The document discusses how artificial intelligence (AI) can help address challenges in cybersecurity. It notes that the amount of security data and knowledge is growing rapidly but humans cannot process it all. AI can help by connecting related security events, extracting information from unstructured data sources, and answering security questions. This can help reduce investigation times and free up analysts to focus on more strategic work. However, the document also warns that attackers may increasingly use AI to launch more sophisticated attacks, so defenses need to evolve as well.

1. 1 IBM Security
LEADINGTHEWAY 2019
INTERNAL USE ONLY – DO NOT DISTRIBUTE

2. AI and Cybersecurity
Jeff Crume, CISSP-ISSAP
Nov 2018
Distinguished Engineer
IBM Master Inventor
crume@us.ibm.com
INTERNAL USE ONLY – DO NOT DISTRIBUTE

3. 3 IBM Security
Quick Insights: Current Security Status
Threats Alerts Available analysts Needed knowledge Available time
Is this really sustainable?
By 2022, there will be
1.8million
unfulfilled cybersecurity jobs
SKILLS
SHORTAGE
INTERNAL USE ONLY – DO NOT DISTRIBUTE

4. 4 IBM Security
Todays reality: Do all of this in <20 minutes, all day, every day
Review security incidents in SIEM Decide which incident to focus on next
Review the data that comprise
the incident (events / flows)
Expand your search to capture
more data around that incident
Pivot the data multiple ways to find outliers
(such as unusual domains, IPs, file access)
Review the payload outlying events
for anything interesting (domains, MD5s, etc.)
Search Threat Feeds + Search Engine + Virus Total + your favorite tools for
these outliers / indicators; Find new malware is at play
Identify the name
of the malware
Search more websites for IOC information
for that malware from the internet
Take these newly found IOCs from the internet
and search from them back in SIEM
Find other internal IPs are potentially
infected with the same malware
Start another investigation
around each of these IPs
INTERNAL USE ONLY – DO NOT DISTRIBUTE

5. 5 IBM Security
There is a massive amount of noise out there; the
human brain can’t process everything on a day-to-
day basis. We need something to help, something
like AI or cognitive technologies.
Chad Holmes – Principal and Cyber-Strategy, Technology and Growth
Leader (CTO) at Ernst & Young LLP
“Cognitive security has so much potential — you can
meet your labor shortage gap, you can reduce your risk
profile, you can increase your efficiency of response. It
can help you understand the narrative story. People
consume stories — this happened, then this happened,
with this impact, by this person.
Additionally, cognitive can lower the skills it takes to get
involved in cybersecurity. It allows you to bring
in new perspectives from non-IT backgrounds into
cracking the problem.”
David Shipley – Director of Strategic Initiatives, Information Technology
Services, University of New Brunswick
INTERNAL USE ONLY – DO NOT DISTRIBUTE

6. AI and Cybersecurity
INTERNAL USE ONLY – DO NOT DISTRIBUTE

7. 7 IBM Security
A tremendous amount of security knowledge is created for human
consumption, but most of it is untapped
• Industry publications
• Forensic information
• Threat intelligence commentary
• Analyst reports
• Conference presentations
• News sources
• Newsletters
• Tweets
• Wikis
A universe of security knowledge
Dark to your defenses
Typical organizations leverage only 8% of this content*
Human Generated
Knowledge
Traditional
Security Data
security events
viewed each day200K+
security research
papers / year10K
security
blogs / year720K
security related
news articles / year180K
reported software
vulnerabilities75K+
• Security events and alerts
• Logs and configuration data
• User and network activity
• Threat and vulnerability feeds
1 Forrester Research : Can You Give The Business The Data That It Needs? , 2013
INTERNAL USE ONLY – DO NOT DISTRIBUTE

