AI / Machine Learning
-
December 3, 2021

Artificial Intelligence & its impact on the SOC (Security Operations Center)

Cyberattacks are now everyday occurrences where businesses are being hit with thousands and often millions of Personal Identifiable Information (PII) records being compromised and stolen.  

One of the possible solutions to mitigate this is through the use of automated tools, with artificial intelligence (AI) being a prime example. We've previously looked at how AI works, and here we will provide an overview of its effective impact on security operations centers.  

How AI impacts Security Operation Centers

It is the SOC where an entire cybersecurity threat landscape is monitored on a 24/7 x 365 basis, and where any attack vectors can be countered and mitigated.  

As sophisticated as it sounds, SOCs are faced with one big problem: the IT security staff that mans this fortress are often overworked and fatigued with having to keep track of everything, especially constant daily warnings.

Security hacker
Security hacker

This struggle also derives from the lack of cybersecurity workers in the job market today. This is highlighted in a recent study showing the average cost of security breaches rising from $3.62 to $3.86 million, a 6.4% increase.  

This report also showed that 30% of IT security teams ignored the bulk of the warnings they received, while 4% of them turned off their notifications altogether. Equally as alarming, 56% of the IT security teams ignored any type of alert based on their experiences of dealing with false positives.

These findings paint a worrying picture for the SOC and display a trend that is now becoming known as “Alert Fatigue”. This is where the use of AI can make a most positive impact on SOCs in the following areas:

1. AI can automate incident analysis

For every alert and warning that comes in, the SOC must sort through each one and label them based on their level of threat i.e. High”, “Medium”, or “Low”. The highest-ranked levels will get first priority. 

As touched on, because of the sheer amount of daily alerts, it is near impossible and costly for IT security teams to go through this regularly. This is where effective AI systems can help as they can quickly learn what alerts are legit.

2. AI can augment existing staff

The possibility of AI systems eventually replacing IT security teams can translate into fear of job loss. But this is not a foregone conclusion as AI tools are not perfect, and it remains to be seen if they can eventually 100% mirror humans.

But, AI can be used to supplement existing teams, especially with the aforementioned cybersecurity labor crunch. An effective AI system can instantly find any common denominators that exist in alerts, and provide alternatives and suggestions in minutes.

AI technology
AI technology

3. AI can reduce dwell time

Dwell Time is not a popular metric for a lot of IT security teams. It reflects the time that a threat actor has gained covert and unauthorized access to a particular IT asset until they are noticed and purged. A study by Mandiant shows the average dwell time is 101 days.  

This amount of time can lead to all sorts of damage occurring. In this aspect, a specially trained AI system can greatly help in the automation of threat hunting exercises to help reduce this dwell time period.

What to take away

This article provided a general sense of the benefits of artificial intelligence, and the three key areas it can be used in the Security Operations Center. But there are other potential uses for AI, especially when it comes to:

  • The analysis of network traffic on a real time basis, in order to filter and discard any malicious data packets that may be present;
  • The analysis of source code in order to quickly detect any backdoors that have not been shut down yet;
  • Further augment the tools that are used in endpoint security;
  • Model end user behavior to determine any profiles that can be deemed as anomalous or malicious. The outputs gained here can be used to portray a more accurate picture of the future cyber threat landscape.