It wasn’t long ago that IT security meant building a network fortress of technologies and controls to keep the bad guys out. Then the cloud, BYOD, Shadow IT, and massive attacks on Home Depot, Sony, the U.S. Office of Personnel Management and other well-fortified victims arrived. Suddenly, organizations had to face the truth that they would get hacked despite their best efforts. The focus has now moved to quick, effective response.
We spoke with Michael Bright, IBM Security Operations and Response Leader for Canada, for an update on how Watson’s AI, paired with a security intelligence tool, is accelerating threat detection and response in the cloud-enabled enterprise.
MOST ORGANIZATIONS HAVE SECURITY CONTROLS IN PLACE BUT MANY LACK FULL OPERATIONAL VISIBILITY
“If you don’t have a way to get that visibility, you can’t detect and react—let alone be proactive— in the face of today’s attacks,” says Bright. In many cases, when a company is breached, it has powerful security tools generating lots of alerts. “Unfortunately, the difficulty lies in pulling all those alerts together to see the danger of the attack in progress.”
“The biggest challenge organizations face is how to analyze all that information and understand that it’s one security incident.”
SECURITY INTELLIGENCE IS ABOUT USING COGNITIVE INTELLIGENCE —A COMBINATION OF MACHINE LEARNING, NATURAL LANGUAGE PROCESSING, AND OTHER AI TECHNOLOGIES— TO DO THAT FOR YOU AUTOMATICALLY.
It’s also about the response. “In the face of a suspected attack today, an analyst typically does an online search and looks at hacker sites, security forums and blogs to figure out what this hash of a file or that fishy IP address indicates and how to respond,” says Bright. “Security intelligence harnesses analytics, cognitive computing, and automation to do most of that research and analysis for you.” That means analyzing a lot of unstructured data, as opposed to the structured data generated by various security logs.
SECURITY INTELLIGENCE PROVIDES THE DEEP SECURITY EXPERTISE AND KNOWLEDGE OF THE LATEST THREATS THAT MOST IT TEAMS SIMPLY CANNOT MATCH
“We offer an application powered by Watson called IBM QRadar with Watson,” says Bright. “It takes advantage of the QRadar infrastructure to normalize the security skills gap. When you suspect you have an issue, QRadar Advisor with Watson provides cognitive intelligence, infrastructure insight, and knowledge of everything on the Internet related to security to analyze the scope and seriousness of an attack.”
For the past two years, IBM has worked with MIT, the University of Ottawa and the University of New Brunswick, among others, to teach Watson the Internet language around security. QRadar goes out to the entire Web and the Dark Web to do its own research to give you a view of what it sees. “It will tell you based on its research that you’ve been hit by X malware perpetrated by Y attack author,” says Bright. “It even provides visualization of the attack chain and explains why you must address it.”
Resilient Incident Response Platform (IRP) is another IBM tool that spells out the steps you need to take to respond to that attack.
“In sum, QRadar shortens the time from seeing something that might be bad to the realization that it is bad. Resilient IRP shortens the time it takes to understand what attack is taking place, what it has access to and the steps you must take to mitigate it.”
EVEN IN THE CLOUD, SECURITY IS STILL SECURITY. THE ONLY DIFFERENCE IS THAT YOU MUST RELY ON A SERVICE PROVIDER
“You need to make sure each cloud service has the right security infrastructure in place and gives you full cloud visibility,” says Bright. “With Software as a Service (SaaS), such as Office 365 or Microsoft Exchange, it’s important to understand the nature of the security logging it provides and make sure it’s activated.” For example, initially, Microsoft Office 365 didn’t activate logging by default.
You also need to know where your confidential information is stored. “Is it in the cloud? What security controls do you have in that environment? How do you protect that information either in the cloud or as it leaves your organization and moves into the cloud? What are your users doing with that information? Are they copying it onto their email accounts? What are the company’s policies around putting that information out there?”
This is all critical, as there’s a transition in 2017 from hackers stealing and monetizing structured data, such as credit card information, to unstructured data, such as email archives, confidential financial information and source code.
SECURITY GURU, BRUCE SCHNEIER HAS SAID THAT THE EARLY 2000’S WAS THE AGE OF CONTROLS. NOW WE’RE IN THE AGE OF RESPONSE
“Yes, analytics and cognitive intelligence can help with detection,” says Bright “but even more important for the future is that they can enable instant response—what do I do, how do I control the threat situation and how can I be proactive in my response strategy?”
Organizations may not be able to control the behavior of hackers, but they are the pilots of what they do (or what they don’t do) about it.