Building an AI strategy for the modern SOC

Artificial intelligence (AI) holds significant promise to increase productivity across business functions, and cybersecurity is no exception. Arguably no area of security operations is more poised to benefit from AI than the security operations center (SOC). Today’s SOC teams manage a constant onslaught of attacks while navigating a complex and fragmented tooling landscape, an immense volume of data, and a shortage of security expertise. Within this environment, a generative AI (GenAI) assistant purpose-built as a security platform presents a significant opportunity to enable security teams to operate at the speed necessary to turn the tables on would-be attackers.

But AI is only as good as the data it operates upon. Fortunately, a modernization of SOC operations is already well underway, delivering unprecedented visibility to security-related events across the enterprise. The emerging combination of this visibility paired with an AI-powered assistant to the SOC has security leaders taking notice.

XDR and AI combine to drive unprecedented visibility and high-speed response

The increasing adoption of extended detection and response (XDR) platforms is at the foundation of the SOC modernization effort. XDR solutions correlate security telemetry across security domains, including identities, endpoints, software-as-a-service (SaaS) apps, email, and cloud workloads to provide detection and response capabilities in a unified platform.

XDR platforms can use AI to correlate cross-domain security signals, taking the entire attack into account and identifying threats with a high degree of confidence. This is in stark contrast to traditional automated detection and blocking solutions, which often rely on a single indicator of compromise. The increased fidelity that AI brings to the table significantly improves the signal-to-noise ratio and results in fewer false positives to manually investigate and triage.

Notably, the more data available for the AI to analyze, the more effective it will be. Thus, it is critical to consider how to best achieve the widest breadth of XDR coverage to fully unlock AI’s capabilities.

A purpose-built GenAI assistant to transform the SOC

The use of GenAI in the SOC has the opportunity to be transformative for security analysts. They can use GenAI to summarize an incident, assess its impact, provide actionable recommendations for faster investigation and remediation, and generate a post-response activity report. Guided assistance can also help unlock new skills that allow analysts at all levels to complete complex tasks like threat hunting, reverse engineering of malware, and more. With AI-driven threat intelligence, analysts can inquire in natural language about emerging threats and their organization’s exposure and gain contextualized insights to help them respond.

In randomized controlled trials of its own Copilot for Security, Microsoft found that security professionals were an average of 22% faster across tasks when using Copilot. Further, it found that 97% of participants wanted to use Copilot the next time they completed the same task.

The opportunity is endless, but the execution must be grounded in the principle that AI will not replace human talent in the SOC—it will amplify it. This requires a thoughtful, user-friendly approach to integrating GenAI into existing workflows, as well as ensuring high levels of accuracy and transparency. SOC teams must have complete control when investigating, remediating, and bringing assets back online.

Moving AI forward in the SOC

In this rapidly evolving environment, a thoughtful, future-aware implementation strategy can help innovative security organizations confidently take advantage of today’s AI capabilities and lay the groundwork to seamlessly adopt tomorrow’s innovations.

An effective AI strategy will ideally identify and account for the highest risk areas, cybersecurity maturity, existing architecture and tools, and budgetary constraints among other factors. While implementation should be phased to minimize operational disruption, organizations must also consider how to ensure a wide breadth of XDR coverage to optimize their AI investments.

In addition, the most successful organizations will take a human-first approach to AI implementation that centers on the needs of analysts. AI’s impact in the SOC should also be tracked and measured to help refine use cases and maintain a positive user experience. For example, organizations can compare team metrics for the six months prior to using GenAI against the metrics for the first six months of full team usage. Top metrics to consider are mean time to respond (MTTR), incidents worked per day, and average incident resolution time.
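The before-and-after comparison described above is easy to get subtly wrong (mixing up time-to-respond with time-to-resolve, or dividing incident counts by the wrong number of days), so here is an added example, not from the original article or any vendor's product, that computes the three named metrics over two six-month windows. The incident schema (detected, first-response and resolution timestamps), the 2024-07-01 GenAI adoption date and all incident records are constructed for illustration; a real SOC would export the same fields from its case-management or XDR platform.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """One SOC case. Field names are an assumption for this example."""
    incident_id: str
    detected_at: datetime    # alert raised by the XDR platform
    responded_at: datetime   # first analyst action on the case
    resolved_at: datetime    # case closed

    def __post_init__(self):
        # Reject records that would silently skew the averages.
        if not (self.detected_at <= self.responded_at <= self.resolved_at):
            raise ValueError(f"{self.incident_id}: timestamps out of order")


def shift_months(d: datetime, months: int) -> datetime:
    """Move a first-of-month date by +/- N months (assumes d.day == 1)."""
    month_index = d.month - 1 + months
    return d.replace(year=d.year + month_index // 12, month=month_index % 12 + 1)


def window_metrics(incidents, start: datetime, end: datetime) -> dict:
    """MTTR, incidents per day and average resolution time for [start, end)."""
    in_window = [i for i in incidents if start <= i.detected_at < end]
    if not in_window:
        raise ValueError("no incidents in window")
    window_days = (end - start).days
    minutes = lambda delta: delta.total_seconds() / 60
    return {
        "incidents": len(in_window),
        "incidents_per_day": len(in_window) / window_days,
        # mean time to respond: detection -> first analyst action
        "mttr_minutes": mean(minutes(i.responded_at - i.detected_at) for i in in_window),
        # average resolution time: detection -> case closed
        "avg_resolution_minutes": mean(minutes(i.resolved_at - i.detected_at) for i in in_window),
    }


def compare_before_after(incidents, adoption: datetime) -> dict:
    """Six months before adoption versus the first six months after it."""
    before = window_metrics(incidents, shift_months(adoption, -6), adoption)
    after = window_metrics(incidents, adoption, shift_months(adoption, 6))
    tracked = ("mttr_minutes", "avg_resolution_minutes", "incidents_per_day")
    pct_change = {k: (after[k] - before[k]) / before[k] * 100 for k in tracked}
    return {"before": before, "after": after, "pct_change": pct_change}


def make_incident(incident_id, detected, respond_min, resolve_min) -> Incident:
    """Helper to build constructed sample records from minute offsets."""
    return Incident(incident_id, detected,
                    detected + timedelta(minutes=respond_min),
                    detected + timedelta(minutes=resolve_min))


# Constructed sample data: four cases before adoption, four after, one outside both windows.
ADOPTION = datetime(2024, 7, 1)
SAMPLE_INCIDENTS = [
    make_incident("INC-001", datetime(2024, 2, 10, 9), 30, 240),
    make_incident("INC-002", datetime(2024, 3, 15, 14), 50, 360),
    make_incident("INC-003", datetime(2024, 5, 2, 11), 40, 300),
    make_incident("INC-004", datetime(2024, 6, 28, 16), 60, 300),
    make_incident("INC-005", datetime(2024, 7, 3, 8), 20, 180),
    make_incident("INC-006", datetime(2024, 8, 20, 10), 30, 240),
    make_incident("INC-007", datetime(2024, 10, 11, 13), 25, 210),
    make_incident("INC-008", datetime(2024, 12, 30, 17), 25, 170),
    make_incident("INC-009", datetime(2025, 2, 1, 9), 15, 120),  # ignored: after the window
]

if __name__ == "__main__":
    report = compare_before_after(SAMPLE_INCIDENTS, ADOPTION)
    for phase in ("before", "after"):
        print(phase, {k: round(v, 2) for k, v in report[phase].items()})
    print("change %", {k: round(v, 1) for k, v in report["pct_change"].items()})
```

Keeping the windows anchored on detection time (rather than on resolution time) is deliberate: an incident that was detected before adoption but closed afterwards still belongs to the "before" cohort, otherwise the post-adoption numbers inherit the tail of the slowest pre-adoption cases.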

AI is already transforming how knowledge workers around the world tackle their to-do lists. It is no surprise to see cybersecurity professionals take notice, especially those in the SOC where ingesting, analyzing, and reporting information is a big part of the daily workflow. But the fast pace of AI development and adoption can make it difficult to discern what is just marketing from what can offer tangible improvement to your cybersecurity defense. This challenge is unlikely to fade in the near-term, but rest assured that grounding AI strategy in a deep understanding of the needs of your security team is a good place to start.
