Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/13/2017
02:00 PM
Connect Directly
Twitter
RSS
E-Mail
0%
100%

IBM Brings Watson Cognitive Computing To The SOC

Technology known for a Jeopardy stunt six years ago is now powering question answering within IBM Security's QRadar system.

IBM hopes to elevate artificial intelligence and cognitive computing way beyond party tricks and game show supremacy and as a part of that push, Big Blue picked cybersecurity as a prime market to explore the possibilities. Today, IBM announced that it's officially marrying up its cybersecurity portfolio with the vaunted Watson questioning answering system.

Known best for its performance as a "contestant" on the game show Jeopardy in 2011, Watson was engineered to ingest vast quantities of data on any given subject in order to receive and answer questions in a conversational fashion. A system specifically developed to tackle Jeopardy, this cognitive technology uses natural language processing and machine learning to sift through data sources, synthesize information contained within, find and rank hypotheses and come up with a precise answer to the user's questions.

In the ensuing six years since Watson's success in winning a $1 million first prize in Jeopardy against two human champions, IBM has not only refined Watson's engine but al so been on the look out for ideal business cases to put the technology to use. The firm has achieved early successes in medical decisioning technologies, tracking customer and social media sentiment, and analyzing satellite and municipal data to track water use for drought mitigation.

With the growing problem of alert fatigue and a shortage of skilled security analysts, the industry seemed like it was crying out for Watson's help. The idea is to pair security operations center (SOC) technologies with Watson's processing capabilities so that analysts can ask the system questions about their data and existing threat posture, and receive meaningful advice on further action.  

The announcement follows a year of learning for Watson, which for the past 12 months has been trained on the language of cybersecurity, ingesting over 1 million security documents in the process.

"We've been teaching it for basically about a year, and it’s learned a lot along the way and it’s got a lot smarter along the way. It can read a ton more than it ever could before," says Caleb Barlow, vice president of threat intelligence for IBM Security. "And now we're at the point where it’s kind of graduated college and it’s time to go get that first real job."

According to Barlow, IBM's intent is to take the strain off of teams who can't afford or find enough skilled operators to manage the volume of advanced threats that barrage enterprise networks. Not only will they be able to make faster decisions, but they should be able to do it with more complete data. For instance, he referenced one competition a customer created during beta where they pit a team of experienced analysts against a team of junior analysts armed with Watson. They were given a certain security incident and an hour to look into it. The skilled analysts were able to confirm that attackers were testing the  network with an attempt at brute force password attacks, but believed that nothing further had occurred. Meanwhile, the Watson team identified those attempts but also were able to connect it with a form of malware, and then identify that the malware was actually on the network tied to the same threat actor.

"So, as you can imagine, that’s a very exciting find for that security team," Barlow says, "because now they know exactly how to go to address it, and they know, 'Wait a minute, this isn’t somebody who’s knocking at the door, this entity’s actually already in the door; they're just trying to get more access.'"

The centerpiece of what IBM calls its Cognitive SOC paltform will be IBM QRadar Watson Advisor, which brings together Watson with its QRadar security intelligence platform. The natural language processing capabilities will sift through a variety of security sources, including security blogs, websites, research papers and combine that with threat intelligence and security data from users' QRadar systems.  IBM will also be bringing cognitive tools to its global X-Force Command Center network and has rolled out a Watson-powered chat bot for IBM Managed Security Services customers.  Additionally, the company has a new project codenamed Havyn, which plans to also add voice-activated capabilities so that analysts can query the system by speaking plain-language questions aloud.

Related Content:

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Security_Sifu
50%
50%
Security_Sifu,
User Rank: Apprentice
2/13/2017 | 5:43:15 PM
Watson focused on Information Security SOC Work
Very insteresting read.  I find many organizations utilizing "Big Data", "Neural Networks", and "Machine Learning" to be little more than signatures based on behaviors.  It will be interesting to see how this competes with Cylance in identifying positive and negative payloads.
WyattR
50%
50%
WyattR,
User Rank: Apprentice
9/5/2017 | 7:55:00 AM
Thoughts on Watson
Very interesting. Watson was revolutionary when it won Jeopardy. I remember thinking, Wow this thing is going to only grow and become more advanced, and be able to help companies all over the world become way more efficient. Looks like now that is finally starting to take place, in security measures. Pretty cool stuff.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.