IBM’s new AI-infused security technologies help defenders speed response to cyber attacks

In our day and age, warding off hackers without using AI and automation is like trying to hold back a tsunami of ransomware with an actual dollar bill.

IBM’s latest data breach cost report shows that using AI and automation is the single most impactful factor in reducing the time to detect and respond to cyberattacks, as well as the ensuing cost.

Organizations with fully deployed security AI and automation experienced breach costs of $2.9 million, compared to $6.71 million at organizations without security AI and automation.

The difference of $3.81 million, or nearly 80%, represents the largest gap caused by any one particular cost factor upon a data breach. Security AI and automation was associated with a faster time to identify and contain the breach.

As our report suggests, security operators struggle to keep pace with the malicious actors that crowd cyberspace. There seems to be no better remedy than proactively closing any security gaps and equipping security teams with machine learning and automation tools to level the playing field.

With more and more alerts popping up on their dashboards—a good share of which turn out to be false alarms—cyber defenders are increasingly plagued by alert fatigue and end up ignoring warning signals. As a consequence, the fear of missing an incident looms large and keeps security managers up at night.

IBM QRadar XDR Connect to the rescue

IBM’s new XDR Connect technology offers an unprecedented set of cross-correlation and automation capabilities as a result of more than six years of joint efforts and close collaboration between our security research and product teams, as well as our clients: from the curation of threat intelligence information; creation of new system-level telemetry; proactive cyber threat hunting; and most recently the investigation of threats with open technology.

Announced today as part of IBM’s new QRadar XDR suite of extended detection and response technologies, XDR Connect pulls many of these innovations together under a single umbrella to cover the entire lifecycle of a cyber security threat—from detection, to investigation, to countermeasures. The goal is to reduce the reaction time, by orders of magnitude.

We are convinced that this can be achieved by applying machine learning and automating many steps: the curation of internal and external data; establishment of relevant contextual information; automated reasoning in the same way security analysts hypothesize about root causes and impact and extent; and machine learning-based decisioning of courses of actions and remediations.

Within a short time (from seconds to just a few minutes), the relevant information for a potential incident can be automatically enriched and contextualized across multiple data sources—a laborious task that normally takes extensive time and efforts by human analysts.

Learning from the daily routines of first-line cyber security analysts

The first step on our journey to develop XDR Connect was to identify the main pain points faced by cybersecurity analysts. We observed that they spend most of their time on repetitive work to pull internal and external information, which keeps them from the decision-making tasks that actually require human intelligence. The problem is further compounded by an acute shortage of specialists with the right set of skills and by the growing complexity and diversity of security tools.

We learned a great deal from sitting side-by-side with Managed Security Services (MSS) teams from IBM Security, who perform security services for some of our largest clients. We realized that their day-to-day job entails many manual steps to extract, curate, and combine relevant information from multiple data sources for a given alert.

In fact, they typically spend up to three hours to investigate and decide on the relevance and possible courses of action for an alert—mostly to establish meaningful context for making decisions. Valuable analyst time is being invested in mundane tasks, while the important step—the decision and conclusion—only takes a fraction of the entire time spent.

Let the detectives decide, and the AI do the busywork

We engaged on several projects to remove the busywork bottleneck by infusing AI and automation into various steps of alert enrichment and investigation. This included automatically establishing the context around a threat; assessing how mission critical it may be; reconstructing the sequence of events and the root causes, including the attack steps and techniques employed by attackers; and finally coming up with relevant mitigation measures.

If we think of a security operations center (SOC) analyst as a detective investigating cases, the reality of today’s threat information overload means that our detective is bogged down under an enormous amount of data that they need to sift through in order to calibrate the severity of a threat. XDR Connect offers a kind of smart wingman, using a curated and combined security knowledge graph. This AI assistant taps into IBM Security products such as Watson for Cyber, speeding up the gathering and enrichment process of threat intelligence information.

Another tool we developed to increase efficiency in cybersecurity operations is our threat-hunting language, Kestrel, which was open sourced earlier this year as a unified language to expedite threat hunting operations.

The third major innovation component in XDR Connect is the IBM Threat Investigator, built on IBM's Cloud Pak for Security platform, which eases the detective work of connecting the dots during a cyberattack. Within minutes of an incident being deemed relevant, this automation agent provides security analysts with detailed information on the source, structure, and scope of the threat at hand. This is a significant improvement over the current state of the art, where delivering that information typically takes hours. Now it can be done in minutes.

XDR Connect combines all of these novelties and provides highly automated threat management workflows with continuously updated threat detection and response content.

In view of growing cybercrime activity and an overwhelmed IT security workforce, it’s apparent that there is no way around upgrading our cyber defense systems with AI and automation.

In a world under constant cyber threat, we need to give our first-line cyber defenders the most innovative tools if they are to stand a chance against cybercriminals. And that’s exactly what we are doing with the release of XDR Connect.

What's next?

Clearly, the announcement of IBM QRadar XDR Connect marks only the beginning. Our Research team continues to work closely with practitioners and our product teams from IBM Security to invent new technologies and methodologies, many of which are already underway, and soon may be enhancing the feature set of IBM QRadar XDR Connect and IBM Cloud Pak for Security. Stay tuned!


  1. Watch an introduction and demo of Kestrel: The Threat Hunting Language from Open Cybersecurity Alliance