Report: NIST to use IBM’s Watson AI system to score vulnerabilities

The U.S. National Institute of Standards and Technology (NIST) reportedly plans to replace its method of scoring publicly disclosed vulnerabilities with a new automated process leveraging IBM’s Watson artificial intelligence system.

The agency expects Watson to supplant its current Common Vulnerability Scoring System (CVSS) process for most bugs by October 2019, according to a report from Nextgov, citing Matthew Scholl, chief of NIST’s computer security division. IBM has confirmed this account to SC Media, which has also reached out to Scholl for additional comment.

A key advantage of using AI is that it should ease the burden on NIST analysts who are currently tasked with reviewing thousands of vulnerabilities every week.

“Artificial Intelligence is solving the manual effort problem that many organizations face. For security leaders, it’s important to know that not all AI is equal, but when the right choice is made, the benefits from a time, cost, and resource perspective can be immense,” said George Wrenn, CEO at CyberSaint Security, a company specializing in automated intelligent cybersecurity compliance. “It is no surprise NIST is delving into this area,” he added in emailed comments.

Reportedly, Watson participated in a pilot program earlier this year in which it processed hundreds of thousands of older vulnerabilities and their corresponding CVSS scores, and was then asked to score new vulnerabilities based on that precedent. Whenever the new bug was similar to a previously studied vulnerability, Watson fared very well, scoring the flaw much as a person would.

But if the bug was something unique or highly complex, like the Spectre vulnerability that was discovered earlier this year, Watson reportedly struggled. As a fail-safe for this issue, Watson will produce a confidence percentage for each score. If the AI engine’s confidence percentage falls under the high 90s, the human analyst will take over the review, and edit the risk score accordingly.

Gabriel Gumbs, VP of product strategy at STEALTHbits Technologies, said in emailed comments that NIST’s use of Watson holds even more potential.

“Applying AI, and in particular Watson to the scoring of vulnerabilities will be useful for keeping up with the increased NIST workload; however, I don’t foresee this addressing the issue of organizations still not patching their systems in time,” said Gumbs. “In theory, the ranking of vulnerabilities helps prioritize which systems in first and how soon those patches are applied. I believe this program could go a step further and score both the inherent risk, and the residual risk of vulnerabilities when other controls are in place. This would allow for real-world patch prioritization scenarios where organizations can apply controls that can be rolled out faster than a patch, and in cases where patches do not [yet] exist still reduce their exposure.”

Originally seen on scmagazine.com
