Security analysts are typically coming under increased pressure to analyse and respond to alerts and organisations are facing the challenge of scaling up their analysts’ capacity during cyber attacks.
Smarttech wasone of 40 companies around the world that took part in an IBMWatsonfor Cyber Security Beta Program and has since signed up as a customer.
Described as the first cognitive security technology , Watson has been trained on the language of cyber security to understand terms like “backdoor” in the context of cyber security.
To date, it has “ingested” more than a million carefully selected security research reports, threat intelligence reports, government advisories, blogs and news articles that have never before been accessible to security tools.
IBM Watson for Cyber Security uses an adviser app on IBM’s QRadar security intelligence platform that packages up threat actor data and sends it to IBM’s cloud-based Watson cognitive computing capability, which can store millions of pages of structured and unstructured data. It can also reason through the information, learn and answer questions posed in natural language by applying deep cognitive analysis.
The QRadar adviser app, which has some analytical capability, will feed a file hash to Watson, for example, and then Watson will use all the documents at its disposal to link that hash to a known executable file, file name, web address, malware campaign and threat actor.
“Analysts are typically under ferocious pressure to be correct all the time because if they are not it comes back on them pretty hard, so they find IBM Watson invaluable,” says Ronan Murphy, CEO of Smarttech.
“At first they felt threatened and worried that it would replace them, but now they love it, because it has increased the number of incidents they can handle significantly,” he says.
IBM Watson is not designed to replace analysts, but aimed at reducing the pressure they are under and augmenting what they can do by providing quick feedback to enable them to make faster, more accurate decisions. Reduced pressure also means more time to research and remain current on the latest threats.
In minutes, Watson produces a hypothesis and severity, relevance and credibility ratings along with the evidence used, so the analyst can see how and why Watson has reached a particular conclusion.
“What this delivers to security analysts in terms of data analysis to help make crucial decisions faster and act as a sounding board, is the most valuable thing I have seen come to market so far and is proving to be valuable in empowering Smarttech’s analysts and safeguarding their reputation,” says Murphy.
Speed is extremely important, he says, because a quicker response can prevent a network intrusion from becoming a significant data breach.
Murphy says this is especially important in the light of the fact that companies that have the best security systems money can buy admit that more than 40% of malware attacks are still reaching their networks.Attracting new talent
By reducing the pressure on analysts and taking away some repetitive tasks such as related searches, IBM believes the technology can help organisations not only to increase the capacity of existing analysts in the face of the shortage of experienced analysts, but also help attract and retain new talent.
The immediate business benefit for Smarttech, says Murphy, is that it has helped ensure that quality is never compromised as he works to grow the business by taking on more customers and balance that with growing Smarttech’s team of analysts.
According to Murphy, the technology has enabled Smarttech’s analysts to respond to three times as many security incidents and has also improved the quality of the analysts’ reports. It also provides an extra perspective, highlighting something the analysts have missed in about 20% of incidents.
“Customers’ eyes light up when we are able to demo Watson’s ability to analyse something in five minutes when it would take an analyst more than two hours,” he says.
This means that where business continuity is under threat of an attack, Watson’s quick analysis can enable incident response teams to take more immediate action.Analysing key attributes of an attack
Watson typically analyses key attributes of an attack and in addition to confirming an analyst’s conclusions can provide extra context and other indicators of compromise to look for.
Watson for Cyber Security uses technologies such as machine learning and natural language processing to build an ever-increasing document database to speed up and improve the analysis process.
Murphy says it is important to understand that Watson’s cognitive security capability is being applied only to data, not to anything else.
“It is just consuming data and using proven natural language processing technology to give information that empowers analysts to make decisions.”
Murphy says he was attracted to IBM Watson because of the successes of cognitive computing for data analysis in the field of healthcare, particularly oncology.
“The amount of data required to make decisions in healthcare is vastly greater than that required for security,” he says.A competitive advantage
As an MSSP, Smarttech is using the support of the IBM technology as a selling point to its customers, who in turn are claiming as a competitive advantage the ability to analyse attacks faster.
One Smarttech customer, which has around 1m invested in traditional security systems, is getting breached seven times a week on average, says Murphy.
“These are threats that could potentially halt business, but with IBM’s QRadar security intelligence combined with Watson, these threats are being caught before they can do any harm,” he says.
However, Murphy points out that IBM Watson is not something that any company can use and deploy. It is aimed at organisations with a fairly high level of maturity in security.
Martin Borrett, chief technology officer of IBM Security Europe, confirms that the target market includes any organisation that has its own security operations centres (Socs) or team of security analysts such as MSSPs and banks.The potential of Watson
As an example of what IBM Watson can do, Murphy cites an incident in which Smarrtech was able to alert a utilities company that it was under attack.
Smarttech became involved because one its customers, a business process outsourcing (BPO) firm, was hit by sophisticated malware that was traced to the utility company, one of the BPO’s customers.“We analysed the malware and got the feedback from Watson, which was really helpful in this instance because we h