8. 8 IBM Security
1-3 Day1 Hour5 Minutes
Structured
Security Data
X-Force Exchange
Trusted partner data
Open source
Paid data
- Indicators
- Vulnerabilities
- Malware names, …
- New actors
- Campaigns
- Malware outbreaks
- Indicators, …
- Course of action
- Actors
- Trends
- Indicators, …
Crawl of Critical
Unstructured Security Data
Massive Crawl of all Security
Related Data on Web
Breach replies
Attack write-ups
Best practices
Blogs
Websites
News, …
Filtering + Machine Learning
Removes Unnecessary Information
Machine Learning /
Natural Language Processing
Extracts and Annotates Collected Data
5-10 updates / hour! 100K updates / week!
Billions of
Data Elements
Millions of
Documents
3:1 Reduction
Massive Security Knowledge GraphBillions of Nodes / Edges
Cognitive Security unlocks vast security knowledge to quickly enable
comprehensive investigative insights
INTERNAL USE ONLY – DO NOT DISTRIBUTE

9. 9 IBM Security
Connecting the dots
INTERNAL USE ONLY – DO NOT DISTRIBUTE

10. 10 IBM Security
Connecting the dots – an example
Domain
Name
URL
IP
Address
File
User
Locky
Malware
CONTAIN
RESOLVE CONNECT
LINK AV SIGNATURE
INTERNAL USE ONLY – DO NOT DISTRIBUTE

11. 11 IBM Security
Connecting the dots
INTERNAL USE ONLY – DO NOT DISTRIBUTE

12. 12 IBM Security INTERNAL USE ONLY – DO NOT DISTRIBUTE

13. 13 IBM Security
Human Expertise
Cognitive Security
Cognitive systems bridge this gap and unlock a new partnership between
security analysts and their technology
Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization
SECURITY
ANALYSTS
SECURITY
ANALYTICS
COGNITIVE
SECURITY
INTERNAL USE ONLY – DO NOT DISTRIBUTE

14. 14 IBM Security
Cognitive: Revolutionizing how security analysts work
• Natural language processing with security that understands, reasons, learns, and interacts
Watson determines the specific campaign (Locky),
discovers more infected endpoints, and sends results
to the incident response team
INTERNAL USE ONLY – DO NOT DISTRIBUTE

15. 15 IBM Security
Building a cognitive SOC Sogeti Luxembourg
reduced threat
investigation and root
cause determination
from three hours to
three minutes using IBM
QRadar Advisor with
Watson.
INTERNAL USE ONLY – DO NOT DISTRIBUTE

16. Adversarial AI
INTERNAL USE ONLY – DO NOT DISTRIBUTE

17. 17 IBM Security
• Generate: DeepHack tool learned
SQL injection [DEFCON’17]
• Automate: generate targeted
phishing attacks on Twitter
[Zerofox Blackhat’16]
• Refine: Neural network powered
password crackers
• Evade: Generative adversarial
networks learn novel
steganographic channels
Attacker’s Use of AI Today
AI Powered Attacks
• Poison: Microsoft Tay chatbot
poisoning via Twitter (and Watson
“poisoning” from Urban Dictionary)
[Po]
• Evade: Real-world attacks on
computer vision for facial
recognition biometrics [CCS’16]
and autonomous vehicles [OpenAI]
[Ev]
• Harden: Genetic algorithms and
reinforcement learning (OpenAI
Gym) to evade malware detectors
[Blackhat/DEFCON’17] [Ev]
Attacking AI
• Theft: Stealing machine learning
models via public APIs
[USENIX’16] [DE]
• Transferability: Practical black-box
attacks learn surrogate models for
transfer attacks [ASIACCS’17]
[ME, Ev]
• Privacy: Model inversion attacks
steal training data [CCS’15] [DE]
Theft of AI
ME: Model Extraction
DE: Data Extraction
Ev: Model Evasion
Po: Model Poisoning
INTERNAL USE ONLY – DO NOT DISTRIBUTE

18. 18 IBM Security
www.ibm.com/security/artificial-intelligence
INTERNAL USE ONLY – DO NOT DISTRIBUTE

19. © Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
FOLLOW US ON:
THANK YOU
INTERNAL USE ONLY – DO NOT DISTRIBUTE