Latest Blog
How AI is changing the future of SOC operations
March 18, 2024
How AI is changing the future of SOC operations
Total Article Read Time: 4 min
This is a technical blog for cybersecurity professionals and leaders. It and others in my series will showcase the intersection of AI and cybersecurity and explore how roles evolve in AI-led versus human-led scenarios.
Introduction: The problem we've created
In many ways, the continuing advancement of technology has made it more difficult than ever to be a security analyst. Why?
- More visibilityAnalysts have more visibility than ever before. This is a double-edged sword. Of course, it is great to reduce blind spots, but this increases the number of tools that must be deployed, configured, maintained, and monitored. A 2020 study by Oracle and KPMG reports that 78% of organizations now have more than 50 distinct security tools.
- More dataWith the increase of tools and visibility comes an inevitable increase in data and alerts. Finding the needle in the haystack is harder than ever before because the size of the haystack continues to grow disproportionately. The global growth of data has increased 60x in the last 13 years. It is estimated that 90% of the world's data was generated in the previous two years alone.
- More complexityNot only has the number of tools increased, but their features and capabilities have also kept a rapid pace in their enhancements. This makes properly using these tools more complex and difficult than ever.
AI Revolution in Cybersecurity
Could the solution for this increase in technology be more technology? In this case, the answer is actually "Yes!" Many security companies are touting AI as a game-changer in security operations. While the viability of these claims may vary depending on the implementation and objectives of the companies making the claims- the potential [end eventual inevitable] merits of the assertions remain true.
Here is a look at just five [non-exhaustive] ways that AI is disrupting traditional security operation roles and responsibilities:
- Knowledge development: I jokingly say that I have forgotten more than I now remember. I sadly confess there is probably a strong element of reality to that statement (don't tell my boss). In contrast, AI systems have the power of perfect recall- limited only by available disk space and query time. These systems continually learn from every interaction; the more they learn, the smarter they become. This is not an equal reality with most humans.
- Additionally, information learned by the AI systems is accessible to all; knowledge learned by humans must be learned by each individually. AI ultimately creates a collective knowledge library that is equal to the contributions of all system users. With the recent advances of large language models (LLMs like ChatGPT), this community knowledge library can be queried by even junior security analysts, making deep and arcane security knowledge widely available.
- Ultimately, AI's perfect recall will become widely leveraged to continuously improve threat detection and response. This will be a significant departure from traditional knowledge management, which often struggles to keep pace with modern cyber threats and often loses tribal knowledge due to staff transitions and turnover.
- Automated Threat HuntingTraditional threat-hunting processes vary significantly based on the expertise, training, and talent of the human performing the task. Some may spontaneously look at data, chasing anomalies and pursuing human intuition. More mature threat-hunting processes will develop hypotheses of what malicious activity might occur and the IOCs associated with that activity, then perform the searches to look for those IOCs. Early AI threat-hunting solutions were very good at using AI patterns to detect and raise anomalies along with the context of those anomalies. However, with continuing advances, AI systems now have the capabilities to develop potential attack scenarios, identify the list of IOCs to look for from those scenarios, and then search the data for those scenarios- all automatically. The end result is AI systems that can perform automated threat hunting faster, more exhaustively, and continuously than their human counterparts.
- Behavioral Analytics/User Behavior AnalyticsSimilar to the previous bullet, the trend continues with UEBA. AI systems are excellent at pattern recognition- and the corollary of detecting deviations from normal. While not all anomalies are malicious, they have a valuable place for augmenting the detection coverage provided (and missed) by legacy signature systems. These anomalies can be used to raise awareness of differences in network traffic, CPU/memory/disk utilization, running processes, file access, login activity, and more. The end result is early threat detection and insights into users and systems that wouldn't be possible without AI assistance.
- Automated Incident ResponseOne powerful way AI is being used is to automate incident response. AI systems are being equipped with the ability to perform actions like a human analyst would perform to gather additional data and context. These systems use this context to organize the enrichments into patterns that provide contextual understanding and to make recommendations for critical decisions (like containment or escalations). Combined with the learning and feedback of the underlying knowledge systems, they reduce false positives and unnecessary manual investigation. They perform these actions faster and more consistently than a human analyst with higher accuracy.
- Security AutomationFor quite some time, more mature teams have looked to security orchestration automation and response (SOAR) products to reduce the workload for security analysts. Even if a security operation center can automate one process a week, that is only 50 processes a year. After this, you have maintenance and upkeep to keep the automations running and adjust to changes in company processes. Combined with the cost of the software and the development costs of a senior engineer who is technically capable, the ROI for a SOAR investment can be difficult to justify- especially for smaller security shops. AI changes this by making automation as simple as using natural language to describe the automations you wish to implement. The AI systems stitch together executable code to perform the requested automation tasks.
What lies ahead
For all of history, there have been pioneers and early adopters in moments of great innovation, and there have been those who are more risk-averse and traditional. But with the great advances of history (electricity, telegraphs, automobiles, flight, telephones, computers, and an endless number of smaller advances), virtually everyone eventually participates and benefits. One significant factor that slows adoption and use is fear- and one great antidote to fear is knowledge. Reading this article is a great start, but it is still only a start. What can you do from here? Here are some free ways to keep the momentum:
- Subscribe to/follow this blog- we live in this space and want to educate and inform.
- Update your digital news feeds to notify you about artificial intelligence stories.
- Ask vendors for a demonstration - they are always looking for connections and feedback on their AI roadmap.
- Find free AI training. We'll release a future blog dedicated to this topic alone, but for now, the Internet is a useful resource.
- If you are specifically interested in using AI for knowledge development, incident response, or security automation, connect with me on LinkedIn. I'm regularly posting on these topics and sharing articles I find.
- Request a demo from AirMDR. We would enjoy the opportunity to share the benefits that our users are experiencing.
With over 25 years dedicated cybersecurity experience, Anthony specializes in SIEM, incident detection, incident response and security automation.