IBM Security is giving its cloud-based cognitive technology Watson a new assignment: cybersecurity.
The new Watson for Cyber Security is now in training at IBM to study the nuances of security research findings in order to more effectively discover patterns and hidden cyberattacks.
IBM’s X-Force research library will be a central part of the materials fed to Watson for Cyber Security. That information includes 20 years of security research, details on 8 million spam and phishing attacks, and over 100,000 documented vulnerabilities. As part of a year-long research project, IBM this fall will work with eight leading universities and their students to further train Watson on the language of cybersecurity.
Unlike programmable systems, cognitive technology is based on training systems that can understand, reason, and learn to sense what’s coming – then communicate that in natural language. IBM is interested in training Watson for Cyber Security to detect security events in unstructured data such as blogs, wikis, videos, transcriptions, and related events, says Caleb Barlow, vice president of IBM Security.
The average security analyst is overwhelmed with data, and the average organization typically deals with 200,000 security incidents a day, Barlow says. The vast majority of those incidents are mundane or benign such as someone forgetting a password and being locked out of an account or a lost mobile phone. “So you are looking for a needle in a stack of needles,” when it comes to detecting a real security event, he says.
In addition, enterprises spend $1.3 million a year dealing on false positives alone, wasting nearly 21,000 hours. On top of that, there are 75,000-plus known software vulnerabilities reported in the National Vulnerability Database, 10,000 security research papers published each year, and over 60,000 security blogs published each month. All of this information makes it difficult for security analysts to move with informed speed, according to IBM.
Many analytic tools now give security analysts better visibility into structured data. “What we are kind of blind to is all the security information that fits in unstructured data,” Barlow says. “What Watson for Cyber Security will do is scan through all that unstructured data and bring context to what you are seeing.”
Researchers will take those 200.000 incidents and get Watson to ask its own questions: Have I seen this before? Has anyone else seen this before? Are there any indicators on other parts of my network that are infected?
Watson will pull all these threads just like a forensic researcher would do, Barlow says. When Watson finds a problem, it will identify and prioritize it, and then alert the analyst. Watson will say, for example, “I think I found unusual botnet activity in your enterprise and here is the evidence I have to back up this conclusion,” Barlow explains.
The evidence could be that the botnet is coming from a known malicious IP address, or it appears in six different locations on your network, for example. The system will say “Here are the known indicators. I think you will have to take action right away,” Barlow explains.
IBM currently plans to process up to 15,000 security documents per month over the next phase of the training with the university partners, clients, and IBM experts collaborating, he says.
IBM will incorporate other Watson capabilities including the system’s data-mining techniques for outlier detection, graphical presentation tools, and techniques for finding connections between related data points in different documents. This means Watson can find data on an emerging piece of malware in an online security bulletin, and data from a security analyst's blog on an emerging remediation strategy.
Tackling Cyber Skill Shortage
IBM also envisions Watson for Cyber Security helping address the cybersecurity skills shortage, freeing up analysts to work on more advanced problems, Barlow says. Some reports indicate that there will be 1.5 million vacant cybersecurity jobs by 2020.
The research project will also provide university students hands-on experience in the emerging field of cognitive security, which could open doors of opportunity for them and supply organizations with potential employees with advanced security skills, according to IBM.
"We are constantly being asked by companies about availability of cybersecurity-competent students to be hired for executive positions. This is yet another way for our students to be at the leading edge of cybersecurity technologies,” says Stuart Madnick, John Norris Maguire Professor of Information Technologies for the Sloan School of Management and professor of Engineering Systems at Massachusetts Institute of Technology's School of Engineering.
“This project actually provides two complementary values to our students since it reinforces and enhances their expertise in both big data, artificial intelligence and cybersecurity,” Madnick says.
Other universities participating in the project include California State Polytechnic University, Pomona; Pennsylvania State University; New York University; the University of Maryland, Baltimore County (UMBC); the University of New Brunswick; the University of Ottawa and the University of Waterloo.
IBM also will consider offering Watson for Cyber Security as a commerical service. “Our goal is to try this on customer locations by the end of the year,” Barlow says. “In all honesty, we have to see what it can do. How it is commercialized and packaged is yet to be determined based on how good a job we can do.”