From Discovering Rock Patterns to Detecting Cyber Threats


IBM scientist Marc Ph. Stoecklin has always been fascinated by discovering unusual patterns as long as he can remember. Even as a child, during family hikes in the Swiss Alps, he was looking for crystals and special patterns of rocks.

An IBMer since 2006, this past summer Marc joined the next wave of IBM millennial managers, and today he leads a team of experts working on cyber security analytics with a particular focus on advanced threat detection and cyber security data visualization. In simple terms, he helps security analysts detect, understand, and counter sophisticated cyber security attacks.

“I’ve always enjoyed analyzing data and mining them for unusual changes and deviations from expected behavior," says Marc.


When traditional security solutions use signature-based detection (knowing what unwanted events to look for, i.e., a strict pattern), Marc’s team looks into how machine learning, data mining, and statistical modeling can be applied to learn the behavior of laptops and mobile devices on the network.

“We look for the unknown and unexpected, like an irregular heartbeat. Research in behavioral analytics has become crucial, particularly when it comes to detecting advanced threats and targeted attacks. Attacks which an organization cannot anticipate, nor has adequate protection mechanisms for, simply because they do not know what to expect in advance, and attackers exploit zero day vulnerabilities – these attacks were crafted just for this specific organization, and no signature or blacklist will catch them,” Marc said.

“The last resort is to be constantly on the watch for any unusual behavior patterns, which reveals the presence of an attacker.”

“On top of that, data visualization is very important as the human brain is brilliant at exposing abnormal patterns, but it has to be pre-processed and condensed, especially when there is so much data as in security. Scrolling through lines of a spreadsheet isn’t nearly as effective as looking at a heat map, which is why visual design is so important to our tools,” Marc said.

Goodbye Zurich. Hello New York!

“I had the opportunity to do my PhD thesis here at IBM Research-Zurich. The IBM lab is really one of the few places in the world where you can join an industrial PhD program. It was a truly great experience both being in an academic program as well as conducting research which had direct industry impact,” Marc says.

As a member of IBM's AURORA project, Marc and the team created a flow-based network traffic monitoring and visualization system where he was responsible for the design and development of the anomaly detection and user interface components; the system has since been commercialized by other IBM businesses.

“It was really a rewarding experience as a young graduate creating software, which was sold to IBM clients worldwide,” Marc said with a proud smile.

In 2011 he left Zurich to join the IBM T.J. Watson Research Center in Yorktown Heights, NY. Here, he participated in the development of the IBM Cyber Security Analytics and Intelligence research platform.

“I didn’t have any second thoughts moving from Switzerland to New York. Sometimes you have to make decisions when you know this is the right thing to do,” Marc said.

He continues, “For me it was a chance to go into a new field and to start exploring something completely different. And I was fortunate that IBM offered me this opportunity.”

“A Needle in a Haystack” 

Still collaborating intensively with the scientists in Yorktown Heights, Marc returned to Zurich in 2012 and last summer was promoted to manager of a global team.

“It is an absolute pleasure to work with such a talented team. Most of the team members are millennials, all of whom have PhDs in data mining, machine learning or behavioral modeling in areas like big data security analytics and malware analysis. So, we speak the same jargon and relate to each other,” Marc said.

Coming from the millennial generation and being “digital natives,” Marc believes his team has an almost innate capability of understanding the minds and strategies of today’s hackers.

“You have to think in a multidisciplinary way about how things are connected and how the attacker may capitalize on different attack vectors. If you look at how enterprises and organizations have changed in the recent few years, as they embrace new technologies such as cloud services, mobile -- and employees are allowed use their own devices (BYOD) for business purposes -- the traditional perimeter-based security defense mechanisms become drastically less effective,” Marc said.

“Building curtain walls around a castle will not protect crown jewels that get distributed outside the castle.”

He continues, “One of the biggest challenges we face is that many of the attacks today are not discovered, and only a small fraction are eventually disclosed to the public. So how can anyone understand the latest trends? This is like looking for the needle in a haystack without even knowing what the needle looks like. There are only a few known examples out there and we need to study them carefully and extrapolate. The methodologies we devise have to be able to catch variants thereof as well as new types of variations.”

Looking Forward

Marc sees a number of interesting technologies over the next five years as being the real breakthroughs in cyber security.

“Understanding where the crown jewels are and who accesses them, how, when, and why will be a major focus for the future. This involves contextual models, and adaptive data protection by building fine-grained perimeters around the data, as well as real-time, historical, and predictive behavior monitoring using advanced machine learning analytics, such as techniques used in IBM Watson,” Marc said.

Searching for crystals in the Swiss mountains as a young boy Marc could never have dreamed of having such a successful career.

Marc had this advice for other young researchers.

"Whichever path you take, it is important to be innovative, and constantly questioning the state-of-the art. And most of all: start identifying missing bits, which you should embrace to make a difference"

Labels: , ,