Kathy Gibson at the IBM Watson Summit 2017 in Kyalami – Cybercrime is out of control, it is a systemic problem and it is getting worse.
In fact, it is estimated that about 4-billion records were breached last year because of cyber-attacks.
But why is it happening, asks Kevin Skapinetz, director of strategy and product design at IBM Security.
“If you look back to how people stole things in the past, it was about grabbing a weapon and taking what they want. Over time, attackers became more organised and smarter and we saw organised attackers looking for that one train that was carrying money.
“As technology advanced even more, telephones became a way for organised criminals to social engineer people out of their information and money.
“But nothing is like cybercrime right now. Criminals have given up their guns in favour of sitting behind their keyboards.”
It is estimated that the cybercrime economy is worth as much as $445-billion; and the vast majority of cybercrimes are carried out by organised criminals.
The Dark Web has become the marketplace for cybercriminals to buy and sell information or malware. These marketplaces have become so sophisticated they are rated, and even offer support for malware.
Skapinetz explains that botnets are still used to gain access to information, and there are literally millions of machines around the world that are infected with malware.
The average cost of each breach is a massive R46-million, according to IBM and the Ponemon Institute. In South Africa it comes in at a little less – R35-million.
This includes the cost of detecting and containing an infection, the cost of reputational damage, and legal costs.
Out of all the countries surveyed, South Africa has the biggest risk of a major breach, losing millions of records, within the next 24 months.
In South Africa, it takes an average of 199 days to detect and contain a breach – 144 days to detect it, and often it is another company that actually detects it; then 55 days to contain it.
“What if you could reduce that time?” asks Skapinetz. “If you could get it down to three months, you could save R5-million.”
Technology is available to do this, he adds. When there’s a security breach, security analysts have to examine masses of data – literally having to go through terabytes of data.
“This is also an enormous skills base,” Skapinetz says. “There are simply not enough skilled people in the area of cybersecurity. It’s estimated there will be 1,5-million unfilled security jobs by 2020.”
A tremendous amount of time gets wasted in following false positives, he adds, with literally millions of dollars wasted.
All of this creates huge opportunities for companies, Skapinetz adds. “We have combined the power of Watson and IBM Security. We have spent a lot of time identifying where Watson can help us with cybercrime.”
At least a year was spent teaching Watson about cybersecurity, to help people to make smarter, faster decisions.
To do this, Watson had to learn the language of cybersecurity, and learn to parse what’s going on beyond the words, Skapinetz explains.
The next step was to add structured threat feeds to this unstructured data, adding 10-billion elements initially and another 4-million per hour, building a massive corpus of knowledge.
Coupling Watson to Q-Radar Advisor enriches the context that security analysts work within.
This increases the speed at which analysis can happen, allowing analysts to investigate 60 times faster than with complex manual systems.
It is more accurate as well, simply because there is more information. Having ten times as many actionable indicators means analysts can uncover new threats.
“This kind of thing still needs a human, but the human has to be smarter and have access to more information,” Skapinetz says. This is what Watson does, adding intelligence to the analysis.
“We’ve had customers who have enriched data with Watson; not only has it confirmed the attacker, but has also uncovered other threats.
“That allows companies to eliminate the threat fully.”
Importantly, Watson will increase its corpus of knowledge over time, and will become more accurate and more valuable, Skapinetz adds.
A big issue facing the chief information security officer (CISO) is the number of security tools – as many as 85 from 45 different vendors – they have to work with.
“That in itself is a security risk,” Skapinetz says. “You have to drive integration.”
IBM has been working to make security a connected immune system. “The human immune system is a multi-layered intelligent system.”
IBM’s integrated and intelligent security immune system has cognitive analytics at the centre to connect all the different systems together, and adds the human element as well.