
Keeping Ahead of the Threat Landscape with AI Powered Security: Sheik Sahib

BSides Edmonton · 2023 · 40:52 · 8 views · Published 2023-10
About this talk
BSides Edmonton September 2023
Keeping Ahead of the Threat Landscape with AI Powered Security: Sheik Sahib
September 25, 2023 at 1:00:00 p.m.
Presentation: https://drive.google.com/file/d/1MrkVhXuAwCi2Qz5rxHYpyed6B96pLzZ4/view?usp=drive_link

Abstract: As cyberattacks grow in volume and complexity, artificial intelligence (AI) is helping under-resourced SecOps analysts to stay ahead of threats by leveraging machine learning and natural language processing to curate threat intelligence from millions of research papers, blogs and news stories to cut through the noise of daily alerts and drastically reduce response times. AI is also used to model the attacker modus operandi – reconnaissance of your digital presence followed by attacks on areas of weakness. Please join as we share how IBM Security is employing AI technologies to identify, protect, detect, and respond to rapid escalation of cybersecurity threats that threaten businesses, organizations, and governments across Canada.

Speaker: Sheik Sahib CISSP, CCSP, Cyber Security Architect

Sheik Sahib is a Cybersecurity Architect within the IBM North American Security team. He is based in Markham, Ontario. He has extensive experience in Cybersecurity, IT Architecture, Enterprise Architecture, and Software development. His focus is to help customers in Canada and the Caribbean improve their security posture. His work leverages proven architectural design patterns with state-of-the-art security solutions to produce new or enhanced cybersecurity controls that protect sensitive and mission critical assets.

Areas of Expertise
- Zero Trust
- Current threat landscape including ransomware, data exfiltration, etc.
- Security for hybrid multi-cloud world
- NIST, ISO 27001 and related standards, PIPEDA, GDPR
- Cloud Security – IBM, Microsoft, AWS
- IBM Security portfolio
- Enterprise Architecture
- Application Architecture and Software Development

Transcript

um anybody seen this video before you have awesome video um yeah so hopefully this gets the blood flowing uh in terms of deep fake by the way I'm real according to Gino so you're not looking at a deep fake I am not no no I want to hear you again okay um so with respect to deep fake voice there's stuff on the internet there you can look at this one um go it's pretty hard to see this um it's Speechify I think up at the top here right you can go look at that um there's also um a voice generator it'll take your voice and kind of mimic um other people's voices famous people's voices so this stuff is out on the

internet and last but not least um the bad guys are actually using this stuff right for for fraud so how many of you today use I I don't want to call customer names here an insurance company or a bank that uses voice authentication yeah and they authenticate you very nicely right after few sentences oh welcome Sheik uh how can I help you today uh how do you think this is going to respond in the future when we've got stuff like this out there and it's for real right um where gets more interesting is folks like this uh this gentleman here you probably know him um he made some statements and they're saying his lawyers are saying anyways that wasn't

me that was a deep fake so you you can see now the problems that we're we're encountering right with with this this new technology so what what is my point my point is before I get into this slide is that how many of you have one of these everyone right how many of you more than one exactly how many are using use like I just did uh facial recognition yeah touch recognition voice recognition we just talked about that how confident are you that your third factor which is so first factor is something you know second factor is something you have third factor is something that you are so my face my retina scan you know my voice my walk my

gait right how confident are you that you are really protected in a third and second factor authentication that's the problem right so that's my point I'm trying to illustrate the challenges we have today in using this technology or this technology is being used to attack us attack our our companies that we work for attack our country attack our you know or even our personal lives as well right um I can't tell you how many times Microsoft keeps sending me um challenges MFA challenges to say that my uh somehow I I logged in I did not so somebody's you know got a got got a beat on me all right so let's look at these these

numbers um 20% these these are 2023 numbers and 2022 numbers IBM does some surveys around the world we survey about 550 customers around the world and some of this uh includes customers here in Canada so the data you're looking at is relevant to Canada as well right the numbers may be a little off in terms of the you know the $4.35 million but that is representative of what what our surveys have reported so as I said we've been doing this now for about 18 years the Ponemon Institute in uh in Chicago Dr Ponemon does this and 70% of businesses have experienced at least one cyber attack now I'm not going to call names I know I'm in Alberta but I'll use

