<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

News Coverage

Report: NIST to use IBM’s Watson AI system to score vulnerabilities

down-arrow

The U.S. National Institute of Standards and Technology (NIST) reportedly plans to replace its method of scoring publicly disclosed vulnerabilities with a new automated process leveraging IBM’s Watson artificial intelligence system.

The agency expects Watson to supplant its current Common Vulnerability Scoring System (CVSS) process for most bugs by October 2019, according to a report from Nextgov, citing Matthew Scholl, chief of NIST’s computer security division. IBM has confirmed this account to SC Media, which has also reached out to Scholl for additional comment.

A key advantage of using AI is that it should ease the burden of NIST analysts who are currently tasked with reviewing thousands of vulnerabilities every week.

“Artificial Intelligence is solving the manual effort problem that many organizations face. For security leaders, it’s important to know that not all AI is equal, but when the right choice is made, the benefits from a time, cost, and resource perspective can be immense,” said George Wrenn, CEO at CyberSaint Security, a company specializing in automated intelligent cybersecurity compliance. “It is no surprise NIST is delving into this area,” he added in emailed comments.

Reportedly, Watson participated in a pilot program earlier this year in which it processed hundreds of thousands of older vulnerabilities and corresponding CVSS scores, and then asked to score new vulnerabilities based on that precedent. Whenever the new bug was similar to a previously studied vulnerability, Watson fared very well, scoring the flaw similar to how a person would.

But if the bug was something unique or highly complex, like the Spectre vulnerability that was discovered earlier this year, Watson reportedly struggled. As a fail-safe for this issue, Watson will produce a confidence percentage for each score. If the AI engine’s confidence percentage falls under the high 90s, the human analyst will take over the review, and edit the risk score accordingly.

Gabriel Gumbs, VP of product strategy at STEALTHbits Technologies, said in emailed comments that NIST’s use of Watson holds even more potential.

“Applying AI, and in particular Watson to the scoring of vulnerabilities will be useful for keeping up with the increased NIST workload; however, I don’t foresee this addressing the issue of organizations still not patching their systems in time,” said Gumbs. “In theory, the ranking of vulnerabilities helps prioritize which systems in first and how soon those patches are applied. I believe this program could go a step further and score both the inherit risk, and the residual risk of vulnerabilities when other controls are in place. This would allow for real-world patch prioritization scenarios where organizations can apply controls that can be rolled out faster than a patch, and in cases where patches do not [yet] exist still reduce their exposure.”

Originally seen on scmagazine.com

You may also like

Booz Allen Hamilton and CyberSaint ...
on September 7, 2022

MCLEAN, Va. & BOSTON--(BUSINESS WIRE)--Booz Allen Hamilton (NYSE: BAH) and CyberSaint today announced a strategic partnership that aligns Booz Allen’s world-class ...

CyberSaint Continues to Support ...
on July 6, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, announced the addition of CMMC 2.0, allowing customers to adopt the ...

CyberSaint Makes FAIR Model ...
on June 28, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, announced the addition of the FAIR (Factor Analysis of Information ...

CyberSaint Releases CyberStrong ...
on June 21, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, announced the release of CyberStrong version 3.20 today, leading the ...

CRN® Lists CyberSaint in Its 2022 ...
on April 4, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, has been recognized by CRN®, a brand of The Channel Company, in its ...

Award-Winning Cybersecurity ...
on March 17, 2022

BOSTON--(BUSINESS WIRE)--CyberSaint, the developer of the leading platform delivering cyber risk automation, today announced that Nicole Dove, award-winning cybersecurity ...