Source: securityboulevard.com – Author: Alex Thaman
Artificial intelligence (AI) is profoundly transforming cybersecurity, reimagining detection through remediation. While AI’s value across cybersecurity workflows has been inconsistent, recent breakthroughs in machine learning will significantly decrease organizational risk and become necessary in defense operations to keep up with constantly evolving threats. Modern AI technology requires less specialized data to build capabilities, making it accessible for enterprises of every size and creating a more competitive technology ecosystem.
We have seen AI technology go through four major transitions over the past few decades, all of which have made their way into the cybersecurity ecosystem.
Rule-Based Systems
In the early days of AI, rule-based systems were used for simple detections of anomalies, code signatures and event patterns. These systems rely on predefined sets of rules and logic, created by human experts, to make decisions and solve problems. Detection engineering is still primarily based on rules written in declarative languages, such as YARA.
While effective in certain cases, these systems have significant limitations. Rules must be constantly updated to account for new threats, and they struggle with ambiguous or complex situations. Rules are fully explainable but can be easily evaded by someone who knows or can figure out what the rule is. As cyberattacks grow in sophistication, rule-based systems remain necessary but fall short in modern, fast-changing threat landscapes, as they require constant updates, often tuned manually based on past examples.
Machine Learning (ML)
The next major leap in technology came with the introduction of ML, which revolutionized AI by allowing systems to learn from data instead of relying on static rule sets. ML models analyze vast amounts of data to identify patterns without manual tuning. Companies with large amounts of continuous data were best positioned to derive value from ML, and as such, the bulk of the benefits we have seen have come from the major industry products. However, most SOC teams were unable to specialize this technology for their specific environment and risk profile.
Supervised learning models, for instance, can be trained on labeled data to distinguish between legitimate activity and malicious behavior, while unsupervised learning models can identify similarities in code fragments and behaviors. Unlike rule-based systems, which require constant manual updates, ML systems evolve with each new piece of data, providing a more scalable and efficient solution for threat detection.
Deep Learning (DL)
Building on the success of ML, DL introduced neural networks capable of handling far more complex tasks. Modeled after the human brain, these deep neural networks process large volumes of data through interconnected layers, allowing them to extract intricate patterns and correlations that would be imperceptible to traditional ML models.
DL has been used only sparingly in cybersecurity. In theory, it has the potential to detect advanced threats, such as zero-day attacks or sophisticated malware, which often require the analysis of subtle, hard-to-detect behaviors. However, DL models are also very data-hungry, requiring significant computational resources and large datasets for training, typically an order of magnitude more than classical machine learning. They are more commonly used for tasks involving unstructured data, such as images, videos and text, but we have even seen a limited increase in value in applications to threat intelligence, which is more text-heavy.
Large Foundation Models (LFMs) + Generative AI
The most recent revolution in AI has happened in the last few years around foundation models, which include large language models (LLMs). Unlike previous approaches, which require large amounts of data, experienced developers and a large volume of security expertise to train, LLMs are trained on massive amounts of generalized text data from across the internet, which includes security-related topics. These models are then tuned, or guided, towards specific security use cases, significantly reducing the data and expertise requirement. Models such as these are particularly accessible to smaller organizations, allowing them to adopt AI technology within their IT and products. The breakthrough that led to these models was the development of more scalable model architecture, scalable training processes and advancements in hardware specialized for this level of scale.
In modern SOCs, LLMs are playing a critical role by automating key functions and assisting analysts in decision-making. For example, LLMs can operate as intelligent SOC “agents,” capable of writing queries to investigate incidents, summarizing logs and even suggesting remediation steps based on historical data. This helps analysts quickly identify relevant patterns, freeing up time for more complex analyses. This capability is also extending into anomaly detection, where AI tools can sift through vast amounts of network traffic and system logs for activity that may signal a breach.
The Future of AI in Security
Generative AI capabilities are quickly working their way into both offensive and defensive cyber operations, enabling faster response times, playbook automation and accelerated reporting. Many security products have introduced “Copilots” to improve their effectiveness, and we are also seeing LLMs used to create malware. However, this technology is still in its early days and will continue to evolve.
We are anticipating and already starting to see significant breakthroughs in agentic AI, which involves an AI that can produce and execute plans. Planning capabilities are key to generalizing explainability, auditability and human-AI collaboration, and I expect this to be one of the key innovations that unlocks a more scalable security operation and risk management strategy.
We have seen a stepwise increase in AI investment across all industries over the past two years. The new capabilities that have been unlocked are showing tremendous promise in their ability to increase efficiency, reduce costs and drive revenue and growth. As with all technology revolutions, the technology takes time to mature and reach its full potential, but the investment in this technology today will ultimately yield high returns for adaptable organizations.
Original Post URL: https://securityboulevard.com/2025/02/the-current-ai-revolution-will-finally-transform-your-soc/