IBM’s Watson Joins the War on Cybercrime

January 13, 2017 by Dr. Steve Arar

After months of being trained, Watson is ready to revolutionize cybersecurity.

IBM has previously tested Watson in areas such as health, finance, and education. Now the company is attempting a bold experiment: putting Watson in charge of cybersecurity.

Forty organizations, including companies and several universities, are preparing to test the beta version of Watson for Cyber Security on their networks.


Showing Watson the Cybersecurity Ropes

Watson, a computer system loaded up with access to massive databases and machine learning, had to be primed for this new role. In the first phase of the learning process, Watson was given a large number of technical reports, blog posts, news stories, textbooks, and social media posts, as well as notes from IBM pros.

It's important to note that searching through these resources is not Watson’s main capability. Volume is only half the battle. What Watson really needs is the ability to understand this huge amount of unstructured data, that is, data that is not easily machine-readable. To this end, it needed to combine structured data, such as specific security events, with unstructured data like white papers.

For example, in the beginning, Watson couldn't understand “ransomware” (software that holds a user's files hostage for ransom). Before IBM researchers annotated “ransomware” documents with a definition, Watson thought that “ransomware” was the name of a city! Caleb Barlow, Vice President of IBM Security, explains that this was mainly due to the fact that there are actually several cities named ‘Ransom’.

As Barlow notes, Watson’s learning process is similar to that of a small child.

Watson uses context to guess at whatever is new to it; however, it can still make mistakes. Teaching an AI takes a long time; fortunately, an AI does not forget what it learns.

Watson's First Internship

Now, after several months of training, IBM believes that Watson is ready to take part in its first "internship". The company hopes that Watson will be able to bring context to its unstructured data and help security professionals gain more insight into their decisions.

Watson has learned the basics of security but it needs to learn different vernaculars. According to Barlow, the language concerning security in the healthcare industry will differ from that of the energy sector. The company expects that while Watson enhances existing security operations, the real-world experience will further refine the AI’s capabilities.

The beta test/internship with the 40 organizations will allow Watson to get first-hand experience across a multitude of industries. This broad range of contexts will help make Watson's cybersecurity knowledge well-rounded. 

Cognitive Security in Action

Network defenders are facing a constantly increasing number of alerts and anomalies every day. They have a huge workload screening and prioritizing these threats. Watson is trained to automate the typical duties of security analysts.

Relying on machine learning and natural language processing, Watson for Cyber Security decides whether a given anomaly is a malicious threat. The system will use its vast amount of data to decide whether a specific security offense is related to known malware or a known cybercrime campaign. Moreover, it will determine the potential vulnerabilities as well as the scope of the threat.

Watson will also provide background on a user’s previous activities. For example, in the case of repeated failed log-in attempts, the system can make guesses about whether the event is simply the work of an absentminded user or a break-in attempt. All of this information can lead to a fast and effective decision about suspicious behavior.


A mockup of what Watson Cyber Security looks like on a PC. Screengrab courtesy of IBM.

Watson is not necessarily going to replace humans; however, it can certainly save a lot of human effort. The main advantage of using cognitive technology in cyber security so far appears to be rapid detection and decision-making.

According to a Ponemon Institute study done on data breaches in 2016, a security team may consider an average of 200,000 suspicious events a day. With this heavy workload, a data breach takes organizations an average of 201 days to identify and an average of 70 days to contain. Watson can prioritize these events and significantly reduce the time required to effectively handle a given threat.

At present, only 7% of security professionals are using cognitive solutions. However, a study by the IBM Institute of Business Value predicts that, in the next two to three years, this number will experience a threefold increase as tools similar to Watson for Cyber Security mature and become pervasive in security systems.

According to a survey, about 60% of security professionals believe that, in the near future, cognitive technologies will have a significant impact on the outcome of the war against cyber crime.

In 2020, there will be approximately 1.5 million open job positions in cyber security and there will be a shortage of talent in the industry. We can expect that Watson would not only help pros make better decisions but could also mitigate the shortage of cyber security professionals.

Barlow refuses to make a guess about when the technology will be commercially available and notes that there is still a long way ahead.


Featured image used courtesy of IBM Security.