IBM Cyber Security Research

Transcript of IBM Cyber Security Research (25 pages)

Page 1: IBM Cyber Security Research

© 2016 IBM Corporation
Dr. Andreas Wespi
6 Sep. 2016
IBM Cyber Security Research

Page 2: IBM Research

More than 3,000 scientists and engineers at 12 labs on 6 continents

Labs shown on the map: China, Watson, Almaden, Austin, Tokyo, Haifa, Zurich, India, Ireland, Australia, Brazil, Africa

Page 3: IBM Security Research

Haifa, Tokyo: Security Services, Information Security

Watson: Cryptography, Virtualization/Cloud, Biometrics, Information Security, Security Analytics, Cognitive Security, Security Engineering, Secure Hardware

Zurich: Cryptography, Authentication Solutions, Virtualization/Cloud, Security Analytics, Identity Management, Storage Security, Privacy, Industrial Control Systems

China: Internet of Things

Page 4: IBM Research's Cyber Security Agenda: Five Focus Areas

• Automate identification of critical assets: Enterprise Information Security Management for Enterprise and Cloud
• Secure the foundations: Security Technologies for SoftLayer and Software Defined Environments
• Enforce security from assets to endpoints: Security for the Mobile Enterprise and Cyber-physical Systems (SCADA/ICS)
• Engineering & algorithms for provable security: Search and Computation on Encrypted Data, Privacy, and Personal Cryptography
• Comprehensive situational awareness: Cyber Security Analytics for Networks, Devices, Cloud, Usage and Entitlements, Social, Application and Business Processes

Page 5: Cognitive is ushering in a new era of security

Page 6: What is Cognitive and Cognitive Computing Systems?

Cognitive means "relating to the mental process involved in knowing, learning, and understanding things." [Collins Cobuild Advanced Learner's English Dictionary]

"Cognitive computing systems learn and interact naturally with people to extend what either humans or machine could do on their own. They help human experts make better decisions by penetrating the complexity of Big Data." [http://www.research.ibm.com/cognitive-computing/]

Page 7: Once upon a time …

IBM Watson – Jeopardy! winning supercomputer

Page 8: (slide image without extractable text)

Page 9: IBM Security Summit (May 10, 2016) Announcement

Page 10: A tremendous amount of security knowledge is created for human consumption, but most of it is untapped

Page 11: A day in the life of a threat investigator

Page 12: (slide image without extractable text)

Page 13: Cognitive Systems: A new partnership between security analysts and their technology

Page 14: IBM Watson enables insights by connecting and analyzing hundreds of internal and external data sources in minutes rather than weeks

Integrating various types of Big Data

Pipeline stages: Ingest, Learn, Test, Experience

Watson Corpus:
• Many terabytes of data
• Tens of millions of documents
• Hundreds of millions of entities and relationships

Internal Data:
• X-Force Threat Analysis
• IP Reputation Database
• Social Analytics
• Fraud Analytics
• QRadar SIEM Offense Data
• Entity-Relationship Graphs
• Client Data Sources

External Data:
• Wikipedia
• CIA Factbook
• Exploit Analysis
• Security Bulletins
• CVEs
• Bad Actor Forums
• IRC & Social Media

Page 15: Understanding entities and relationships

IBM Watson is taught to extract entities and relationships from natural language text sources

Pipeline stages: Ingest, Learn, Test, Experience

A wide range of annotators enables Watson to link all representations of an entity. The slide's example:
• Name, Location: Armand Ayakimyan; Apsheronsk, Russia
• IP & DNS Records: 31.170.179.179, ssndob.ru, ssndob-search.info
• Social IDs, Aliases: [email protected], Mr. Zack, 38337, Darkill, Darkglow, Planovoi
• Known Associations: Cyclosa Gang, Tojava, JoTalbot, DarkMessiah
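The annotate-and-link step the slide describes, as an added example that is not IBM's or Watson's code: regex annotators for the representation types above tag constructed report snippets, and co-occurrence linking gathers every representation of one actor into a single group. All names, handles, domains and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed threat-report snippets; names, handles, domains and addresses are made up.
REPORTS = [
    "The seller 'nightowl77' advertised the service at bad-example.test (203.0.113.42).",
    "Registration records for bad-example.test list the contact nightowl77@mail.example.",
    "nightowl77@mail.example was later used to register second-example.test.",
    "An unrelated phishing kit was hosted at 198.51.100.9.",
]

# Annotators in priority order: each (type, regex) tags one kind of representation.
ANNOTATORS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:test|example)\b")),
    ("alias", re.compile(r"'([^']+)'")),
]

def annotate(text):
    """Tag entities in one text; each annotator consumes its matches so the
    domain annotator does not re-tag the host part of an e-mail address."""
    found = set()
    for etype, pattern in ANNOTATORS:
        for m in pattern.finditer(text):
            found.add((etype, m.group(1) if m.groups() else m.group(0)))
        text = pattern.sub(" ", text)
    return found

def link_entities(reports):
    """Union-find over co-occurrence: entities mentioned in the same report
    are linked, so every representation of one actor lands in one group."""
    parent = {}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for text in reports:
        ents = list(annotate(text))
        for e in ents:
            parent.setdefault(e, e)
        for a, b in zip(ents, ents[1:]):
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for e in parent:
        groups[find(e)].add(e)
    return list(groups.values())

def representations_of(reports, entity):
    """All linked representations of the actor behind one entity."""
    return next((g for g in link_entities(reports) if entity in g), set())
```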

Page 16: Understanding entities and relationships (slide image)

Page 17: Learning through expert training

Pipeline stages: Ingest, Learn, Test, Experience

Example question: "What can I do to mitigate the risk of a shellshock attack?"

Answering steps: Question, Search Corpus, Extract Evidence, Score & Weigh

Corpus searched for evidence:
• Cyber Lexicon
• Bulletins
• CVE reports
• Breach Analyses
• Forums
• Social Media
• Security Research

Scoring and weighing criteria:
• Quantity
• Proximity
• Relationship
• Domain Truths/Business Rules

IBM Watson provides answers with evidence and is iteratively trained, learning from both successes and failures, much as humans do

Page 18: We intend to integrate IBM Watson for Cyber Security with IBM QRadar to accelerate Cognitive Security for our clients

IBM QRadar Security Intelligence Platform (internal security events and incidents) sends to Watson for Cyber Security (external security knowledge)

• QRadar sends Watson a pre-analyzed security incident
• Watson automatically provides a response back to the security analyst on the probability of the threat and best practices, resulting in substantial time savings

Page 19: Getting smarter over time, Watson plans to apply its security instincts to a number of use cases

• Enhance your SOC analysts
• Identify threats with advanced analytics
• Speed response with external intelligence
• Improve enterprise risk
• Strengthen application security

Page 20: Convergence of IT and OT

Page 21: Industrial Control Systems (ICS) Security

Activity 1: Instrumentation and Collection
– Identify strategic points in the network
– Collection of network data (e.g., NetFlow, packet header information, DHCP/ARP data)

Activity 2: Passive Network Exploration
– Identification of devices
– Collection and inference of information about the devices
– Understanding the traffic flows, communication patterns, and dependencies

Activity 3: Anomaly Detection
– Characterize the normal behavior of the network traffic
– Mine the traffic for abnormal deviations

Analysis pipeline: Feature Extraction, Behavior modeling, Anomaly detection

Three Environments: i) IBM Research testbed (Zurich) ii) Enel Industrial Cyber Laboratory iii) Enel Power Plant

Enel – large power generator and distributor, operations in 32 countries across 4 continents. In collaboration with IBM GTS and IBM Security Services

Page 22: Passive Data Collection: Flow Level and Content Analysis

Protocol Zoo
• Many different and proprietary protocols

Traffic Monitoring
• Network flows: end-to-end traffic communication patterns
• Raw packets: analysis of OPC packet contents to monitor field bus related events

Monitored architecture (focus on the OPC servers):
• SCADA/HMI
• OPC Servers (Open Platform Communications protocol)
• RTU/PLC
• Fieldbus (ModBus, Profibus, IEC 104, DNP3, etc.)
• Sensors/Actuators
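The three activities of Page 21 applied to the flow-level monitoring of Page 22, as an added example that is not code from the deck or from the IBM/Enel project: feature extraction from NetFlow-style records, a per-communication-pair baseline learned during a quiet period, and detection of new devices, new communications and volume deviations. Addresses, ports and packet counts are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src, dst, dst_port, proto, packets).
# Addresses and counts are made up; the topology is an HMI polling two PLCs
# over Modbus/TCP and an OPC client talking to an OPC server.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.21", 502, "tcp", 120),   # HMI -> PLC-1, Modbus/TCP
    ("10.0.1.10", "10.0.2.22", 502, "tcp", 118),   # HMI -> PLC-2
    ("10.0.1.10", "10.0.2.21", 502, "tcp", 125),
    ("10.0.1.10", "10.0.2.22", 502, "tcp", 121),
    ("10.0.1.50", "10.0.1.60", 135, "tcp", 40),    # OPC client -> OPC server (DCOM endpoint mapper)
    ("10.0.1.50", "10.0.1.60", 135, "tcp", 42),
    ("10.0.1.50", "10.0.1.60", 135, "tcp", 38),
    ("10.0.1.50", "10.0.1.60", 135, "tcp", 41),
]

def extract_features(flow):
    """Feature extraction: who talks to whom on which port/protocol, plus volume."""
    src, dst, port, proto, packets = flow
    return (src, dst, port, proto), packets

def build_baseline(flows):
    """Behavior modeling: the devices seen and, per communication pair,
    mean and standard deviation of the packet count observed while learning."""
    volumes = defaultdict(list)
    for flow in flows:
        key, packets = extract_features(flow)
        volumes[key].append(packets)
    devices = {k[0] for k in volumes} | {k[1] for k in volumes}
    stats = {k: (mean(v), pstdev(v)) for k, v in volumes.items()}
    return {"devices": devices, "stats": stats}

def detect_anomalies(baseline, flows, k=3.0, floor=5.0):
    """Anomaly detection: report flows that deviate from the learned baseline.
    `floor` keeps a near-constant polling pattern from producing a zero sigma."""
    alerts = []
    for flow in flows:
        key, packets = extract_features(flow)
        src, dst, _port, _proto = key
        if src not in baseline["devices"] or dst not in baseline["devices"]:
            alerts.append(("new_device", flow))          # unknown device on the segment
        elif key not in baseline["stats"]:
            alerts.append(("new_communication", flow))   # known devices, unseen pair/port
        else:
            mu, sigma = baseline["stats"][key]
            if abs(packets - mu) > k * max(sigma, floor):
                alerts.append(("volume_deviation", flow))  # polling volume out of band
    return alerts
```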

Page 23: OPC Explorer (slide image)

Page 24: Post Quantum Cryptography

Developing efficient primitives for cryptography in a post quantum world

• Data encrypted today will be readable by quantum computers tomorrow
• Simple primitives are required for basic resistance
• Advanced primitives are required for more complex schemes

Page 25: Legal notice

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security