
AI in the SOC – Source: securityboulevard.com


Source: securityboulevard.com – Author: Sue Poremba

Is there a more talked about topic than AI right now? Generative AI took the world by storm when ChatGPT was introduced to the public, and it seems like everyone discovered at once that AI impacts, well, just about everything.

People in the security world know this, of course, but this new visibility has put a spotlight on how AI is used in cybersecurity. Where in other industries there is fear that AI will make jobs obsolete, in cybersecurity, AI is used in partnership with humans. And that is most evident in the security operations center (SOC).

How AI Benefits the SOC

The SOC’s role in an organization is to provide 24/7/365 detection of potential threats in real time. The main responsibilities of the SOC include incident response, monitoring, log management, threat detection, recovery and remediation, and compliance management.

A breakdown in any of these responsibilities could result in a data breach, a ransomware attack or other cybersecurity incident that results in downtime, loss of reputation and customer dissatisfaction and/or financial repercussions.

The human power in the SOC comes from security analysts and engineers, as well as threat hunters and other specialists, depending on the size of the organization and the SOC. But with a shortage of security workers, as well as the high levels of burnout caused by the repetitive nature of the SOC’s responsibilities, the SOC needs to rely on AI and ML to be effective. AI and ML automate many of these tasks, freeing up analysts to perform other duties that are necessary, yet often pushed aside, to keep the SOC operating at peak efficiency.

“Current SOCs are usually based on rule sets,” said AgileBlue’s president Tony Pietrocola, in an email interview. “ML focuses on the ability of machines to interact with data, learn and even change an algorithm as it consumes more data. But AI brings the cognitive ability to grow, learn and carry out tasks based on algorithms. AI empowers you by continually becoming more knowledgeable as it gathers information from a near-infinite variety of sources.”
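To make the rule-set versus learned-behaviour contrast concrete, here is an added example (not code from the article or from AgileBlue) that runs two detectors over a handful of constructed SSH authentication log lines. The static rule fires on a burst of failed logins from one source address inside a short window; the baseline detector instead compares each user’s failure count for the day against that user’s own history and flags a statistical outlier. The log lines, the history table and the thresholds are all invented for the demonstration.

```python
"""Rule-based vs. baseline (learned-profile) detection over constructed auth log lines."""
import re
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape; not captured from any real host.
SAMPLE_LOGS = """\
2023-07-10T09:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 51001
2023-07-10T09:00:03 sshd[101]: Failed password for alice from 203.0.113.5 port 51002
2023-07-10T09:00:04 sshd[101]: Failed password for alice from 203.0.113.5 port 51003
2023-07-10T09:00:06 sshd[101]: Failed password for alice from 203.0.113.5 port 51004
2023-07-10T09:00:07 sshd[101]: Failed password for alice from 203.0.113.5 port 51005
2023-07-10T09:00:09 sshd[101]: Accepted password for alice from 203.0.113.5 port 51006
2023-07-10T09:15:00 sshd[102]: Failed password for bob from 198.51.100.7 port 40001
2023-07-10T09:45:00 sshd[103]: Failed password for bob from 198.51.100.8 port 40002
2023-07-10T10:20:00 sshd[104]: Failed password for bob from 198.51.100.9 port 40003
2023-07-10T10:50:00 sshd[105]: Failed password for bob from 198.51.100.10 port 40004
2023-07-10T11:30:00 sshd[106]: Accepted password for carol from 192.0.2.44 port 30001
"""

# Constructed per-user history: failed logins per day over the previous seven days.
HISTORY = {
    "alice": [0, 1, 0, 1, 0, 0, 1],
    "bob": [0, 0, 1, 0, 0, 0, 0],
    "carol": [0, 0, 0, 0, 0, 0, 0],
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def rule_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Static rule: at least `threshold` failures from one IP inside a sliding `window`."""
    recent = defaultdict(deque)
    hits = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "Failed":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits.add(e["ip"])
    return hits


def baseline_anomaly(events, history, z=3.0):
    """Learned baseline: flag users whose failures today sit more than `z` std devs above their own history."""
    today = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            today[e["user"]] += 1
    flagged = set()
    for user, count in today.items():
        past = history.get(user, [])
        if len(past) < 2:            # no usable profile yet; leave it to the static rules
            continue
        mu, sigma = statistics.mean(past), statistics.pstdev(past)
        sigma = max(sigma, 0.5)      # floor so a perfectly flat history still gives a finite score
        if (count - mu) / sigma > z:
            flagged.add(user)
    return flagged


def run():
    events = parse(SAMPLE_LOGS)
    return {"rule_hits": rule_brute_force(events),
            "baseline_hits": baseline_anomaly(events, HISTORY)}


if __name__ == "__main__":
    print(run())
```

Run as written, the rule catches only the six-second burst from 203.0.113.5, while the baseline also flags bob, whose four failures are spread over two hours and four different addresses and so never trip the per-IP rule. That is the complementarity the quote points at: rules encode what you already know to look for, profiles catch deviations from what is normal for that entity.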

AI as SOC Gamechanger

AI does what humans can’t do alone, even with a SOC—defend against dynamic and progressive cyberattacks.

But it isn’t just the good guys in the SOC who are relying on AI. Threat actors are using AI for their benefit—to write more convincing phishing emails, to develop malware and to launch attacks. The best defense against AI-driven attacks is AI in the SOC.

“As AI-based SOC and managed EDR platforms use more AI, they can determine a potential cybersecurity breach and then take automated actions such as isolating devices, disabling accounts, blocking IPs and stopping an executing command, etc.,” said Pietrocola. Speed is of the essence in combating a cyberattack and mitigating risks to the organization, and that’s where AI shines.
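The automated actions Pietrocola lists (isolating devices, disabling accounts, blocking IPs, stopping a running command) are exactly the ones a SOC should never let fire without guardrails. The following added example (my own illustration, not code from the article or from any vendor’s platform) shows a playbook step that maps a detection to those actions but keeps a human in the loop where the blast radius is large: low-confidence detections and isolation of critical assets are queued for analyst approval, and addresses on a never-block list (such as the responders’ own jump host) are skipped. The detection kinds, confidence threshold, asset tiers and the never-block entry are all invented for the demonstration.

```python
"""Automated-response playbook with guardrails (a SOAR-style decision step)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Detection:
    kind: str                    # constructed categories, see PLAYBOOK
    confidence: float            # 0.0 - 1.0 as reported by the detection engine
    host: str
    user: Optional[str] = None
    src_ip: Optional[str] = None
    pid: Optional[int] = None


@dataclass
class Asset:
    host: str
    tier: str                    # "workstation" | "server" | "critical"


# Which containment actions each detection kind maps to (constructed policy).
PLAYBOOK = {
    "credential_brute_force": ["block_ip", "disable_account"],
    "malware_execution": ["kill_process", "isolate_device"],
    "lateral_movement": ["isolate_device", "disable_account"],
}
AUTO_CONFIDENCE = 0.85           # below this, every action waits for an analyst
NEVER_BLOCK = {"10.0.0.1"}       # constructed: management jump host; blocking it would lock out responders


def _target_for(action, det):
    """The concrete object an action operates on; None when the detection lacks it."""
    return {"block_ip": det.src_ip, "disable_account": det.user,
            "kill_process": det.pid, "isolate_device": det.host}[action]


def plan_response(det: Detection, asset: Asset) -> dict:
    """Split playbook actions into ones safe to automate and ones needing approval, with an audit trail."""
    auto, pending, audit = [], [], []
    for action in PLAYBOOK.get(det.kind, []):
        target = _target_for(action, det)
        if target is None:
            audit.append(f"skip {action}: detection carries no target")
            continue
        if action == "block_ip" and target in NEVER_BLOCK:
            audit.append(f"skip block_ip {target}: on never-block list")
            continue
        needs_human = (det.confidence < AUTO_CONFIDENCE
                       or (action == "isolate_device" and asset.tier == "critical"))
        if needs_human:
            pending.append((action, target))
            audit.append(f"queue {action} {target}: confidence={det.confidence}, tier={asset.tier}")
        else:
            auto.append((action, target))
            audit.append(f"auto {action} {target}")
    return {"auto": auto, "pending": pending, "audit": audit}


def demo():
    """Three constructed detections that exercise each guardrail."""
    burst = Detection("credential_brute_force", 0.95, "ws-17", user="alice", src_ip="203.0.113.5")
    db_malware = Detection("malware_execution", 0.90, "db-01", pid=4242)
    from_jumphost = Detection("credential_brute_force", 0.90, "ws-22", user="bob", src_ip="10.0.0.1")
    return [
        plan_response(burst, Asset("ws-17", "workstation")),
        plan_response(db_malware, Asset("db-01", "critical")),
        plan_response(from_jumphost, Asset("ws-22", "workstation")),
    ]


if __name__ == "__main__":
    for plan in demo():
        print(plan)
```

The point of separating `auto` from `pending` is that the speed benefit the article describes comes from the cheap, reversible actions (blocking one external address, killing one process) being taken immediately, while the actions that could themselves cause the outage an attacker wants (isolating a production database) still go through an analyst, with the audit list recording why each decision was made.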

As mentioned earlier, AI isn’t competition to security analysts; when used right, it becomes a partner in the fight against cybercrime.

“Current security analysts are overworked, burnt out and are not in abundant supply,” said Pietrocola. “AI gives SOC analysts tremendous technology to fight and win.”

Some examples of how AI assists humans include:

• Automating root-cause analysis

• Driving consistent and deeper investigations, every time

• Reading both unstructured and structured data—more than is humanly possible to read

• Providing the information needed to reduce mean-time-to-detect and mean-time-to-respond (MTTD and MTTR)—with a quicker, more decisive escalation process

• Adapting to cyberattacks on the fly, during the attack

• Supporting a robust and automated incident response (IR) workflow that spans people, process and technology

Generative AI Enters the SOC

It’s time to stop thinking of the AI models and tools that have been used for years as the same type of tool as generative AI. There are key differences between them.

“AI includes a number of techniques including machine learning, natural language processing and behavior analytics, with the goal of deploying intelligent applications that can perform specific tasks,” explained Pietrocola. “Generative AI focuses on the creation of new content, not directly derived from the input data, to learn the underlying patterns and structures in the data and then generate new content that is similar in style or characteristics.”

In the SOC, generative AI can offer customer support. Because it provides quick and accurate responses to customers, analysts and engineers are freed up to focus on escalations and response activities.

“This makes everything more efficient, reduces employee burn-out, hiring delays and makes the SOC a formidable piece of the overall defense of an organization’s cybersecurity strategy,” said Pietrocola.


Original Post URL: https://securityboulevard.com/2023/07/ai-in-the-soc/

Category & Tags: Cybersecurity, Featured, Malware, Network Security, Security Boulevard (Original), Spotlight, AI, ChatGPT, generative AI, Security Operations Center, SOC
