
QRadar Advisor with Watson

ACCELERATING INCIDENT ANALYSIS WITH ARTIFICIAL INTELLIGENCE

Luca Dalzoppo
Business Development Manager
luca_dalzoppo@it.ibm.com

March 2018
Your goals as a security operations team are fundamental to business

• Protect critical systems & data
• Respond to incidents accurately and quickly
• Outthink cyber criminals

2 IBM Security
But the pressures today make them hard to keep up with

• Data Overload: "My workload is overwhelming and repetitive."
• Unaddressed Threats: "I don't know where to focus my time for the quickest response."
• Skills Shortage: "There is so much information out there, it's impossible to find what's useful."

Artificial intelligence bridges this gap and unlocks a new partnership between security analysts and their technology

Human Expertise
• Common sense
• Morals
• Compassion
• Abstraction
• Dilemmas
• Generalization

Security Analytics
• Data correlation
• Pattern identification
• Anomaly detection
• Prioritization
• Data visualization
• Workflow

AI: Cognitive Security
• Unstructured analysis
• Natural language
• Question and answer
• Machine learning
• Bias elimination
• Tradeoff analytics

We want to tackle where the bulk of your team's time is spent: on the initial incident assessment phase

Incident Analysis (the tasks to simplify)
Continuously monitor the alert queue, collect investigative data and context, including the root cause diagnosis necessary to escalate security alerts.

Response
Respond to security incidents and provide remediation.

Threat Hunting
Perform deep-dive analysis, look for new analytic methods for detecting and preventing threats.

Introducing QRadar Advisor with Watson, built with AI for the front-line Security Analyst

QRadar Advisor with Watson uses AI to accelerate incident analysis, reduce complexity with intelligent investigation, and ultimately enable a faster response to threats.

1. Accelerates analysis by automatically investigating indicators of compromise (internal and external) and suspicious behavior
2. Applies cognitive reasoning to discover and connect other threat entities related to the original incident
3. Provides critical insights to take action on escalation
QRadar Advisor with Watson delivers on these values

1. Accelerated Analysis
• Uses AI to analyze real-time incidents for triage
  - Automatically investigates the evidence for an alert or anomaly against Watson and applies 'reasoning' to identify the likely threat
• Gathers external and internal threat indicators from the alert
• Performs external research (threat intelligence) and internal research on indicators and entities (hash, domain, IP, users, filename, etc.)
• Highlights the existence and identity of threats or outliers
• Offers a natural language search bar for security-only information to speed up assessment
QRadar Advisor with Watson delivers on these values

2. Intelligent Investigation
• Identifies whether communication with the threat has occurred or was blocked
• Highlights whether malware has executed
• Identifies the criticality of the systems impacted in the incident and shows high-value assets
• Gives visibility to higher-priority risks and threats from insiders
  - Integrated with the User Behavior Analytics (UBA) app to show users' risk scores
  - Reveals previous behaviors and actions of users
• Connects other threat entities from the original offense to show their relationships
• Provides input for ad-hoc investigation against collections of users and entities
QRadar Advisor with Watson delivers on these values

3. Faster Response
• Provides pertinent information to take action on escalation
• Performs automatic hunting for indicators
• Exports threats and indicators to the IR process for remediation and/or blocking
• Automatically adds additionally discovered threat indicators to watch lists to reduce the risk of missing threats
How it works – App that takes QRadar to the next level

IBM QRadar Advisor with Watson

1. QRadar Security Analytics Platform: set up automatic offense analysis to Advisor
2. QRadar Advisor: performs local data mining using observables to gather context
3. Watson for Cyber Security: applies powerful cognitive analytics, leveraging external data sources to connect insights
4. QRadar Advisor: provides intelligence to help analysts make faster triage decisions
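The local data mining step in this pipeline (pivoting from an offense's observables through local event data to related entities, then feeding newly discovered indicators to a watch list, as the Intelligent Investigation and Faster Response slides describe) can be illustrated with a small script. This is an added example written for this page, not QRadar Advisor's or IBM's code; the event schema, the field names, the sample events, the hop limit and the fan-out threshold are all assumptions constructed for the example.

```python
"""Observable pivot over local event data: from one offense seed, expand
breadth-first to related indicators and internal entities, then emit the
indicators not yet on a watch list.  Added illustration, not Advisor code."""
from collections import deque

# Constructed sample events standing in for a local SIEM search result.
# Field names are an assumption for this example, not QRadar's schema;
# addresses use RFC 5737 documentation ranges and hashes are shortened.
EVENTS = [
    {"src_ip": "10.0.0.5",  "user": "alice", "dst_ip": "203.0.113.10", "domain": "c2.example",   "sha256": None,     "action": "blocked"},
    {"src_ip": "10.0.0.5",  "user": "alice", "dst_ip": "198.51.100.7", "domain": None,           "sha256": "ab12ef", "action": "allowed"},
    {"src_ip": "10.0.0.9",  "user": "bob",   "dst_ip": "198.51.100.7", "domain": "cdn.example",  "sha256": "ab12ef", "action": "allowed"},
    {"src_ip": "10.0.0.9",  "user": "bob",   "dst_ip": "192.0.2.44",   "domain": "drop.example", "sha256": None,     "action": "allowed"},
    {"src_ip": "10.0.0.20", "user": "carol", "dst_ip": "192.0.2.44",   "domain": None,           "sha256": "ff9900", "action": "allowed"},
    # Shared infrastructure (a resolver) that many hosts talk to; a naive
    # pivot through it would pull every host on the network into the graph.
    {"src_ip": "10.0.0.30", "user": "dave",  "dst_ip": "203.0.113.53", "domain": None, "sha256": None, "action": "allowed"},
    {"src_ip": "10.0.0.31", "user": "erin",  "dst_ip": "203.0.113.53", "domain": None, "sha256": None, "action": "allowed"},
    {"src_ip": "10.0.0.32", "user": "frank", "dst_ip": "203.0.113.53", "domain": None, "sha256": None, "action": "allowed"},
    {"src_ip": "10.0.0.5",  "user": "alice", "dst_ip": "203.0.113.53", "domain": None, "sha256": None, "action": "allowed"},
]

INDICATOR_FIELDS = ("dst_ip", "domain", "sha256")  # externally researchable observables
CONTEXT_FIELDS = ("src_ip", "user")                # internal entities that scope impact


def find_events(value, events=EVENTS):
    """Indexes of all events in which any field equals the observable."""
    return [i for i, e in enumerate(events) if value in e.values()]


def pivot(seed, max_depth=4, max_fanout=3, events=EVENTS):
    """Breadth-first expansion of one seed observable through local events.

    Returns (nodes, edges, hubs): nodes maps each observable to its field type
    and the hop count at which it was reached; edges is a set of
    (observable, observable, event_index) triples recording which event ties
    two entities together; hubs lists observables that were reached but not
    expanded because they occur in more than max_fanout events.
    """
    nodes = {seed: {"type": "seed", "depth": 0}}
    edges, hubs = set(), []
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        depth = nodes[current]["depth"]
        if depth >= max_depth:
            continue
        matches = find_events(current, events)
        if len(matches) > max_fanout:
            hubs.append(current)      # remember it, but do not pivot through it
            continue
        for idx in matches:
            for field in INDICATOR_FIELDS + CONTEXT_FIELDS:
                value = events[idx][field]
                if value is None or value == current:
                    continue
                edges.add((current, value, idx))
                if value not in nodes:
                    nodes[value] = {"type": field, "depth": depth + 1}
                    queue.append(value)
    return nodes, edges, hubs


def discovered_indicators(nodes, hubs):
    """External observables the pivot surfaced, minus the seed and any hubs."""
    return sorted(v for v, meta in nodes.items()
                  if meta["type"] in INDICATOR_FIELDS and v not in hubs)


def new_watchlist_entries(nodes, hubs, existing):
    """Candidates for a watch list / reference set that are not on it yet."""
    return [v for v in discovered_indicators(nodes, hubs) if v not in existing]


def affected_entities(nodes):
    """Internal hosts and users tied to the seed: the scope of the incident."""
    return sorted(v for v, meta in nodes.items() if meta["type"] in CONTEXT_FIELDS)


def communication_status(indicator, events=EVENTS):
    """Whether any traffic involving the indicator got through or was all blocked."""
    actions = {events[i]["action"] for i in find_events(indicator, events)}
    if not actions:
        return "no contact"
    return "allowed" if "allowed" in actions else "blocked"


if __name__ == "__main__":
    seed = "203.0.113.10"                     # the IP the offense fired on
    nodes, edges, hubs = pivot(seed)
    print("communication with seed:", communication_status(seed))
    print("affected internal entities:", affected_entities(nodes))
    print("hubs skipped:", hubs)
    print("watch-list candidates:", new_watchlist_entries(nodes, hubs, {seed}))
    for value, meta in sorted(nodes.items(), key=lambda kv: kv[1]["depth"]):
        print(f"  hop {meta['depth']}: {value} ({meta['type']})")
```

The fan-out cap is the practitioner's caveat: shared infrastructure such as a DNS resolver, a proxy or a CDN appears in everyone's traffic, and pivoting through it turns a focused investigation into a graph of the whole network. The script still reports such hubs but excludes them from watch-list candidates. Candidates that survive the local pivot (cdn.example above is almost certainly benign) still need the external research step, the third box in the pipeline, before anyone blocks them; the hop limit bounds how far a single offense is allowed to drag an analyst.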

Advisor is quick to deploy and easy to consume: delivered via IBM Security App Exchange, downloadable in minutes, complimentary 30-day trials available.

How it works – Building the knowledge

5 minutes: structured crawl of critical security data (5-10 updates/hour)
• Sources: X-Force Exchange, trusted partner data, open source, paid data
• Billions of data elements: indicators, vulnerabilities, malware names, …

1 hour: crawl of unstructured security data (100K updates/week)
• Sources: blogs, websites, news, …
• Yields: new actors, campaigns, malware outbreaks, indicators, …

1-3 days: massive crawl of all security-related data on the web
• Sources: breach replies, attack write-ups, best practices, courses of action
• Millions of documents: actors, trends, indicators, …

Filtering + machine learning removes unnecessary information (3:1 reduction)

Machine learning / natural language processing extracts and annotates the collected data

Result: billions of nodes and edges in a massive security knowledge graph

How it works – Cognitive applied for cybersecurity

• Ingest mass amounts of data
• Classify, select, and normalize data
• Natural language processing for security context
• Training and learning with feedback
• Relational analysis visualized through knowledge graphs
How it works – Use cases further defined

• Utilize locally gathered and Watson external threat intelligence to gain broader context within your investigations
• Understand and quickly assess threats to know whether they bypassed your layered defenses or were stopped dead in their tracks
• Realize the reach of threats and their effects on other users and systems in your ecosystem
• Identify users and critical assets when they are involved in an incident and quickly pivot to gain details on user behavior activity and asset metadata
• Understand malware and ransomware sources, delivery methods and related components to help quickly determine your impact and next courses of action
QRadar Advisor with Watson automates tedious tasks, simplifies complex procedures, and presents its conclusions

Take your QRadar offense list and narrow in on the indicators that matter
We are excited to bring a variety of clients on this cognitive journey with us

"Advisor has been instrumental to our security program in the last year. We have a lot of new analysts and having Watson gave us more confidence. It delivered on our goals of speed and accuracy."
– Global distributor of electronics

"Chose to purchase Advisor because of our limited staff, overwhelming amount of work, and a need to automate as much as possible."
– Top university in Massachusetts, USA

"With increased responsibility and scale, we needed a solution that saves analysts time and increases efficiencies."
– Independent government agency
Accelerate incident analysis and apply AI with QRadar Advisor with Watson

✓ Accelerates incident triage with more automation and analysis depth
✓ Reduces the risk of missing threats
✓ Alleviates the pressure of the skills gap
✓ Augments incident response processes with comprehensive threat information and data

Visit our website to start a trial today
Sample Scenarios & Demo Resources

Client Connecting to Botnet IP
Screenshot caption: Watson indicators – Botnet IP

• QRadar fired an offense on a user attempting to connect to a botnet IP
  - Analyst found 5 correlated indicators manually while we ran Watson
• Watson showed the extent of the threat with 50+ useful indicators
  - Email hashes
  - File hashes
  - IP addresses
  - Domains
External Scan
Screenshot caption: Watson key indicators – Offense: external scan

• Light external scanning
• Looked like Shodan
  - Analyst would have marked it as a nuisance scan
• Watson revealed additional info
  - Botnet C&C (command and control)
  - Spam servers
  - Malware hosting

Client Malware Download
Screenshot caption: Watson key indicators – Client malware download

• Client attempted a malware download
  - Malware was blocked
  - How much time do you spend on a blocked threat?
• Watson enriched the offense
  - Malware was part of a larger campaign
  - Analysts used the additional indicators to search for compromise

Resources
Knowledge Center – latest with what’s new, support, etc.
Upcoming Events – webinars, local events, etc.

Links to short how-to videos:
• QRadar Watson Advisor Trial Request, Download, and Installation
• QRadar Watson Advisor Configuration
• QRadar Watson Advisor Incident Overview and Analysis

Links to informational and demo videos:
• Taking SIEM Cognitive In 3 minutes (Jose Bravo and Chris Hankins)
• Poison Ivy Malware Video
• Suspicious Activity (CozyDuke) Video

Link to Self-Help Support Forum
AppExchange
On-demand webinar – Rock your SOC (Security Operations Center) with Watson for Cyber Security
Solution brief
THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
