WEBVTT

1
00:00:00.030 --> 00:00:01.950
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information

2
00:00:01.950 --> 00:00:04.920
Security Media Group. And it's my pleasure to welcome to the

3
00:00:04.920 --> 00:00:10.170
ISMG studio, Mary O'Brien, the general manager of IBM Security.

4
00:00:10.710 --> 00:00:12.180
Mary, thanks for being here today.

5
00:00:12.180 --> 00:00:13.500
Mary O'Brien: Thanks, Matt. Nice to meet you.

6
00:00:13.530 --> 00:00:15.900
Mathew Schwartz: So IBM Security, love your research.

7
00:00:15.930 --> 00:00:19.440
I'm a key follower of all of the threat intelligence, for

8
00:00:19.440 --> 00:00:22.950
example, that your X-Force group has been doing. And one of the

9
00:00:22.950 --> 00:00:25.890
really fascinating things. I mean, unfortunately, from a

10
00:00:25.890 --> 00:00:29.700
defense standpoint, and a health of society standpoint, is about

11
00:00:30.000 --> 00:00:33.030
ransomware. And, you, one of the, I guess the best place to

12
00:00:33.030 --> 00:00:36.690
start for me would be, how has the speed that we have been

13
00:00:36.690 --> 00:00:40.440
seeing ransomware attacks happen at changed recently?

14
00:00:40.440 --> 00:00:43.500
Mary O'Brien: It's changed dramatically in the last couple

15
00:00:43.500 --> 00:00:46.320
of years, year on year, it's getting faster. And in the last

16
00:00:46.320 --> 00:00:50.280
couple of years, ransomware deployment has moved from a

17
00:00:50.280 --> 00:00:54.360
couple three months to several days, but four days on average.

18
00:00:54.390 --> 00:00:58.110
So we're talking rapid change and rapid acceleration in the

19
00:00:58.110 --> 00:00:59.160
deployment of ransomware.

20
00:00:59.220 --> 00:01:00.600
Mathew Schwartz: And obviously, if you don't get that right,

21
00:01:00.600 --> 00:01:02.580
you're already on the back foot, you're already in a place you

22
00:01:02.580 --> 00:01:03.450
don't want to be.

23
00:01:03.540 --> 00:01:06.540
Mary O'Brien: Totally, it's just really indicative of the rate

24
00:01:06.540 --> 00:01:09.930
and pace of cybersecurity attacks and how it's

25
00:01:09.930 --> 00:01:10.590
accelerating.

26
00:01:10.860 --> 00:01:13.140
Mathew Schwartz: So security operations centers, that's the

27
00:01:13.140 --> 00:01:15.240
theme of what we're gonna be talking about today. And I

28
00:01:15.240 --> 00:01:17.580
wanted to do a little ransomware prelude just because it sets the

29
00:01:17.580 --> 00:01:21.600
tone for some of the challenges that they're facing. But if we

30
00:01:21.630 --> 00:01:24.420
step back a little bit and look at the SOC, what are some of the

31
00:01:24.420 --> 00:01:27.420
most significant challenges would you say that your SOC

32
00:01:27.420 --> 00:01:29.760
analysts are seeing today, or the SOC analysts are seeing

33
00:01:29.760 --> 00:01:29.910
today?

34
00:01:29.910 --> 00:01:34.500
Mary O'Brien: So SOC analysts really are seeing a huge

35
00:01:34.500 --> 00:01:39.630
acceleration in the number of threats and security incidents

36
00:01:39.630 --> 00:01:44.820
that they need to investigate. So as businesses digitize, and

37
00:01:44.820 --> 00:01:48.810
as people are deploying cloud, you know, applications in cloud,

38
00:01:48.810 --> 00:01:51.540
and using cloud and also, they've got stuff on-premises,

39
00:01:51.780 --> 00:01:55.650
and they're using such a plethora of piece parts to make

40
00:01:55.650 --> 00:01:58.890
up their business. They're what we call their attack surface,

41
00:01:58.890 --> 00:02:02.400
that's the area or the opportunity for the attackers to

42
00:02:02.400 --> 00:02:06.930
get in, that's increasing. And as a result, the number of

43
00:02:07.290 --> 00:02:11.550
incidents and alerts that a SOC analyst needs to investigate is

44
00:02:11.550 --> 00:02:15.030
increasing. We're seeing the sophistication increase. And

45
00:02:15.030 --> 00:02:19.200
meanwhile, the SOC analyst is under-resourced. We're seeing

46
00:02:19.200 --> 00:02:25.020
that they're trying to deal with a plethora of different security

47
00:02:25.020 --> 00:02:28.260
tools to take information from all of them and knit them

48
00:02:28.260 --> 00:02:33.420
together and do integrations. And basically, yeah, they have a

49
00:02:33.420 --> 00:02:35.970
lot of manual work to do in order to make it happen in

50
00:02:35.970 --> 00:02:37.590
today's SOC.

