Step onto one of IBM’s security watch floors and the first thing you’ll notice is the screens. Banks and banks of screens, with as many as 250 analysts hawkishly watching over them waiting for one indicator or another to tip into the red.
“The amount of information that’s flowing into one of these watch floors is very high,” says Caleb Barlow, vice president at IBM Security. These watch floors, dotted around the globe, are the heart of IBM’s security operation. From here, analysts monitor the network activity of the companies that IBM looks after the security of, searching for signs that they might be under attack.
The average watch floor will oversee 200,000 events every day – the vast majority of them completely innocuous. If Kate from marketing enters her password incorrectly ten times, the IBM analysts will know. Most of the time it means she’s left his Caps Lock on, but it could be that a hacker is trying to log in to her computer using a brute force attack.
Other signs are much more obvious, says Barlow, who was among the speaker at WIRED Security 2017. “If I see that your mobile phone moves from Boston to Shenzhen in two hours that’s weird.” Once an analyst has identified suspicious activity, their next job is to work out whether there’s a rational explanation or if it means that company is being targeted by gangs of online criminals.
Read more: The Krack vulnerability is another good reason to ditch public Wi-Fi
To do that, Barlow needs to know what your average work day looks like in the first place. “Whether you realise it or not you fall into a very predictable pattern in terms of what you do in your particular job,” Barlow says. If you step out of that pattern, IBM will know about it.
But learning what’s out of the ordinary for a company can only take you so far. Security experts also need to look the other way and stay on top of every emerging threat, so they can recognise it when it hits their own companies. Eighty per cent of security data, Barlow estimates, is stored in human-readable forms, in security blogs, academic papers and conference proceedings.
“This is where machine learning can be extremely powerful,” Barlow says. IBM is already experimenting with getting Watson – its quiz show-winning and recipe-creating AI – to crunch through security data to learn to recognise new threats when they appear. Machine learning may never be able to supplant human analysts, but Barlow hopes that one day it will at least be able to give humans a helping hand when it comes to staying on top of new threats.
For all the talk of nation states and hacktivists, most of these new threats boil down to organised crime rings finding new ways to extract money from companies. Organised crime is IBM’s bread and butter – 80 per cent of threats that Barlow sees come from criminal syndicates looking to make a profit. “This is an economy,” he says. Last year cyber criminals netted $450 billion (£113 billion) in profits.
And while most of the news concentrates on attacks by nation states, companies are slowly being bled dry by attacks. When they’re too embarrassed to fess up, or are frightened that a breach would hit their share prices, they often stay quiet about it.
We’re living in strange times, where frequent and damaging attacks by criminal gangs are shrugged off as if it’s the new normal. “This is the first time in the history of nations that governments of the world have outsourced the protection of citizens to private enterprises,” Barlow says. Out of sight the battle is raging on but as IBM readies itself to bring machine learning into the fray, there’s the chance that the balance might be about to shift in its favour.
This article was originally published by WIRED UK