other names Air Canada they were attacked on the weekend right um we all heard about Indigo public stuff I'm telling you about right um Microsoft has about a month ago they have they had five or six zero days right Apple on September 21st patched three zero days three and so far for 2023 they've got 16 zero days 16 so that's the problem that we have right these attacks are going to continue how many of you have not experienced a cyber attack if you want to share power failure oh boy they knew I was [Laughter] coming [Music]

where's Dino they knew I was

coming test test oh yep working okay I think it just timed out right yeah yeah okay s oh okay we'll come back in a okay Microsoft okay all right no more Microsoft we'll just talk about IBM so I'm an Apple guy and um I'm really worried about the security of my Apple ecosystem right I've got Apple everywhere all right is it coming back yeah slowly okay so um yeah these numbers as I said are representative of of what you will see here in Canada right now they may surprise you gosh $4.35 million yes that's how that's how long it takes um here's here's a illustration of the problem in another way if you look at a World War Two

fighter um which is here on the left hand side you know here's a machine gun that's the most important thing and maybe that's a rev counter or something and that's maybe a pressure altitude altimeter or something you know in World War II they had some basic rudimentary controls right to operate that fighter jet or fighter plane uh in World War Two they started to add more bells and whistles more telemetry more uh information that the pilot the poor chap who flies this thing plus operate the gun right he has to you know manage all these different uh controls and you can see from a cyber security operations perspective where I'm going with this right so what we had to do is because

you know modern jets fly at Mach 3 or Mach 2 point something you know 14,500 miles an hour and the bad guys are coming you from everywhere they had to simplify the interface right and they had to you know present to the pilot only what's relevant right that's how modern jet fighters you know you can relate to that so from a cyber perspective that's exactly the problems we're facing right lots of telemetry lots of devices lots of information and we need to be able to simplify this so we need to do streamline detection triage and response if not we just can't compete we just can't you know deal with with the avalanche of of information

coming our way so the obvious answer is artificial intelligence now I'm not going to go through the slide in detail you guys all have heard about AI you've seen and you read and looked in YouTube videos about AI but I just want to point out to you that um AI is a broad field and practically most of what we use today and I'm speaking from IBM and actually this is kind of across the board is machine learning right we'll talk a little bit about that um and you all know what deep learning is does anyone not know what so sorry anyone not know what machine learning is okay great so deep learning is a subset

of machine learning um the difference between the two is that in machine learning we can kind of we can we can explain the answer right in deep learning most times we can't because it's like the brain right there's neurons firing there's all kinds of things happening and so you might get to the right result but how you got there is very very difficult to explain so that's the difference between machine learning and deep learning and then these GPTs generative pre-trained transformers right are a subset of deep learning so if you use ChatGPT and who has not um you know it it it essentially it's a next word what's the next best

word predictor right how it got to that it's very difficult to explain but it it actually is pretty good let's let's not let's be care you know it's it is pretty good um and that's pretty much how the GPTs work and there's tons of GPTs out there there are the commercial there there are the uh open ones like ChatGPT uh WormGPT and so on um there's some GPTs that you can buy for 79 Euros in Europe and it will generate malware that's a real thing um IBM we also have uh several GPTs that that we've created all right so with that said here how here's how businesses are adopting at at high level um AI um we've got

about 30 according to our research about 35% of companies are using AI in their businesses is in your businesses today and I don't know if you want to raise your hands or not um are you using AI just by show of hands yeah right and increasingly so right increasingly so in some form or the other um one of the best explanations of or uses of AI I can think of there's two of them one is not so good one is pretty good so if you call into an insurance agent you know you got a car accident or something like that and you um you know you started having a conversation with the agent you know about the nature of the

accident and blah blah blah blah blah what's happening behind the scenes is an AI um that's listening to the conversation that's looking at the records and prompting the agent what's the next thing you should say so we've got an IBM something called Watson X um that's actually in in that particular example another example which I don't really like is um this thing is being recorded right is uh our HR System so IBM okay maybe you might you may not see me much after this presentation but anyways IBM decided to essentially um replace trying to find a nice word a lot of our HR staff with an AI engine a chat box so if you want to ask it

