
IBM Watson and Cybersecurity: A Rapid Response Service That Works Round the Clock



In the Internet era, information security is paramount. This is hardly surprising: there is an enormous amount of data on the network and there are billions of users. If attackers gain access to even a fraction of this information, trouble can be expected (and, in fact, it happens with enviable regularity). Of course, security experts are at work, and various companies produce tools that, in theory, protect against intruders in a normal workflow.

But despite the measures taken, problems regularly arise even at the most seemingly well-protected companies and organizations. Recently it became known, for example, that because of the mass spread of the WCry (WannaCry) virus in some regions, Russia even had to suspend the issuance of driver’s licenses. This virus compromised many computers, which are practically unusable until they are unlocked. What happens if a virus locks up the network of a large commercial company? Such a company will suffer losses in the millions or even billions. As it is, the WannaCry epidemic was stopped only by a stroke of luck, and no one has yet counted the losses.

Standard protection tools do not always cope with a threat, but a cognitive system can greatly simplify the job of managing an enterprise’s cybersecurity. IBM has such a product: the Watson for Cyber Security service. Read more about it below.

At the moment, information security experts have recorded tens of thousands of vulnerabilities in various software. Every day new software appears, new “holes” are discovered in existing software, and attackers release viruses, create exploits, and break into home and corporate networks. Clearly, cybersecurity experts are not asleep: each identified vulnerability is carefully documented, and this information is often published in the public domain. But that does not always help, because every month authors publish at least 60,000 articles related to this area, and no one is able to keep up with such a flow of data. No one, that is, except Watson, a cognitive platform capable of absorbing thousands upon thousands of documents per unit of time. Almost all of this data is unstructured, and many of the materials are not linked to each other even though they may cover similar topics.

Information security, more than almost any other field, calls for machine learning and natural language processing. These technologies, and the ones built on them, are becoming more sophisticated over time. Computer systems are trained on the example of each vulnerability or problem found, becoming ever better at handling external and internal information threats.



One of the products of the IBM QRadar platform, IBM QRadar Advisor with Watson, is built on the Watson for Cyber Security service.

The IBM Watson cognitive system helps threat-detection analysts do their work more effectively and efficiently. No human can gather all the necessary information about a problem, especially a complex one, in a few seconds. But the Watson system can, and does. It identifies a potential threat, searches for information about it, analyzes what is happening, and acts as needed.

All data is stored, so that both the analyst and the cognitive system itself can study it. When IBM Watson finds an anomaly in the corporate network, for example, it can get to the heart of the problem very quickly. As a result, the problem never has time to materialize; the threat is neutralized “on the way”. The findings are handed to the technical support group, which acts on the data Watson provides. All of this happens quickly, and the system works with a high degree of accuracy.

IBM QRadar Advisor with Watson works 24/7/365. Its workflow consists of four key steps:

1. The incident is detected and its causes identified; here the cognitive system works with the network monitoring data accumulated by QRadar;
2. Next, the cognitive system’s own database is searched for information relating to the detected anomaly or incident;
3. Next, QRadar Advisor sends information about the problem to Watson for Cyber Security, which ingests this data and examines the problem;
4. The threat is identified and a suitable strategy to counter it is selected.


Incidentally, in 2015 the Ponemon Institute conducted a study of how various companies work with QRadar. As part of this study, a survey was conducted. Representatives of the companies that agreed to take part were asked whether they had used additional network security services since introducing QRadar. 70% of respondents answered that they had not, and 62% said they could have switched products without any difficulty had they wanted to, but the desire never arose. 43% of respondents said they felt the effect of working with the service within a few days, and for 27% the effect appeared within a week.

In general, the advantages of QRadar, including the cognitive service, can be summarized in the following points:

• Unified architecture for analyzing logs, network flows, packets, vulnerabilities, user data and assets
• Real-time correlation analysis using Sense Analytics to identify the most serious threats, attacks and vulnerabilities
• Prioritization and highlighting of key incidents among the billions of data points collected daily
• Predictive analysis of existing risks caused by device misconfiguration and known vulnerabilities
• Automatic incident response
• Automated regulatory compliance through data collection, correlation and reporting



According to the Ponemon Institute, an ordinary company spends more than 20,000 a year dealing with network threats, both external and internal. This is a huge amount of time, and it can be saved by automating all monitoring processes.

Watson for Cyber Security operates on data about 100,000 documented software vulnerabilities in the IBM X-Force Exchange database. The cognitive system also has at its disposal more than 10,000 different documents and 700,000 blog entries by information security experts, published each year. When needed, all of this data can be quickly structured to extract the necessary information on a specific topic. The structured data generated by Watson for Cyber Security is passed to the IBM QRadar service, as mentioned above. As for effectiveness, the system can analyze thousands of incidents per day, separating false alarms from actual security problems.

Soon, Watson for Cyber Security will become part of the new Cognitive Security Operations Center (SOC) platform, which will finally unite cognitive technologies with network security operations. The key element of the platform is IBM BigFix Detect. This solution, which lets you trace an attack, uses a kind of “time machine” to find the point where it all began. For the end user, this means being able to respond quickly, very quickly, to emerging threats, whether in local networks or in the cloud. The other SOC components are IBM Security, X-Force Exchange and i2. IBM plans to provide access to this unified platform as a service, which will be called SOC-as-a-Service.

Source: https://habr.com/ru/post/330250/