It’s hard to remember a time when cyber-based security threats were so few and far between that they could be easily identified and countered by well-trained IT security experts. Today, the volume and diversity of potential threats has long since outstripped the ability of human professionals to evaluate them unaided, and security pros rely heavily on a multiplicity of highly automated threat intelligence feeds and analytical systems.
Still, even sophisticated security incident and event management (SIEM) solutions can struggle to separate actual cyber threats from the millions – if not billions – of potentially relevant IT and networking events that even moderate-sized organizations log each day. To increase their odds of success, SIEM systems and other security monitoring and analytics tools are increasingly turning to a variety of artificial intelligence (AI) technologies.
Just how does it work? Security teams can “teach” machines known cyberattack patterns, and the systems can then extrapolate from that foundation to automatically identify and flag new forms of potential attacks.
But SIEMs and other security information management systems (SIMS) aren’t just leveraging machine learning to augment their capabilities. The attack patterns used by machine learning are structured data that is relatively easy to identify and match. Another AI tool, natural language processing, can help security systems sort through unstructured data sources such as research articles, security bulletins, and blog posts for relevant information.
One SIEM solution that taps a range of AI technologies is IBM QRadar Advisor with Watson. This solution uses IBM Watson to apply cognitive reasoning to identify relationships among discovered threat entities, and to help bring high priority risks to the attention of security analysts.
Among its capabilities, the IBM SIEM solution uses natural language processing technology to find meaningful information from more than two million unstructured documents in Watson’s security database, according to Rohan Ramesh, senior product marketing manager for Watson for Cybersecurity.
IBM QRadar Advisor with Watson correlates unstructured information with the structured information the solution also collects, and uses a reasoning algorithm to build a hypothesis. “The system might tell a security analyst, ‘I believe this event is related to ransomware, and here’s the underlying evidence I’ve used to reach this conclusion,’” Ramesh explains.
Given the speed and volume of cyber threats today, and the significant business risks they pose, cybersecurity defenses must often act automatically to mitigate those risks until human analysts can weigh in. Well-designed AI-powered systems should be able to help reduce the danger of false positives, ultimately giving organizations greater confidence in their automated security solutions.