anything related a AI you get a chat box and then you have to curse it take that um scratch that you have to tell it I want to speak to an agent and eventually you'll get to speak to an agent but basically IBM has decided to essentially replace our HR systems with an AI engine so those are examples of how we're using it um the bad guys on the other hand are using it this way um I already talked to you about deep fakes um you know they're using it to develop malware uh social engineering Darktrace a month ago said that they're they have discovered um something called a multi what's the word a multiphase

attack so you remember when you all did we all did um training in terms of email phishing right look for the malformed words uh you know the URLs the hidden URLs and that kind of stuff all the stuff is gone right the bad guys are using AI to essentially generate very very good emails you wouldn't tell you cannot tell that it's not from your boss or from Gino can't tell and it's a multi-stage attack so in other words they kind of build your trust and eventually they drop the malware on you and Darktrace has said they've seen in the last July time frame uh I got the numbers here um a huge a huge uh spike in terms of these

multi- uh phase uh email attacks and that's all being the bad guys are using AI to do that in terms of social engineering and so on um how we're using it in security because we're kind of stuck in the middle we are using it uh for threat monitoring and you'll see a little bit about that later on we're using it for um obviously security itself uh employee education a lot of our training right now in IBM is AI driven right I get tons of emails that says I need to do this and I need to do that and I need to do that because the AI engine has looked at my profile and said ah he doesn't know this he doesn't

know that so let's give him more education this is really going well right okay all right I want to put this up here so you you get a sense of the problem in terms of of of incidents or alerts so we have by the way in this presentation we have these QR codes and you can scan these QR codes and look for more uh information on our light boards we've got thousands of videos I'm not making stuff up like thousands of videos up there um but if you want to learn more about this cost of a data breach uh just scan this QR code and it'll take you to the report um take a look at this

it if you don't use any AI right it takes 322 days that's not Sheik speaking that's research that we did with 550 odd customers around the world it takes them 322 days to identify and 85 days sorry 237 days to identify and 85 days to contain that breach and if and if they were using AI to some level they're getting a benefit so the the the gross number between the top and the bottom is 108 days so that's one of the benefits of your organizations that are using AI today um you you get you get speed of of identification and then speed of containment now we already mentioned a few of these uh in the beginning of this

presentation um but I'll just go through a few of them um you all heard about the DeepHack tool it learned uh SQL injection and it's actually gotten very good over the years um I mentioned to you the the um according to Darktrace Darktrace they analyze the network right so they can actually see uh what's happening over the network and so the specifics are um 50,000 more of these attacks were detected by Darktrace in July than in May indicating potential use of automation and the speed of these attacks will likely rise to greater automation and a adopted and applied by attackers okay this is according to Darktrace and this stuff came out a few a

couple of months ago so they call this by the way quishing q i s h i n g which is phishing using QR codes so I just told you about these QR codes don't worry it's all legit we're not we're not going to quish you okay um this gentleman here was able to uh this is a famous actress I'm not sure what her name was anymore um anybody knows who she is okay say that again Milla Jovovich Milla Jovovich okay so what he did is that he 3D printed this glasses and uh you know the face recognition software recognized him as her again your your third factor authentication is at risk here folks um right

so mentioned some of these um password crackers there's this stenography uh there's a there there's a an organization called uh Citizen Lab from the University of Toronto and uh just what a week ago or two weeks ago they published an article um about a different a type of an attack where and it's very targeted it's it's heavy heavy stuff but what this is is that you can get a message or an email and you don't click on it and your machine is compromised let me repeat that again zero click compromise yes and that was published by Citizen Lab from the University of Toronto you I'm see some faces shaking here so yeah it's it's it's it's bad

stuff that said oh by the way um you know they're not just they're not just using AI they're also stealing it as well right you know all these public APIs that are out there free stuff yeah these bad guys are using it and really don't understand these types of attacks but they're there so you can go look them up afterwards okay so what are we doing within IBM to address these problems um I'm trying to relate the next few slides in terms of the NIST framework right uh identify protect detect response remediate something recover thank you okay so about 5 years ago 5 years ago we started off with this thing called Watson cyber

security so you may remember the very famous according to IBM uh program with Jeopardy where um IBM Watson creamed uh Jennings uh what's the other guy's name anywho um there's a bunch of guys who really were Jeopardy experts and IBM's uh Watson cyber security creamed these guys they won substantively so what we did it was an AI engine right so what we did is that we took Watson and we essentially created uh a cyber security version of it so we taught it cyber security we taught it the difference between a virus and a virus right a human virus versus a computer virus and so what this thing is is a gigantic knowledge graph it's being

