IBM’s Watson Aims its Power at Security Operations Centers

Inside IBM's Cyber Range in Cambridge MA

Watson for Cyber Security Integrates With IBM’s New Cognitive Security Operations Center

The power of IBM’s cognitive computing Watson has been directed at cyber security. For the last year, Watson has been absorbing the collective knowledge of a million cyber security studies, scientific reports and analyses. Now Watson is ready to stand behind the shoulders of the analysts that sift through the network alerts thrown up by the QRadar security intelligence platform in what IBM calls its Cognitive SOC.

Watson’s purpose is to advise the analysts. It gains its knowledge by parsing the free-text documents that hold the greater part of the world’s security knowledge. Human analysts could never read the volume of data that is available — but it is light work for a machine. Watson takes free-text documents and parses them, absorbing key knowledge and relationships. Some of the data it absorbs could be wrong, but Watson relies on the power of collective crowd knowledge to sift the wheat from the chaff. The result is a huge and accessible corpus of security expertise.

The human analysts are also struggling with the sheer volume of events coming from their security intelligence platform. According to IBM, security teams must sift through up to 200,000 security events every day. Most of these are false positives that still need to be checked, and the result is up to 20,000 hours wasted every year. This is expected to double over the next five years.

Given the dearth of analysts, and especially the sparsity of expert analysts, this is a problem that will only get worse. Security intelligence platforms, such as QRadar, can generate huge volumes of warnings — they create their own subset of Big Data. But the bloom of Big Data is wearing thin: the haystack is getting bigger, but mostly it just makes finding the needle harder.

Watson hides its own big data of knowledge within the machine, and then uses the power of the machine to direct the analyst to more targeted threat hunting in the QRadar alerts. The new app, IBM QRadar Advisor with Watson, is the first tool to tap Watson’s security insights, and it is already being used by 40 IBM customers including Avnet, the University of New Brunswick and Sogeti.

“Today’s sophisticated cybersecurity threats attack on multiple fronts to conceal their activities, and our security analysts face the difficult task of pinpointing these attacks amongst a massive sea of security-related data,” explains Sean Valcamp, Chief Information Security Officer at Avnet. 

“Watson makes concealment efforts more difficult by quickly analyzing multiple streams of data and comparing it with the latest security attack intelligence to provide a more complete picture of the threat. Watson also generates reports on these threats in a matter of minutes, which greatly speeds the time between detecting a potential event and my security team’s ability to respond accordingly.”


While Watson and QRadar are the key elements of the Cognitive SOC, IBM is extending it to the endpoint with the announcement of BigFix Detect. This is an endpoint detection and response (EDR) solution designed to detect and respond to malicious behavior in endpoints. 

“The Cognitive SOC is now a reality for clients looking to find an advantage against the growing legions of cybercriminals and next generation threats,” said Denis Kennelly, Vice President of Development and Technology, IBM Security. “Our investments in Watson for Cybersecurity have given birth to several innovations in just under a year. Combining the unique abilities of man and machine intelligence will be critical to the next stage in the fight against advanced cybercrime.”

IBM is planning to improve the analyst (man) to Watson (machine) interface with a new research project code-named Havyn — a voice-powered security assistant that will let Watson respond to the analysts’ verbal commands and natural language. IBM is not the only vendor seeking to use natural language as the interface between man and machine. Earlier this month Dynatrace announced Davis, focused on monitoring the IT ecosystem. “It gives,” announced the firm, “non-technical teams the ability to monitor and understand network health and performance issues via familiar communication tools. ‘davis’ has effectively ‘consumerized’ IT – this is an industry first.”

Similarly, Endgame announced Artemis in late January. Artemis is a natural language chat interface between analysts and the Endgame Detect and Respond platform. The purpose behind Havyn, Davis and Artemis is to reduce the time spent by analysts in hunting out threats.

The IBM Cognitive SOC can be built on premises or in the cloud through IBM Managed Security Services.

In November 2016, IBM Security unveiled a new global headquarters in Cambridge, Massachusetts, which features a physical Cyber Range designed to allow organizations in the private sector to prepare for and respond to cyber threats.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
