Published: November 28th, 2018

Today, IBM Security announced new capabilities for the company’s AI-based security platform, QRadar Advisor with Watson.

IBM Watson is a flexible cognitive computing system that can be trained to learn and predict pretty much anything, including cyber threats. The initial release of QRadar Advisor with Watson allowed the platform to gather, read and understand structured and unstructured security data from external sources. But now, IBM Security is teaching Watson how to learn and contextualize the behavior of threats, in addition to an organization’s responses to them. This will be done with the help of two new capabilities for QRadar Advisor: Threat disposition models and cross-investigation analytics.

Threat disposition models are a new set of algorithms that build a model for specific threats, based on the actions and outcome of similar events from an organization’s past. When a new investigation comes in, this model can be used to help rule out false positives, or help analysts decide whether the threat should be escalated as malware, data exfiltration, or something else. Cross-investigation analytics allows QRadar Advisor to find similarities across investigations and automatically group them together to avoid duplication.

“IBM has developed new analytic and learning models which enable QRadar Advisor to identify long and slow attack patterns and adapt to the local client environment. This learning loop gets smarter with time based on additional interactions and engagement with analysts, allowing the tool to provide stronger recommendations on how to respond, as well confidence ratings based on how incidents align with historical data,” the company said in a press release. “Watson will be used to help QRadar Advisor build better threat disposition models for specific threats based on actions and outcomes of previous similar security events. Better models mean more accurate detection and fewer false positives.”

Even before Watson, the QRadar Advisor security platform was already receiving development efforts from over 2,000 prominent security organizations through X Force Exchange. Major contributors include Carbon Black, BrightPoint Security, Exabeam and Resilient Systems.

IBM has also implemented the MITRE ATT&CK framework – which according to this whitepaper, is a useful tool across many cyber security disciplines that helps “convey threat intelligence, perform testing through red teaming or adversary emulation, and improve network and system defenses against intrusions” – to help both Watson and analysts see how attack patterns evolve using real-world security incidents. The data is used to predict security trends, prepare countermeasures, and pinpoint the stage of attack. In addition, the ATT&CK model database also uses data from lab-emulated adversary scenarios to test and verify the effectiveness of defenses.

“Combining the ATT&CK framework of known adversary tactics with Watson for Cyber Security’s ability to stay current on the latest security research, QRadar Advisor can help arm analysts of all levels with the knowledge needed to better respond to the threats they’re facing,” said Chris Meenan, director of IBM security intelligence offering management and strategy.