Ross Maughan
i2 Services WW Practice Lead
What is i2?
Our history
Over 25 years of helping organizations catch the bad guys and protect the public.
• Those detective shows with the string walls…we do that, digitally across the world
• 26+ years ago i2 began enabling digital investigations for military and law enforcement, then moved into commercial organizations for fraud and cyber investigations.
2 IBM Security
What is i2?
Main use cases
• National Security & Defense: military intelligence, counter terrorism, border security, human terrain mapping.
• Law Enforcement: criminal investigations, counter gang, evidence presentation, intelligence.
• Fraud: fraud investigations, anti-money laundering, 3rd party and insider threat, transaction analysis.
• Cyber Threat Analysis: investigate alerts, campaign tracking, event triage, threat hunting.
What is i2?
Hottest trend
• Put the human in the loop to find the other human adversary
What is i2?
Generating insights, from complex and un-related data
Demo
That’s enough charts… time to show the software.
IBM i2 Enterprise Insight Analysis (EIA)
Our main product – for a comprehensive capability set
Opportunities for i2
For up-sell, driving additional value, providing competitive differentiators
• Splunk shops where you might be trying to get IBM technology in the door (we can work with any SIEM)
i2 Professional Product Services
More than just “doing the software install”
• Our mission: ensuring our software gets successfully deployed and our customers are happy!
• Our skills:
  – Deep product knowledge, with years of experience
  – Global coverage, with a pan-European team
  – SMEs and solution architects as well as delivery resources
• Our offerings:
  – Assistance with proof-of-concept & proof-of-technology projects
  – Solution workshops and implementation planning
  – Deployment ‘quick-starts’ to get customers up-and-running
  – Full enterprise delivery and roll-out
  – Healthchecks and support for upgrades and on-going maintenance
  – End-user and technical training
  – Product customisation and plug-in development
  – Services and partner ‘assets’ for accelerated delivery or added capabilities
Example offering: Cyber Threat Analysis
Three flavors to choose from:
• Pre-packaged
  – Cyber Threat Analysis Product: IBM Enterprise Insight Analysis (2 seats minimum)
  – Quick Start Services (all customers): quick start offering, pre-built integrations and assets, health check and top-up training after 2 months.
• Custom
  – Hunting & Analysis Services (all customers): custom engagement based on use case and requirements.
Where to get more information
• Subscribe (and post!) to our slack channels to get in touch with i2 experts
  – #i2
  – #sec-pps-hotline
• Watch my upcoming presentation, next Tuesday 29th August, for more information on our Cyber Threat Hunting services offering.
• Lots more links and reading materials in the reference charts in this presentation.
THANK YOU
FOLLOW US ON:
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Some useful reference material
Complex network analysis
Understand connections and uncover patterns over time
Understanding patterns of behaviour
Find Connecting Networks
Understanding where – Putting the here into where
Storing and sharing intelligence
Flexible and Unique Data Model
For linking rather than simply fusing data
[Figure: data model diagram linking sources such as SIEM, Social Media and Non-Traditional Data]
Data is the key…
High level component view of the three ways of bringing data into i2
[Figure: component diagram, shown twice in the deck. Data sources: i2 Chart Notebook, EIA Premium Data, 3rd Party Data and External System(s), each reaching the i2 Platform through a connector (the i2 Repository Connector or a third-party/external connector). i2 Clients: Intel Portal & ANB-P.]
Over time these DAOD connectors become productised or become services assets.
Why Cyber Threat Analysis matters to your customers
Increases efficiency
• Remove manual processes in understanding threats and shorten the data to decision process.
• We empower the user through human-led analytics, whilst maintaining mission flexibility.
Increases accuracy
• Discovering hidden patterns and non-obvious relationships to identify the critical data within the noise.
• Reducing enterprise amnesia by capturing and sharing intelligence across the organization.
A large North American custody bank gained valuable insight from correlating multiple low-level offenses
Connecting the dots
• 5,000:1 reduction in event analysis
• Hours to seconds: decreased investigation time with the ability to correlate multiple low-level events to identifiers
Business challenge: visually understand how multiple low-level SIEM alerts fit together, on a daily basis. See how individual identifiers (e.g. IP, machine name, etc) can come up on multiple events.

Second case
• 80% decrease in time to complete investigations
• Minimize risk and catch more criminals, sharing with LE
Business challenge: analysts spent days on fraud investigations, crawling through spreadsheets. Had to manually create diagrams once reaching a conclusion to share with law enforcement.

Third case
• 1M docs ingested: unstructured data ingestion at scale
Business challenge: analysts had no way to automatically correlate phishing data with threat intel data. Had to manually go through hundreds of thousands of unstructured phishing reports.
• Intelligence likely to be based on low level information (e.g. Host & Network Artifacts and Atomic Indicators).
• May be gathering lots of existing intelligence feeds but find it hard to consume or understand them.
• May be missing critical information that is non-obvious or buried in the data and that only a human can identify.
• Using existing visualization tools that don’t scale or provide multi-dimensional analytical capabilities.
• Unable to store, share or easily disseminate new threat intelligence.
The ’to be’ with i2…
• Improve detection through improving intelligence on Techniques, Tools, Procedures (TTPs), Strategy and Goals of threat actors.
• Empower the SOC analyst with multi-dimensional analysis and visualization tools.
• Create their own Intelligence database and share/disseminate with others internally and/or externally.
• Fuse and enrich traditional threat intel data with information from across the enterprise, open source, dark web and other external sources.
Where do we sit in the Security eco-system?
An integrated and intelligent security immune system
[Figure: security immune system diagram with areas including indicators of compromise, IP reputation, threat sharing, network forensics and threat management, endpoint patching and management, firewalls, antivirus, sandboxing, malware protection, virtual patching, network visibility and segmentation]
Additional links and enablement…
• http://www.softwarecareertoday.net/faq/what-is-an-intelligence-analyst-in-cyber-security/
• https://www.interpol.int/INTERPOL-expertise/Criminal-Intelligence-analysis
Q&A
[Figure: cycle diagram with the stages Preparedness, Response, Mitigation, Recovery]