
How an MSSP scaled up its security analysts' capacity

Irish managed security services provider Smarttech has increased its speed and capacity to analyse cyber attacks using IBM’s fledgling cognitive computing technology

Security analysts are typically coming under increased pressure to analyse and respond to alerts, and organisations face the challenge of scaling up their analysts’ capacity during cyber attacks.

Smarttech was one of 40 companies around the world that took part in an IBM Watson for Cyber Security Beta Program and has since signed up as a customer.

Described as the first cognitive security technology, Watson has been trained on the language of cyber security to understand terms like “backdoor” in the context of cyber security.

To date, it has “ingested” more than a million carefully selected security research reports, threat intelligence reports, government advisories, blogs and news articles that have never before been accessible to security tools.

IBM Watson for Cyber Security uses an adviser app on IBM’s QRadar security intelligence platform that packages up threat actor data and sends it to IBM’s cloud-based Watson cognitive computing capability, which can store millions of pages of structured and unstructured data. It can also reason through the information, learn and answer questions posed in natural language by applying deep cognitive analysis.

The QRadar adviser app, which has some analytical capability, will feed a file hash to Watson, for example, and then Watson will use all the documents at its disposal to link that hash to a known executable file, file name, web address, malware campaign and threat actor.

“Analysts are typically under ferocious pressure to be correct all the time because if they are not it comes back on them pretty hard, so they find IBM Watson invaluable,” says Ronan Murphy, CEO of Smarttech.

“At first they felt threatened and worried that it would replace them, but now they love it, because it has increased the number of incidents they can handle significantly,” he says.


IBM Watson is not designed to replace analysts, but aimed at reducing the pressure they are under and augmenting what they can do by providing quick feedback to enable them to make faster, more accurate decisions. Reduced pressure also means more time to research and remain current on the latest threats.

In minutes, Watson produces a hypothesis and severity, relevance and credibility ratings along with the evidence used, so the analyst can see how and why Watson has reached a particular conclusion.
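As an added illustration (not IBM’s or Smarttech’s code) of the enrichment flow described above, in which an adviser app feeds a file hash to a document corpus and gets back linked indicators plus a hypothesis with severity, relevance and credibility ratings and the evidence behind them. The corpus, the hash, all names and the three rating formulas are constructed assumptions for the example.

```python
import re
from collections import Counter

# Constructed corpus standing in for the ingested reports and advisories; every
# hash, file name, domain, campaign and actor here is an invented placeholder.
REPORTS = {
    "vendor-report-01": "Sample aa55aa55aa55aa55aa55aa55aa55aa55 (dropper.exe) "
        "contacts update-cdn.example; campaign GreyWolf, run by actor APT-Example.",
    "gov-advisory-07": "Hash aa55aa55aa55aa55aa55aa55aa55aa55 seen as svc_host.exe "
        "beaconing to update-cdn.example; attributed to campaign GreyWolf.",
    "news-article-13": "GreyWolf activity reported against a utility; payloads "
        "were staged on update-cdn.example.",
    "blog-post-21": "Phishing kit hosted on login-portal.example; no hashes recovered.",
}
PATTERNS = {  # indicator types the hash gets linked to, as the article describes
    "file_names": re.compile(r"\b[\w-]+\.(?:exe|dll)\b"),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+example\b"),
    "campaigns": re.compile(r"\bcampaign ([A-Za-z0-9-]+)"),
    "actors": re.compile(r"\bactor ([A-Za-z0-9-]+)"),
}

def enrich_hash(file_hash, reports=REPORTS):
    """Link an alert's file hash to related indicators and rate the result."""
    # Pass 1: reports that cite the hash directly; harvest linked indicators.
    direct = {sid: txt for sid, txt in reports.items() if file_hash in txt}
    linked = {k: Counter() for k in PATTERNS}
    for txt in direct.values():
        for key, pat in PATTERNS.items():
            linked[key].update(m.lower() for m in pat.findall(txt))
    # Pass 2: reports that never cite the hash but share its C2 or campaign.
    pivots = set(linked["domains"]) | set(linked["campaigns"])
    indirect = {sid: txt for sid, txt in reports.items()
                if sid not in direct and any(p in txt.lower() for p in pivots)}
    sources = len(direct) + len(indirect)
    if not sources:
        return {"hypothesis": "no corpus coverage", "severity": "unknown",
                "credibility": 0.0, "relevance": 0.0, "evidence": {}}
    top = lambda k: linked[k].most_common(1)[0][0] if linked[k] else "unknown"
    return {
        "hypothesis": (f"{file_hash[:8]}... is {top('file_names')} from campaign "
                       f"{top('campaigns')} (actor {top('actors')}), C2 {top('domains')}"),
        # Severity (assumed rule): attributed activity with C2 infrastructure is high.
        "severity": "high" if linked["domains"] and linked["actors"] else "medium",
        # Credibility (assumed rule): independent corroborating sources, capped at three.
        "credibility": round(min(1.0, sources / 3), 2),
        # Relevance (assumed rule): share of the evidence that names this exact hash.
        "relevance": round(len(direct) / sources, 2),
        "evidence": {**direct, **indirect},
    }
```

The returned evidence dictionary is what lets an analyst check how the conclusion was reached rather than trusting the ratings blindly.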

“What this delivers to security analysts in terms of data analysis to help make crucial decisions faster and act as a sounding board is the most valuable thing I have seen come to market so far and is proving to be valuable in empowering Smarttech’s analysts and safeguarding their reputation,” says Murphy.

Speed is extremely important, he says, because a quicker response can prevent a network intrusion from becoming a significant data breach.

Murphy says this is especially important given that even companies with the best security systems money can buy admit that more than 40% of malware attacks still reach their networks.

Attracting new talent

By reducing the pressure on analysts and taking away some repetitive tasks such as related searches, IBM believes the technology can help organisations not only to increase the capacity of existing analysts in the face of the shortage of experienced analysts, but also help attract and retain new talent.

The immediate business benefit for Smarttech, says Murphy, is that it has helped ensure that quality is never compromised as he works to grow the business by taking on more customers and balance that with growing Smarttech’s team of analysts.

According to Murphy, the technology has enabled Smarttech’s analysts to respond to three times as many security incidents and has also improved the quality of the analysts’ reports. It also provides an extra perspective, highlighting something the analysts have missed in about 20% of incidents.

“Customers’ eyes light up when we are able to demo Watson’s ability to analyse something in five minutes when it would take an analyst more than two hours,” he says.

This means that where business continuity is under threat of an attack, Watson’s quick analysis can enable incident response teams to take more immediate action.

Analysing key attributes of an attack

Watson typically analyses key attributes of an attack and in addition to confirming an analyst’s conclusions can provide extra context and other indicators of compromise to look for.

Watson for Cyber Security uses technologies such as machine learning and natural language processing to build an ever-increasing document database to speed up and improve the analysis process.

Murphy says it is important to understand that Watson’s cognitive security capability is being applied only to data, not to anything else.

“It is just consuming data and using proven natural language processing technology to give information that empowers analysts to make decisions.”

Murphy says he was attracted to IBM Watson because of the successes of cognitive computing for data analysis in the field of healthcare, particularly oncology.

“The amount of data required to make decisions in healthcare is vastly greater than that required for security,” he says.

A competitive advantage

As an MSSP, Smarttech is using the support of the IBM technology as a selling point to its customers, who in turn are claiming as a competitive advantage the ability to analyse attacks faster.

One Smarttech customer, which has around €1m invested in traditional security systems, is getting breached seven times a week on average, says Murphy.

“These are threats that could potentially halt business, but with IBM’s QRadar security intelligence combined with Watson, these threats are being caught before they can do any harm,” he says.

However, Murphy points out that IBM Watson is not something that any company can use and deploy. It is aimed at organisations with a fairly high level of maturity in security.

Martin Borrett, chief technology officer of IBM Security Europe, confirms that the target market includes any organisation that has its own security operations centres (Socs) or team of security analysts such as MSSPs and banks.

The potential of Watson

As an example of what IBM Watson can do, Murphy cites an incident in which Smarttech was able to alert a utilities company that it was under attack.

Smarttech became involved because one of its customers, a business process outsourcing (BPO) firm, was hit by sophisticated malware that was traced to the utility company, one of the BPO’s customers.

“We analysed the malware and got the feedback from Watson, which was really helpful in this instance because we had never seen this malware before, and it would otherwise have taken us a day to get our heads around what was going on.

“Watson came back with a ton of information, which we sent straight through to the utility company, telling them the malware was attacking our client’s network and that they were in serious trouble. And they were blown away,” says Murphy.

Over the next two days Smarttech conducted a thorough analysis of the malware involved, including reverse engineering it, and found the feedback from Watson had been 100% accurate.

The quick response from Watson also had a positive effect on Smarttech’s business because it resulted in the utility company becoming a customer.

Gaining insight from historical information

Because Watson gains insight from historical information, it is not able to identify true zero-day attacks that, by definition, have never been seen before.

However, Borrett points out that Watson is updated in near real time with data from IBM’s X-Force Exchange threat intelligence service. It can also provide insights into zero-days because attackers tend to re-use code. “Attackers tend to re-use code or use variants of things they have used before, so malware is rarely 100% new code, which means Watson may be able to spot it if there is any trace from the past.”

In the case of true zero-day malware, Borrett says ideally organisations should be using other technologies that have been designed specifically to spot and block zero-days.

Murphy reports that IBM Watson’s ability to provide meaningful and useful support increased rapidly as the database of knowledge documents began to build.

The completion of the beta testing phase meant that enough data had been collected for IBM Watson for Cyber Security to be fully functional at a reasonable speed and level of effectiveness for general release.

As a result, IBM announced a partnership on 24 March 2017 with SIX, the operator of the infrastructure underpinning the Swiss financial sector.

They plan to use IBM Watson for Cyber Security in a new cognitive Soc to strengthen SIX’s cyber defences and to enable SIX and IBM to offer security monitoring and advanced services and technology for compliance with Swiss privacy regulations.

Adding new capabilities

The project will add new capabilities to a traditional Soc infrastructure as well as develop a new, highly collaborative IBM-SIX framework for the multi-tenant, next-generation Soc.

The new Cognitive Soc services will be extended to customers of both companies who are looking for a Swiss-based security partner, focusing initially on banking industry customers. According to the companies, they will jointly define the evolution of a new generation of Socs.

Looking ahead, IBM Security plans to infuse more of the cognitive capability it has developed so far around security into other products in its portfolio, such as endpoint protection. This includes mobile devices such as smartphones, but also potentially devices making up the internet of things (IoT).

These devices typically lack security protections and represent a range of potential security risks, particularly as they can be hijacked to become part of IoT botnets and used to carry out devastating distributed denial of service (DDoS) attacks.

The Mirai IoT botnet is responsible for the most powerful DDoS attacks to date, but security researchers warn even bigger ones may be on the way. “Even if IoT devices become more secure by design in future, there are still hundreds of thousands of legacy IoT devices that attackers could use,” says Murphy.