fed every day from this kind of stuff it's being curated so you can't poison it right actually human beings are looking at it and validating that the information is being ingested is correct and it's basically generating who is who in the cyber security Zoo every single URL every single IP address every single hash uh users whatever right all connected in this gigantic Knowledge Graph so what that means is that if you find or if we find because it's not necessarily available for public use but if we find an anomalous behavior of a particular IP address or a URL or a DN uh we can ask Watson have you seen this before and if the answer is yes it'll tell you with

confidence 79.63% yes we've seen it and oh by the way it's connected to these other URLs and um you ought to be looking for these other problems potentially in your environment so that's what we've built right and it's doing it in about 2 to 3 minutes uh if you ask it these questions now that was about two years ago so it's probably seconds now in terms of the threat management itself let me take you through some of this um we have six global SOCs around the world we process 170 billion that's with the B events every day each um total in total it generates about 11,000 alerts per day so IBM is a large company

but we don't have enough folks to process 11,000 events so what we're using is AI to do triaging so about a quarter of that right is stuff that it can't preprocess automatically and the rest are sent to human beings for analysis but we're processing and it's getting it's gotten better by the way this is about a year old um we're processing more than three-quarters these days of of these alerts um by automation so automation is your friend automation i.e. AI right that's that's what we're talking about today so some specifics here um this slide is from our RS RSA conference uh early this year in April and we ask our SOC analysts how do you how do you investigate how do you

detect how you know how do you do these things and so they said well we got to do this you got to look at the open incidents choose the highest pri priority triage and you know each one of these got some investigations and blah blah blah and then root cause analysis and migration mitigation steps and so on they got to do all these things and this is typically how long it took them with our automation and our AI engines that's what we're getting now roughly these these answers one screen six steps less than 10 minutes on the average right so that's how I'm sorry um I don't have the numbers off top of my head but it's it's it's in the

90s yeah yeah I don't know the exact number so that's the point here is I mentioned to you what the bad guys are doing what the problems are and how we as a company are addressing it and by extension how you can benefit from it as if you buy our stuff right it's not a sales pitch but I'm just trying to explain to you you can get this stuff so uh in terms of triage um I do work for IBM so I got to tell you that so in terms of triage um on the right hand side you you'll see that um we actually will will use the ML models right to recommend uh the responses for

the threat itself we will actually do some some correlation uh with other threats and kind of either escalate the threat or you know or reduce the threat level um what present the highest uh threat threats to the analyst so that he or she could could take appropriate action um as you can see here there's some stats here using 4 million alerts from nearly a thousand customers pre-trained and then within your specific environment we're we're using um that training to enhance it for your your customer your Ben your uh individual um Enterprise so it's not we're not using it so let's say company a right is IBM customer Company B is an IBM customer we're not using custom

customer B's data to enhance customer A's uh AI engines you know what I mean it it's separate and so we preserve the we respect the um the integrity of of your operations okay um in the road map we've got a whole bunch of different um you know models here which which I don't already have the time to go into um but it's going to get better and better and better so in the in the future near future i.e. next quarter you'll see this so a group of correlated results correlated alerts we will actually make recommendations to say how do you remediate this what what's the nature of this problem and how do you rem remediate this you'll see that in the

next quarter it's already in the labs working but this takes a while to bring it to Market um in terms of Investigations this is really really cool stuff I was talking to some of you um earlier today and trying to explain how this works so our our perspective is don't bring all the data into the IBM framework uh that's just not possible or practical or cost-wise effective right leave the data where it is so we can do Federated searches across different sear different uh repositories whether it's on the cloud or it's on Prem and we can do it both at the same time right and so we run these searches these Federated searches a thousand odd Sigma

rules here or more and then um basically we can figure out uh sorry augment the threat with more data and you can see some of that data on the right hand side here I can go here and show you some stuff so uh here's the file creation event right there's seven events related to that um in terms of the result set we got eight potential findings 40 different artifacts associated with this right and here's the MITRE ATT&CK um mapping okay if you scan the QR code um on this thing here at the booth that we have downstairs we'll do a demo in about two weeks two weeks yeah and you can actually see more of this stuff in

