When your organization is under attack, knowing who is behind the threats and what their motives are can help you keep those threats from becoming reality. But cyber threat actors pursue their goals through a variety of means and for a variety of reasons, so it is critical to analyze a variety of data sources and proactively hunt the threats that are lying in wait. This webinar illustrates how the IBM i2 QRadar Offense Investigator app enables analysts to push event data from QRadar directly into IBM i2 Analyst's Notebook, where they can apply a variety of visual analysis techniques across disparate data sources to build a more comprehensive understanding of those threats and hunt them.
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting Today!
1. Threat Hunting and i2 QRadar Offense Investigator
Bob Stasio, CISSP, Senior Product Manager, i2 Intelligence, IBM Security
July 2017
2. IBM Security
Who is i2 Intelligence

History
• Those detective shows with the string walls…we do that, digitally
• 26+ years ago i2 began enabling digital investigations for military and law enforcement
• Started as desktop software, evolved into client/server option
• Helped 4,000+ customers, used by 80% of national security orgs globally – gold standard in intel

Core Use Cases
• National Security: military intelligence, counter terrorism fusion analysis, open source intel
• Law Enforcement: criminal investigations, counter gang, evidence presentation, intelligence
• Fraud: fraud investigations, insider threat, transaction analysis
• Cyber: investigate alerts, campaign tracking, event triage, threat hunting

Hottest Trend: Threat Hunting
• Next level of maturity for the SOC or SIOC organization
• Find the one specific “needle” in the massive stack of needles
• Powerful visualization and analytics, see data in a new way
• A platform to bring together all sources of disparate data
• Put the human in the loop to find the other human adversary
3. Threat Hunting Defined

Threat Hunting Cycle:
CREATE hypotheses → INVESTIGATE via tools and platforms → UNCOVER new patterns & TTPs → REPORT & ENRICH analytics

Components of Threat Hunting (layered diagram, from raw data up to analytics): Atomic (IDS, Logs); Correlated Platform (QRadar, X-Force, BigFix); Analytics (i2 Intelligence)

Threat Hunting is:
• Human-led analysis
• Proactive in nature
• Facilitated with an analyst workbench
6. Non-Linear Relationship Between Effectiveness and Cost

(Chart: x-axis Level of Effort, y-axis % of Threats Stopped; the curve runs from “Implement a Security Framework” at the low-effort end to “Complex Investigation” at the high-effort end.)

Intelligence time horizon, from left to right on the chart:
• Information Security: product example Firewall; personnel example Tier One SOC Analyst
• Cyber Analysis: product example SIEM Analysis; personnel example Tier Two SOC Analyst, Incident Responders
• Advanced Security Intelligence (HUNTING): product example Cyber Analysis and Threat Hunting; personnel example Cyber Analysts, Threat Researchers
8. Six Key Use Cases and Examples of Enterprise Intelligence

Key use case | Value delivered | Buyer
• Cyber Threat Hunting | Net new discovery of correlating low-level alerts and offenses | SOC Director, Head of Threat Intel, CISO, CTO
• Watchlists and Vetting | Greatly increased efficiency of investigation and increased level of data by orders of magnitude | Lead investigator
• Insider Threat | Identified discoveries of employees abusing privileges | Head of SIU
• VIP Protection | Immediate alerting of threats to VIPs and direct link to law enforcement | Head of Threat Intel, Cyber Intel Director
• Fraud Investigations | Identified net new money chain transfers | Head of FIU
• Threat Discovery | Immediate alerting on brand compromises and fraud on darkweb | Head of FIU, Head of Brand Protection
9. Why Customers Need i2 Intelligence for Threat Hunting

Problem | Description | How i2 Helps
• Overwhelming Data (structured, unstructured, open source) | Organizations have dozens of vendor and government data/intel feeds which are in multiple formats and difficult to acquire. It is nearly impossible to derive value from data | i2 is data agnostic and can ingest structured and unstructured datasets, then display a single-object model to the analyst for easy analysis
• Enterprise Level Analysis | A customer’s security and risk orgs are very siloed and operate in “fiefdoms”. Threat indicators need to be combined across security, intelligence, fraud, and risk | i2 is an extensible solution allowing the connection to data sources in place and for all analysts and groups to combine disparate data sources
• Asymmetric Threat | Advanced cyber threats have become commoditized through exploit kits; now a hacker with a $500 laptop and low skillset can negate millions in cyber investment | i2 allows for proactive searching and anomaly recognition through built-in analytics to discover latent threats hiding within noisy alerts
• Budget / Turnover / Skills | Our customers’ IT and security budgets are constantly being slashed, asked to do more with less. Also, it is very difficult to find trained cyber operators with advanced skills | i2 has an easy-to-use analyst UI; as one customer put it: “it takes me 6 months to train an analyst on a SIEM, with i2 an analyst is effective in days”
10. Intelligence Concepts are a Spectrum of Value

Concept | Value | Description | Analogy
• Optimizing | Decreasing time to know, prioritizing indicators | Seeing obvious issues from a different angle; creating efficiencies in other tools/domains; tuning alerts to appropriate threshold; understanding most important alerts; connecting multiple events and alerts | Alert Fatigue
• Force Multiplier | Understand trends and patterns, indicators | Discover patterns and trends over time; direct valuable resources for max impact; automate ingest, searches, functions; tip other collection sources using intel; pinpoint problem areas with analytics | Border Protection
• Predicting | Taking advantage of anomalies, preempting adversary action | Advanced differentiated information; using indicators to predict adversary action; discovering anomalies as key indicators; stopping adversary before reaching goal; understanding trends and how they impact | Market Prediction
11. Key Differentiators of i2 vs. Other Security Products
• For Advanced Users: Tier 3, Threat Hunters
• We Do Investigations: Human in the Loop
• Non-Cyber Datasets: Physical, HR, Dark Web

(Chart: axes Complexity of Data vs. Volume of Data. Security Operations start with the Known; Hunting starts with the Unknown.)
12. What is an Unknown Unknown Search

(Diagram: Offense 1 linked to Offense Properties a, b, f; a second offense linked to Offense Properties c, d, e, g, h, i. The hunt looks for properties that appear on more than one offense.)

Ask the question: “show me which offenses share the same property” – you don’t know the subset of offenses, nor the subset of properties to search.
13. Specific Hunting Scenario

Using the power of i2…

Ask the question: “Find the person who…”
• Is part of a specific organization
• Is associated with a monetary transaction
• Who also made a call on a certain date
• Who also came up in an alert
• Which was also associated with an extracted document
• Who also is associated with a vehicle tag
• Which was seen on a surveillance camera at night

Imagine the scenario:
• Investment bank wants to know if any insiders are committing fraudulent trades
• The person would be sophisticated and perhaps changing terminals and logins
• The person would also come in on the night shift to cover what they are doing

This is Very Difficult!
• Data from multiple domains and silos
• Challenging to correlate facts in the case
• Existing security tools are too niche in use
14. What is Needed to Conduct Threat Hunting
• SOC & SIEM: Foundational Data
• Threat Intelligence: Known Indicators
• Intelligence Analysis Tools: Organization + Discovery (i2 Intelligence area of expertise)
• Statistical Analysis: Anomaly Detection
15. What is i2 Intelligence?

Analyst Workbench (“Front End”): Network & Link Analysis, Transactional Timelines, Analytical Tools, Geospatial Integration
• Out-of-the-box analytics & visualization that help find and track adversaries in both the government and private sector
• Intuitive UI design used by 1,000’s of analysts for over 25 years which greatly speeds up investigation with efficiency
• Create products for decision making or to provide evidence of criminal behavior or as visual aids during an investigation

Enterprise Server (“Back End”)
• Combine all internal & external data sources into a single object model in order to understand multi-dimensional data
• Advanced searching to quickly expand on an investigation by allowing the analyst to “pivot” a search on any variable
• Deep server-side analytics that allow presentation of non-obvious relationships and data patterns to the analyst

Data Ingestion: structured, semi-structured and unstructured sources are loaded into the Enterprise Server in Entity, Link, Property (ELP) format
17. Announcing New App: i2 QRadar Offense Investigator app via IBM Security App Exchange

Triage Analysis / Block and Tackle: from QRadar to i2 Analyst’s Notebook
• Analyst can select specific offenses with an integrated “i2 button”
• Offenses and connected data are pushed into i2 ANB
• QRadar Plugin: data can be pulled into i2 ANB through the QRadar API
• Supports Offense Correlation and Hunt Investigations

Cyber Analyst persona (“Tom with QRadar App”), Tier 3 or “Hunt” Analyst:
• Proactive threat analysis
• Looks for trends, anomalies
• Uses SIEM and analysis tool

Value of i2 threat hunting for QRadar app:
• Greatly increase efficiency of investigation
• Automatically enrich offenses within i2 Analyst’s Notebook
• Simplifies and accelerates sales cycle generated by the IBM Security sales team
• Shows “out-of-the-box” integration with IBM Security products, specifically QRadar
19. Example Analysis Tools Over QRadar Data
Example Analysis Tools Over QRadar Data
• Network Analytics
• Bar Charts and Histograms
• Copy to Timeline
• List Most Connected
• Find Connecting Network
• Activity View
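The “unknown unknown” question from slide 12 (which offenses share a property?) and the Analyst’s Notebook tools listed above (List Most Connected, Find Connecting Network) can be reproduced on QRadar offense data with a few lines of code. The following is an added example written for this page, not code from the i2 app or from IBM. The endpoint `/api/siem/offenses`, the `SEC` token header and the offense field names (`id`, `offense_source`, `rules`, `categories`, `destination_networks`) are those of the QRadar REST API; everything else, including the three sample offenses and their values, is constructed for illustration.

```python
"""Offenses to ELP, then an "unknown unknown" shared-property hunt.

Added example, not IBM's app code. SAMPLE_OFFENSES is constructed to
mimic records from QRadar's GET /api/siem/offenses (field names from
that API; every value is invented for illustration).
"""
from collections import defaultdict, deque
import json
import urllib.request
from urllib.parse import urlencode

# Constructed sample: offenses 101 and 103 share a source IP and a rule;
# offense 102 is unrelated to either.
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Excessive Firewall Denies from a Single Source",
     "offense_source": "10.0.5.23", "categories": ["Firewall Deny"],
     "rules": [{"id": 100205, "type": "CRE_RULE"}],
     "destination_networks": ["DMZ"]},
    {"id": 102, "description": "Multiple Login Failures for a Single Username",
     "offense_source": "jsmith", "categories": ["General Authentication Failed"],
     "rules": [{"id": 100330, "type": "CRE_RULE"}],
     "destination_networks": ["Corporate"]},
    {"id": 103, "description": "Outbound Connection to Known Bad Host",
     "offense_source": "10.0.5.23", "categories": ["Misc Suspicious Event"],
     "rules": [{"id": 100205, "type": "CRE_RULE"}, {"id": 100512, "type": "CRE_RULE"}],
     "destination_networks": ["Internet"]},
]


def fetch_offenses(console, sec_token, limit=50):
    """Pull open offenses from a live console (not called here, so the
    example runs offline). SEC carries the authorized-service token; TLS
    verification is left on, so trust the console's CA, don't disable it."""
    url = f"https://{console}/api/siem/offenses?" + urlencode(
        {"filter": 'status = "OPEN"'})
    req = urllib.request.Request(url, headers={
        "SEC": sec_token, "Accept": "application/json",
        "Range": f"items=0-{limit - 1}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def to_elp(offenses):
    """Entity-Link-Property view: each offense is an entity, and every
    identifier it carries (source, rule, category, destination network)
    is a property entity linked to it. Returns sorted (offense, property)
    link pairs, the shape Analyst's Notebook charts."""
    links = set()
    for off in offenses:
        oid = f"offense:{off['id']}"
        props = [f"source:{off['offense_source']}"]
        props += [f"rule:{r['id']}" for r in off.get("rules", [])]
        props += [f"category:{c}" for c in off.get("categories", [])]
        props += [f"network:{n}" for n in off.get("destination_networks", [])]
        links.update((oid, p) for p in props)
    return sorted(links)


def shared_properties(links, min_offenses=2):
    """The unknown-unknown question "which offenses share a property?":
    no offense subset or property name is chosen up front; any property
    reached by at least min_offenses distinct offenses is reported."""
    by_prop = defaultdict(set)
    for oid, prop in links:
        by_prop[prop].add(oid)
    return {p: sorted(o) for p, o in by_prop.items() if len(o) >= min_offenses}


def most_connected(links, top=3):
    """'List Most Connected': entities ranked by degree, hubs first."""
    degree = defaultdict(int)
    for a, b in links:
        degree[a] += 1
        degree[b] += 1
    return sorted(degree.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def connecting_network(links, start, goal):
    """'Find Connecting Network': shortest path between two entities over
    the offense/property graph (breadth-first search); None if unlinked."""
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(adj[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    elp = to_elp(SAMPLE_OFFENSES)
    for prop, offs in shared_properties(elp).items():
        print(f"{prop} is shared by {', '.join(offs)}")
    print("most connected:", most_connected(elp))
    print("101 -> 103 via:", connecting_network(elp, "offense:101", "offense:103"))
```

Run stand-alone, the shared-property search surfaces `source:10.0.5.23` and `rule:100205` as the links between offenses 101 and 103 without either being named in the query, which is the point of the unknown-unknown search: the analyst asks for overlap, not for a specific indicator. Swapping `SAMPLE_OFFENSES` for the output of `fetch_offenses()` gives the same hunt over a live console; keep the `SEC` token out of source control and scope the authorized service to read-only offense access.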
20. Understanding Workflow Between Analysts

Data sources feeding the workflow: Foundational Security Data (QRadar); Watson for Cyber Security (Cyber Corpus, QRadar Advisor); IBM i2 (Physical Security Data, Geospatial Data, Non-Traditional Data)

• Tier 1 Analyst: Triage, Awareness, Alerting, Initial Analysis, Offense Review, Visibility, Aggregation, Detection, Monitoring, Vulnerability Mngt
• Tier 2 Analyst: Enrichment, Alerting, Increased Accuracy, Hypothesis Generation, Speed Up Investigation, Context Enhancement, Event Visualization
• Tier 3 Analyst: All Source Data Analysis, Deep Investigation, Mathematical Model Analysis, ELP Searching, Advanced Data Queries, Active Visualization
21. Connecting the dots: a large North American custody bank gained valuable insight from correlating multiple low-level offenses

5,000:1 reduction in event analysis
Hours to seconds: decreased investigation time with the ability to correlate multiple low-level events to identifiers

Business challenge: visually understand how multiple low-level SIEM alerts fit together, on a daily basis. See how individual identifiers (e.g. IP, machine name, etc.) can come up on multiple events.

IBM Security i2 EIA: gained superior visualization of interconnectivity and correlation among incidents, realizing a 5,000:1 decrease in event analysis and a significant decrease in investigation time from hours to seconds.
22. Finding fraud faster: a UK based savings and loan bank greatly increases the effectiveness of fraud investigations

80% decrease in time to complete investigations
Minimize risk and catch more criminals, sharing with LE

Business challenge: analysts spent days on fraud investigations, crawling through spreadsheets, and had to manually create diagrams once reaching a conclusion to share with law enforcement.

IBM Security i2 EIA: accelerates investigations by up to 80%, eliminates hours of spreadsheet-based analysis by presenting data visually and helps analysts tackle complex investigations without impacting normal operations.
23. Customer Use Case Mapping

Buyer personas: Chief Risk & Compliance Officer, CISO, CSO, Investigations

• SOC Use Cases: Threat Hunting, Incident Investigations, Event Correlation
• Threat Intel Use Cases: Campaign Tracking, Intel Report Production
• Insider Threat Use Cases: Threat Discovery, Watchlists, Vetting
• Physical Security Use Cases: Political Unrest Assessments, Building Threat Assessments, Theft Investigations
• VIP Protection Use Cases: Stakeholder Threat Assessment, Reputation Investigation
• Travel Risk Use Cases: Area Threat Assessment, Event Threat Assessment
• Internal Fraud Use Cases: Privilege Misuse, Money Laundering, Insider Trading
• External Fraud Use Cases: Account Takeover, Organized Crime Investigation
• SIU Use Cases: Insurance Fraud, Complex Fraud Investigation
24. Where You can Find the i2 Intelligence Team

i2 WW and Geo Sales Leadership; i2 Offering Management Leadership; i2 WW Technical Leadership:
Will Martin - NA; Jon Whitman - WW; Akiba Saeedi; Bob Thimsen; Bob Stasio; David Waxman; Julian Midwinter - EUR; Harry McCue - GM; Steve Dalzell; Mike Kehoe - WW

IBM and Partner Use Only