
i2 Overview

FRIDAY LUNCHTIME EDUCATION SESSIONS

Ross Maughan
i2 Services WW Practice Lead
What is i2?
Our history

Over 25 years of helping organizations catch the bad guys and protect the public.

• Those detective shows with the string walls… we do that, digitally, across the world.
• 26+ years ago i2 began enabling digital investigations for military and law enforcement, then moved into commercial organizations for fraud and cyber investigations.
• Helped 4,000+ customers, used by 80% of national security orgs globally – gold standard in intel.

2 IBM Security
What is i2?
Main use cases

National Security & Defense: military intelligence, counter terrorism, border security, human terrain mapping.

Law Enforcement: criminal investigations, counter gang, evidence presentation, intelligence.

Fraud: fraud investigations, anti-money laundering, 3rd party and insider threat, transaction analysis.

Cyber Threat Analysis: investigate alerts, campaign tracking, event triage, threat hunting.

What is i2?
Hottest trend

Threat Analysis & Threat Hunting


• Next level of maturity for the SOC or SIOC organization

• Find the one specific “needle” in the massive stack of needles

• Powerful visualization and analytics, see data in a new way

• A platform to bring together all sources of disparate data

• Put the human in the loop to find the other human adversary

What is i2?
Generating insights, from complex and un-related data

Demo
That’s enough charts… time to show the software.

IBM i2 Enterprise Insight Analysis (EIA)
Our main product – for a comprehensive capability set

Opportunities for i2
For up-sell, driving additional value, providing competitive differentiators

• If your customer is creating or already has a:


̶ Threat Intelligence Team
̶ Threat Hunting Team
̶ Fraud Investigation Team

• If your customer is ready for Proactive Defense:


̶ Next generation SOCs (beyond just the SIEM)
̶ They want to combine external and internal intelligence sources
̶ They are trying to get value out of a security data lake

• If you hear any of these use cases raised:


̶ Threat Hunting, Cyber Threat Analysis, Cyber Threat Intelligence, Campaign Tracking, APT
Analysis, Tier 3 Investigation, Data Trend Analysis, Patterns and Anomaly Analysis, Threat
Intelligence Platform

• Splunk shops where you might be trying to get IBM technology in the door (we
can work with any SIEM)

i2 Professional Product Services
More than just “doing the software install”

• Our mission: ensuring our software gets successfully deployed and our customers
are happy!
• Our skills:
̶ Deep product knowledge, with years of experience
̶ Global coverage, with a pan-European team
̶ SMEs and solution architects as well as delivery resources

• Our offerings:
̶ Assistance with proof-of-concept & proof-of-technology projects
̶ Solution workshops and implementation planning
̶ Deployment ‘quick-starts’ to get customers up-and-running
̶ Full enterprise delivery and roll-out
̶ Healthchecks and support for upgrades and on-going maintenance
̶ End-user and technical training
̶ Product customisation and plug-in development
̶ Services and partner ‘assets’ for accelerated delivery or added capabilities

Example offering: Cyber Threat Analysis
Three flavors to choose from:

Entry Level (QRadar customers) – pre-packaged
  Product: IBM i2 Analyst’s Notebook Cyber Edition
  Add-ons: i2 QRadar Offense Investigator (free on the app store)
  Services: install & configuration, user training, health check and top-up training after 2 months.

Cyber Threat Analysis Quick Start (all customers) – pre-packaged
  Product: IBM Enterprise Insight Analysis (2 seats minimum)
  Services: quick start offering, pre-built integrations and assets, health check and top-up training after 2 months.

Advanced Threat Hunting & Analysis (all customers) – custom
  Product: IBM Enterprise Insight Analysis (2 seats minimum)
  Services: custom engagement based on use case and requirements.

Where to get more information

• i2 Perspectives Learning Path


̶ Lots of nice, short videos and self paced learning.
̶ http://ibm.biz/i2-Perspectives

• Subscribe (and post!) to our slack channels to get in touch with i2 experts
̶ #i2
̶ #sec-pps-hotline

• Watch my upcoming presentation, next Tuesday 29th August for more information on our Cyber Threat
Hunting services offering.

• Lots more links and reading materials in the reference charts in this presentation.

THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind,
express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products
and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service
marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your
enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others.
No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products
or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
Some useful reference material
Complex network analysis

Understand connections and uncover patterns over time

Understanding patterns of behaviour

Find Connecting Networks

Understanding where – Putting the here into where

Storing and sharing intelligence

• Put real-time intelligence at point of need
• Facilitate team collaboration
• Retain organizational memory of prior threats
• Share and disseminate intelligence with other users, or build into future detection processes.

Flexible and Unique Data Model
For linking rather than simply fusing data

[Figure: Entity / Link / Property model joining structured security data (SIEM), threat intelligence, social media, HR records and other non-traditional data]

i2 EIA allows multiple types of data to be integrated in one object model. This combines the entities, links and properties across multiple data sets. A SIEM alone can’t understand this multi-dimensional environment.

• Entity: the “noun” of the data model: a person, place, thing or event
• Link: describes the relationship between two objects
• Property: the “adjectives” that describe the objects

Data is the key…
High level component view of the three ways of bringing data into i2

[Figure: three ingestion paths. (1) Import or Connect: 3rd-party data imported or connected into an i2 chart in EIA / Analyst’s Notebook Premium, backed by the i2 Repository. (2) ETL: 3rd-party data loaded into the EIA Data Store on the i2 Platform and served to the i2 clients (Intel Portal & ANB-P). (3) Connector: external system(s) reached through a DAOD connector on the i2 Platform and served to the same i2 clients.]

Over time these DAOD connectors become productised or become services assets.

Why Cyber Threat Analysis matters to your customers

Increases efficiency
• Remove manual processes in understanding threats and shorten the data to decision
process.
• We empower the user through human-led analytics, whilst maintaining mission flexibility.

Increases accuracy
• Discovering hidden patterns and non-obvious relationships to identify the critical data
within the noise.
• Reducing enterprise amnesia by capturing and sharing intelligence across the
organization.

Cost-effective and proven solution


• Commercial off-the-shelf software.
• Pre-built services assets and data connectors.
• 25 years of heritage capability and experience across all industry sectors
• Over 4000 clients, more than 400,000 users in 150 countries in 18 languages

A large North American custody bank gained valuable insight from
correlating multiple low-level offenses
Connecting the dots

5,000:1
Reduction in event analysis

Hours to Seconds
Decreased investigation time with the ability to
correlate multiple low-level events to identifiers

Business challenge
• Visually understand how multiple low-level SIEM alerts fit together, on a daily basis. See how individual identifiers (e.g. IP, machine name, etc.) can come up on multiple events

IBM Security i2 EIA


Gained superior visualization of interconnectivity and correlation among incidents, realizing a 5,000:1
decrease in event analysis and a significant decrease in investigation time from hours to seconds
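As an added example (not code from this deck or from the i2 product), the Python below builds the Entity / Link / Property model described on the data-model slide above over a handful of constructed SIEM alert rows and threat-intel rows, then does the two things this case study describes: it pivots on shared identifiers (IP, host, user) to find low-level alerts that belong together, and it follows links from an alert through a domain to a threat-intel indicator and its campaign. The CSV data, column names, campaign names and link kinds are all assumptions made for the example.

```python
"""Entity-Link-Property (ELP) graph over constructed SIEM alerts and threat intel.

Added example, not i2 product code. Every row below is constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample SIEM alerts (hypothetical identifiers and rule names).
SIEM_ALERTS_CSV = """\
alert_id,timestamp,rule,src_ip,host,user,dest_domain
1001,2017-08-21T09:12:03Z,Multiple failed logins,10.0.5.23,WS-0412,jsmith,
1002,2017-08-21T09:40:17Z,New local admin created,10.0.5.23,WS-0412,jsmith,
1003,2017-08-21T10:02:55Z,Outbound to rare domain,10.0.5.23,WS-0412,svc_backup,update-cdn-check.example
1004,2017-08-21T11:15:00Z,Multiple failed logins,10.0.7.8,WS-0999,bdoe,
"""

# Constructed sample threat-intel feed (hypothetical campaign names).
THREAT_INTEL_CSV = """\
indicator_type,indicator,campaign
domain,update-cdn-check.example,Campaign-A
ipv4,203.0.113.45,Campaign-B
"""


class Graph:
    """Entities are the nouns, links the relationships, properties the adjectives."""

    def __init__(self):
        self.entities = {}                 # (kind, key) -> properties dict
        self.links = defaultdict(set)      # (kind, key) -> {((kind, key), link_kind)}

    def entity(self, kind, key, **props):
        node = (kind, key)
        self.entities.setdefault(node, {}).update(props)
        return node

    def link(self, src, dst, link_kind):
        # Stored in both directions so an analyst can pivot from either end.
        self.links[src].add((dst, link_kind))
        self.links[dst].add((src, link_kind))

    def neighbours(self, node, kind=None):
        return sorted(n for n, _ in self.links[node] if kind is None or n[0] == kind)


def build_graph(siem_csv=SIEM_ALERTS_CSV, intel_csv=THREAT_INTEL_CSV):
    g = Graph()
    # Index intel first so alerts can be linked to indicators as they are read.
    for row in csv.DictReader(io.StringIO(intel_csv)):
        ind = g.entity("indicator", row["indicator"], type=row["indicator_type"])
        g.link(ind, g.entity("campaign", row["campaign"]), "attributed_to")
    for row in csv.DictReader(io.StringIO(siem_csv)):
        alert = g.entity("alert", row["alert_id"], rule=row["rule"], ts=row["timestamp"])
        # Each identifier becomes its own entity shared by every alert that mentions it.
        for col, kind in (("src_ip", "ip"), ("host", "host"), ("user", "user")):
            g.link(alert, g.entity(kind, row[col]), "observed_on")
        if row["dest_domain"]:
            dom = g.entity("domain", row["dest_domain"])
            g.link(alert, dom, "connected_to")
            # Linking rather than fusing: the indicator stays a separate entity.
            if ("indicator", row["dest_domain"]) in g.entities:
                g.link(dom, ("indicator", row["dest_domain"]), "matches")
    return g


def pivot_identifiers(g, min_alerts=2):
    """Identifiers (ip/host/user) that several alerts share: the 'connect the dots' step."""
    out = {}
    for node in g.entities:
        if node[0] in ("ip", "host", "user"):
            alerts = [a[1] for a in g.neighbours(node, "alert")]
            if len(alerts) >= min_alerts:
                out[node] = sorted(alerts)
    return out


def intel_hits(g):
    """Alerts reachable from a campaign: alert -> domain -> indicator -> campaign."""
    hits = []
    for node in g.entities:
        if node[0] != "alert":
            continue
        for dom in g.neighbours(node, "domain"):
            for ind in g.neighbours(dom, "indicator"):
                for camp in g.neighbours(ind, "campaign"):
                    hits.append((node[1], ind[1], camp[1]))
    return sorted(hits)


if __name__ == "__main__":
    graph = build_graph()
    for ident, alerts in pivot_identifiers(graph).items():
        print(f"{ident[0]} {ident[1]} appears in alerts {alerts}")
    for alert_id, indicator, campaign in intel_hits(graph):
        print(f"alert {alert_id} -> {indicator} -> {campaign}")
```

Run stand-alone it reports that 10.0.5.23 and WS-0412 tie alerts 1001, 1002 and 1003 together (three separate low-level offenses that a per-rule view would show in isolation), while 10.0.7.8 is left alone because only one alert mentions it; alert 1003 is additionally attributed to Campaign-A through the indicator match. The same pivot and hop logic applies unchanged as more sources (HR records, social media) are added as further entity kinds.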

23 IBM Security IBM INTERNAL USE ONLY


A UK based saving and loan bank greatly increases the effectiveness of
fraud investigations
Finding Fraud Faster

80% Decrease
In time to complete investigations

Minimize Risk
and catch more criminals, sharing with LE

Business challenge
• Analysts spent days on fraud investigations, crawling through spreadsheets
• Had to manually create diagrams once reaching a conclusion to share with law enforcement

IBM Security i2 EIA


Accelerates investigations by up to 80%, eliminates hours of spreadsheet-based analysis by presenting
data visually and helps analysts tackle complex investigations without impacting normal operations



A large multinational investment bank and financial services firm expands
i2 investigation investment to cyber hunting and threat intelligence
Cyber Threat Hunting

1M Docs Ingested
unstructured data ingestion at scale

Net New Discovery


discovered previously unknown campaign

Business challenge
• Analysts had no way to automatically correlate phishing data with threat intel data
• Had to manually go through hundreds of thousands of unstructured phishing reports

IBM Security i2 EIA


During a robust POC, i2 was able to rapidly ingest about 1M unstructured documents and discover a
previously unseen targeted phishing attack against senior executives at the company. The rapid
ingestion, correlation, and visualization within i2 made this campaign stand out.



Value of threat hunting and threat intelligence…
Intel driven detection and response model

Intelligence Detect Respond

The ‘as is’ in many organizations…

• Intelligence likely to be based on low level information (e.g. Host & Network Artifacts and Atomic
Indicators).
• May be gathering lots of existing intelligence feeds but find it hard to consume it or understand it.
• May be missing critical information that is non-obvious or buried in the data and that only a human
can identify.
• Using existing visualization tools that don’t scale or provide multi-dimensional analytical
capabilities.
• Unable to store, share or easily disseminate new threat intelligence.
The ’to be’ with i2…

• Improve detection by improving intelligence on the Tactics, Techniques and Procedures (TTPs), strategy
and goals of threat actors.
• Empower the SOC analyst with multi-dimensional analysis and visualization tools.
• Create their own Intelligence database and share/disseminate with others internally and/or externally
• Fuse and enrich traditional threat intel data with information from across the enterprise, open source,
dark web and other external sources.

Where do we sit in the Security eco-system?
An integrated and intelligent security immune system

[Figure: IBM “security immune system” diagram. i2 sits in the “Threat hunting and investigation” capability, alongside: indicators of compromise, IP reputation, threat sharing; network forensics and threat management, firewalls, sandboxing, virtual patching, network visibility and segmentation; endpoint patching and management, antivirus, malware protection; threat and anomaly detection, incident response, cognitive security, user behavior analysis, vulnerability management; transaction protection, fraud protection, criminal detection; device management, content security; data monitoring, data access control; application scanning, application security management; privileged identity management, entitlements and roles, access management, identity management; cloud access security broker, workload protection.]

Additional links and enablement…

• Learn more about Intelligence Analysis and our users:


• http://www.securitydegreehub.com/what-is-intelligence-analysis/

• http://www.softwarecareertoday.net/faq/what-is-an-intelligence-analyst-in-cyber-security/

• https://www.interpol.int/INTERPOL-expertise/Criminal-Intelligence-analysis

• For a whole heap of other useful information:


̶ Understanding Threat Hunting Blog: https://securityintelligence.com/understanding-cyber-threat-hunting/
̶ The Art of Threat Hunting Cyber Beat Live video cast https://www.youtube.com/watch?v=9smYbvkIYI0
̶ Why you need to be Threat Hunting webinar: https://securityintelligence.com/events/orchestrate-your-security-defenses-why-
you-need-to-be-hunting-cyber-threats/
̶ Understanding a Different Dimension of Security video cast: https://www.youtube.com/watch?v=QHyAAIUIzzg
̶ Whitepaper: The awakening of cyber threat analysis: https://www-01.ibm.com/common/ssi/cgi-
bin/ssialias?subtype=WH&infotype=SA&htmlfid=YTW03437USEN&attachment=YTW03437USEN.PDF
̶ Threat Hunting Top Priority for 2017 blog: https://securityintelligence.com/news/threat-hunting-is-a-top-security-priority-for-
2017/
̶ EIA for Cyber Threat Hunting Solution Brief: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=ZZS03196USEN&
̶ i2 Navigator: https://ibm.biz/i2_navigator
̶ EIA Learning Plan: https://ibm.biz/EI_training
̶ i2 Perspectives (1H 2017) Learning Plan (contains many videos and demos): http://ibm.biz/i2-Perspectives

• IBM Cyber Beat Live (many YouTube videos):


https://www.youtube.com/results?search_query=ibm+cyber+beat

Q&A


29 IBM Security 10/27/20