action okay um and last but not least would be on the response side right um we have uh playbooks that do automatic um so so within the playbook itself it'll have multiple steps and then we could um for example you know if it's a multi-step playbook some of it could be automatic some of it could be manual right so all that stuff runs uh again the AI models uh are are helping to um execute those things in a way that makes sense for the business so if it's ransomware initially but then we look at it and it's a broader attack maybe it's a data exfiltration problem as well the the playbook will pivot accordingly right and

the AI is powering that so I mentioned to you before we had about 11,000 attacks every day 11,000 alerts I'm sorry 20 minutes thank you um that's how we're we're using this technology here behind the scenes to make this all happen okay and you can see we're using more and more AI to generate playbooks and generating and leveraging some uh large language models that are being built right now by IBM research so one last point here um you know I I I kind of harped on the identity and access management um challenge but we our solution is um we're using we're using some AI technology it actually came from a research group in uh in Haifa Israel um it

was developed uh maybe 3 four years ago and so we're not looking only at the at the transaction per se but we're looking at the behavior the mouse movement right if you look at uh you know a typical person you know you've got user ID password and the mouse is here the cursor is here how you move it from here to here is different right it's kind of different so we're we're mon we're mapping 128 different data points as we move from here to here and so it can uniquely identify me and Gino so by the time it gets to here it says welcome Sheik how can I help you today so we're looking at behavior right so some of the

adaptive access stuff is using is using that the power of the identity access management solutions okay um I do want to leave some time here for questions and answers here's some products that we have and the specifics that we have in terms of the different models um you'll get this you'll get this presentation right you'll get this presentation okay so you'll get this presentation you can look at this all the stuff and uh there's the money statement from IBM that 100% of our products you know use this use this stuff and this is kind of what we do here I'm not going to go through these in the interest of time I want to do

leave some time for questions and answers all right um what's next I did say in the agenda we were going to talk about what's next so what's next you can imagine so here's the thing with IBM yeah I can't tell you what's coming yeah I have to kill all of you I don't want to do that so you might maybe they'll kill me instead that's probably the easier thing to do there there you go so you can imagine if you're a SOC analyst how many of you are SOC analyst here all right you got quite a few so if you're a SOC analyst and you find something anomalous in your environment you might want to know is that a problem how bad

is it where is it how pervasive it is so if you can ask a chat box right those questions I've got this what do you know about this then think about what's happening behind the scenes all our automation all our data that I talked about talk to you before right so we got to do the voice to speech translation sorry the text to text to um query translation behind the scenes we have to understand the question you you asking because it's English question go look at the data and then formulate a response back to you right all the stuff I mentioned before this will power this make sense so that's how the AI in the future will

will will help us as security uh people and there's a bunch of other things here which I don't want to get into but as you can see we we're doing automating mundane tasks and then we're going from reactive to proactive what I mean by that is that you know the bad guys Target us well we're going to Target them right we're going to find them we're going to remove them before they become a problem that's that's where this where the stuff is going okay I I'm open to questions now all I don't know test test y

questions actually it was your uh last last point that raised something interesting you mentioned about going after them yep what about the political ramifications of that if it's a state player that's a that that is a awesome question political ramifications so full disclosure I'm working on some secret stuff for our federal government that I can't talk to you about I'll have to kill everyone including myself um but let's just say that and it's no secret right this is in CBC news that our friends in friends our foes in China CH that's I'm just going to be apolitical right now China is just killing us killing us with attacks so from this man's perspective this is not

IBM speaking this is just Sheik the cyber security guy speaking I would love to do nothing better than to find these guys and kill them I mean from a cyber perspective so a great question I just don't know the answer you know politically how how we do this um I think governments will have to get involved um and sometimes our methods in terms of discovery and identification and so on is secret right so you're going to have to be careful how you disclose some of that good thank you anyone else is there oh there we go ask go ahead you're in safe surroundings yeah I'm in a safe I'm a safe surrounding my my name is Michelle

