Malware is a major cause of cyberattacks today, with fraudsters using targeted spear phishing emails and social engineering to distribute malicious files to unsuspecting employees at various organizations. To make matters worse, malware has evolved to avoid detection by traditional security tools and systems.

Take the CozyDuke malware campaign as an example. Attackers used spear phishing to distribute Flash videos that installed the CozyDuke executable when played on a victim’s computer. Due to the viral nature of the content, these videos got passed around between colleagues and helped spread the malware rapidly.

Given the sophistication of such malware, security analysts need to identify infected endpoints by investigating indicators and incidents that are flagged by security information and event management (SIEM) systems that monitor activity and suspicious behavior on the network. Analysts are often overwhelmed with the amount of data they need to consume to accurately investigate whether these incidents are truly malicious and, if so, determine the necessary remediation actions.

Watch the on-demand Webinar: 5 Building Blocks for a SOC That Rocks

A Trusted Sidekick for Security

We’ve all read about the famous fictional detective Sherlock Holmes and his sidekick, Watson. Sherlock has an uncanny ability to get the right information to make connections between evidence he sees and the suspect involved in the crime. Today’s security analysts have the cognitive advantage of IBM Watson for Cyber Security to help them make similar connections while investigating cyberthreats such as the CozyDuke malware.

Let’s take an example of a malware attack. IBM QRadar chains together multiple events, such as a potentially successful exploit containing an informational email message and a suspicious file download. It then compiles an offense and generates an alert in the QRadar offense dashboard.

With traditional tools, an analyst would have to take the observables in the offense and perform further threat research to qualify the incident and identify the root cause of the attack. In the process of investigating the incident, the analyst would have to access multiple threat feeds, perform basic search queries, talk to peers and superiors, and read through security bulletins to gather more information on the incident.

On average, analysts investigate 10 to 20 incidents per day. They need to keep abreast of the latest threat information as well as historical threat data to aid their investigations. This can quickly become overwhelming and cause inaccuracies to creep in.

The Power of Cognitive Security

Instead of manually investigating incidents, analysts can now harness the cognitive security capabilities of IBM QRadar Advisor and Watson for Cyber Security to perform investigations and report findings. Watson goes beyond just understanding types of malware and threat entities. It not only identifies the various threat entities, but also finds the relationship between these entities and how they interact within your environment, backed up by supporting evidence in the form of structured threat feeds and unstructured data such as security blogs, bulletins and research reports. With Watson for Cyber Security, analysts have access to millions of security documents to extract the intelligence needed to accurately identify and understand threats within minutes.

In this example, Watson identifies a known threat actor — CozyDuke — and 13 additional observables that were not part of the original offense. It also provides the complete context of all the threat entities involved in the attack and the relationships between them in the form of a knowledge graph. Analysts can explore this graph to understand the full scope of the attack and take appropriate actions for incident response.

Learn More

Who needs Sherlock Holmes when you can have your very own cognitive security sidekick to aid you in your investigations of cyberthreats? Learn more about IBM QRadar Advisor with Watson and take advantage of a free 30-day trial.

Watch the on-demand Webinar: 5 Building Blocks for a SOC That Rocks

More from Artificial Intelligence

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

Is AI saving jobs… or taking them?

4 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job. Well, which is it? As with all things security-related, AI-related and employment-related, it's complicated. How AI creates jobs A major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based…

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today