses in South Carolina, North Carolina and Georgia.
Major Subsidiaries – SCE&G, PSNC Energy, and SCANA Energy
SOC Environment at SCANA
• SCANA uses QRadar as our SIEM
• Multiple Deployments – separate instances for SCADA / Operational Technology
• 24x7x365 staffing in the SOC
• Shifts of analysts
— Normal hours – Architects and most experienced staff
— Shifts – Level 1, 2, and 3 with Level 4 or 5 Shift leader and on call support
• Different backgrounds – Network/Server teams and Corporate/Military
• Standard processes are followed but research can fall out of the process
• Consistency is a challenge
• Fines of up to 1 million dollars a day for security issues (CIP)
Client Connecting to Botnet IP
(Watson Indicators graph, centred on the Botnet IP)
• QRadar fired an offense on a user attempting to connect to a botnet IP
• Analyst found 5 correlated indicators manually while we ran Watson
• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses, domains
External Scan
(Watson Key Indicators graph)
• Offense – External Scan
• Light external scanning; looked like Shodan
• Analyst would have marked as nuisance scan
• Watson revealed additional info: Botnet CNC, SPAM servers, malware hosting
Client Malware Download
(Watson Key Indicators graph)
• Client attempted malware download; malware was blocked
• How much time do you spend on a blocked threat?
• Watson enriched: malware was part of a larger campaign
• Analysts used additional indicators to search for compromise
All Indicators – Watson took 5 minutes
What has SCANA gained from Watson?
Speed
• Level 1 and 2 Analysts can quickly see scope of issue
• Average initial investigation time without Watson – 50 minutes
— Searching reputation (X-Force, VirusTotal, etc.)
— Reading articles
— Investigating threat feed hits
• Average initial investigation time with Watson – 10 minutes
— About 5 minutes for Watson and 5 minutes to review
Consistency
• Analysts use different information sources based on their preference
• Watson gives more consistent information from more sources
Insight
• Correlation – too much data for an analyst to grasp
• Watson gives a quick visual view showing connections
Thank you! …Questions Anyone?