If you were to enter one of IBM’s security watch floors the first thing you would notice is the screens. Banks and banks of screens, with as many as 250 analysts hawkishly watching over them waiting for one indicator, or another to tip into the red.
“The amount of information that’s flowing into one of these watch floors is very high,” said Caleb Barlow, vice president at IBM Security.
These watch floors, dotted around the globe, are the heart of IBM’s security operation.
From here, analysts monitor the network activity of the companies that IBM looks after the security of, searching for signs that they might be under attack.
The average watch floor will oversee 200,000 events every day – the vast majority of them completely innocuous.
If Kate from marketing enters her password incorrectly ten times, the IBM analysts will know. Most of the time it means she’s left his Caps Lock on, but it could be that a hacker is trying to log in to her computer using a brute force attack.
Other signs are much more obvious, said Barlow.
“If I see that your mobile phone moves from Boston to Shenzhen in two hours that’s weird.” Once an analyst has identified suspicious activity, their next job is to work out whether there’s a rational explanation or if it means that company is being targeted by gangs of online criminals.
To do that, Barlow needs to know what your average work day looks like in the first place.
“Whether you realize it or not you fall into a very predictable pattern in terms of what you do in your particular job,” Barlow said.
If you step out of that pattern, IBM will know about it. But learning what’s out of the ordinary for a company can only take you so far.
Security experts also need to look the other way and stay on top of every emerging threat, so they can recognize it when it hits their own companies.
80% of security data, Barlow estimates, is stored in human-readable forms, in security blogs, academic papers and conference proceedings.
“This is where machine learning can be extremely powerful,” Barlow says. IBM is already experimenting with getting Watson – its quiz show-winning and recipe-creating AI – to crunch through security data to learn to recognize new threats when they appear.
Machine learning may never be able to supplant human analysts, but Barlow hopes that one day it will at least be able to give humans a helping hand when it comes to staying on top of new threats.
For all the talk of nation states and hacktivists, most of these new threats boil down to organized crime rings finding new ways to extract money from companies.
Organized crime is IBM’s bread and butter – 80% of threats that Barlow sees come from criminal syndicates looking to make a profit.
“This is an economy,” he said. Last year cyber criminals netted $450bn (£113bn) in profits. And while most of the news concentrates on attacks by nation states, companies are slowly being bled dry by attacks.
When they’re too embarrassed to fess up, or are frightened that a breach would hit their share prices, they often stay quiet about it.
We’re living in strange times, where frequent and damaging attacks by criminal gangs are shrugged off as if it’s the new normal.
“This is the first time in the history of nations that governments of the world have outsourced the protection of citizens to private enterprises,” Barlow said.
Out of sight the battle is raging on but as IBM readies itself to bring machine learning into the fray, there’s the chance that the balance might be about to shift in its favor.