Role of generative AI in Concert
IBM® Concert combines traditional analytics and generative AI, powered by IBM watsonx.ai, to deliver comprehensive insights into your applications and environments.
Concert incorporates the "ask-wx" service framework to enable the connection with watsonx.ai. Based on specific user interactions, the framework is used to provide enriched contextual data to inform prompt engineering interactions with the Concert chat. For example, watsonx.ai uses contextual data to validate user-provided evidence that an environment is compliant with an assessed control.
The application topology payload is shared as part of the invocation of the watsonx.ai API prompt to help focus the model's responses during that session. For example, if you use watsonx.ai to understand the impact of a CVE, details about your applications and environments that are associated with that vulnerability are used to inform the responses.
Working with AI to mitigate vulnerabilities
A vulnerability scan file contains the results of a vulnerability scanning process, including details about the scanned system, the discovered vulnerabilities, their exploitability and severity of impact, and recommendations for remediation. The amount of text included in these files makes them a good candidate for summarization by AI models and for producing programming-language- and runtime-specific guidance on remediation.
As Concert ingests vulnerability data from a scan output, it applies a series of preprocessors and algorithms to correlate vulnerability findings across application components, pinpoint the root cause, and determine the blast radius such as exposed API endpoints. Concert queries IBM X-Force Red data to understand the exploitability of a vulnerability to refine the severity level and prioritization of the CVE.
- A Site Reliability Engineer (SRE) or Security Operations Engineer can use the chat to understand vulnerabilities and remediation options in terms of patches or upgrades.
- A Developer can use the context-aware interactions to elicit guidance on how to mitigate the vulnerability risk in the source code.
Working with AI to expedite compliance
Compliance controls are notoriously vague, leaving them open to interpretation. This makes it difficult for software engineers to understand the requirements, especially for those who are not familiar with the specific regulations or standards they must meet. Concert enables you to use watsonx.ai as a compliance subject matter expert, summarizing requirements and validating evidence against the assessed controls. For example, an IT Operations Engineer or SRE can use the chat to request clarifications about a specific compliance control and methods to meet its requirements.
Compliance assessments include numerous procedural elements, and most require documented proof of compliance for each control. Reviewing the evidence is time-consuming and typically requires an experienced subject matter expert to validate it. Concert uses generative AI to validate text-based evidence provided by end users against the compliance controls to determine and record whether there is sufficient proof of compliance. This functionality is triggered automatically to produce a brief, human-readable summary and a validation status. This application of watsonx.ai in Concert reduces the time-consuming effort of recording evidence and improves the efficiency and efficacy of subsequent audit procedures and compliance reviews.