Balderson from I squared and you said something that raised the hairs on my back uh oh just one one thing I said one one thing in particularly is is that you mentioned that the IBM Watson data is curated yeah and you implied that it can't be hacked yes I absolutely completely disagree okay and and if we take a look at the hacks I mean IBM was recently hacked with the MOVEit attack right the MOVEit uh um and so if IBM was using MOVEit to move data between data centers no we don't it's it's in it's in the press that's what they saying that you guys are doing right and so the question then becomes

is how do you assure and honestly I don't know the answer yeah right how do you assure that Watson's data isn't going to be impeded right good question so the way it's architected it's that we've got it air gapped you cannot talk to it except through an API right

and you have to have let me add something let me add said something because you just mentioned the air gap right I'm an OT security expert with industrial controls yes sir and and and really air gapping is and can be compromised I know so I know all right um there's there's some other controls which I'm not privy to um and I don't really want to get into the details because I don't know them all um what I've been told and what I've understand is that the security of this system for obvious reasons right is Paramount if you poison this then it's game over so we we take a we have about a 100 people working on this worldwide and their job

is to make sure that this thing is secure so the data coming in the data that we um that you know we we we we use is is constantly being maintained um if you try to poison the well there guys and gals and systems and so on that are looking for that uh and in terms of uh attacking it good luck I I I just don't know how you can get to it I can give get to it I defense would be I no no no yeah yeah agre agreed yeah agreed um so far it has not been hacked that we know of and that includes Log4j by the way um we we saw some pretty nasty

things with Log4j um but at this point in time according to my knowledge my information it has not been hacked and it's being used um as I said in what I showed you right some of the stats it's being used today in production any but thank you you for that question question the audience I really do I didn't even want to ask no no it's fine go you know what as you can tell I I'm a bit of a free spirit in terms of what I say so so at the very beginning you were pointing to World War I aircraft World War II and you know then showing a modern fighter jet as you

know we need to simplify so there's less things to go on considering the debacle of the F-35 has become the absolute waste of money uh the things randomly falling out of the sky I don't think that's the best example because you're trying to simplify things by making them incredibly complex so they fail in more and interestingly spectacular ways yeah so it no we I I think we've got some part of ter terms of the software but I I don't know exactly what uh what we built in it I know for the Canadian Armed Forces some of our ships um there's some IBM tech behind the scenes especially on the networking side if anyone of you is

ex DND or CAF you or CN sorry Canadian Navy you all know that but yeah I agree with you I mean the F-35 is it's the best fighter out there period does it is it is it perfect no it's not perfect and Canada is to buy 88 of them right all right any other questions security based question security questions is security session just saying but you understand the the the analogy I was making right in terms of simplifying the interface and just a very poor specific choice I didn't say F-35 let's let's pick let's pick another plane CF-18 can I say that oh boy I'm digging I'm digging myself deeper go ahead so the ML models that you guys are using um

is there somebody monitoring to see that it doesn't actually turn on the other side and yeah you know behave yeah for bias and so on yeah yeah yeah uh gentleman's brought up some very good points here um one of one of the big problems with uh machine learning and and and and even deep learning and and so on is bias right uh how do you remove bias from from the models so um there are a bunch of smart folks all PhDs from IBM research and that's what they're they're looking into exactly that problem how do you detect it and how do you correct it right and so the guys who build these models um you know there's a lot of work being

done behind the scenes to validate that the biases are being removed and ongoing uh detection of of bias as the models kind of tip towards one way if everything starts to become ransomware then it's a problem right so it there there's safeguards Within These models um and we're constantly tuning them and updating

them okay let me ask you a question how many of you are confident that you have not been hacked

today right now right now so I'm I'm going to be a little on the aggressive side here how many of you are confident you have not been hacked today and and so so yeah how how do you find hacked hack um you have suffered a breach uh that is either public the FBI or the CIS or somebody like that has told you you've got a problem or your data is being sold on the dark web that's what I mean by a breach yeah you yeah I don't work for I'm a student so oh so you're confident okay I don't have an organization all right all right all right all right okay all right okay it's folks um the purpose of the

session was to kind of let you know where we are right um I did this presentation uh two three months ago in in Winnipeg and I'm going to do it again in two months in uh Calgary um and I guarantee you that some of the data got here is going to change right so it's fast it's evolving very very quickly um drop by sorry just want to give a little plug uh if I could um scan this QR code um and you'll see because I talk a lot but let's show you what we've built right you can actually see some of the stuff in action you don't have to buy it but at least you're

aware of what's what's out there and where we are today