The U.S. National Institute of Standards and Technology (NIST) reportedly plans to replace its method of scoring publicly disclosed vulnerabilities with a new automated process leveraging IBM's Watson artificial intelligence system.
The agency expects Watson to supplant its current Common Vulnerability Scoring System (CVSS) process for most bugs by October 2019, according to a report from Nextgov, citing Matthew Scholl, chief of NIST's computer security division. IBM has confirmed this account to SC Media, which has also reached out to Scholl for additional comment.
A key advantage of using AI is that it should ease the burden of NIST analysts who are currently tasked with reviewing thousands of vulnerabilities every week.
"Artificial Intelligence is solving the manual effort problem that many organizations face. For security leaders, it's important to know that not all AI is equal, but when the right choice is made, the benefits from a time, cost, and resource perspective can be immense,” said George Wrenn, CEO at CyberSaint Security, a company specializing in automated intelligent cybersecurity compliance. "It is no surprise NIST is delving into this area," he added in emailed comments.
Reportedly, Watson participated in a pilot program earlier this year in which it processed hundreds of thousands of older vulnerabilities and corresponding CVSS scores, and then asked to score new vulnerabilities based on that precedent. Whenever the new bug was similar to a previously studied vulnerability, Watson fared very well, scoring the flaw similar to how a person would.
But if the bug was something unique or highly complex, like the Spectre vulnerability that was discovered earlier this year, Watson reportedly struggled. As a fail-safe for this issue, Watson will produce a confidence percentage for each score. If the AI engine's confidence percentage falls under the high 90s, the human analyst will take over the review, and edit the risk score accordingly.
Gabriel Gumbs, VP of product strategy at STEALTHbits Technologies, said in emailed comments that NIST's use of Watson holds even more potential.
"Applying AI, and in particular Watson to the scoring of vulnerabilities will be useful for keeping up with the increased NIST workload; however, I don’t foresee this addressing the issue of organizations still not patching their systems in time," said Gumbs. "In theory, the ranking of vulnerabilities helps prioritize which systems in first and how soon those patches are applied. I believe this program could go a step further and score both the inherit risk, and the residual risk of vulnerabilities when other controls are in place. This would allow for real-world patch prioritization scenarios where organizations can apply controls that can be rolled out faster than a patch, and in cases where patches do not [yet] exist still reduce their exposure."