Here are thoughts from two cybersecurity experts in response to recent news that the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, has partnered with IBM to use AI to rate the severity of publicly reported cyber vulnerabilities.
Gabriel Gumbs, VP of Product Strategy at STEALTHbits Technologies:
“Applying AI, and in particular Watson to the scoring of vulnerabilities will be useful for keeping up with the increased NIST work load, however, I don’t foresee this addressing the issue of organizations still not patching their systems in time. In theory, the ranking of vulnerabilities helps prioritize which systems are patched first and how soon those patches are applied. I believe this program could go a step further and score both the inherit risk, and the residual risk of vulnerabilities when other controls are in place. This would allow for real world patch prioritization scenarios where organizations can apply controls that cab be rolled out faster than a patch, and in cases where patches do not [yet] exist still reduce their exposure.”
George Wrenn, CEO at CyberSaint Security:
“Artificial Intelligence is solving the manual effort problem that many organizations face. For security leaders, it’s important to know that not all AI is equal, but when the right choice is made the benefits from a time, cost, and resource perspective can be immense. For example, our large enterprise customers adopt the NIST Cybersecurity Framework (CSF) with great agility because of the AI-powered automation we incorporate and avoid misdirecting time and resources. Similar to this new AI application for bugs, dynamic threat intelligence is identified and ‘injected’ into any compliance program, on a control by control basis. This is a level of risk analysis that can only be done through the use of breakthrough tech and AI. It is no surprise NIST is delving into this area.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.