Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
AI for Cyber Security and Adversarial AI
Domenico Raguseo
June 2019
@domenicoraguseo
IBM Security / © 2019 IBM Corporation
2 © 2018 IBM Corporation
Grow Business
Stop Threats
Prove Compliance
GetAhead of
Compliance
Enhance Security Hygiene
Detect & Stop Advanced
Threats
Orchestrate Incident
Response
Master Threat
Hunting
Secure Hybrid Cloud
Protect Critical Assets
Prevent Advanced
Fraud
GovernUsers and Identities
Let’s focus on the most critical security use cases
OutcomeOutcomeOutcomeOutcome----driven driven driven driven securitysecuritysecuritysecurity
2 © 2018 IBM Corporation
3
Reactive strategies driven by threats
Products and processes deployed in silos
Organizations and teams continue to work alone
Complexity continues to be today’s top concern
4 © 2018 IBM Corporation
SECURITYSECURITYSECURITYSECURITYORCHESTRATIONORCHESTRATIONORCHESTRATIONORCHESTRATION
& ANALYTICS& ANALYTICS& ANALYTICS& ANALYTICS
THREATTHREATTHREATTHREATINTELINTELINTELINTEL
ENDPOINTENDPOINTENDPOINTENDPOINT NETWORKNETWORKNETWORKNETWORK
MOBILEMOBILEMOBILEMOBILEADVANCEDADVANCEDADVANCEDADVANCED
FRAUDFRAUDFRAUDFRAUD
DATADATADATADATA
APPSAPPSAPPSAPPSIDENTITYIDENTITYIDENTITYIDENTITY& ACCESS& ACCESS& ACCESS& ACCESS
Build an integrated security immune system
Criminal detection
Fraud protection
Data access control
Application security managementApplication scanning
Data protection
Device management
Transaction protection
Content security
Malware protection
Endpoint detection and responseEndpoint patching and management Network forensics and threat management
Firewalls and intrusion prevention
Network visibility and segmentation
Access management
Identity governance and administration
Privileged user management
IDaaS
Mainframe security
Threat sharing
Vulnerability managementSecurity analytics
Threat and anomaly detection
Incident responseUser behavior analytics
Threat hunting and investigation
IoCs
|
|
Analysis of an Incident
Activities performed during Business Email Compromise – Case A
SECURITYSECURITYSECURITYSECURITYORCHESTRATIONORCHESTRATIONORCHESTRATIONORCHESTRATION
& ANALYTICS& ANALYTICS& ANALYTICS& ANALYTICS
THREATTHREATTHREATTHREATINTELINTELINTELINTEL
ENDPOINENDPOINENDPOINENDPOINTTTT NETWORKNETWORKNETWORKNETWORK
MOBILEMOBILEMOBILEMOBILEADVANCEDADVANCEDADVANCEDADVANCED
FRAUDFRAUDFRAUDFRAUD
DATADATADATADATA
APPSAPPSAPPSAPPSIDENTITYIDENTITYIDENTITYIDENTITY& ACCESS& ACCESS& ACCESS& ACCESS
Data access control
Application security managementApplication scanning
Data protection
Device management
Transaction protection
Content security
Malware protection
Endpoint detection and responseEndpoint patching and management
Access management
IDaaS
Mainframe security
Threat sharing IoCs
|
|
Email is received with malicious attachment and “payload” macro is executed (malware defenses fail)
Unpatched vulnerability is exploited
Command and control is
allowed to be established
Credential are
stooledKill Chain – Case A
Email is received with malicious attachment and “payload” macro is executed (malware defenses fail)
File is Downloaded from a web site
SECURITYSECURITYSECURITYSECURITYORCHESTRATIONORCHESTRATIONORCHESTRATIONORCHESTRATION
& ANALYTICS& ANALYTICS& ANALYTICS& ANALYTICS
THREATTHREATTHREATTHREATINTELINTELINTELINTEL
ENDPOINENDPOINENDPOINENDPOINTTTT NETWORKNETWORKNETWORKNETWORK
MOBILEMOBILEMOBILEMOBILEADVANCEDADVANCEDADVANCEDADVANCED
FRAUDFRAUDFRAUDFRAUD
DATADATADATADATA
APPSAPPSAPPSAPPSIDENTITYIDENTITYIDENTITYIDENTITY& ACCESS& ACCESS& ACCESS& ACCESS
Data access control
Application security managementApplication scanning
Data protection
Device management
Transaction protection
Content security
Malware protection
Endpoint detection and response
Endpoint patching and management
Access management
IDaaS
Mainframe security
Threat sharing IoCs
|
|
Email is received with malicious attachment and “payload” macro is executed (malware defenses fail)
Unpatched vulnerabilit
y is exploited
Identity and
Access
Command and control is allowed to be established
Watering hole .. A change in attach strategy . Case B
Kill Chain - Case BCase B =! Case A
Kill Chain – Case ACase B =! Case A
Attach PatternA + B
8 © 2018 IBM Corporation
The future of Incident Analysis in Cyber Security is AI
Use AI to gain a head startAutomatically investigate incidents and anomalies to identify the most likely threats
– Quickly gather insights from millions of external sources
– Apply cognitive reasoning to build relationships
9 | Welcome to the cognitive era.
