eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.
When IBM launched its X-Force Red security testing team a year ago, the stated purpose was to help organizations improve security with better testing. Today, IBM X-Force Red is expanding its offerings with new connected car and internet of things security services.
The size and broad scope of IBM’s overall business provides X-Force Red with significant opportunities to improve both automotive and IoT security, according to Charles Henderson, global head of IBM X-Force Red. Henderson joined IBM in October 2015 after nearly a decade working for security firm Trustwave, running the company’s penetration testing business.
IBM has a facility in Germany that is specifically dedicated to working with automotive companies to help design connected cars, Henderson said. “At IBM, we have so many people that work with car vendors, so when we have a question for a specific car brand, we can deal with the people that designed the car,” he told eWEEK. “If we find a vulnerability, we can help to get it fixed much more quickly than you could if you were outside of IBM.”
At the RSA security conference in February, Henderson detailed security issues with connected cars related to ownership changes and used cars. Previously, X-Force Red treated connected cars as just another IoT device when it comes to security. However, the new service is a formalization of connected car security as a formal practice within X-Force Red.
“A connected car is much more than just another IoT device,” he said.
Henderson said the automotive industry has its own terminology and product life cycle, such that it’s important for IBM to have a dedicated, focused service that meets the needs of the industry. The knowledge collected from connected car security assessments is further aided by the X-Force Red portal, which is a collaboration tool for security testing. The X-Force Red portal first debuted in February 2017 and has been steadily improved since then.
“With cars, there are a lot of different third-party vendors that build components,” Henderson said. “With the X-Force Red portal, we can get hundreds of automotive component builders on the same page to improve collaboration and security. “
Watson IoT
X-Force Red is also launching a new service to help further improve the security of connected IoT devices. IBM launched its Watson IoT services platform in November 2016 as a way to help organizations build IoT devices and services with a standardized framework.
“Often at X-Force Red we have been engaged with IoT vendors late in the development process,” Henderson said. “The problem is if we find something really bad, it often goes to the heart of the device’s design.
“We can now give our IoT clients that use the Watson IoT framework the ability to bake testing in from a very early stage,” he added.
If the IoT security design choices are made properly early on, it’s easier and faster to ensure that a device will be more secure, he said. IBM X-Force Red will also work with IoT devices that are not built with the Watson IoT platform.
Watson has a broad array of security capabilities and cognitive analysis features that X-Force Red will be able to benefit from. Henderson said the plan for X-Force Red is to take data collected on the X-Force Red portal and make use of Watson’s cognitive insights. Often what happens after security testing is that if an organization finds a specific vulnerability, it will fix that vulnerability, rather than gaining a better understanding of the overall risk, he said.
“To the degree that we can leverage Watson to start learning about not just software, but the vulnerability life cycle, we can make testing more powerful,” Henderson said. “With Watson, we can move past the simple one-to-one relationship of finding the vulnerability and then fixing the vulnerability, and that’s where we’ll start to really win the security game.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.