Report: NIST to use IBM’s Watson AI system to score vulnerabilities

The U.S. National Institute of Standards and Technology (NIST) reportedly plans to replace its method of scoring publicly disclosed vulnerabilities with a new automated process leveraging IBM’s Watson artificial intelligence system.

The agency expects Watson to supplant its current Common Vulnerability Scoring System (CVSS) process for most bugs by October 2019, according to a report from Nextgov, citing Matthew Scholl, chief of NIST’s computer security division. IBM has confirmed this account to SC Media, which has also reached out to Scholl for additional comment.

A key advantage of using AI is that it should ease the burden on NIST analysts, who are currently tasked with reviewing thousands of vulnerabilities every week.

“Artificial Intelligence is solving the manual effort problem that many organizations face. For security leaders, it’s important to know that not all AI is equal, but when the right choice is made, the benefits from a time, cost, and resource perspective can be immense,” said George Wrenn, CEO at CyberSaint Security, a company specializing in automated intelligent cybersecurity compliance. “It is no surprise NIST is delving into this area,” he added in emailed comments.

Reportedly, Watson participated in a pilot program earlier this year in which it processed hundreds of thousands of older vulnerabilities and their corresponding CVSS scores, and was then asked to score new vulnerabilities based on that precedent. Whenever the new bug was similar to a previously studied vulnerability, Watson fared very well, scoring the flaw much as a person would.

But if the bug was something unique or highly complex, like the Spectre vulnerability that was discovered earlier this year, Watson reportedly struggled. As a fail-safe for this issue, Watson will produce a confidence percentage for each score. If the AI engine’s confidence percentage falls under the high 90s, the human analyst will take over the review, and edit the risk score accordingly.

Gabriel Gumbs, VP of product strategy at STEALTHbits Technologies, said in emailed comments that NIST’s use of Watson holds even more potential.

“Applying AI, and in particular Watson, to the scoring of vulnerabilities will be useful for keeping up with the increased NIST workload; however, I don’t foresee this addressing the issue of organizations still not patching their systems in time,” said Gumbs. “In theory, the ranking of vulnerabilities helps prioritize which systems in first and how soon those patches are applied. I believe this program could go a step further and score both the inherent risk, and the residual risk of vulnerabilities when other controls are in place. This would allow for real-world patch prioritization scenarios where organizations can apply controls that can be rolled out faster than a patch, and in cases where patches do not [yet] exist still reduce their exposure.”

Originally seen on scmagazine.com
