Report: NIST to use IBM’s Watson AI system to score vulnerabilities

The U.S. National Institute of Standards and Technology (NIST) reportedly plans to replace its method of scoring publicly disclosed vulnerabilities with a new automated process leveraging IBM’s Watson artificial intelligence system.

The agency expects Watson to supplant its current Common Vulnerability Scoring System (CVSS) process for most bugs by October 2019, according to a report from Nextgov, citing Matthew Scholl, chief of NIST’s computer security division. IBM has confirmed this account to SC Media, which has also reached out to Scholl for additional comment.

A key advantage of using AI is that it should ease the burden on NIST analysts, who are currently tasked with reviewing thousands of vulnerabilities every week.

“Artificial Intelligence is solving the manual effort problem that many organizations face. For security leaders, it’s important to know that not all AI is equal, but when the right choice is made, the benefits from a time, cost, and resource perspective can be immense,” said George Wrenn, CEO at CyberSaint Security, a company specializing in automated intelligent cybersecurity compliance. “It is no surprise NIST is delving into this area,” he added in emailed comments.

Reportedly, Watson participated in a pilot program earlier this year in which it processed hundreds of thousands of older vulnerabilities and their corresponding CVSS scores, and was then asked to score new vulnerabilities based on that precedent. Whenever the new bug was similar to a previously studied vulnerability, Watson fared very well, scoring the flaw similarly to how a person would.

But if the bug was something unique or highly complex, like the Spectre vulnerability that was discovered earlier this year, Watson reportedly struggled. As a fail-safe for this issue, Watson will produce a confidence percentage for each score. If the AI engine’s confidence percentage falls under the high 90s, the human analyst will take over the review, and edit the risk score accordingly.

Gabriel Gumbs, VP of product strategy at STEALTHbits Technologies, said in emailed comments that NIST’s use of Watson holds even more potential.

“Applying AI, and in particular Watson to the scoring of vulnerabilities will be useful for keeping up with the increased NIST workload; however, I don’t foresee this addressing the issue of organizations still not patching their systems in time,” said Gumbs. “In theory, the ranking of vulnerabilities helps prioritize which systems in first and how soon those patches are applied. I believe this program could go a step further and score both the inherent risk, and the residual risk of vulnerabilities when other controls are in place. This would allow for real-world patch prioritization scenarios where organizations can apply controls that can be rolled out faster than a patch, and in cases where patches do not [yet] exist still reduce their exposure.”

Originally seen on scmagazine.com
