Security analysts today are drowning in data. Even the most talented, knowledgeable and efficient analysts are overwhelmed with hundreds more alerts and anomalies than they can reasonably address, and the problem is only getting worse.
This is one of the main reasons why IBM recently announced the Cognitive Security Operations Center (SOC). An industry first, the Cognitive SOC uses Watson for Cyber Security to improve analysts’ ability to fill gaps in intelligence and act with speed and accuracy.
Watson Powers the Cognitive SOC
George Mina, program director of Watson for Cyber Security, recently sat down with Chris Meenan, director of QRadar product management and strategy, to discuss the Cognitive SOC and how it will revolutionize security operations.
Mina: For those who haven’t heard about it, what exactly is a cognitive SOC?
Meenan: A cognitive SOC is all about helping organizations utilize structured and unstructured data from internal and external sources to better detect and respond to threats across networks, endpoints, users and cloud. And because the cognitive SOC is powered by Watson for Cyber Security, it’s a system that continuously learns, reasons and understands.
Mina: There’s a lot of buzz in the marketplace around artificial intelligence (AI). Is this AI?
Meenan: This is absolutely AI, although we are redefining it as augmented intelligence. What we’re doing is helping security analysts with a trusted advisor. Today in security operations, analysts have an extremely tough job. Not only are they inundated with alerts, but they have to be increasingly knowledgeable because the threats are evolving so quickly, and there are always new types of malware and new threat actors.
So analysts have a lot on their plates just to keep up with, and on top of that they’ve got to triage all these alerts and incidents, so they need help. The Cognitive SOC is intended to help these analysts do their job, to make them more effective and less likely to miss threats.
Preparing for the Cognitive Revolution
Mina: I recall the cognitive security study IBM did last year showed that in the next three years the adoption rate of cognitive solutions will triple, and I’m sure it’s very much due to these reasons you’ve just cited. Now, let’s talk a bit about the type of information we’re feeding Watson for Cyber Security.
Meenan: This has actually been a momentous project. We have been feeding Watson with threat intelligence data, blog posts, forums, Wikipedia articles, threat research … all being absorbed on a real-time basis. In addition, people, of course, publish new indicators, new behaviors, new attack patterns, new malware all the time, and Watson is continually reading and learning from these new insights as well.
This information is available to all of our Cognitive SOCs, so as soon as one of our Cognitive SOCs spots a new behavior or pattern, Watson for Cyber Security connects the dots instantly to help us understand what we’re dealing with. Needless to say, this all happens much more quickly than it’s ever been able to before.
Teaching Watson the Language of Security
Mina: So there’s a vast volume of information that we’re tapping into with Watson. Tell me more about the machine learning elements and how we’re training Watson.
Meenan: There are two major types of data: structured and unstructured. Structured data is straightforward — it’s a known quantity. But unstructured data in the form of imprecise human language is where so much of the value is. This value is found by joining documents together, by understanding what type of malware, for example, is exploiting what type of vulnerability that’s used by what types of threat actor.
These are the sorts of things that appear a lot in unstructured data. But to get to this point, we actually had to teach Watson how to read and how to understand not just natural language, but also the language of security so that we could give it a threat report and it could read it and identify who’s the threat actor, what’s the malware, what are the vulnerabilities, what are the attack vectors. So we actually spent a lot of time teaching Watson how to do all that and now that we’ve done it, Watson is literally reading tens of thousands of articles every day on the internet and it’s pulling in all that information and it’s learning and growing.
The Cognitive SOC in Action
Mina: So Watson isn’t simply ingesting this data, but there’s an actual sense of deep learning, of making sense of this information and truly understanding the language of cybersecurity. It’s this unstructured data that’s most valuable. Remembering that that data was unintelligible before, you can really start to see the value of Watson and its ability to connect the dots.
Meenan: We launched our beta program for this a couple of months ago and we have some fantastic use cases of support. Just as an example, one of our beta customers was using QRadar Advisor with Watson, and it had a distributed denial-of-service (DDoS) attack on its network. So it gave this to its level 1 and 2 analysts to analyze using their traditional, structured threat intelligence feed and their other best practices.
Sure enough they said yes, it’s a DDoS attack, they looked it up, it’s well-known as a source of DDoS. The threat was mitigated, they were blocking it and they put the IP addresses on a watchlist, and all this took about an hour and a half.
Then they sent it to Watson for Cyber Security via QRadar and it came back in two minutes and said, yes, this is a DDoS, but actually this source is associated with other threat campaigns and those threat campaigns use XYZ attack vectors and indicators of compromise. And they actually found they’d been compromised by those other attacks vectors, and they would have completely missed it without Watson. That’s a perfect example of what Watson is able to do, because it’s connecting the dots that structured data isn’t able to provide and that analysts don’t always have the time or resources to work out. This is where augmented intelligence can dramatically improve security.
Connecting the Dots
Mina: This story perfectly illustrates the three gaps that cognitive security aims to solve and why we’ve made this huge investment in Watson for Cyber Security.
First, the intelligence gap — being able to tap into that large corpus of knowledge to uncover the relationships and patterns multiple steps beyond what a security analyst would likely see. Second is the speed piece — being able to do all this and draw these conclusions in a matter of minutes. And then, finally, accuracy — having the confidence from evidence-based findings that, for instance, this DDoS attack is related to other attack vectors that the analysts alone could have missed.
Tell me now how our readers can actually access Watson for Cyber Security.
Meenan: When we set about building this product, we wanted it to be accessible by everyone in minutes. We wanted to use the power of the cloud, so we built a Watson for Cyber Security cloud service and then we created a lightweight QRadar app available on our IBM App Exchange that users can download and install into QRadar in minutes. It doesn’t need any extra infrastructure whatsoever; it just plugs straight into QRadar and connects to the Watson for Cyber Security cloud service.
Then, when there are incidents and anomalies that users want analyzed, they simply click a button and literally a minute later they get their results. Many of our beta customers were actually getting their first results within 10 or 15 minutes of installing the app, and that’s information that previously would have taken days to compile.
The main use case is just getting a much better picture of the whole threat environment. What we’re seeing is that users who submit incidents for analysis are getting more knowledge back because they’re getting a fuller picture of the entire threat environment — they’re actually identifying threats that they’d previously missed because Watson is connecting the dots that their existing data feeds were not catching or they didn’t have the time to research and investigate.
Fundamentally, they’re just getting through more work more effectively because they’re don’t have to spend so much time digging, pivoting, searching, looking up sources — Watson is doing all that work for them and then just presenting the results. With this app, Watson becomes a trusted advisor sitting by your side to help uncover new insights.