IBM Watson and Cyber Security: Rapid Response Service
Information security is at the forefront in the Internet era. This is hardly surprising: the network holds an enormous amount of data and serves billions of users. If attackers gain access to even a small fraction of that information, trouble follows (as in fact happens with enviable regularity). Security experts are, of course, at work, and various companies produce tools that, in theory, protect against intruders disrupting normal operations.
Yet despite the measures taken, problems regularly arise even at companies and organizations that appear best protected. It recently became known, for example, that the mass spread of the WCry (WannaCry) ransomware forced some regions of Russia to suspend even the issuance of driver's licenses. The malware compromised many computers, which could not be used until they were unlocked. What happens if such malware locks down the network of a large commercial company? The company suffers losses in the millions or even billions. As it stands, the WannaCry epidemic was halted only by a stroke of luck, and no one has yet tallied the losses.
Standard protection tools do not always cope with such threats, but a cognitive system that manages the enterprise's cyber security can simplify the job considerably. IBM has such a product: the Watson for Cyber Security service. More on it below.
Information security experts have by now documented tens of thousands of vulnerabilities in various software. Every day new software appears, new "holes" are found in existing software, and attackers release malware, create exploits, and break into home and corporate networks. Cybersecurity specialists are not asleep either: each identified vulnerability is carefully documented, and the information is often published openly. But that does not always help, because authors publish at least 60,000 articles relevant to the field every month. No one can keep up with that flow of data. No one, that is, except Watson: the cognitive platform can assimilate thousands upon thousands of documents per unit of time. Almost all of this data is unstructured, and many of the materials are not linked to one another even when they cover related topics.
Information security, perhaps more than any other field, calls for machine learning and natural language processing. These technologies, and related ones, grow more sophisticated over time: the systems are trained on each vulnerability or problem found and become steadily better at dealing with external and internal threats.
One product of the IBM QRadar platform, IBM QRadar Advisor with Watson, is built on the Watson for Cyber Security service.
The IBM Watson cognitive system helps threat-detection analysts do their job faster and more effectively. No person can gather all the necessary information about a problem, especially a complex one, in a few seconds. The Watson system can, and does: it identifies a potential threat, searches for information on it, analyzes what is happening, and acts as needed.
All data is retained so that both the analyst and the cognitive system can learn from it later. IBM Watson can, for example, discover an anomaly in the corporate network and get to the root of the problem very quickly. As a result, the threat is neutralized before it materializes, still "on the way." The findings are handed to the support team, which acts on the data Watson provides. All of this happens quickly, and the system works with a high degree of accuracy.
IBM QRadar Advisor with Watson works around the clock, 24/7/365. Its operation consists of four key steps:
- Detect the incident and identify its cause; at this stage the cognitive system works with the network monitoring data that QRadar has accumulated;
- Search the cognitive system's own knowledge base for information related to the detected anomaly or incident;
- QRadar Advisor sends information about the problem to Watson for Cyber Security, which records the data and studies the problem;
- Identify the threat and select a suitable strategy to counter it.
In 2015, by the way, the Ponemon Institute studied how various companies work with QRadar. A survey was conducted as part of the study: representatives of the participating companies were asked whether they used additional network security services after deploying QRadar. 70% of respondents answered that they did not, and 62% said that they could switch products without difficulty if they wanted to, but no such desire had arisen. 43% of respondents said they felt the benefit of the service within a few days; for 27% it appeared within a week.
In general, the merits of QRadar, including its cognitive service, can be summarized as follows:
- A unified architecture for analyzing logs, network flows, packets, vulnerabilities, and user and asset data;
- Real-time correlation analysis using Sense Analytics to identify the most serious threats, attacks, and vulnerabilities;
- Prioritizing and highlighting critical incidents among the billions of data points received daily;
- Predictive analysis of existing risk arising from device misconfiguration and known vulnerabilities;
- Automated incident response;
- Automated regulatory compliance through data collection, correlation, and reporting.
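To make concrete what the first step of the Advisor workflow above (detecting an incident from the monitoring data QRadar has accumulated) and the "correlation", "prioritizing critical incidents" and "sorting out false positives" points mean in practice, here is an added example. It is not IBM's code and not part of the original article: a toy rule engine in Python that turns constructed log lines into a prioritized list of offenses. The log format, the asset table, the scanner allowlist, the thresholds and the 0-10 magnitude scale are all assumptions made for illustration; QRadar's real rule language and scoring differ.

```python
# Toy SIEM-style correlation and offense prioritization.
# Added example, not IBM QRadar/Watson code. The log format, asset table,
# allowlist, thresholds and magnitude scale are all constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed asset context (what a CMDB or vulnerability scanner would feed the
# SIEM): a criticality weight and whether the host has a known unpatched hole.
ASSETS = {
    "db-01":  {"criticality": 2.0, "vulnerable": True},
    "web-01": {"criticality": 1.5, "vulnerable": False},
    "ws-42":  {"criticality": 1.0, "vulnerable": False},
}
# Internal scanner whose failed logins are expected noise (false positives).
SCANNER_ALLOWLIST = {"10.0.0.5"}
FAILURE_THRESHOLD = 3          # failures needed before a success is suspicious
WINDOW = timedelta(minutes=5)  # look-back window for those failures

# Constructed log lines: "<ISO timestamp> <src_ip> <dst_host> <user> <event>".
RAW_LOG = """\
2017-05-15T09:50:00 203.0.113.7 db-01 svc_backup auth_failure
2017-05-15T10:00:01 203.0.113.7 db-01 svc_backup auth_failure
2017-05-15T10:00:03 203.0.113.7 db-01 svc_backup auth_failure
2017-05-15T10:00:04 203.0.113.7 db-01 svc_backup auth_failure
2017-05-15T10:00:09 203.0.113.7 db-01 svc_backup auth_success
2017-05-15T10:01:00 10.0.0.5 web-01 root auth_failure
2017-05-15T10:01:01 10.0.0.5 web-01 root auth_failure
2017-05-15T10:01:02 10.0.0.5 web-01 root auth_failure
2017-05-15T10:01:05 10.0.0.5 web-01 root auth_success
2017-05-15T10:02:00 198.51.100.9 ws-42 bob auth_failure
2017-05-15T10:02:30 198.51.100.9 ws-42 bob auth_failure
2017-05-15T10:02:40 198.51.100.9 ws-42 bob auth_success
2017-05-15T10:05:00 192.0.2.44 web-01 - malware_detected
2017-05-15T10:06:00 192.0.2.45 db-01 - malware_detected
"""

@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    user: str
    kind: str

@dataclass
class Offense:
    rule: str
    src: str
    dst: str
    event_count: int
    magnitude: float  # 0-10 triage score (assumed scale)

def parse_log(text):
    """Parse the constructed whitespace-separated log format into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, user, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, user, kind))
    return events

def magnitude(base_severity, dst):
    """Weight a rule's severity by asset criticality and known vulnerability."""
    asset = ASSETS.get(dst, {"criticality": 1.0, "vulnerable": False})
    score = base_severity * asset["criticality"]
    if asset["vulnerable"]:
        score += 2.0  # the same event on an unpatched host is a bigger risk
    return min(10.0, score)

def correlate(events):
    """Apply two rules and return offenses sorted by magnitude, highest first."""
    offenses = []
    events = [e for e in events if e.src not in SCANNER_ALLOWLIST]  # drop noise

    # Rule 1: >= FAILURE_THRESHOLD failures followed by a success for the same
    # src/dst/user inside WINDOW: credential guessing that probably worked.
    by_key = defaultdict(list)
    for e in events:
        if e.kind in ("auth_failure", "auth_success"):
            by_key[(e.src, e.dst, e.user)].append(e)
    for (src, dst, user), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.kind != "auth_success":
                continue
            failures = [f for f in evs[:i]
                        if f.kind == "auth_failure" and e.ts - f.ts <= WINDOW]
            if len(failures) >= FAILURE_THRESHOLD:
                offenses.append(Offense("brute_force_then_success", src, dst,
                                        len(failures) + 1, magnitude(4.0, dst)))
                break  # one offense per key; later events would chain onto it

    # Rule 2: any malware detection; its weight depends on the affected asset.
    for e in events:
        if e.kind == "malware_detected":
            offenses.append(Offense("malware_detected", e.src, e.dst, 1,
                                    magnitude(3.0, e.dst)))
    return sorted(offenses, key=lambda o: o.magnitude, reverse=True)

if __name__ == "__main__":
    for o in correlate(parse_log(RAW_LOG)):
        print(f"{o.magnitude:4.1f}  {o.rule:25s} {o.src:>13s} -> {o.dst} "
              f"({o.event_count} events)")
```

Running it yields three offenses: the successful brute force against the vulnerable database host ranks first (the failure from 09:50 falls outside the window and is not counted), the malware hit on the same host second, and the malware hit on the less critical web host last. The scanner's identical login pattern produces no offense at all, and the two failed logins by "bob" stay below the threshold. Real SIEM correlation adds many more event sources and rule types, but prioritization by asset context and suppression of known noise are the two mechanisms that let an analyst see the critical incidents among the daily flood.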
According to the Ponemon Institute, a typical company spends more than 20,000 hours a year dealing with network threats, both external and internal. That is a huge amount of time, and it can be saved by automating all monitoring processes.
In its work, Watson for Cyber Security draws on data about 100,000 documented software vulnerabilities held in the IBM X-Force Exchange database. The cognitive system also has at its disposal more than 10,000 different documents and the 700,000 entries that information security specialists publish in blogs every year. When needed, all of this data can be quickly structured to extract the information required on a particular topic. The structured data produced by Watson for Cyber Security is passed to the IBM QRadar service, as discussed above. As for effectiveness, such a system can analyze thousands of incidents per day, separating false positives from real security problems.
Watson for Cyber Security will soon become part of the new Cognitive Security Operations Center (SOC) platform, which is meant to finally unite cognitive technologies with network security operations. A key element of the platform is IBM BigFix Detect. This solution, which traces an attack, uses a kind of "time machine" to find the starting point where it all began. For the end user this means the ability to respond very quickly to emerging threats, on local networks and in the cloud alike. Other SOC components are IBM Security, X-Force Exchange, and i2. IBM plans to offer access to this unified platform as a service, to be called SOC-as-a-Service.