When we first introduced IBM Watson to the security operations team at Smarttech, the analysts’ initial reaction was suspicion. Was this new partner there to make their lives easier or to take away their jobs?
The unease melted away within the first few weeks, however, as Watson not only earned their trust, but became a valued member of our security operations center (SOC). Watson showed that it could solve in minutes problems what would take days for humans to research. Far from threatening the analysts’ jobs, Watson has enriched our technical team’s work.
Battling Alert Fatigue
Smarttech provides managed security services (MSS) to organizations of all sizes around the globe. We struggle with the same problems of hiring and retaining qualified security professionals as anyone else. Expertise is expensive, and keeping researchers motivated means maintaining the delicate balance of challenging and interesting problems without drowning them in false alarms, a syndrome we call alert fatigue.
Security researchers need to be resourceful. When new incidents surface, they must pinpoint the source, characteristics and severity of the problem. In the process, they spend a lot of time scouring websites and reading security blogs, but there are so many resources available. The smartest security analyst in the world can’t possibly stay on top of all of them.
Taking Watson for a Test Drive
We decided to become a beta test site for Watson for Cyber Security because we thought we could meaningfully change the way our SOC works. Watson can vacuum up unstructured information from thousands of sources, including alerts, government and academic publications, blog posts and even tweets.
It then combs through all this human-generated information to look for patterns. For example, we can give Watson the signature of a new malware infection, and within minutes, it delivers a detailed report on the origins of a threat, how far it has spread, what other organizations have done to combat it and how embedded it is in a customer’s infrastructure.
That last point is important. The number one question customers ask us after they detect an intrusion is whether we excised the entire threat and shut down the attacker. Prior to bringing Watson for Cyber Security on board, it was difficult for us to answer that question with confidence. Thanks to Watson’s remarkable ability to ingest and analyze millions of server log entries, we can now provide a more definitive response. The customer gains peace of mind, and that’s good for our business.
An Eager Student
It took time to bring Watson up to speed. IBM began training last spring, collecting and curating human-generated knowledge that we entered into the database. Watson is based on machine learning and natural language processing. That means that it embarks upon a new knowledge domain knowing very little, much like a child entering elementary school. Frankly, we weren’t even that impressed with the first iteration of Watson for Cyber Security.
But we got excited when we saw how fast Watson was learning. IBM trained the system by giving it questions that have unambiguous answers. Then they tested Watson by querying it on similar topics and looked to see if the answers matched the control set. When they didn’t, IBM went back and tuned the engine.
Over the course of several months, Watson progressed from a toddler to a college student. Our security team continues to conference with Watson’s developers twice a week, sharing our impressions of Watson’s output so that they can continue refining the engine.
A Trusted Adviser
Our security analysts now consider Watson to be a trusted adviser. It gives them leverage to understand context, something that is nearly impossible for a human researcher to do, given the vast amount of information that needs to be considered. Our analysts tell us that a full incident forensic report that would take a week for a human researcher to complete can be wrapped up by Watson in a couple hours.
We also use the system to conduct deeper research when we need to better understand a threat. For example, if our analysts want to dig into the origins of a new kind of ransomware, Watson can scour external sources to look for IP addresses, file names, geographic origins and other factors that contribute to their understanding. They can then make more informed decisions.
Some customers mistakenly believe that Watson is a cure-all solution that can eliminate the need for human analysts. Nothing could be further from the truth. Watson excels in two areas: context and speed. It is not a decision-making engine, although it can offer recommendations. The experience and intuition of human analysts is still critical. We see no reason that should ever change.
Contrary to eliminating jobs, Watson is making our security experts more productive, focused and fulfilled. Much of the drudgery of security analysis has been removed from their shoulders, enabling them to think creatively. Morale has improved, and so has customer satisfaction.
What really gets us excited is thinking about the future. Many of the tasks we deal with every day in IT involve using well-defined processes to yield predictable answers, such as querying a database.
Watson is a different kind of animal. Like a teenager, it has boundless potential and the capacity to learn continuously. We don’t know what it will be when it grows up, but we can’t wait to find out.