IBM Watson and Cybersecurity: A 24-hour rapid response service
In the Internet era, information security is paramount. That should surprise no one: the network holds an enormous amount of data and serves billions of users, and if attackers get hold of even a small fraction of it, trouble follows (as it does with depressing regularity). Security specialists do their job, and vendors release tools that, in theory, protect organizations from intruders in the normal course of work.
Yet despite all these measures, even the most seemingly well-protected companies and organizations run into trouble. It recently emerged, for example, that the mass spread of the WCry (WannaCry) ransomware halted the issuance of driver's licenses in some regions of Russia. The malware encrypted files on many of the computers it infected, leaving them effectively unusable without the decryption key. What happens if the network of a large commercial company is locked up this way? Such a company stands to lose millions or even billions of dollars. The WannaCry epidemic was stopped more by luck than by design (a researcher registered the kill-switch domain the worm checked before spreading), and nobody has yet tallied the losses.
Standard protection tools do not always cope with such threats, but a cognitive system can considerably simplify the management of enterprise cybersecurity. IBM has such a product: the Watson for Cyber Security service. More on it below.
Information security specialists have so far recorded tens of thousands of vulnerabilities in various software. New software appears every day, new holes are found in existing software, and cybercriminals write malware, build exploits and break into home and corporate networks. Security experts are, of course, on the alert: every identified vulnerability is carefully documented, and the information is often published openly. But this does not always help, because at least 60,000 articles on the subject are published every month, far more than any person can keep track of. Nobody, that is, except Watson, a cognitive platform that can absorb thousands upon thousands of documents in a short time.
Information security needs machine learning and natural language processing as much as any field does. These technologies, and those built on them, grow more capable over time: the systems are trained on each vulnerability or problem found, becoming more adept at handling external and internal threats.
One of the products of the IBM QRadar platform, IBM QRadar Advisor with Watson, is built on the Watson for Cyber Security service.
The IBM Watson cognitive system helps analysts engaged in threat detection organize their work more effectively and efficiently. No person can gather all the necessary information about a problem, especially a complex one, in a few seconds. Watson can, and does: it identifies a potential threat, searches for information about it, analyzes what is happening and recommends a response.
All data is retained so that both people and the cognitive system itself can study it later. On detecting an anomaly in the corporate network, IBM Watson can get to the root of the problem very quickly, so the threat is dealt with "on the way", before it has time to do damage. Its findings go to the support team, which then acts on the data Watson has provided. All of this happens quickly, and the system works with a high degree of accuracy.
IBM QRadar Advisor with Watson operates 24/7/365. Its workflow consists of four key stages:
1. Detecting an incident and identifying its cause, working on the network monitoring data that QRadar has accumulated;
2. Searching the cognitive system's own database for information related to the detected anomaly or incident;
3. Sending the details of the problem from QRadar Advisor to Watson for Cyber Security, which records the data and studies the problem;
4. Identifying the threat and choosing a suitable strategy to counter it.
In 2015 the Ponemon Institute conducted a study of how various companies work with QRadar, which included a survey. Representatives of the participating companies were asked whether they had used additional network security services after implementing QRadar: 70% said no, and 62% said they could have switched products without difficulty if they had wanted to, but had no such desire. 43% of respondents said they felt the effect of the service within a few days, and 27% within a week.
The advantages of QRadar, including its cognitive service, can be summarized as follows:
• Unified architecture for analyzing logs, network flows, packets, vulnerabilities, and data about users and assets
• Real-time correlation using Sense Analytics to identify the most serious threats, attacks and vulnerabilities
• Prioritization and highlighting of the most important incidents among the billions of data items received daily
• Predictive analysis of existing risk arising from device misconfiguration and known vulnerabilities
• Automated incident response
• Automated compliance with regulatory requirements through data capture, correlation and reporting capabilities
The Ponemon Institute estimates that a typical company spends more than 20,000 hours a year dealing with external and internal network threats. That is a huge amount of time, and much of it can be saved by automating the monitoring processes.
Watson for Cyber Security works with data on the 100,000 documented software vulnerabilities in the IBM X-Force Exchange database, plus more than 10,000 other documents and the 700,000 information security blog posts published each year. When needed, all of this can be quickly structured to extract the information relevant to a specific topic. The structured data produced by Watson for Cyber Security feeds into the IBM QRadar service, as described above. As for throughput, the system can analyze thousands of incidents a day, separating false positives from genuine security problems.
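The four-stage workflow listed above, and the turning of unstructured threat intelligence into structured data described here, are easier to see in code. The following is an added example written for this page, not IBM's code and not the product's API: a toy Python model of an advisor-style enrichment loop. The indicator extraction, the local corpus, the external-intelligence lookup table and the scoring rules are all assumptions made for illustration, and the documents, hosts, hashes and domains are constructed placeholders (documentation IP ranges, example.org, the SHA-256 of the string "test"), not real indicators.

```python
"""
Added example (not IBM code): a toy model of an advisor-style enrichment loop.
Step 1 takes raw events, step 2 consults a local knowledge base built from
unstructured text, step 3 asks an external intel source, step 4 ranks the
result. Every indicator below is a placeholder (documentation IP ranges,
example.org, sha256("test")), not a real IOC.
"""
import json
import re
from collections import defaultdict
from ipaddress import ip_address

# Observable types the loop works with, one regex each (assumed set).
PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.I),
}

def extract_indicators(text):
    """Turn free text (a blog post, an advisory, a log line) into a set of
    (type, value) pairs. This is the 'structuring' step: everything after it
    works on indicators rather than on prose."""
    found = set()
    for kind, rx in PATTERNS.items():
        for raw in rx.findall(text):
            value = raw.upper() if kind == "cve" else raw.lower()
            if kind == "ipv4":
                try:
                    ip_address(value)          # drops e.g. 999.1.1.1
                except ValueError:
                    continue
            found.add((kind, value))
    return found

# Constructed corpus standing in for the advisor's local knowledge base (step 2).
CORPUS = [
    {"source": "vendor advisory", "severity": "critical",
     "text": "CVE-2017-0144 (MS17-010): remote code execution in SMBv1 on "
             "unpatched Windows hosts, exploited in the wild by the WannaCry worm."},
    {"source": "analyst blog", "severity": "high",
     "text": "Sample 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 "
             "beacons to c2.example.org (203.0.113.45) on port 443 before dropping a "
             "ransomware payload; the dropper spreads via CVE-2017-0144."},
    {"source": "community post", "severity": "low",
     "text": "Scanner traffic from 198.51.100.7 probing SMB on port 445, "
             "no exploitation observed."},
]

def build_index(corpus):
    """Map every indicator mentioned in the corpus to the documents that mention it."""
    index = defaultdict(list)
    for doc in corpus:
        for indicator in extract_indicators(doc["text"]):
            index[indicator].append(doc)
    return index

# Constructed stand-in for the external service queried in step 3 (Watson for
# Cyber Security / X-Force Exchange in the text). A real integration would be
# an HTTP client; here it is a lookup table.
EXTERNAL_INTEL = {
    ("ipv4", "203.0.113.45"): "malicious",
    ("domain", "c2.example.org"): "malicious",
    ("ipv4", "198.51.100.7"): "suspicious",
}

SEVERITY_SCORE = {"critical": 3, "high": 2, "low": 1}      # assumed scoring rules
PRIORITY = {0: "informational", 1: "low", 2: "medium", 3: "high"}

def analyze_offense(offense_lines, index, external=EXTERNAL_INTEL):
    """Run one offense through the loop and return a structured summary."""
    observables = set()                              # step 1: raw events -> indicators
    for line in offense_lines:
        observables |= extract_indicators(line)

    local_hits = {ind: index[ind] for ind in observables if ind in index}   # step 2
    related = set()                                  # one hop: indicators co-mentioned with a hit
    for docs in local_hits.values():
        for doc in docs:
            related |= extract_indicators(doc["text"])
    related -= observables

    external_hits = {ind: external[ind]              # step 3
                     for ind in observables | related if ind in external}

    score = max((SEVERITY_SCORE[d["severity"]]      # step 4: rank the offense
                 for docs in local_hits.values() for d in docs), default=0)
    if "malicious" in external_hits.values():
        score = 3
    return {
        "observables": sorted(observables),
        "local_hits": {f"{k}:{v}": [d["source"] for d in docs] for (k, v), docs in local_hits.items()},
        "related_indicators": sorted(related),
        "external_hits": {f"{k}:{v}": verdict for (k, v), verdict in external_hits.items()},
        "priority": PRIORITY[score],
    }

# Constructed events standing in for what QRadar hands the advisor (step 1).
OFFENSE = [
    "2017-05-12T10:02:11Z fw01 allow tcp 10.0.0.23:51432 -> 203.0.113.45:443 bytes=4812",
    "2017-05-12T10:02:14Z edr ws-0023 process=svchost.exe new_file=C:\\Users\\Public\\dropper.exe "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2017-05-12T10:02:15Z ids ws-0023 possible MS17-010 SMBv1 exploit attempt to 10.0.0.41:445",
]

if __name__ == "__main__":
    print(json.dumps(analyze_offense(OFFENSE, build_index(CORPUS)), indent=2))
```

Running the script prints the summary for the constructed offense: the two observables that match the analyst blog (the file hash and the outbound address) pull in the related C2 domain and CVE-2017-0144 that the event stream itself never mentioned, the external table marks the C2 infrastructure malicious, and the offense is ranked high. An offense containing only internal addresses produces no hits and stays informational. In a real deployment the corpus would be the vulnerability and blog-post feed the text describes and the lookup table an API client; the structure of the loop is the point.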
Watson for Cyber Security will soon become part of the new Cognitive Security Operations Center (SOC) platform, which is intended to integrate cognitive technology with security operations. A key element of the platform is IBM BigFix Detect, which tracks an attack back through a kind of "time machine" to find the point where it all began. For the customer this means the ability to respond very quickly to emerging threats, across local networks and clouds alike. Other SOC components are IBM Security, X-Force Exchange and i2. IBM plans to offer the unified platform as a service, under the name SOC-as-a-Service.