IBM Watson for Cyber Security targets SOCs

Denis Kennelly, VP of Development and Technology, IBM Security

IBM has announced Watson for Cyber Security, aimed at Security Operations Centres (SOCs). It claims to be delivering cognitive computing to the SOC. Having spent a year feeding Watson over 1 million security documents, IBM is now putting it to work. This is about giving Security Operations (SecOps) teams access to data that their tools currently don’t have.

Denis Kennelly, VP of Development and Technology, IBM Security, said: “The Cognitive SOC is now a reality for clients looking to find an advantage against the growing legions of cybercriminals and next generation threats. Our investments in Watson for Cybersecurity have given birth to several innovations in just under a year. Combining the unique abilities of man and machine intelligence will be critical to the next stage in the fight against advanced cybercrime.”

Reducing the time spent identifying complex attacks

Since IBM first deployed Watson in healthcare, it has relied on Watson’s ability to find patterns in large collections of data. Cybersecurity is a prime target for this type of analysis. Every day brings large numbers of new incidents to light that need validating. Those incidents are based on millions of underlying data points that have to be sifted. So far, IBM has done all of this through a complex set of tools sold by its security business.

What IBM is promising with this version of Watson for Cyber Security is a significant time saving for SecOps. IBM research claims: “teams sift through more than 200,000 security events per day on average, leading to over 20,000 hours per year wasted chasing false positives.” If Watson can reduce this substantially, it will deliver a return on investment within months for large enterprises. If it stops just one major attack or data breach, it will have paid for itself immediately.

Part of a larger security platform

Watson is not acting alone. It is integrated into the new Cognitive SOC platform, where it forms part of IBM QRadar Advisor with Watson. What is not clear is how IBM will leverage all the data from different customers. It appears that each customer will build up their own repository of data. How they will then keep this up to date raises questions.

It would make more sense if Watson for Cyber Security were collating and anonymising data at the back end. Ideally this could be done through a two-phase process: an on-premises version that does the day-to-day work, and a separate process that takes the resulting threat intelligence and feeds it to the cloud-based systems. The cloud systems would, in turn, update the on-premises version with new information from other customers.

IBM already shares threat intelligence data across its security tools. Collating that data and feeding it back to Watson for Cyber Security will improve the accuracy and speed of detection. Regulators for financial services have already agreed to allow companies to share threat data in a closed industry solution. It will be interesting to see if IBM introduces a parallel product for finance, as it is doing for SOCs.

IBM announced the beta for Watson for Cyber Security back in December. At the time it was just beginning to ramp up the data ingestion. We asked a number of questions back then, including about the sharing and anonymisation of data. IBM has still not answered them, which raises eyebrows. It is likely that the product will be a major feature of the IBM InterConnect conference next month in Las Vegas. By then, IBM should have worked out some of the answers.

The product will now ship on 28th February to interested customers. Pricing information will be available then.