51
00:02:37.950 --> 00:02:39.990
Mathew Schwartz: What as you say with this move, this digital

52
00:02:39.990 --> 00:02:43.260
transformation, if you will, that especially happened in

53
00:02:43.260 --> 00:02:46.110
recent years due to the great unpleasantness having all of

54
00:02:46.110 --> 00:02:50.070
these things suddenly get into the cloud? I'd imagine you have

55
00:02:50.070 --> 00:02:52.140
many more applications you're trying to keep track of.

56
00:02:52.170 --> 00:02:52.620
Mary O'Brien: Of course.

57
00:02:52.650 --> 00:02:56.220
Mathew Schwartz: Yes, and so this is also, I mean, both in the

58
00:02:56.280 --> 00:02:59.370
SOC that you're managing for people and also in the SOCs that

59
00:02:59.370 --> 00:03:02.580
people are running using your products, how many challenges?

60
00:03:02.610 --> 00:03:07.530
Mary O'Brien: So yeah, we sell security technology to vendors

61
00:03:07.530 --> 00:03:10.680
who create and run their own security operations centers. But

62
00:03:10.680 --> 00:03:13.320
we have several very sophisticated security

63
00:03:13.320 --> 00:03:17.970
operations centers around the world. And we run managed

64
00:03:17.970 --> 00:03:21.330
security services in those security operations centers for

65
00:03:21.330 --> 00:03:22.410
hundreds of clients.

66
00:03:22.890 --> 00:03:26.100
Mathew Schwartz: So what role are you seeing AI and automation

67
00:03:26.100 --> 00:03:30.180
play when it comes to SOC operations, not new terms for

68
00:03:30.180 --> 00:03:33.480
SOC operations, but I think we're seeing maybe greater

69
00:03:33.480 --> 00:03:37.260
applicability or greater, hopefully, takeaways or benefits

70
00:03:37.260 --> 00:03:37.500
from it.

71
00:03:37.500 --> 00:03:42.810
Mary O'Brien: Certainly, well, after many years of the security

72
00:03:43.740 --> 00:03:48.690
fraternity talking about adopting AI and automation, I

73
00:03:48.690 --> 00:03:52.740
think we finally reached a point where AI in particular has

74
00:03:52.740 --> 00:03:58.770
become proven and has become sophisticated enough to

75
00:03:59.580 --> 00:04:03.450
be demonstrating some real value to the SOC analysts. So what

76
00:04:03.450 --> 00:04:06.720
we're using AI and automation for is to take noise out of the

77
00:04:06.720 --> 00:04:11.700
system, to allow machines to do what machines do well, as in,

78
00:04:12.390 --> 00:04:16.860
you know, clear out and also disposition the low-priority

79
00:04:17.250 --> 00:04:20.160
security alerts. And the way we've done that is we've

80
00:04:20.160 --> 00:04:25.050
actually taught the machine how an analyst would disposition

81
00:04:25.050 --> 00:04:31.380
those like low risk, you know, I suppose low-priority alerts.

82
00:04:31.410 --> 00:04:33.000
Mathew Schwartz: Things you'd rather not have to ever deal

83
00:04:33.000 --> 00:04:33.090
with.

84
00:04:33.810 --> 00:04:36.810
Mary O'Brien: Yes, and we have a shortage of security analysts

85
00:04:36.810 --> 00:04:39.540
and the world has a shortage of security analysts. So we need to

86
00:04:39.540 --> 00:04:43.500
let machines clear out the noise and let the analysts just focus

87
00:04:43.530 --> 00:04:46.020
on what they're good at and what they need to focus on, which is

88
00:04:46.020 --> 00:04:47.250
the stuff the machine can't do.

89
00:04:47.850 --> 00:04:50.580
Mathew Schwartz: So IT environments, everyone is

90
00:04:50.580 --> 00:04:53.160
unique. They're constantly changing. Seems like nothing is

91
00:04:53.160 --> 00:04:57.240
static. So when you're trying to make life easier, bring more

92
00:04:57.240 --> 00:05:00.900
automation, for example, to bear, bring AI to bear and make

93
00:05:00.900 --> 00:05:03.870
everything easier for people. What is the impact that you're

94
00:05:03.870 --> 00:05:08.100
seeing then of these various, oftentimes perhaps disconnected

95
00:05:08.340 --> 00:05:11.100
tool sets? Making sense of it all.

96
00:05:11.190 --> 00:05:16.170
Mary O'Brien: Absolutely. So disconnected tool sets and the

97
00:05:16.410 --> 00:05:21.120
proliferation of security tools has made the SOC analyst job

98
00:05:21.210 --> 00:05:24.540
really difficult because, you know, I actually have sat in

99
00:05:24.540 --> 00:05:27.630
security operations centers watching an analyst cut and

100
00:05:27.630 --> 00:05:31.740
paste and manually move stuff around between various tools in

101
00:05:31.740 --> 00:05:33.300
order to progress our investigation.

102
00:05:33.300 --> 00:05:34.950
Mathew Schwartz: And here's not a low-stress environment.

