The goal of our research is to help security teams to manage cyber threats. We are focusing on accelerating the threat management process from detecting, investigating, to responding to emerging attacks. We move away from the current generation of reactive systems to a proactive generation of systems by leveraging AI and Automation technologies. We look at ways of distilling enormous volumes of data into information, turn these into actionable knowledge and context enabling rapid insights and reaction by security teams.
XDR: eXtended Detection and Response
While there is continuous advancement in the various security technology stacks available on the market today, the tasks of security analysts remain unchanged. They have to analyze large numbers of often quite complex security alerts that current security solutions tend to generate. The objective is quite simple but very demanding: discriminate between true and false alerts. Together with IBM Security we are developing novel solutions that allow the security analysts to focus on the most relevant alerts and empower them to more quickly and more accurately classify alerts. In our solutions we bring together a wide range of technologies such as Artificial Intelligence, Natural Language Processing, Knowledge Graphs, or Data Visualization.
We work very closely with IBM Managed Security Services (MSS) security analysts and the IBM Security product teams towards our common goal of developing accurate and easy-to-use XDR technology.
Artificial Intelligence for Cyber Defense: Blue Team Automation
Cyber Security very often is portrayed as an arms race between attackers and defenders. In the same spirit, live-fire cyber defense exercises are organized in which adversary teams (Red Teams) are attacking a given compute environment and defenders (Blue Teams) are tasked to defend it. A predefined scoring system allows to identify the most successful Red and Blue Teams. The challenge that we have set ourselves is to invent and develop an autonomous system that can take over the role of a Blue Team and successfully compete in cyber security exercises. The solution being developed heavily builds on AI technology for analyzing and reasoning on streams of security telemetry data and for automatically initiating remediation actions.
This work is performed in close collaboration with the Cyber Defence Campus of the Federal Office for Defence Procurement (armasuisse).
Cyber Security and Data Science
Over the years security analytics has become a big data challenge. Many of today’s security solutions analyze large volumes of (security) telemetry data to detect signs of suspicious activities. Looking at the many analytics solutions that have been proposed and reported on, one can state that a wide range of data analysis methods and tools have been applied to the security problem. However, for various reasons, very often newly developed solutions have not had a lasting impact.
Our objective is to bring the security and data science disciplines closer together to build sound security analytics solutions. Thanks to our collaboration with the IBM Managed Security Solutions organization, we have access to labeled security data that got collected in heterogeneous compute environments and originated from a diverse set of security tools. This data is a key cornerstone of our work. It allows us to validate and assess the progress we are making towards the next generation of AI-powered security solutions.
SysFlow: Open Telemetry Framework for Cloud Workloads
SysFlow is an open-source framework for monitoring cloud and enterprise workloads for performance and security analysis. It collects raw low-level system events and captures them in a compact object-relational format allowing detailed visibility into container-based clouds. It also features a rule-based processor pipeline for converting and enriching events and for alerting.
As part of the SysFlow community and a larger team at IBM, we further enhance the project by broadening its functionality and increasing its usability and user-friendliness. Our special focus is on cloud metadata. By enriching SysFlow records collected in individual containers with context information as retrieved from Kubernetes and OpenShift cluster environments, such as the relationship of containers to pods, namespaces, and services, we get better insights into the cloud component activities. Eventually this helps us to better describe the normal behavior of cloud applications and to more accurately spot suspicious activities.