IBM announced on Nov. 28 that it is expanding the capabilities of its QRadar Advisor with Watson platform to help organizations more rapidly understand attacker behaviors.
The IBM QRadar Advisor with Watson 2.0 release is an artificial intelligence (AI) platform that enables organizations to collect and make sense of security data. With the 2.0 update, IBM is now supporting the MITRE ATT&CK framework, which is an open-source playbook that details cyber-criminal behaviors. The platform is also set to benefit from several new learning models that help to provide additional context to security data.
"QRadar does a great job taking event and flow data and running correlation to generate a meaningful alert and offense for the SOC [Security Operations Center] to investigate," Chris Meenan, director of security intelligence offering management and strategy at IBM, told eWEEK. "The learning models for threat disposition and cross investigation analytics are brand new capabilities being added to QRadar Advisor with this release."
IBM announced the QRadar Advisor with Watson platform in February 2017. Meenan said the original release focused on bringing external knowledge on threats and security research to analysts to help speed their investigations with less manual, time-intensive research.
Since the initial 2017 release, IBM has added new features that improved the efficiency of the SOC and expanded how Watson for Cyber Security has augmented threat investigations. In 2018, IBM added integrations through its Security Operations and Response portfolio by allowing investigations to start from User Behavior Analytics and Resilient.
"Additionally, Watson for Cyber Security's knowledge base continues to grow and gets smarter with time, increasing its understanding of the security landscape as it is continually gathering and digesting data that is being published in the security community," he said.
QRadar Advisor With Watson 2.0
Meenan said QRadar Advisor 2.0 uses its new data algorithms to get an accurate perspective on relationships between investigations.
Among the new data models is a threat disposition one that is able to make a determination based on the outcome of previous similar events. Additionally, the new Cross-Investigation Analytics enables security analysts to find similarities across different investigations using cognitive reasoning.
"QRadar Advisor 2.0 uses these new data algorithms to get a pinpoint perspective on relationships between investigations—not only those that are discovered using QRadar alerts, but also our ‘Search Watson’ capability and through those investigations that begin from investigation entry points such as User Behavior Analytics and even Resilient," Meenan said. "Additionally, this analysis is looking at historical security analysts’ behavior to help give the SOC a jump-start into the types of actions that were taken previously on similar investigations so they know the potential outcome at a glance."
MITRE ATT&CK Framework
The open-source MITRE ATT&CK Framework is now also being supported by IBM. Meenan said that security analysts often tell IBM that once an incident occurs, one of the first things they want to know is what stages of the attack have occurred, so they can respond more quickly and understand what might happen next.
"By aligning Advisor with Watson's automated incident investigation output to the MITRE ATT&CK framework, users can now visualize what stages of the attack have occurred, how it is progressing [and] uncover what tactics could possibly still occur," he explained. "Using the MITRE ATT&CK framework also allows customers to benefit from the collective knowledge of the security community that is contributing to the framework to understand how an attack may evolve."
Looking forward, Meenan said IBM will continue to focus on using Watson as a "force multiplier" for security analysts, helping alleviate the skills shortage by allowing analysts to do their jobs more effectively and increasing their ability to respond quickly and reducing dwell times for attacks.
"We are actively working on new AI models that will help the SOC determine which investigations are ones that need the most attention and ones that are false positive and don’t need focus immediately," he said. "Additionally, we are working to simplify the investigation workflow from start to finish with a deeper, more integrated experience into QRadar."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.