IBM’s Watson supercomputer hardly needs any more resumé-padding. It’s already won Jeopardy, written a cookbook, and dabbled in revolutionizing healthcare. The next stop in its storied career? Tackling cybercrime.

Today, IBM announced that Watson is taking its cognitive learning chops to the cloud, where it'll apply them to analyzing, identifying, and (hopefully) preventing cybersecurity threats. But first, it’s going to have to learn. Fast.

Playing Defense

There are already plenty of computer-enhanced approaches to combating cybercrime, most of which involve identifying outliers or abnormalities—like when a user logs a few too many failed password attempts—and determining whether those constitute some sort of threat.

Collecting and analyzing this type of data can and does work. It’s not ideal, though. First, there’s simply too much of it; according to a recent IBM report, the average organization sees over 200,000 pieces of security event data every single day. There’s simply no way to keep up with it all. And while solutions like 2MIT’s recent AI2 can trim down the number of incidents a human researcher needs to sift through, there’s still the fact that the data points being considered are only a small part of the picture.

“This is about interpreting and learning and bringing in unstructured data, bringing in things like blogs, white papers, and research reports,” says Caleb Barlow, vice president at IBM Security. “[Those] other forms of analysis that are not well-structured, or easily read by a machine, and bringing that in to add further contextual insight into what potentially is going on.”

Watson, then, is uniquely positioned to handle both the volume of information, and also discern the crucial context that determines what sort of threats exist. While a human security researcher might not have a firm command of all 75,000 known software vulnerabilities, or have read all 60,000 security-related blog posts that are written every month, Watson will.

“Companies have teams where their job is to look at all the sources of news, and from that news try to identify the risk, and then actually connect it with their infrastructure, their computers, and ask if the risk is applicable to their system," says Dr. Kevin Du, computer security professor at Syracuse University. "It takes a lot of manual effort." Effort that could, if all goes well, be offloaded to machine learning.

Barlow, who spent time in his early career in emergency medicine, likens Watson to a paramedic coming on the scene of a potential head injury. “People that have been drinking too much and people that have had head injuries often present the same symptoms,” says Barlow. “It’s up to the paramedic to figure out which he’s got.”

A paramedic looks at structured data—blood pressure, heart rate, respiration and so on—but also takes into account unstructured data, like the verbal response, or what kind of accident the patient was involved in. In other words, paramedics consider all of the things that don’t fit in a data field, but that give them a much better sense of what actually happened. They’re able to work through all available information, to provide the physician at the hospital with a prognosis. “That’s what Watson’s going to do for security operations centers,” says Barlow.

Du notes that this isn't a new idea; there have been research papers and small-scale studies arguing the effectiveness of unstructured data collection. Watson, though, gives IBM the distinction of being the first to be able to try it at scale. "I think the technology is there. Due to the lack of computing power and investment, nobody's actually proven that this can be very useful," says Du. "If this machine is trained well, it could replace a lot of human effort."

Which is not to say Watson will necessarily replace human jobs; as it is, the industry has a significant talent gap. “Even if the industry was able to fill the estimated 1.5 million open cyber security jobs by 2020, we’d still have a skills crisis in security,” said Marc van Zadelhoff, General Manager of IBM Security. One that Watson should help mitigate.

IBM

Feeding the Beast

Of course, before that can happen, Watson needs to learn how cybersecurity works.

It doesn’t yet, or at least not very well. While IBM has already started the process of feeding Watson security documents, Watson has a ways to go until it’ll be ready for field operations. Given the complexity of the cybersecurity—and the importance of getting it right—that’s no easy feat.

“This isn’t like a normal software job,” says Barlow. “It’s not like you show up one day and the software is released. You have to train it.”

IBM’s extensive research library will make it easier to give Watson this critical training. But it’s not quite as simple as just showing Watson a bunch of articles and research papers. You have to teach it what everything means, before it can teach itself how they interplay.

“Think of the things it’s got to do when it’s looking at a document. It’s got to understand what some of these terms mean. What’s a campaign? What’s an exploit target? What’s an incident? What’s an indicator of an incident?” says Barlow. “This is the vernacular of security. And it’s got to understand the relationships. A piece of malware comes from an organization, targets another organization, has certain indicators.”

And that’s before you even get to all the acronyms that the cybersecurity world trades in.

To help Watson get started, IBM researchers manually annotate the documents that go into its system—for now, they are hand-picking documents and sources. As Watson begins to master certain concepts, and demonstrates that it’s able to annotate on its own, they’ll ramp up the process, with the help of students at eight universities across the US. In this first phase of training, Watson will ingest up to 15,000 security documents per month, connecting to various libraries and news feeds to ensure it stays current. If any supercomputer can do it, Watson can.

"This is a true breakthrough," says Andras Cser, principal analyst with Forrester Research. "Watson's probabilistic decision-making AI techniques are far beyond what any other vendor can do. It can rely on orders of magnitude greater sets of data and use orders of magnitude faster processing and machine learning algorithms."

What’s Cooking

Watson’s worked in high-stakes environments, such as healthcare, before. Still, its misadventures in the kitchen might make one wonder: Can you trust the creator of the world’s worst burrito with your security infrastructure?

Barlow, who cooks Watson recipes regularly and acknowledges that not all are successes, says there’s an important distinction between some of Watson’s earlier adventures and its security skills.

“A lot of the earlier work started with, ‘I have a question, and Watson, can you analyze it for an example?’” says Barlow. “The difference in our case is we’re not asking it questions. We’re going to feed it thousands of indicators, and we’re going to ask it to ask its own questions.”

That may sound like a bit of a zen koan, but in practice, it means that this time around, Watson is learning not how to combine a bunch of ingredients, but how to ask the right questions. To make a clumsy analogy, it doesn’t need to cook; it just needs to know where it might have seen an ingredient before, and if it’s in season.

“We’re teaching Watson to be a bit forensic in what it does,” says Barlow. “We want it to come to us with a conclusion, based on two things: Is it urgent, and what did you learn about it that makes this actionable?”

Assuming it gets up to speed, Watson should deploy to enterprise customers later this year. And while it’s intended to identify threats that have already occurred, Barlow sees its preventative potential as well. Some cyberattacks can take days, weeks, or months; ideally, Watson would be able to identify signals of a prolonged attack, and help cut it off mid-stream.

That’s a big ask of a supercomputer that’s still trying to tell its noun from its verbs. But it's a real possibility.

“The fascinating difference between teaching Watson and teaching one of my children,” says Barlow, “is that Watson never forgets.”