IBM’s Watson supercomputer can now consult with the company’s security information and event management (SIEM) platform to deliver well researched responses to security events and do so much faster than a person.
Called IBM Q Radar with Watson, the new offering is the first step in IBM’s push for a cognitive security operations center (SOC) built around Watson, which will contribute to decisions made in tandem with the vendor’s other security products. IBM announced the service at the RSA Conference 2017.
In the case of Q Radar, when the SIEM catches a security event, human security analysts can choose to enlist Watson’s help in analyzing the event to determine whether it fits a known threat pattern and to put it in a broader context, IBM says.
To do this, Watson has been fed relevant security research that is continually being updated as analysts publish more blogs and research. That’s more information than a human analyst could hope to keep up with, IBM says. The advantage is that Watson doesn’t forget any of what it has learned and it can sift through its knowledge faster than a person, IBM says. How fast? It can come up with an analysis in 15 minutes that might take a person a week.
In its investigations, Watson can interact with Q Radar to zero in on the scope of attacks. For example, Watson might find that a security event includes indicators of an attack and compromise that add up to a possible advanced persistent threat from the cyber attack group known under the names CozyDuke, CozyBear, CozyCar or Office Monkeys. Watson can review other data gathered by Q Radar to determine whether there are additional indicators of compromise that point to a broader attack from the group that goes beyond the initial incident being investigated, IBM says.
The company says that the more Watson reads, the more it builds out an understanding of threat intelligence that it can apply to particular events. Underlying its analysis are probability ratings, weighting of incidents and algorithms to sort it all out.
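The workflow the two paragraphs above describe (match an incident's indicators against a threat group's known pattern, weight the match, then sweep the rest of the SIEM's data for further indicators of that group to size the intrusion) can be sketched as a small correlation routine. This is an added illustration, not IBM's or Watson's code; the group name comes from the article, while the indicator values, weights, hosts and events are constructed.

```python
# Added example: weighted IoC correlation to scope an intrusion, modelled on
# the article's description. Not IBM code; all indicators below are constructed
# (documentation-range address, .invalid domain, placeholder hash).
from dataclasses import dataclass

# Constructed threat-intel record: indicator -> weight (confidence that the
# indicator alone points at this group).
THREAT_PATTERNS = {
    "CozyDuke": {
        "203.0.113.10": 0.9,                 # constructed C2 address
        "update-svc.example.invalid": 0.8,   # constructed C2 domain
        "PLACEHOLDER_SAMPLE_HASH": 0.7,      # constructed file hash
        "powershell -enc": 0.3,              # weak on its own
    }
}

@dataclass
class Event:
    event_id: str
    host: str
    indicators: set

def score_event(event, group):
    """Sum the weights of the group's indicators seen in the event, capped at 1.0."""
    weights = THREAT_PATTERNS[group]
    return min(1.0, sum(weights[i] for i in event.indicators if i in weights))

def attribute(event, threshold=0.5):
    """Best-matching group and its score, or None if nothing clears the threshold."""
    group, score = max(((g, score_event(event, g)) for g in THREAT_PATTERNS),
                       key=lambda gs: gs[1])
    return (group, score) if score >= threshold else None

def expand_scope(initial, events, group, threshold=0.5):
    """Hosts beyond the initial incident that also show the group's indicators."""
    related = {e.host for e in events
               if e.event_id != initial.event_id and score_event(e, group) >= threshold}
    return sorted(related | {initial.host})

# Constructed sample of SIEM events; E1 is the offense the analyst escalates.
EVENTS = [
    Event("E1", "ws-01", {"203.0.113.10", "powershell -enc"}),
    Event("E2", "srv-db", {"update-svc.example.invalid"}),
    Event("E3", "ws-07", {"powershell -enc"}),          # weak hit, excluded
    Event("E4", "ws-02", {"PLACEHOLDER_SAMPLE_HASH"}),
]

def investigate(event_id, events=EVENTS):
    """Attribute the escalated event, then return (group, score, affected hosts)."""
    initial = next(e for e in events if e.event_id == event_id)
    match = attribute(initial)
    if match is None:
        return None
    group, score = match
    return group, score, expand_scope(initial, events, group)
```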
Human analysts can drill down on incidents Watson has researched via descriptions of the threats written in natural language.
Customers have Q Radar on premises and the platform consults with Watson in the cloud.
The service isn’t a replacement for human analysts, but rather a tool for them to work more efficiently and thoroughly, IBM says.
Current customers of Q Radar can get the Watson integration as an add-on application, as can new customers.
In addition to Q Radar with Watson, IBM plans to add other tools to its Cognitive SOC, including IBM BigFix Detect, which speeds up detection of endpoint threats and reduces the time to response. This can tie in to IBM’s incident response platform, Resilient, to jump-start and orchestrate remediation of incidents. The Cognitive SOC also includes IBM’s threat intelligence sharing platform, X-Force Exchange, and its threat-hunting platform, i2.