Empowering SOC analysts with cognitive security
Several years ago, Sogeti Luxembourg and IBM developed an alliance in the Luxembourg marketplace to provide companies with a security operations center (SOC) that could help uncover advanced persistent threats. In this joint IBM-Sogeti SOC, IBM Security Services staff work alongside Sogeti personnel to help protect organizations from threats.
“By bringing together top-notch expertise from Sogeti and IBM, along with superior innovation, we are helping our clients improve and fortify their cyber security,” says Vincent Laurens.
IBM® QRadar® Security Intelligence Platform is used to provide advanced sense analytics to help the SOC analysts rapidly detect threats, identify vulnerabilities and prioritize risks. The platform manages on average 10,000 events per second per client and 50,000 flows per minute per client, with larger clients seeing substantially higher volumes.
“One of QRadar’s differentiators is that it enables us to create business context use cases,” explains Vincent Laurens. “For example, an insurer we work with was concerned hackers were performing quote requests against their online quoting apps to change their pricing model. Using QRadar, we can easily build a use case to detect this type of activity.”
To gain even greater intelligence, speed and accuracy in detecting threats, Sogeti participated in the IBM QRadar Advisor with Watson beta test program.
The IBM QRadar Advisor with Watson harnesses the power of Watson for Cyber Security while investigating offenses and incidents in the QRadar SIEM system. Watson for Cyber Security uses core IBM Watson® technology to understand, reason and learn about security topics and threats. It harvests volumes of structured and unstructured security knowledge that has previously been hard for SOC analysts to reach, so they can respond to threats more rapidly and with greater confidence.
Instead of conducting the beta in a test environment, Sogeti worked with one of its large insurance clients to test the platform in a real-world environment. The organization split the SOC team serving the client into two groups to accurately measure the benefit. One group served as the control group, while the second benefitted from the power of cognitive security to help connect the information more rapidly.
“Every time we saw an offense, the second team could push the offense to Watson to gain more context, and Watson delivered top-notch results,” says Vincent Laurens.
The benefit was so obvious that analysts who weren’t part of the beta began asking how they could participate.
The power of cognitive security lies in the speed and accuracy with which information is curated and disseminated to the analyst. The more information the IBM-Sogeti SOC team fed into Watson’s corpus of knowledge, the more precise Watson’s analysis became.
“Our experience has been great,” says Vincent Laurens. “I was pleased with how smoothly the process went, and our analysts were amazed by the contents of the Watson corpus. We’ve managed to gain everything we’ve wanted on day one, and we can evolve it on a day-to-day basis.”
Accelerating analysis by 50 percent
According to Vincent Laurens, the use of cognitive security with Watson has provided a “breakthrough” for both Sogeti and its customers, dramatically accelerating threat detection and response.
The SOC analysts who used the cognitive security capabilities were more productive and could more accurately identify false positives—a critical step in reducing the “noise” SOC analysts must sift through to identify threats.
“We were able to accelerate the analysis process by 50 percent,” says Vincent Laurens. “Our analysts were surprised. They could obtain answers in as little as two to three minutes, whereas the same result would have taken them two to three hours in the past.”
For example, Watson could much more quickly detect “twin threats”—two threats that appear to be separate, using different names, IP addresses and patterns, but share the same origin and target. Additionally, Watson’s foreign language corpus enabled it to detect threats from foreign hackers.
The use of Watson is also helping the SOC analysts better keep pace with the continually changing threat landscape.
“We always learn in this domain,” says Vincent Laurens. “Putting so much information easily in the hands of an analyst helps them grow their knowledge base and generate a reaction so much faster. That’s one of the key benefits.”
For Sogeti, this is only the beginning.
“Cognitive is transforming cyber security as we speak,” says Vincent Laurens. “What we’re going to see in the next ten years will be even more transformative. IBM QRadar Advisor with Watson is a real breakthrough for us and for our clients.”