When we first introduced IBM Watson to the security operations team at Smarttech, the analysts’ initial reaction was suspicion. Was this new partner there to make their lives easier or to take away their jobs?

The unease melted away within the first few weeks, however, as Watson not only earned their trust, but became a valued member of our security operations center (SOC). Watson showed that it could solve in minutes problems that would take humans days to research. Far from threatening the analysts’ jobs, Watson has enriched our technical team’s work.

Battling Alert Fatigue

Smarttech provides managed security services (MSS) to organizations of all sizes around the globe. We struggle with the same problems of hiring and retaining qualified security professionals as anyone else. Expertise is expensive, and keeping researchers motivated means maintaining the delicate balance of challenging and interesting problems without drowning them in false alarms, a syndrome we call alert fatigue.

Security researchers need to be resourceful. When new incidents surface, they must pinpoint the source, characteristics and severity of the problem. In the process, they spend a lot of time scouring websites and reading security blogs, but there are so many resources available. The smartest security analyst in the world can’t possibly stay on top of all of them.

Taking Watson for a Test Drive

We decided to become a beta test site for Watson for Cyber Security because we thought we could meaningfully change the way our SOC works. Watson can vacuum up unstructured information from thousands of sources, including alerts, government and academic publications, blog posts and even tweets.

It then combs through all this human-generated information to look for patterns. For example, we can give Watson the signature of a new malware infection, and within minutes, it delivers a detailed report on the origins of a threat, how far it has spread, what other organizations have done to combat it and how embedded it is in a customer’s infrastructure.

That last point is important. The number one question customers ask us after they detect an intrusion is whether we excised the entire threat and shut down the attacker. Prior to bringing Watson for Cyber Security on board, it was difficult for us to answer that question with confidence. Thanks to Watson’s remarkable ability to ingest and analyze millions of server log entries, we can now provide a more definitive response. The customer gains peace of mind, and that’s good for our business.

An Eager Student

It took time to bring Watson up to speed. IBM began training last spring, collecting and curating human-generated knowledge that we entered into the database. Watson is based on machine learning and natural language processing. That means that it embarks upon a new knowledge domain knowing very little, much like a child entering elementary school. Frankly, we weren’t even that impressed with the first iteration of Watson for Cyber Security.

But we got excited when we saw how fast Watson was learning. IBM trained the system by giving it questions that have unambiguous answers. Then they tested Watson by querying it on similar topics and looked to see if the answers matched the control set. When they didn’t, IBM went back and tuned the engine.

Over the course of several months, Watson progressed from a toddler to a college student. Our security team continues to conference with Watson’s developers twice a week, sharing our impressions of Watson’s output so that they can continue refining the engine.

A Trusted Adviser

Our security analysts now consider Watson to be a trusted adviser. It gives them leverage to understand context, something that is nearly impossible for a human researcher to do alone, given the vast amount of information that needs to be considered. Our analysts tell us that a full incident forensic report that would take a human researcher a week to complete can be wrapped up by Watson in a couple of hours.

We also use the system to conduct deeper research when we need to better understand a threat. For example, if our analysts want to dig into the origins of a new kind of ransomware, Watson can scour external sources to look for IP addresses, file names, geographic origins and other factors that contribute to their understanding. They can then make more informed decisions.

Some customers mistakenly believe that Watson is a cure-all solution that can eliminate the need for human analysts. Nothing could be further from the truth. Watson excels in two areas: context and speed. It is not a decision-making engine, although it can offer recommendations. The experience and intuition of human analysts are still critical. We see no reason that should ever change.

Boundless Potential

Contrary to eliminating jobs, Watson is making our security experts more productive, focused and fulfilled. Much of the drudgery of security analysis has been removed from their shoulders, enabling them to think creatively. Morale has improved, and so has customer satisfaction.

What really gets us excited is thinking about the future. Many of the tasks we deal with every day in IT involve using well-defined processes to yield predictable answers, such as querying a database.

Watson is a different kind of animal. Like a teenager, it has boundless potential and the capacity to learn continuously. We don’t know what it will be when it grows up, but we can’t wait to find out.