9
Incident Analysis
#2 most challenging area
today is optimizing accuracy alerts (too
many false positives)
#3 most challenging area due to insufficient
resources is threat identification, monitoring
and escalating potential
incidents (61% selecting)
Speed gap
The top cybersecurity
challenge today and tomorrow is reducing
average incident response and
resolution time
This is despite the fact that 80% said their
incident response speed
is much faster than two years ago
Accuracy gapIntelligence gap
#1 most challenging area
due to insufficient resources is threat
research (65% selecting)
#3 highest cybersecurity challenge today is
keeping current on new threats and
vulnerabilities (40%
selecting)
Addressing gaps while managing cost and ROI pressures
Watson for cybersecurity unlocks a tremendous amount of security knowledge enabling rapid and comprehensive investigation insights
IBM Watsonfor cyber security
Corpus of Knowledge
Human GeneratedSecurity Knowledgeand IBM Research
Threat databases
Research reports
Security textbooks
Vulnerability disclosures
Popular websites
Blogs and social activity
Other
Threat databases
Research reports
Security textbooks
Vulnerability disclosures
Popular websites
Blogs and social activity
Other
• Maintains the currency of
• Leverages the power of collaboration and crowdsourcing of threat intelligence and activity for more accurate insights
• Security Knowledge
• Learns new threat relationships and behaviors
• Performs cognitive exploration of suspicious activities and behaviors identifying root cause and additional indicators
The Corpus of Watson for CyberSecurity in action
• Continually growing and adapting throughthe absorption of new security knowledge
• Performs cognitive exploration of suspiciousactivities and behaviors identifying rootcause and additional indicators
• Creates and finds paths and linkages easilymissed by humans
• Learns, adapts and doesn’t forget
Anomaly Detection
Detect and stop advanced threats
Advanced analytics for advanced threat detection and response across the enterprise
The User Behavior Analytics dashboard is an integrated part of the QRadar console
Intelligence Response
15 © 2018 IBM Corporation
AI and OrchestrationWhat if you could augment your teams’ intelligence and response?
Respond quickly with confidence
Orchestrate a complete and dynamic response, enabling faster, more intelligent remediation
– Create dynamic playbooks built on NIST / CERT / SANS
– Deploy response procedures and expertise
Rules
Recommendations
SIEM
Ru
les
imp
ort
ScriptARA
Attacker’s Use of AI Today
Attacker’s Use of AI Today
ME: Model Extraction
DE: Data Extraction
Ev: Model Evasion
Po: Model Poisoning
• Generate: DeepHack tool learned SQL injection [DEFCON’17]
• Automate: generate targeted phishing attacks on Twitter
[Zerofox Blackhat’16]
• Refine: Neural network powered password crackers
• Evade: Generative adversarial networks learn novel
steganographic channels
AI Powered Attacks
• Poison: Microsoft Tay chatbot poisoning via Twitter (and Watson “poisoning” from Urban Dictionary) [Po]
• Evade: Real-world attacks on computer vision for facial recognition biometrics [CCS’16] and autonomous vehicles [OpenAI] [Ev]
• Harden: Genetic algorithms and reinforcement learning (OpenAIGym) to evade malware detectors [Blackhat/DEFCON’17] [Ev]
Attacking AI
• Theft: Stealing machine learning models via public APIs [USENIX’16] [DE]
• Transferability: Practical black-
box attacks learn surrogate models for transfer attacks [ASIACCS’17] [ME, Ev]
• Privacy: Model inversion attacks
steal training data [CCS’15] [DE]
Theft of AI
Reduce Complexity
2019+
Security at the Speed of Cloud
OPERATIONAL SIMPLICITY
GLOBAL-SCALEAI & ANALYTICS
CONNECTEDECOSYSTEM
Our continued journey
19
2011-2018
Security connected across the enterprise
SECURITYSECURITYSECURITYSECURITYORCHESTRATIONORCHESTRATIONORCHESTRATIONORCHESTRATION
& ANALYTICS& ANALYTICS& ANALYTICS& ANALYTICS
APPSAPPSAPPSAPPS
MOBILEMOBILEMOBILEMOBILE
ENDPOINTENDPOINTENDPOINTENDPOINT
THREATTHREATTHREATTHREATINTELINTELINTELINTEL
NETWORKNETWORKNETWORKNETWORK
ADVANCEDADVANCEDADVANCEDADVANCEDFRAUDFRAUDFRAUDFRAUD
IDENTITYIDENTITYIDENTITYIDENTITY& ACCESS& ACCESS& ACCESS& ACCESS
DATADATADATADATA
Before 2011
Security for an IT project
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU
ibm.com/security/community