IBM Watson for Cyber Security goes into beta

IBM Watson for Cyber Security has finally moved from a research programme to formal beta. The press release announcing the beta phase said that 40 different organisations have agreed to be beta partners. They span a range of industries and educational establishments.

Sandy Bird, Chief Technology Officer, IBM Security

According to Sandy Bird, Chief Technology Officer, IBM Security: “Customers are in the early stages of implementing cognitive security technologies. Our research suggests this adoption will increase three fold over the next three years, as tools like Watson for Cyber Security mature and become pervasive in security operations centers. Currently, only seven percent of security professionals claim to be using cognitive solutions.”

Rebekah Brown, Threat Intelligence Lead at Rapid7, commented: “It is very encouraging to see new, innovative methods for analysing and detecting cyber attacks, especially one of this magnitude with so many great minds working together. … We have to be careful, however, not to rely exclusively on automation and machine operations to combat a thinking, changing adversary. While machine-learning algorithms are effective at identifying and predicting attack patterns based on what has previously been observed, it is always possible that an attacker will take actions that are not predictable or that do not fit with previous behaviour patterns.”

AI assistant or Robocop wannabe?

It was back in June when IBM first announced Watson for Cyber Security. Six months on, IBM and its university partners have finally taught Watson how to detect a cyber attack. It is intended to work in a similar way to the initial Watson medical application for doctors. In that scenario Watson provided doctors with a set of possible diagnoses, each with a probability score. It then left the doctor to decide which of the possibilities, if any, was the most likely.

The same is being done here. Watson will filter very large volumes of data looking for a set of indicators it has learned during its training. When it discovers an indicator it then looks for other markers that could indicate a cyber attack. For example, it may find a file that is known to be a piece of malware or an IP address that is associated with a command and control server. The results are then flagged to a security analyst with more information on the type of attack and its severity. It is then up to the analyst to decide what to do.

The latter is the key point here. Watson will not be initiating any action of its own such as removing files or terminating the source of the infection. For the sci-fi geeks in the IT security teams the chance to dress as RoboCop and dish out retribution won’t be happening anytime soon.

Behavioural analytics more to Watson’s liking

Another scenario will be Watson ingesting large amounts of logs and other data from around the organisation. It will use its cognitive analytics to determine the context of the behaviour those logs record and whether it indicates a security risk. This is similar to existing IBM behavioural analytics products, except with a wider set of data and the ability to learn in real time. The learning phase is critical, as it may take time to decide if the behaviour of an app, device or individual is suspicious.

One area where this is challenging is mobile users. A user logging on in different offices in different countries within a short period of time is a risk factor. However, it could also indicate a user logging on at a local office and then opening a VPN to connect to their home office. A security researcher is unlikely to pick this up in real time.

Watson, by comparison, would be able to detect the logons through the real-time data feeds from multiple sources. It could then compare that activity to the travel plans of an individual to see if there is a possible reason for the behaviour. The results of that could then be quickly routed to a security team to validate the individual. As the solution matures, Watson could gain the power to initiate a temporary blocking of an individual pending a multi-factor authentication with a member of the support team.
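The scenario just described, as an added example that is not IBM's code or part of the original article: a small impossible-travel check over a constructed logon feed that first looks for the benign explanations the text mentions (a VPN back to the home office, a matching travel record) and only routes the remaining cases to an analyst, without blocking anything itself. The VPN egress table and travel records are hypothetical.

```python
from datetime import datetime, timedelta
from typing import NamedTuple
class Logon(NamedTuple):
    user: str
    ts: datetime
    country: str   # geolocated source country
    src_ip: str
class Finding(NamedTuple):
    user: str
    reason: str             # "vpn", "travel" or "impossible_travel"
    route_to_analyst: bool  # True only when no benign explanation was found
    detail: str

# Constructed context (hypothetical): VPN egress address -> exit country; HR travel records.
VPN_EGRESS = {"203.0.113.10": "GB"}
TRAVEL = {"dave": [("DE", datetime(2016, 12, 6), datetime(2016, 12, 9, 23, 59))]}

def explain_pair(prev, cur, travel, vpn_egress, window=timedelta(hours=2)):
    """Classify two consecutive logons by one user; None when nothing is unusual."""
    if prev.country == cur.country or cur.ts - prev.ts > window:
        return None
    # A logon at a local office followed by a tunnel to the home office.
    if vpn_egress.get(cur.src_ip) == cur.country:
        return Finding(cur.user, "vpn", False, f"{cur.src_ip} is VPN egress in {cur.country}")
    # A travel record covering the new country on that date makes it plausible.
    for country, start, end in travel.get(cur.user, []):
        if country == cur.country and start <= cur.ts <= end:
            return Finding(cur.user, "travel", False, f"travel record covers {country}")
    # No explanation found: hand the facts to an analyst; the tool decides nothing.
    return Finding(cur.user, "impossible_travel", True, f"{prev.country}->{cur.country} in {cur.ts - prev.ts}")

def review_logons(logons, travel, vpn_egress, window=timedelta(hours=2)):
    """Group logons per user in time order and explain each cross-country pair."""
    by_user = {}
    for logon in sorted(logons, key=lambda l: (l.user, l.ts)):
        by_user.setdefault(logon.user, []).append(logon)
    findings = []
    for seq in by_user.values():
        findings += filter(None, (explain_pair(p, c, travel, vpn_egress, window) for p, c in zip(seq, seq[1:])))
    return findings

# Constructed sample feed: two logons from each user on one day.
SAMPLE = [
    Logon("alice", datetime(2016, 12, 7, 9, 0), "DE", "198.51.100.5"),
    Logon("alice", datetime(2016, 12, 7, 9, 20), "GB", "203.0.113.10"),  # VPN back to home office
    Logon("bob", datetime(2016, 12, 7, 10, 0), "US", "198.51.100.7"),
    Logon("bob", datetime(2016, 12, 7, 10, 45), "CN", "192.0.2.44"),      # no benign explanation
    Logon("dave", datetime(2016, 12, 7, 9, 0), "US", "198.51.100.11"),
    Logon("dave", datetime(2016, 12, 7, 10, 30), "DE", "192.0.2.60"),     # covered by travel record
]
```

Only bob's pair reaches the analyst queue; the other two are explained and kept as context rather than alerts.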

How will Watson continue to learn?

This is a much bigger question and one it has been difficult to get an answer to. Watson works best by continuing to evolve its knowledge. If this is to be 40 separate instances of Watson without a means to combine the knowledge, how will Watson evolve?

The more likely scenario is that there will be a way for all of the instances to contribute to the improvement of Watson. How will this be done? Will data be anonymised before being transmitted? If so, who will decide on what is a suitable level of anonymisation? Will Watson make its own decisions? That would send a flag up for any security team.

In the press release IBM said it will work with the beta customers to continuously improve Watson. Maybe what we have here is not 40 separate instances of Watson but 40 users on a multi-tenanted version of Watson. This would certainly make it possible to keep customer data separate but ensure that the core Watson for Cyber Security corpus of data is able to learn from attacks across all the customer sites.

As with the original launch of Watson for Cyber Security, IBM is cautious about what it is saying. There are a lot of questions to answer and nobody is really rushing to answer them. That said, anything that can improve the ability to spot complex indicators of attack is to be welcomed.
