SESSION ID: SPO3-W03
#RSAC

Applied Cognitive Security: Complementing the Security Analyst

Vijay Dheap, Program Director – Cognitive Security, IBM Security, @dheap
Brant Hale, Technology Consultant, SCANA, @BrantMHale
Quick Insights: Current Security Status

[Chart: threats and alerts rising against the available analysts, the knowledge required and the available time]

Economics of Cyber Security are Unsustainable

Defenders:
• Must defend against multiple threat actors
• Must constantly maintain and monitor defensive measures
• Greater demand for skilled resources increases costs
• Accuracy and responsiveness are essential

Attackers:
• Can target multiple vulnerable organizations
• Identify and exploit a single lapse in defensive measures
• Tools and services reduce the skills required to engage in malicious activities
• Option to employ multiple methods of attack over a period of time
IBM Cognitive Security Study Revealed Gaps Security Teams Want to Address

Accuracy gap
• #2 most challenging area today is optimizing alert accuracy (too many false positives)
• #3 most challenging area due to insufficient resources is threat identification, monitoring and escalating potential incidents (61% selecting)

Speed gap
• The top cybersecurity challenge today and tomorrow is reducing average incident response and resolution time
• This is despite the fact that 80% said their incident response speed is much faster than two years ago

Intelligence gap
• #1 most challenging area due to insufficient resources is threat research (65% selecting)
• #3 highest cybersecurity challenge today is keeping current on new threats and vulnerabilities (40% selecting)

Addressing gaps while managing cost and ROI pressures
Evolution of Security Operations

• To gain awareness of the current state of an organization’s security posture requires data and analytics
• Traditional teams limit their focus to internal security data with minimal use of external knowledge

[Chart: increasing sophistication of analytics (vertical axis) against increasing volume and variety of data (horizontal axis)]
• Data sources: Log Data; Flow Data; Vulnerability Data / External Threat Feeds; Full Packet Capture; Unstructured / External Data
• Analytics: Search; Reporting; Rules; Pattern Detection; Out-of-the-box Analytics; Platform for Custom Analytics
• Platform generations: Log Mgmt. → 1st Gen SIEM → 2nd Gen SIEM → Modern Security Intelligence Platform
• Forensics: 1st Generation Forensics → Advanced Cyber Forensics
Evolving to meet current and future security operations needs with cognitive enabled cyber security

[Chart: analytic approaches from Grep, Search and Pattern Matching through Correlation and rules and Behavioral Analytics to Cognition, plotted against increasing data volumes, variety and complexity and increasing attack and threat sophistication; the earlier stages provide recognition of threats and risks, while cognition adds reasoning about threats and risks]

Helping security teams not only detect where the threat is but also resolve the what, how, why, when and who to improve the overall incident response timeline

Cognitive Traits:
• language comprehension
• deductive reasoning and
• self-learning
Introducing and understanding Cognitive Security

COGNITIVE SECURITY

Cognitive security provides the ability to unlock and action the potential in all data, internal and external, structured and unstructured. It connects obscure data points humans couldn’t possibly spot, enabling enterprises to more quickly and accurately detect and respond to threats, becoming more knowledgeable through the cognitive power to understand, reason and learn.
Applying Cognitive Security
Cognitive Tasks of a Security Analyst in Investigating an Incident

Gain local context leading to the incident
• Review the incident data
• Review the outlying events for anything interesting (e.g., domains, MD5s, etc.)
• Pivot on the data to find outliers (e.g., unusual domains, IPs, file access)
• Expand your search to capture more data around that incident

Gather the threat research, develop expertise
• Search for these outliers / indicators using X-Force Exchange + Google + Virus Total + your favorite tools
• Discover new malware is at play
• Get the name of the malware
• Gather IOC (indicators of compromise) from additional web searches

Apply the intelligence and investigate the incident
• Investigate gathered IOC locally
• Find other internal IPs that are potentially infected with the same malware
• Qualify the incident based on insights gathered from threat research
• Start another investigation around each of these IPs

Time consuming threat analysis: there’s got to be an easier way!
A tremendous amount of security knowledge is created for human consumption, but most of it is untapped

Traditional Security Data
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds

Human Generated Knowledge: a universe of security knowledge, dark to your defenses. Typical organizations leverage only 8% of this content*
Examples include:
• Research documents
• Industry publications
• Forensic information
• Threat intelligence commentary
• Conference presentations
• Analyst reports
• Webpages
• Wikis
• Blogs
• News sources
• Newsletters
• Tweets
The Foundation of Cognitive Security
A Glimpse into the Brain of Watson for Cyber Security
• Constantly accumulates and updates its information to evolve its knowledge base
• Explores its knowledge to confidently highlight risk from suspicious or malicious activities
• Assembles insights crucial to performing root-cause analysis
• Deduces relationships and patterns that are hard if not impossible to do manually
• Learns, adapts and never forgets
Applying Cognitive Security to Empower Security Analysts

Security Analysts
• Manage alerts
• Research security events and anomalies
• Evaluate user activity and vulnerabilities
• Configure and tune security infrastructure
• Other

Security Analytics
• Correlate data
• Identify patterns
• Establish thresholds
• Enforce policies
• Detect anomalies
• Prioritize incidents

Watson for Cyber Security
• Deliver security knowledge
• Identify threats
• Reveal additional indicators
• Surface or derive relationships
• Present evidence

QRadar Advisor
• Perform local data mining
• Employ Watson for Cyber Security for threat research
• Qualify and relate threat research to security incidents
• Present findings
Initial Objectives and Goals of Cognitive Security
• Consult more information sources than humanly possible to accurately assess a security incident
• Maintain the currency of security knowledge
• Remove human error and dependency on research skills
• Reduce time required to investigate and respond to security incidents
• Allow for repeating analysis as the incident develops or new intelligence becomes available
Cognitive Security in Action @ SCANA

About SCANA Corporation
Headquartered in Cayce, South Carolina, SCANA is an energy-based holding company that has brought power and fuel to homes in the Carolinas and Georgia for 160 years. SCANA is principally engaged, through subsidiaries, in regulated electric and natural gas utility operations and other non-regulated energy-related businesses in South Carolina, North Carolina and Georgia.
Major Subsidiaries: SCE&G, PSNC Energy, and SCANA Energy
SOC Environment at SCANA
• SCANA uses QRadar as our SIEM
• Multiple deployments: separate instances for SCADA / Operational Technology
• 24x7x365 staffing in the SOC
• Shifts of analysts
  — Normal hours: architects and most experienced staff
  — Shifts: Level 1, 2 and 3 with a Level 4 or 5 shift leader and on-call support
  — Different backgrounds: Network/Server teams and Corporate/Military
  — Standard processes are followed but research can fall out of the process
  — Consistency is a challenge
• Fines of up to 1 million dollars a day for security issues (CIP)
Client Connecting to Botnet IP
• QRadar fired an offense on a user attempting to connect to a botnet IP
• Analyst found 5 correlated indicators manually while we ran Watson
• Watson showed the extent of the threat with 50+ useful indicators: email hashes, file hashes, IP addresses, domains
[Figure: Watson Indicators – Botnet IP]
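As an added example (not IBM, QRadar or Watson code, and not from the SCANA deployment), the script below walks the three phases of the “Cognitive Tasks of a Security Analyst” slide and reproduces the effect seen in this botnet-IP case: a handful of seed indicators pulled from the offense, expanded through a knowledge store that stands in for external research, then pivoted against local logs to find other internal hosts touching the same indicators. The offense text, the log lines, the assumption that internal hosts live in 10.0.0.0/8, and the knowledge graph (its hashes are fake, its IPs are from documentation ranges) are all constructed for illustration.

```python
"""Indicator extraction, expansion and local pivot for one SIEM offense.

Added example, not IBM, QRadar or Watson code. Every input below is
constructed: the offense text, the log lines, and the knowledge graph that
stands in for external research (X-Force Exchange, VirusTotal, articles).
"""
import re
from collections import deque

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5 = re.compile(r"\b[0-9a-f]{32}\b")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

INTERNAL_PREFIX = "10."  # constructed assumption: internal hosts live in 10.0.0.0/8

# Constructed fake hashes (not real malware samples).
H1 = "a1" * 16
H2 = "b2" * 16

# Constructed knowledge graph: indicator -> indicators that research on the
# same campaign would relate to it. IPs come from documentation ranges.
KNOWLEDGE = {
    "203.0.113.7": {"bot-c2.example.net", H1},
    "bot-c2.example.net": {"198.51.100.23", "stage2.example.org"},
    H1: {H2},
    "stage2.example.org": {"198.51.100.45"},
}

# Constructed offense text and log lines standing in for SIEM data.
OFFENSE = ("Offense 4711: user jdoe on 10.20.0.15 attempted a connection "
           "to 203.0.113.7:443 (botnet C2 feed hit)")
LOGS = [
    "2024-05-01T10:02:11Z proxy src=10.20.0.15 dst=203.0.113.7 host=bot-c2.example.net",
    "2024-05-01T10:05:40Z dns client=10.20.0.31 query=stage2.example.org",
    f"2024-05-01T10:07:02Z av host=10.20.0.44 file=update.exe md5={H1}",
    "2024-05-01T10:09:55Z proxy src=10.20.0.52 dst=198.51.100.200 host=cdn.example.com",
]


def extract_indicators(text):
    """Phase 1: pull external IPs, MD5 hashes and domains out of incident text."""
    low = text.lower()
    found = {ip for ip in IPV4.findall(low) if not ip.startswith(INTERNAL_PREFIX)}
    found.update(MD5.findall(low))
    found.update(DOMAIN.findall(low))
    return found


def expand_indicators(seeds, knowledge, max_depth=2):
    """Phase 2: breadth-first expansion of the seeds through the knowledge graph.

    Returns {indicator: hops from a seed}; depth 0 is what the analyst started
    with. Each hop away from the offense is weaker evidence, so max_depth bounds
    how far a pivot is followed and lets the caller re-run with a wider net.
    """
    depth = {s: 0 for s in seeds}
    queue = deque(seeds)
    while queue:
        cur = queue.popleft()
        if depth[cur] >= max_depth:
            continue
        for rel in knowledge.get(cur, ()):
            if rel not in depth:
                depth[rel] = depth[cur] + 1
                queue.append(rel)
    return depth


def _mentions(indicator, text):
    """Whole-token match so 198.51.100.23 does not hit 198.51.100.230."""
    return re.search(r"(?<![\w.])" + re.escape(indicator) + r"(?![\w.])", text) is not None


def pivot_locally(indicators, log_lines):
    """Phase 3: map each internal host to the indicators its log lines mention."""
    hits = {}
    for line in log_lines:
        low = line.lower()
        matched = {i for i in indicators if _mentions(i, low)}
        if not matched:
            continue
        for ip in IPV4.findall(low):
            if ip.startswith(INTERNAL_PREFIX):
                hits.setdefault(ip, set()).update(matched)
    return hits


def investigate(offense_text, log_lines, knowledge=KNOWLEDGE, max_depth=2):
    """Run all three phases; re-run as the knowledge graph gains new research."""
    seeds = extract_indicators(offense_text)
    expanded = expand_indicators(seeds, knowledge, max_depth)
    hosts = pivot_locally(set(expanded), log_lines)
    return seeds, expanded, hosts


if __name__ == "__main__":
    seeds, expanded, hosts = investigate(OFFENSE, LOGS)
    print("seed indicators:", sorted(seeds))
    for ind, d in sorted(expanded.items(), key=lambda kv: kv[1]):
        print(f"  hop {d}: {ind}")
    for host, inds in sorted(hosts.items()):
        print(f"host {host} touched {sorted(inds)}")
```

With the constructed data, one seed (the botnet IP in the offense) expands to six indicators within two hops, and the local pivot surfaces two further internal hosts that never appeared in the original offense; raising max_depth pulls in the next hop, which is the “repeat the analysis as new intelligence becomes available” step from the objectives slide.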
External Scan
• Light external scanning
• Looked like Shodan
• Analyst would have marked as nuisance scan
• Watson revealed additional info: botnet CNC, SPAM servers, malware hosting
[Figure: Watson Key Indicators – Offense: External Scan]
Client Malware Download
• Client attempted malware download
• Malware was blocked
• How much time do you spend on a blocked threat?
• Watson enriched: malware was part of a larger campaign
• Analysts used additional indicators to search for compromise
[Figure: Watson Key Indicators – Client Malware Download]
All Indicators – Watson took 5 minutes
[Figure: all indicators surfaced for the offense]
What has SCANA gained from Watson?

Speed
• Level 1 and 2 analysts can quickly see the scope of an issue
• Average initial investigation time without Watson: 50 minutes
  — Searching reputation (X-Force, Virus Total, etc.)
  — Reading articles
  — Investigating threat feed hits
• Average initial investigation time with Watson: 10 minutes
  — About 5 minutes for Watson and 5 minutes to review

Consistency
• Analysts use different information sources based on their preference
• Watson gives more consistent information from more sources

Insight
• Correlation: too much data for an analyst to grasp
• Watson gives a quick visual view showing connections
Thank you! …Questions Anyone?