Another Wimbledon has come and gone. To the victors, the accolades and the trophies: Roger Federer’s eighth win and Garbine Muguruza’s first. For the IBM team located in the media center’s ground floor at SW19, the fortnight concludes with an opportunity to break from the constant vigilance ensuring the availability of Wimbledon.com and the integrity of the data consumed.
I spent 15 English summers abroad in that basement, staring at screens, looking for cracks and garnering a love for English tea that consumes me to this day. While, sadly, I was unable to venture across the pond for this year’s tournament, our on-site team did have Watson for Cyber Security to assist them in protecting the pinnacle of tennis achievement.
Quantity Versus Quality
Every analyst is regularly asked to quantify threats, which usually involves delivering a numeric set of values to signify some preponderance of significant events, thus showcasing the ability to withstand an onslaught. These values are both daunting and impressive to the casual observer and security analyst alike.
Growth is systemic, much akin to the rise in popularity of the online portal for all things Wimbledon. Likewise, similarly trending growth occurs in potentially viable threat vectors. In short, attention increases, in both positive and negative ways, along a synchronous path.
The numbers for this year are equally significant, with just short of 200 million events during the tournament alone. Aside from the seemingly insatiable tide, there were many interesting, coordinated actions that could easily become mired in the morass of never-ending scripted attacks.
“Interesting” is not an expression the executives like to hear emanating from the mouth of a security analyst, since that implies something outside the norm — and therefore, potentially damaging. However, we had more than our share during the tournament. The numbers are impressive, but looking deeper, so is the content, even if that is far more difficult to measure qualitatively.
How to Win at Wimbledon
Let us be clear about something: Threat actors are smart. They are diligent, persistent and dedicated, continually pushing the boundaries of their knowledge. They force us to alter the paradigm for managing security on an ongoing basis. They also understand one unequivocal fact: They outnumber the analysts and see the potential in overwhelming the individual to be successful.
For example, this year we noticed a “low and slow” coordinated attack. It began with a specialized form of distributed denial-of-service, which is not meant to decrease the availability of the platform like so many relatives of the method. Instead, it remained below the radar over a short span (10 minutes, in this instance), thus piling log data into a massive stream of similar entries without raising the alarm. It limited the number of active connections to prevent the image of an actual threat.
The value is in the masquerading effect. While their bots are performing this task, cybercriminals use the cover of darkness to attempt other nefarious acts, such as malware injection. An analyst would be forced to slog through thousands of log entries — or, if they were fortunate to have a decent security information and event management (SIEM) solution, could attempt to correlate the entries. It is a time-consuming and error-prone task. Enter Watson.
The Watson for Cyber Security system understands, innately, the relationships between threat vectors and attack types and maintains an evolving set of lists that contain known data accumulated over a vast network of devices across the internet. Analysis is conducted at the press of a button, and Watson returns correlative evidence to show the cause-and-effect relationship between two seemingly disparate attacks.
Digging further down the proverbial rabbit hole depends on the potential for success of the individual. In this instance, there was little opportunity, since the intrusion prevention systems reacted and thwarted any attempt at each action. Still, it piqued my curiosity, and I was glad to have Watson in my toolbox.
Now, if you will excuse me, it’s time for a nice cuppa.