Upload
lamthu
View
223
Download
0
Embed Size (px)
Citation preview
Agile Security and Orchestrated ResponseIBM SECURITY SUMMIT
John Bruce
September 19 & 21, 2017
CEO and Co-Founder, IBM Resilient
• Intro to IBM Resilient
• The current security landscape
• Orchestration and Cognitive Security
• Industry use cases
Agenda
2
Resilient Use Case: Fusion Center
3
Incident Response Platform
MANUALLYINVOKED
REMEDIATION
AUTOMATIC ENRICHMENT
MANUALLY INVOKED
ENRICHMENT
Endpoint
Security
Malware
Web
Gateway
IT Help Desk
Forensics
Identity
Management
Threat Data
Vulnerability
Management
Passive DNS
Inputs/Escalation
MILLION unfilled security positions by 20201.585 security tools from 45vendors
Current Security Practices are Unsustainable
5
SECURITY ECOSYSTEM
Integrated and Intelligent Security Immune System
Criminal detection
Fraud protection
Data access control
Application security management
Applicationscanning
Data protection
Device management
Transaction protection
Content security
Malware protection
Endpoint detectionand response
Endpoint patching and management
Network forensics and threat management
Virtual patching
Firewalls
Sandboxing
Network visibility and segmentation
Access management
Identity governance and administration
Privileged user management
IDaaS
Mainframe security
Indicators of compromise
Malware analysis
Threat sharing
Vulnerability management
Security analytics
Threat and anomaly detection
Incident response
User behavior analytics
Threat hunting and investigation
6
or·ches·tra·tionˌôrkəˈstrāSHən/nounnoun: orchestration; plural noun: orchestrations1. The arrangement or scoring of music for orchestral performance. "Prokofiev's
mastery of orchestration."2. The planning or coordination of the elements of a situation to produce a
desired effect. “The orchestration of the campaign needed tightening."
7
Orchestration for an Uncertain World
8
• In an uncertain world, you achieve resilience through orchestration, not automation. • All attacks, networks, environments, organizations, and regulations are
all different. That makes it uncertain.
• Orchestration is the union of people, process, and technology. • Needs to be dynamic and agile. • Need people in charge – backed by automation where it works.
• When you cannot remove people, you need to make them successful.• Orchestration makes it possible for responders to understand what is
going on and act quickly.• Response is hand-to-hand combat – a back-and-forth battle between
attackers and responders.
12
And Then There’s Cognition
• World is adopting AI at an incredible rate.
• Attackers are already underway, flipping defense into offense.
• Imperative that we move to Cognitive Security – leveraging AI to
augment humans across the complete OODA loop.
13
TraditionalSecurity Data
A universe of security knowledge
dark to your defensesTypical organizations leverage only 8% of this content
Human-Generated Knowledge
•Security events and alerts
•Logs and configuration data
•User and network activity
•Threat and vulnerability feeds
Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence
commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
Huge Amounts of Security Knowledge is Created for Human Consumption, but Most of it is Untapped
14
What is Fed into Watson for Cyber Security
1 Week 1 Hour5 Minutes
StructuredSecurity Data
X-Force Exchange Trusted Partner Data
Open sourcePaid data
- Indicators- Vulnerabilities
- Malware names, …
- New actors- Campaigns- Malware outbreaks- Indicators, …
- Course of action- Actors
- Trends- Indicators, …
Crawl of CriticalUnstructured Security Data
Massive Crawl of all SecurityRelated Data on Web
Breach replies
Attack write-upsBest practices
BlogsWebsitesNews, …
Filtering + Machine Learning
Removes Unnecessary Information
Machine Learning / Natural Language Processing
Extracts and Annotates Collected Data
Billions ofData Elements
Millions of Documents
5-10 updates/hour! 100K updates/week!
3:1 Reduction
Massive Security Knowledge GraphBillions of Nodes/Edges
15
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches
• Investigate gathered IOC locally
• Find other internal IPs are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs
Time consuming
threat analysis
There’s got to be an easier way!
Apply the intelligence and investigate the incident
Gather the threat research, develop expertise
Gain local context leading to the incident
Cognitive Tasks of a Security Analyst in Investigating an Incident
16
• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes
NEW! IBM QRadar Watson Advisor
Cognitive Security Starts Here
IBM Security Introduces a Revolutionary Shift in Security Operations
17
Closing Thoughts
• We’re in the decade of response.
• Orchestration can deliver dramatic improvement in OODA loops.
• Attackers are using AI – cognition is critical for security.
• We’re very early in a long journey.
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any
statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper
access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful,
comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products
or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU