During Wimbledon 2017, 200 million cybersecurity events were detected, resulting in 3.5 million attack signatures. Eleanor Dallaway went behind the scenes in the tech centre and operation room at Wimbledon to see just how IBM is securing one of the world’s most popular sporting events.
Throughout the years, Wimbledon’s focus on digital platforms has increased, and as a result, the need for cyber resilience has, of course, intensified. During Wimbledon 2017, the website had 436 million page views, a 10% increase on 2016.
As its long-standing tech partner, IBM is tasked with delivering a flawless technical experience for Wimbledon fans around the world. For the first time, IBM Watson for Cybersecurity – an IBM supercomputer that combines artificial intelligence with sophisticated analytical software – aided this mission.
As information security ‘events’ were collated in the IBM QRadar threat matrix, the information security team selected particular threats to be analysed in greater detail by Watson. Brian Jensen, Site Reliability Engineer, ibm.com, told Infosecurity that “we choose to submit certain offences to Watson. A few seconds later, it will send back additional information, pulled in from across the internet. It’s interesting to get a different view and additional context regarding whether others are seeing this”. He described Watson as “a shortcut for doing the initial research.”
Throughout the tournament, the security team were provided with a threat description and a recommended set of actions based on IBM Watson’s analysis of a threat. Brian Jensen said it gave him “a head-start in figuring out the scope of the problem.” Watson can identify whether a security event is associated with known malware and provide relevant background, as well as identify suspicious user behavior.
The QRadar threat matrix has a dashboard which reports where in the world the highest number of attempted cyber-attacks is coming from at any one time. During the tour of the operations room, Russia, China and the US consistently topped the chart. This, said Jensen, is mainly indicative of places that “either have a large number of compromised machines, or ISPs that are friendly to non-legitimate users.”
Interestingly, Jensen reported that the majority of attacks were not intentional, targeted cyber-attacks, and were instead “compromised machines across the internet, botnets scanning for vulnerabilities. We see persistent vulnerability scanning over and over again”, he said. “The majority of incidents are just probing, looking for vulnerabilities, automated attacks. The majority are not people actively trying to attack this website.”
In a blog, IBM’s Jonathan Van Houten writes about the “low and slow coordinated attack” that was noticed at Wimbledon 2017. “It began with a specialized form of distributed denial-of-service, which is not meant to decrease the availability of the platform like so many relatives of the method. Instead, it remained below the radar over a short span (10 minutes, in this instance), thus piling log data into a massive stream of similar entries without raising the alarm. It limited the number of active connections to prevent the image of an actual threat.
“The value is in the masquerading effect”, he continued. “While their bots are performing this task, cybercriminals use the cover of darkness to attempt other nefarious acts, such as malware injection. An analyst would be forced to slog through thousands of log entries — or, if they were fortunate to have a decent security information and event management (SIEM) solution, could attempt to correlate the entries. It is a time-consuming and error-prone task. Enter Watson.”
The Watson for Cybersecurity system conducted the analysis and was able to show the cause-and-effect relationship between the two attacks. In this instance, the IPS system reacted and thwarted the attempt.
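The correlation an analyst would otherwise do by hand can be sketched in a few lines. The following is an added example, not IBM's or Watson's logic: it flags 10-minute windows in which one signature floods the log from many low-rate sources, then surfaces the rare events hidden in the same window. The event tuple format, thresholds, signature names and sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

WINDOW = 600  # seconds; the 10-minute span mentioned in the quoted blog

def find_masked_events(events, min_noise=200, max_per_source=10, rare_max=2):
    """Return [(window_start, noisy_signature, [rare events])] per window.

    events: iterable of (epoch_seconds, source_ip, signature) tuples
    (a hypothetical normalised log format). A window is flagged when one
    signature floods the log (>= min_noise entries) while no single source
    exceeds max_per_source entries, the shape that stays under
    per-connection rate alarms.
    """
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // WINDOW * WINDOW].append(ev)

    findings = []
    for start in sorted(buckets):
        evs = buckets[start]
        by_sig = Counter(sig for _, _, sig in evs)
        for sig, count in by_sig.items():
            if count < min_noise:
                continue
            per_src = Counter(src for _, src, s in evs if s == sig)
            if max(per_src.values()) > max_per_source:
                continue  # one loud source: ordinary rate limiting catches it
            # Events whose signature is rare in this window are the ones
            # most likely to be buried by the flood.
            rare = [e for e in evs if by_sig[e[2]] <= rare_max]
            if rare:
                findings.append((start, sig, rare))
    return findings

def sample_events():
    """Constructed sample: 300 similar entries from 60 hosts plus one upload."""
    evs = [(600000 + i * 2, f"198.51.100.{i % 60 + 1}", "http_probe")
           for i in range(300)]
    evs.append((600301, "203.0.113.7", "file_upload_attempt"))
    # A quiet later window with a handful of entries; it must not be flagged.
    evs += [(600600 + i * 30, "192.0.2.10", "http_probe") for i in range(5)]
    return evs

if __name__ == "__main__":
    for start, sig, rare in find_masked_events(sample_events()):
        print(f"window {start}: flood of {sig!r} masks {rare}")
```

The thresholds are placeholders; in practice they would be tuned against a baseline of normal traffic for the site.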
An event on the scale of Wimbledon, with the global stage that it has, is bound to be targeted. “Well, yes, it is a visible event, but we don’t talk about specifics”, Jensen said.
Worst-case scenario, Jensen says, would be a true DDoS attack. “They are the most difficult attacks to mitigate and it would require working with network partners.” Has it happened in the history of Wimbledon? “No”, he said slowly and deliberately.
To learn more about the Wimbledon 2017 technology challenges and achievements, visit https://www-03.ibm.com/press/uk/en/pressrelease/52728.wss