default_blue.png

Automation and reasoning in threat management

Overview

The goal of our research is to help security teams to manage cyber threats. We are focusing on accelerating the threat management process from detecting, investigating, to responding to emerging attacks. We move away from the current generation of reactive systems to a proactive generation of systems by leveraging AI and Automation technologies. We look at ways of distilling enormous volumes of data into information, turn these into actionable knowledge and context enabling rapid insights and reaction by security teams.

threatm1.png

Detection

Use machine learning and AI technologies to process billions of telemetry and log data generated every day to identify outliers and suspicious behavior patterns.

Investigation

Apply automated reasoning, graph theory, and machine learning to analyze alerts, enrich with contextual and threat intelligence information, correlate, and assess severity and priority.

Response

Identify the root cause of an incident to define containment, eradication, and remediation actions as well as mitigation strategies to prevent future, similar incidents.

threatm2.jpg

Featured Projects

XDR: eXtended Detection and Response

IBM Security

While there is continuous advancement in the various security technology stacks available on the market today, the tasks of security analysts remain unchanged. They have to analyze large numbers of often quite complex security alerts that current security solutions tend to generate. The objective is quite simple but very demanding: discriminate between true and false alerts. Together with IBM Security we are developing novel solutions that allow the security analysts to focus on the most relevant alerts and empower them to more quickly and more accurately classify alerts. In our solutions we bring together a wide range of technologies such as Artificial Intelligence, Natural Language Processing, Knowledge Graphs, or Data Visualization.

We work very closely with IBM Managed Security Services (MSS) security analysts and the IBM Security product teams towards our common goal of developing accurate and easy-to-use XDR technology.

Learn more about IBM QRadar XDR Connect

Artificial Intelligence for Cyber Defense: Blue Team Automation

Client project

Cyber Security very often is portrayed as an arms race between attackers and defenders. In the same spirit, live-fire cyber defense exercises are organized in which adversary teams (Red Teams) are attacking a given compute environment and defenders (Blue Teams) are tasked to defend it. A predefined scoring system allows to identify the most successful Red and Blue Teams. The challenge that we have set ourselves is to invent and develop an autonomous system that can take over the role of a Blue Team and successfully compete in cyber security exercises. The solution being developed heavily builds on AI technology for analyzing and reasoning on streams of security telemetry data and for automatically initiating remediation actions.

This work is performed in close collaboration with the Cyber Defence Campus of the Federal Office for Defence Procurement (armasuisse).

Cyber Security and Data Science

Research

Over the years security analytics has become a big data challenge. Many of today’s security solutions analyze large volumes of (security) telemetry data to detect signs of suspicious activities. Looking at the many analytics solutions that have been proposed and reported on, one can state that a wide range of data analysis methods and tools have been applied to the security problem. However, for various reasons, very often newly developed solutions have not had a lasting impact.

Our objective is to bring the security and data science disciplines closer together to build sound security analytics solutions. Thanks to our collaboration with the IBM Managed Security Solutions organization, we have access to labeled security data that got collected in heterogeneous compute environments and originated from a diverse set of security tools. This data is a key cornerstone of our work. It allows us to validate and assess the progress we are making towards the next generation of AI-powered security solutions.

Security analyst workflow

threatm-analyst-workflow.png