Throughout the US Open Tennis Championship, the supporting infrastructure and the mobile apps can see upwards of 3 million security events. While the vast majority of those events are not serious, security analysts must quickly determine which ones are concerning and take immediate action. With such a large volume and variety of data, they need to know where to focus their attention.

As the host of the digital platforms and official digital innovation partner for the US Open Tennis Championship over the past three decades, IBM maintains and secures the platforms. The 256 singles players on the court in the main draws, 850,000 spectators in the stands and 13 million fans watching at home are counting on IBM to ensure that a cybersecurity attack does not interrupt the premier tennis tournament.

Securing Data and Infrastructure

Every year, IBM iX, the experience design arm of IBM Consulting™, partners with the U.S. Tennis Association to create an exceptional experience. By using hybrid cloud technology and artificial intelligence (AI), IBM turns large amounts of data — from every shot on the court to player statistics — into insights that help fans feel more a part of the experience and increase their knowledge of the game.

IBM helps the US Open provide two key insights to fans via IBM Power Index and Match Insights with Watson. IBM Power Index uses 25 factors, including player performance factors such as win-loss ratio, win margin, rank differential, court surface, injury status, number and level of tournaments played, and round progression, to quantify player momentum. Match Insights with Watson uses natural language processing, AI and statistical analysis to create fact sheets for each singles match. Spectators both in the stands and at home can then understand why a specific player is predicted to win and which Win Factors contributed to that prediction.

However, providing these experiences does not happen with a single tool or a single network. The IBM team uses multiple environments, data types, devices, clouds and platforms to collect, analyze and report the vast amounts of data. A security incident can occur in any of these areas and disrupt the tournament experience. Throughout the US Open, the IBM team prioritizes cybersecurity with its world-class team and the latest technology.

Determining the Most Urgent Security Issues

IBM turns to its IBM Security QRadar platform to guard the entire US Open technology environment — including endpoints, networks and cloud platforms. The cloud-based interface makes it easy for the security team, which is spread around the globe, to see real-time data on what is happening on the court as well as in the infrastructure. QRadar helps security teams detect, prioritize and respond to threats across the enterprise.

When IBM Security QRadar detects a threat, it flags the issue and assesses it on parameters such as threat type and magnitude, and the platform then assigns a threat level. Security analysts can then automate how threats at each level are handled. For example, an incident reported on the mobile app may simply be a cybercriminal looking for cracks in the armor and be assigned a level 3 threat. IBM Security QRadar prioritizes the event accordingly and does not take up analysts’ valuable time if it is deemed inconsequential. However, if the platform suspects stolen credentials, it assigns a level 10 threat, and security analysts are immediately notified.

Detection in Action

So what does it actually look like when security analysts are sniffing and sussing out threats with QRadar?

Recently, the security team had seen an increasing volume of penetration-testing-style scanners, from established services to fly-by-night freelance operations. The US Open was no exception, experiencing scans from all the usual suspects and a handful of new ones, including a popular capture and statistical analysis organization.

Traditionally, the analysts had ignored these scanners: they would not try to exploit anything, they would simply scan fervently, looking for open services. That was the case until the day after the US Open officially kicked off.

One security architect noticed a huge spike in scanning, topping out at nearly 1,500 events within a minute and a half. Something seemed off. When he dug deeper, he found that a smaller spike was contained within the larger one, specifically targeting Trivial File Transfer Protocol (TFTP) exploits.

The timing was so precise that the smaller burst was concealed within the scan, so he figured the two had to be coordinated. The scan came from the capture and statistical analysis site, but the exploit attempts came from a different IP address, belonging to a VPS service that offers on-demand virtual machines.

Upon further investigation, he found more similarities. Both hosts presented the same cipher specs on their SSH port, and both were running ZeroMQ, a brokerless messaging library, on port 9002. It was too much of a coincidence.

As a result, the architect blocked the statistical analysis organization, helping to lessen the number of US-based attacks against the US Open. Ultimately, QRadar allowed the analyst to dig into the oddities and discover the truth.
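The investigation above has three steps that can be scripted against any time-sorted event feed: spot the burst, separate the minority traffic that the burst's volume hides, and compare the fingerprints of the two sources. The block below is an added example written for this article, not IBM's or QRadar's code; the IP addresses, timestamps, ports, SSH cipher lists and host profiles are all constructed, and the scanner is simulated as ~1,500 events in 90 seconds with 40 TFTP exploit attempts interleaved from a second host.

```python
"""Added example (not IBM's or QRadar's code): find an exploit burst hidden
inside a scan spike and test whether the two sources share a fingerprint.
All IPs, timestamps, ports and host profiles below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SCANNER = "203.0.113.10"    # assumed: the noisy scanning organisation
EXPLOITER = "198.51.100.7"  # assumed: the VPS host sending TFTP exploits
TFTP_PORT = 69
T0 = datetime(2023, 8, 29, 14, 0, 0)
WINDOW = timedelta(seconds=90)


def build_events():
    """Constructed stream of (timestamp, src_ip, dst_port, category): ten
    minutes of low-rate scanning, then a 90-second burst of 1,500 scan events
    with 40 TFTP exploit attempts from another IP interleaved inside it."""
    events = []
    for minute in range(10):                      # baseline: 5 probes/minute
        for k in range(5):
            events.append((T0 + timedelta(minutes=minute, seconds=12 * k),
                           SCANNER, 1000 + k, "scan"))
    burst = T0 + timedelta(minutes=10)
    for i in range(1500):                         # the spike itself
        events.append((burst + timedelta(milliseconds=60 * i),
                       SCANNER, 1 + i % 1024, "scan"))
    for i in range(40):                           # hidden inside the spike
        events.append((burst + timedelta(seconds=10 + 2 * i),
                       EXPLOITER, TFTP_PORT, "exploit"))
    events.sort()
    return events


def find_spikes(events, window=WINDOW, threshold=1000):
    """Sliding-window burst detection on a time-sorted list: one
    (window_start, peak_count) per burst whose count exceeds the threshold.
    Overlapping over-threshold windows are merged, keeping the densest."""
    spikes, start = [], 0
    for end, ev in enumerate(events):
        while ev[0] - events[start][0] > window:
            start += 1
        count = end - start + 1
        if count <= threshold:
            continue
        cand = (events[start][0], count)
        if spikes and cand[0] <= spikes[-1][0] + window:
            if count > spikes[-1][1]:
                spikes[-1] = cand
        else:
            spikes.append(cand)
    return spikes


def hidden_sources(events, spike_start, window=WINDOW):
    """Within one spike window, split the dominant source (the scanner) from
    minority sources its volume would mask; returns the scanner and
    {src: {(port, category): count}} for everything else."""
    inside = [e for e in events if spike_start <= e[0] <= spike_start + window]
    dominant = Counter(e[1] for e in inside).most_common(1)[0][0]
    tally = defaultdict(Counter)
    for _, src, port, cat in inside:
        if src != dominant:
            tally[src][(port, cat)] += 1
    return dominant, {src: dict(c) for src, c in tally.items()}


# Constructed host profiles standing in for what probing each source would
# show: SSH cipher/KEX preferences plus open service ports.
CIPHERS = "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"
PROFILES = {
    SCANNER: {"ssh_ciphers": CIPHERS, "ssh_kex": "curve25519-sha256",
              "services": {22: "ssh", 9002: "zeromq"}},
    EXPLOITER: {"ssh_ciphers": CIPHERS, "ssh_kex": "curve25519-sha256",
                "services": {22: "ssh", 9002: "zeromq"}},
    "192.0.2.44": {"ssh_ciphers": "aes128-ctr,aes256-ctr",   # unrelated host
                   "ssh_kex": "ecdh-sha2-nistp256",
                   "services": {22: "ssh", 80: "http"}},
}


def shared_traits(a, b, profiles):
    """Fingerprint attributes two hosts have in common: identical SSH cipher
    and KEX lists, plus every (port, service) pair both expose."""
    pa, pb = profiles[a], profiles[b]
    shared = [k for k in ("ssh_ciphers", "ssh_kex") if pa[k] == pb[k]]
    shared += [f"port:{p}/{s}" for p, s in pa["services"].items()
               if pb["services"].get(p) == s]
    return shared


def correlate(events, profiles, min_shared=2):
    """Spike -> hidden sources -> fingerprint link to the dominant scanner.
    A pair is flagged as likely coordinated at >= min_shared shared traits."""
    findings = []
    for start, count in find_spikes(events):
        scanner, minority = hidden_sources(events, start)
        for src, targets in minority.items():
            traits = shared_traits(scanner, src, profiles)
            findings.append({"window_start": start, "events_in_window": count,
                             "scanner": scanner, "hidden_source": src,
                             "hidden_targets": targets, "shared_traits": traits,
                             "likely_coordinated": len(traits) >= min_shared})
    return findings


if __name__ == "__main__":
    for finding in correlate(build_events(), PROFILES):
        print(finding)
```

Two design points a practitioner would keep in mind: the burst detector works on a sliding window rather than fixed minute buckets, so a 90-second burst straddling a minute boundary is not split into two sub-threshold halves; and identical SSH cipher lists plus a shared service port are circumstantial (two hosts built from the same VPS image will look alike), so the `likely_coordinated` flag is best used to raise the finding for analyst review rather than to block automatically.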

Providing Remediation Insights for Security Events

It’s clear from the example above that, with time being of the essence and the entire tennis world watching, the security analysts must quickly and effectively manage the threats that IBM Security QRadar determines are severe. Another tool that helps analysts act fast is IBM Cloud Pak for Security, which puts millions of security blogs, articles and resources at their fingertips.

Based on the information provided by IBM Security QRadar, IBM Cloud Pak for Security uses AI and natural language processing to recommend specific steps and resources for remediating the threat. By saving valuable time, IBM reduces the risk of the spectator or fan experience being interrupted by a security issue.

As more technology elements, such as the IBM Power Index and Match Insights, have been added to the US Open spectator experience, the importance of security continues to increase. By using tools such as IBM Security QRadar and IBM Cloud Pak for Security, the security team makes sure that the focus of the tournament remains where it should be — on the court.
