AI is among the most disruptive technologies of our time. While AI/ML has been around for decades, it has become a hot topic with continued innovations in generative AI (GenAI), from start-up OpenAI to tech giants like Microsoft, Google, and Meta. When large language models (LLMs) are combined with big data and behavior analytics, AI/ML can supercharge productivity and scale operations across every sector, from healthcare to manufacturing, transportation, retail, finance, government and defense, telecommunications, media, entertainment, and more.
Within the cybersecurity industry, SentinelOne, Palo Alto Networks, Cisco, Fortinet and others are pioneering AI in cybersecurity. According to a global market research report by Allied Market Research, the AI in cybersecurity market is estimated to surge from $19.2 billion in 2022 to $154.8 billion in 2032, rising at a CAGR of 23.6%.
Challenges of the traditional SOC
SIEM
One of the challenges with the traditional Security Operations Center (SOC) is that SOC analysts are overwhelmed by the sheer number of alerts that come from Security Information and Event Management (SIEM). Security teams are bombarded with low fidelity alerts and spend considerable time separating them from high fidelity alerts. The alerts come from almost any source across the enterprise, and the problem is further compounded by too many point solutions and a multi-vendor environment.
The numerous tools and lack of integration across multiple vendor product solutions often require a great deal of manual investigation and analysis. The pressure that comes with having to keep up with vendor training and correlate data and logs into meaningful insights becomes burdensome. While multi-vendor, multi-source, and multi-layered security solutions provide a lot of data, without ML and security analytics they also create a lot of noise and a disparate view of the threat landscape with insufficient context.
SOAR
Traditional Security Orchestration, Automation and Response (SOAR) platforms, used by mature security operations teams to develop run playbooks that automate response actions from a library of APIs across an ecosystem of security solutions, are complex and expensive to implement, manage, and maintain. SOCs are often playing catch up on coding and funding the development cost of run playbooks, making it challenging to maintain and scale operations to respond to new attacks quickly and efficiently.
XDR
Extended Detection and Response (XDR) solves a lot of these challenges with siloed security solutions by providing a unified view with more visibility and better context from a single holistic data lake across the entire ecosystem. XDR provides prevention as well as detection and response, with integration and automation capabilities across endpoint, cloud, and network. Its automation capabilities can incorporate basic SOAR-like functions for API-connected security tools. It collects enriched data from multiple sources and applies big data and ML-based analysis to enable response through policy enforcement using security controls throughout the infrastructure.
AI in the modern next gen SOC
The use of AI and ML is increasingly essential to cyber operations to proactively identify anomalies and defend against cyber threats in a hyperconnected digital world. Canalys research estimates suggest that more than 70% of businesses will have their cybersecurity operations supported by generative AI tools within the next five years.
AI-powered XDR platforms and tools
As XDR evolves to incorporate complex, integrated SOAR functions powered by AI, the choice of underlying AI model and the computing resources it requires become prerequisites for the next generation SOC. The depth of AI and ML experience that goes into building the foundation of the XDR technology platform is just as important as the ability to operate, manage, and maintain a SOC powered by an AI system. AI-powered XDR platforms and tools let a SOC:
- Leverage AI-driven decision-making to help navigate the threat landscape
- Profile users, machines, and entities with User and Entity Behavior Analysis (UEBA) and detect Indicators of Behavior (IoBs)
- Detect the most sophisticated or unknown threats in real time with extensive knowledge of attack details so that incident response is streamlined with in-depth understanding to prevent similar future attacks
- Target specific functions and apply security controls from multiple security tools automatically to execute routine tasks and multi-stage playbooks
- Accelerate security orchestration, automation, and response to incidents more accurately
- Invoke endpoint detection and response (EDR), network detection and response (NDR), and cloud detection and response (CDR) through ML and behavior threat alerts
- Improve investigation quality and reduce business and security risk at machine speed
At the intersection of AI/ML and cybersecurity lies the transformation of the traditional Security Operations Center (SOC) into the modern next generation SOC, empowering SOC analysts to respond to critical and more sophisticated attacks. AI-powered and human-led, these automation capabilities save human time on repetitive, low-level activities so analysts can focus on more strategic initiatives such as threat hunting and proactively improving overall security posture.
Cybersecurity benefits from advanced analytics, ML, and GenAI that quickly turn raw threat data into curated cyber threat intelligence and network surveillance to proactively defend against adversaries. GenAI could provide better DDoS protection and mitigation by analyzing the massive volumes of collected data, network flows, usage patterns, and other telemetry metrics, providing better security context to respond with greater speed and accuracy.
A GenAI model trained to learn from patterns found in cyber threats and vulnerabilities could predict future threats. Rather than reacting to thousands of alerts and suffering from alert fatigue, SOC analysts could leverage GenAI for proactive threat detection, anticipate potential threats, and take a proactive approach with existing security tools to respond before an actual attack occurs.
SOC Analysts
Tier 1 – Triage
Tier 1 analysts are tasked with identifying true positives and filtering out false positives from the volume of alerts. Their primary focus is to triage and categorize threats and assess their urgency before handing them off to Tier 2 for incident handling. ML and UEBA enable a SOC to
- Learn dynamically what is normal vs. abnormal behavior and automatically trigger an alert when anomalous activity is detected
- Augment static, already known Indicators of Compromise (IOCs) with dynamic Indicators of Behavior (IoBs) that provide context and intent of a threat earlier
- Detect insider threats and otherwise invisible threats, such as zero-days and threat indicators missed by other techniques
- Minimize the manual workload of security teams by using automation and ML to identify and validate threats and assign risk scoring.
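As an added illustration of the baselining and risk-scoring step described above (example code written for this article, not from any vendor named here; the users, hours, byte counts and the AS64500 indicator are constructed), a minimal UEBA-style scorer learns each user's normal countries, working hours and outbound volume, then combines those behavioral indicators with a static IOC into a Tier 1 escalate/auto-close decision:

```python
import statistics
from collections import defaultdict

# Constructed window of normal activity: (user, hour_of_day, country, bytes_out)
BASELINE = [
    ("alice", 9, "US", 1_200), ("alice", 10, "US", 900), ("alice", 14, "US", 1_500),
    ("alice", 11, "US", 1_100), ("alice", 16, "US", 1_300),
    ("bob", 8, "DE", 5_000), ("bob", 12, "DE", 4_800), ("bob", 17, "DE", 5_200),
    ("bob", 9, "DE", 4_900), ("bob", 13, "DE", 5_100),
]
# Constructed static IOC (known-bad source ASN) that behavioral IoBs augment.
KNOWN_BAD_ASN = {"AS64500"}

def build_profiles(events):
    """Learn per user what normal looks like: countries, hour range, byte stats."""
    per_user = defaultdict(list)
    for user, hour, country, nbytes in events:
        per_user[user].append((hour, country, nbytes))
    profiles = {}
    for user, rows in per_user.items():
        hours = [h for h, _, _ in rows]
        sizes = [b for _, _, b in rows]
        profiles[user] = {
            "countries": {c for _, c, _ in rows},
            "hour_min": min(hours), "hour_max": max(hours),
            "bytes_mean": statistics.mean(sizes),
            "bytes_std": statistics.pstdev(sizes),
        }
    return profiles

def score_event(profile, hour, country, nbytes, asn):
    """Combine behavioral indicators (IoBs) and a static IOC into one risk score."""
    score, reasons = 0, []
    if country not in profile["countries"]:
        score += 40; reasons.append("new-country")
    if not profile["hour_min"] <= hour <= profile["hour_max"]:
        score += 20; reasons.append("off-hours")
    # 3-sigma volume check; the 100-byte floor stops a flat baseline over-alerting
    if nbytes > profile["bytes_mean"] + 3 * max(profile["bytes_std"], 100):
        score += 30; reasons.append("volume-spike")
    if asn in KNOWN_BAD_ASN:
        score += 30; reasons.append("ioc-asn")
    return score, reasons

def triage(profiles, event, escalate_at=50):
    """Tier 1 decision: escalate to Tier 2, or auto-close as low fidelity."""
    user, hour, country, nbytes, asn = event
    score, reasons = score_event(profiles[user], hour, country, nbytes, asn)
    return {"user": user, "score": score, "reasons": reasons,
            "action": "escalate" if score >= escalate_at else "auto-close"}
```

A single behavioral signal (for example one larger-than-usual transfer) stays below the escalation threshold, while an IoB combined with a known IOC crosses it, which is the augmentation the list above describes.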
GenAI enables a SOC to
- Understand the identified anomalous activity, sequences of events, and make better decisions to escalate an alert
- Detect actual attacks more accurately than humans with fewer false positives
- Identify suspicious and malicious emails from phishing campaigns
- Reduce the potential for cyberattacks by reducing the overall attack surface
In fact, GenAI could automate a massive portion of these activities, including vulnerability scans and reporting, so that analysts can focus on responding to prioritized real threats.
Tier 2 – Incident response
Tier 2 analysts validate true positives, gather relevant data, review real-time threat intelligence, investigate incidents, and develop incident case reports. AI-powered SOC platforms enable analysts to
- Ask GenAI questions through data prompts to understand the sequence of events that transpired over a timeline, the threat vector, the vulnerabilities involved, and the risk they pose to a specific organization's environment
- Analyze emerging threat intelligence and IoBs, identify and predict which systems and devices an adversary is targeting, and assess the scope of the affected systems, devices, and files in the environment
- Remediate automatically and recover swiftly from attacks to minimize response and dwell times
- Automate the collection of artifacts and documentation of the investigation report, allowing analysts to dive into the next incident.
Tier 3 – Threat hunting
Tier 3 analysts focus on threat hunting. They proactively assess vulnerability and asset discovery data to uncover more complex and covert threats in an environment. GenAI provides real-time, LLM-based natural language interfaces so that threat hunters using AI-powered SOC tools can
- Perform AI tradecraft analysis and proactive AI threat hunting using telemetry logs across endpoints, cloud, and network
- Investigate proactively on emerging AI-detected anomalies and recommend response actions to prevent future attacks faster
- Simulate social engineering attacks to identify vulnerabilities
- Automate penetration testing to probe defenses to identify weakness and improve security posture.
In short, GenAI significantly improves key performance metrics including Mean Time to Detect (MTTD), Mean Time to Investigate (MTTI), and Mean Time to Resolve (MTTR). GenAI brings tremendous benefits to the modern next gen SOC and its analysts:
- Focus on critical alerts and actual threats with high confidence rather than reacting to a large volume of alerts and false positives
- Speed to detect and respond to anomalies, misconfigurations, malware, and cyber threats with automation capabilities
- Efficiency gained with AI-powered cyber threat detection and response abilities to learn and adapt
- Analysis of incidents and threat assessments from large datasets and multiple data sources to help summarize and prepare reports for incidents, RCAs, security posture assessments, and recommended next steps
- Proactive response to dynamic threat vectors based on learned patterns and predicted threats
- Optimize human capital given the current skills gap and the cybersecurity talent shortage
AI systems and trained data
The quality, accuracy, and reliability of the training data used in AI systems is critical. The more good data used for training, the better the analysis and response. The ability of AI systems to quickly learn and adapt to curated data from global sources, sorting known good data from bad, is also crucial.
The selected AI model and the quality of the data it is trained on, used to automatically analyze and correlate integrated threat intelligence for better context across network, endpoint, cloud workloads, applications, and data centers, can make a SOC more effective and is a key differentiator. AI also raises difficult questions around privacy, bias, and ethics.
Combatting AI-powered criminals with AI-powered SOCs
The rise of AI-powered criminals will certainly make cybercrime harder to fight. Cybercriminals are leveraging AI to execute TTPs to infiltrate networks, exfiltrate sensitive data, generate dynamic ransomware attacks, and perform more targeted and distinct nation state attacks on our national critical infrastructure.
AI-powered cyber sentinels for good and AI-powered cybersecurity analysts in the modern next gen SOC will accelerate the response to phishing attacks, malware investigations, zero-day exploits, and remote provisioning, and will manage threats proactively and more efficiently to stay ahead of cybercriminals. The mean time to resolve (MTTR) critical incidents can be reduced from days and weeks to minutes and seconds.
Evolving from a reactive, manual security operations model to a proactive AI-powered SOC that is intelligent, adaptive, machine-driven, and human-led, with minimal analyst involvement, will be critical in the transformation journey to the modern next generation SOC. Adopting AI is a critical innovation for the modern-day SOC. It is paramount to reducing and mitigating cybersecurity risks for an organization and achieving resiliency.