By John P. Mello Jr.
Feb 16, 2017 8:45 AM PT
IBM this week announced Watson for Cyber Security, a powerful new ally for organizations that want to protect their data from Net marauders.
The new offering bolsters the ability of information security pros to analyze the flood of information from the roughly 200,000 events that pour into their Security Operations Centers, or SOCs, every day.
About 20 percent of that flood is comprised of structured data that can be analyzed with database tools, but as much as 80 percent of it is unstructured data such as security blogs, white papers, Twitter feeds and forum threads. It’s data that contains valuable nuggets, but finding them is difficult.
“What Watson does is take all that information — structured, unstructured, as well as other information from the operations center — and put it in a cognitive system,” explained Denis Kennelly, vice president of development and technology at IBM Security.
“There it can be used to help the SOC operator to triage the security events,” he told TechNewsWorld.
While Watson can speed the analysis of data, its threat detection potential is limited, maintained Scott Miserendino, chief data scientist at BluVector.
“It’s primarily an enrichment service,” he told TechNewsWorld.
Betting on Cognitive Tools
“Today’s sophisticated cybersecurity threats attack on multiple fronts to conceal their activities, and our security analysts face the difficult task of pinpointing these attacks amongst a massive sea of security-related data,” noted Sean Valcamp, chief information security officer at Avnet, an early tester of the Watson for Cyber Security system.
“Watson makes concealment efforts more difficult by quickly analyzing multiple streams of data and comparing it with the latest security attack intelligence to provide a more complete picture of the threat,” he said.
“Watson also generates reports on these threats in a matter of minutes, which greatly speeds the time between detecting a potential event and my security team’s ability to respond accordingly,” Valcamp added.
Only 7 percent of security pros currently use cognitive tools in their workflow, but that is changing, according to IBM, which expects usage to triple in the next two to three years.
That’s because as more and more devices come online, they create a burden on security teams they won’t be able to handle without the help an AI like Watson.
“The attack surface for the attacker is mushrooming,” Kennelly said. “Tools like Watson can help defend against those expanding attack patterns.”
Voice-Powered Security Assistant
IBM also announced the Havyn Project, which is developing a new voice-powered security assistant to work with Watson’s data.
The assistant will use Watson APIs, BlueMix, and IBM’s cloud to provide real-time responses to verbal requests and commands. It will draw on information from open source security intelligence, including IBM X-Force Exchange, as well as client-specific historic data and security tools.
Further, IBM introduced a Watson-powered chatbot to support its IBM Managed Security Services customers.
“I hope that doesn’t mean you go into a chat channel and you talk to someone you think is an IBM security analyst who’s actually Watson,” said Misha Govshteyn, chief security officer at Alert Logic.
“I don’t think that’s a viable approach,” he told TechNewsWorld. “Customers want to talk to a human being.”
Although artificial intelligence has advanced rapidly in some areas — self-driving cars, for example — it has lagged in security.
“In terms of what can be accomplished, we’re just scratching the surface,” Govshteyn said. “In the next 10 years, AI will be used at every level of the security industry.”
AI is a necessary thing for security, added BluVector’s Miserendino.
“As threats become more complex, you need more advanced human analysts to analyze them,” he explained. “They’re a very limited resource, so being able to apply machine learning and automation to that process is going to be critical moving forward.”
AI is relevant for cybersecurity, but it will have limited impact if applied only to a specific solution, vendor or silo, maintained Tony Ayaz, CEO of Gemini.
“The way we need to leverage AI is across security silos and existing investments. The ability to extract meaning for analysts to conduct faster investigations is by connecting dots between all solutions,” he told TechNewsWorld.
“IBM Watson is a great business intelligence play, but adding an app or lightweight bot on top of QRadar to collect event data and leverage patch management with open source threat intelligence are methods that are in play already with other solutions,” Ayaz said. “I think IBM is attempting to leverage Watson to integrate their solutions, and that is something that is probably needed,” he added, “but this not a game changer.”