When we first introduced IBM Watson to the security operations team at Smarttech, the analysts’ initial reaction was suspicion. Was this new partner there to make their lives easier or to take away their jobs?

The unease melted away within the first few weeks, however, as Watson not only earned their trust but became a valued member of our security operations center (SOC). Watson showed that it could solve in minutes problems that would take humans days to research. Far from threatening the analysts' jobs, Watson has enriched our technical team's work.

Battling Alert Fatigue

Smarttech provides managed security services (MSS) to organizations of all sizes around the globe. We struggle with the same problems of hiring and retaining qualified security professionals as anyone else. Expertise is expensive, and keeping researchers motivated means striking a delicate balance: giving them challenging and interesting problems without drowning them in false alarms, a syndrome we call alert fatigue.

Security researchers need to be resourceful. When new incidents surface, they must pinpoint the source, characteristics and severity of the problem. In the process, they spend a lot of time scouring websites and reading security blogs, but there are so many resources available that even the smartest security analyst in the world can't possibly stay on top of all of them.

Taking Watson for a Test Drive

We decided to become a beta test site for Watson for Cyber Security because we thought we could meaningfully change the way our SOC works. Watson can vacuum up unstructured information from thousands of sources, including alerts, government and academic publications, blog posts and even tweets.

It then combs through all this human-generated information to look for patterns. For example, we can give Watson the signature of a new malware infection, and within minutes, it delivers a detailed report on the origins of a threat, how far it has spread, what other organizations have done to combat it and how embedded it is in a customer’s infrastructure.

That last point is important. The number one question customers ask us after they detect an intrusion is whether we excised the entire threat and shut down the attacker. Prior to bringing Watson for Cyber Security on board, it was difficult for us to answer that question with confidence, because it requires correlating every sighting of the threat's indicators across every host. Thanks to Watson's ability to ingest and analyze millions of server log entries, we can now provide a more definitive response. The customer gains peace of mind, and that's good for our business.
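The scoping question above ("did we excise the entire threat?") comes down to a mechanical check that an analyst can run even without Watson: sweep the logs for the threat's indicators, build a per-host timeline, and flag any host that still shows indicator activity after the containment time. The script below is an added illustration of that check, written for this page; it is not Watson code and not Smarttech tooling. The indicator values, host names and log lines are constructed for the example (the IP is from a documentation range), and the log format is a hypothetical "timestamp host message" layout.

```python
"""IOC scoping sweep over server logs (added example, not Watson's method).

Given a set of indicators (one IP address and one file name here) and a batch
of log lines, build a per-host timeline of indicator sightings and report the
hosts that still show activity after the declared containment time. Those are
the hosts where "did we excise the entire threat?" must be answered "not yet".
Indicators, hosts and log lines below are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed indicators (hypothetical; 203.0.113.0/24 is a documentation range).
IOCS = {
    "ip": {"203.0.113.45"},
    "file": {"svchost_update.exe"},
}

# Constructed log lines in a hypothetical "<ISO timestamp> <host> <message>" layout.
SAMPLE_LOGS = """\
2024-03-01T09:12:03Z web01 outbound tcp 10.0.1.5:49152 -> 203.0.113.45:443
2024-03-01T09:14:10Z web01 process start C:\\Users\\svc\\svchost_update.exe
2024-03-01T10:02:44Z db02 outbound tcp 10.0.2.9:50111 -> 203.0.113.45:443
2024-03-01T11:00:00Z web01 av quarantine C:\\Users\\svc\\svchost_update.exe
2024-03-02T03:41:19Z db02 process start D:\\temp\\svchost_update.exe
2024-03-02T04:00:07Z fs03 outbound tcp 10.0.3.2:51020 -> 198.51.100.7:80
not a log line at all
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ts(text):
    """Parse a UTC ISO-8601 timestamp such as 2024-03-01T12:00:00Z."""
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, host, message), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = parse_ts(m.group(1))
    except ValueError:
        return None  # first token was not a timestamp: skip, do not crash
    return ts, m.group(2), m.group(3)


def match_iocs(message):
    """Return the set of indicators present in one log message."""
    hits = {ip for ip in IP_RE.findall(message) if ip in IOCS["ip"]}
    lowered = message.lower()  # file names on Windows are case-insensitive
    hits |= {name for name in IOCS["file"] if name.lower() in lowered}
    return hits


def scope_incident(log_text, containment_ts):
    """Per-host first/last sighting of any indicator, plus the sorted list of
    hosts with a sighting after containment_ts (ISO timestamp string)."""
    containment = parse_ts(containment_ts)
    timeline = defaultdict(lambda: {"first": None, "last": None, "iocs": set()})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, host, msg = parsed
        hits = match_iocs(msg)
        if not hits:
            continue  # benign line (e.g. fs03 talking to a non-indicator IP)
        entry = timeline[host]
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        entry["iocs"] |= hits
    still_active = sorted(h for h, e in timeline.items() if e["last"] > containment)
    return dict(timeline), still_active


if __name__ == "__main__":
    hosts, active = scope_incident(SAMPLE_LOGS, "2024-03-01T12:00:00Z")
    for host, e in sorted(hosts.items()):
        print(f"{host}: {sorted(e['iocs'])} "
              f"first={e['first']:%Y-%m-%d %H:%M} last={e['last']:%Y-%m-%d %H:%M}")
    print("still active after containment:", active)
```

With the constructed data, web01 shows both indicators but its last sighting (the antivirus quarantine) precedes containment, while db02 re-launches the dropped file the next morning and is reported as still active; fs03 never appears because its outbound connection is to an address that is not an indicator. The point worth keeping in mind is that the answer is only as good as the indicator list and the log coverage: a host that does not ship logs, or an indicator the analyst did not know to look for, is invisible to this sweep, which is exactly the gap a broad research tool is meant to narrow.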

An Eager Student

It took time to bring Watson up to speed. IBM began training last spring, collecting and curating human-generated knowledge that we entered into the database. Watson is based on machine learning and natural language processing, which means it enters a new knowledge domain knowing very little, much like a child entering elementary school. Frankly, we weren't even that impressed with the first iteration of Watson for Cyber Security.

But we got excited when we saw how fast Watson was learning. IBM trained the system by giving it questions that have unambiguous answers, then tested it by querying it on similar topics and checking whether the answers matched the control set. When they didn't, IBM went back and tuned the engine.

Over the course of several months, Watson progressed from a toddler to a college student. Our security team continues to confer with Watson's developers twice a week, sharing our impressions of Watson's output so that they can continue refining the engine.

A Trusted Adviser

Our security analysts now consider Watson to be a trusted adviser. It gives them the leverage to understand context, which is nearly impossible for a human researcher to do alone, given the vast amount of information that needs to be considered. Our analysts tell us that a full incident forensic report that would take a human researcher a week to complete can be wrapped up by Watson in a couple of hours.

We also use the system to conduct deeper research when we need to better understand a threat. For example, if our analysts want to dig into the origins of a new kind of ransomware, Watson can scour external sources to look for IP addresses, file names, geographic origins and other factors that contribute to their understanding. They can then make more informed decisions.

Some customers mistakenly believe that Watson is a cure-all solution that can eliminate the need for human analysts. Nothing could be further from the truth. Watson excels in two areas: context and speed. It is not a decision-making engine, although it can offer recommendations. The experience and intuition of human analysts are still critical. We see no reason that should ever change.

Boundless Potential

Contrary to eliminating jobs, Watson is making our security experts more productive, focused and fulfilled. Much of the drudgery of security analysis has been removed from their shoulders, enabling them to think creatively. Morale has improved, and so has customer satisfaction.

What really gets us excited is thinking about the future. Many of the tasks we deal with every day in IT involve using well-defined processes to yield predictable answers, such as querying a database.

Watson is a different kind of animal. Like a teenager, it has boundless potential and the capacity to learn continuously. We don’t know what it will be when it grows up, but we can’t wait to find out.