103
00:05:35.520 --> 00:05:38.730
Mary O'Brien: You know, it is not low stress. And we did a

104
00:05:38.730 --> 00:05:44.190
survey recently, for 81%, I believe, of SOC analysts

105
00:05:44.220 --> 00:05:47.610
identified that manual intervention is slowing down

106
00:05:47.610 --> 00:05:51.540
their ability to do their job. So, you know, what we're

107
00:05:51.540 --> 00:05:56.430
endeavoring to do here is use open source, use an open

108
00:05:56.430 --> 00:06:02.190
approach to be able to take security alerts from all kinds

109
00:06:02.190 --> 00:06:07.770
of tools - IBM's and third parties - into a platform with a

110
00:06:07.770 --> 00:06:12.000
unified analyst experience. So no matter what the underlying

111
00:06:12.000 --> 00:06:15.810
technology is, we can help the analysts just stay in the one

112
00:06:15.810 --> 00:06:19.650
screen and, you know, accelerate their workflow so that they get

113
00:06:19.830 --> 00:06:24.540
to the outcomes. And they get to the speed of finding, you know,

114
00:06:24.540 --> 00:06:26.670
the alerts they're looking for, and investigating them and

115
00:06:26.670 --> 00:06:27.450
responding to them.

116
00:06:27.450 --> 00:06:29.700
Mathew Schwartz: And helping eliminate the busy work, the

117
00:06:29.700 --> 00:06:32.580
administrative side of things, as opposed to the analytical,

118
00:06:32.610 --> 00:06:33.510
which is what you appoint them for.

119
00:06:33.510 --> 00:06:36.300
Mary O'Brien: Taking away the integration work that they've

120
00:06:36.330 --> 00:06:38.730
spent all of their time doing and this manual work that they've

121
00:06:38.730 --> 00:06:42.000
spent their time doing, now add automation and artificial

122
00:06:42.000 --> 00:06:44.430
intelligence to that. And you end up with a much more

123
00:06:44.430 --> 00:06:48.210
streamlined security operations center and analyst's workflow.

124
00:06:48.300 --> 00:06:51.600
Mathew Schwartz: So really a unifying security tool set

125
00:06:52.020 --> 00:06:56.490
approach to things. Where do people start? What can they make

126
00:06:56.490 --> 00:06:59.970
happen soonest in this approach, do you think? What's your advice

127
00:07:00.060 --> 00:07:00.840
for getting going?

128
00:07:00.870 --> 00:07:05.460
Mary O'Brien: I think that, you know, you've got to look for the

129
00:07:05.490 --> 00:07:12.270
opportunity to have a unified workflow, and to look for

130
00:07:12.900 --> 00:07:16.380
opportunities to make the SOC analyst's job not about

131
00:07:16.380 --> 00:07:19.050
technology, but about what the outcome is they're trying to

132
00:07:19.050 --> 00:07:21.960
achieve. And look for the capability that will assist

133
00:07:21.990 --> 00:07:28.260
that. So we'll give you or enable you to progress a

134
00:07:28.260 --> 00:07:31.950
workflow from a single pane of glass, irrespective of what

135
00:07:31.950 --> 00:07:33.300
technology you're trying to use.

136
00:07:33.330 --> 00:07:35.340
Mathew Schwartz: So sitting down with your SOC analysts, seeing

137
00:07:35.430 --> 00:07:36.900
what they need, how they need it ...

138
00:07:36.930 --> 00:07:37.380
Mary O'Brien: Exactly.

139
00:07:37.380 --> 00:07:39.570
Mathew Schwartz: And trying to better deliver to them what that

140
00:07:39.570 --> 00:07:39.810
is.

141
00:07:39.810 --> 00:07:41.400
Mary O'Brien: Totally, yeah.

142
00:07:41.430 --> 00:07:43.800
Mathew Schwartz: Excellent. Well, it's fascinating to talk

143
00:07:43.800 --> 00:07:47.160
not just ransomware, but also how we can get the SOC better

144
00:07:47.160 --> 00:07:50.580
configured, I think, so that the right people who stop it can do

145
00:07:50.700 --> 00:07:53.160
more of the analysis and less of ...

146
00:07:53.220 --> 00:07:54.840
Mary O'Brien: Yeah, more efficient, more productive.

147
00:07:55.380 --> 00:07:56.730
Mathew Schwartz: And that's what we need, obviously, as the

148
00:07:56.730 --> 00:07:59.880
attacks are increasing, as IBM continues to document. So thank

149
00:07:59.880 --> 00:08:02.460
you very much for all of your insights today, Mary.

150
00:08:02.520 --> 00:08:03.210
Mary O'Brien: Thank you, Matt.

151
00:08:04.440 --> 00:08:05.820
Mathew Schwartz: I've been speaking with Mary O'Brien of

152
00:08:05.820 --> 00:08:09.000
IBM Security. I'm Mathew Schwartz with ISMG. Thanks for

153
00:08:09.000 --> 00:08:09.570
joining us.