AI benefits/risks

Three ways to create a SOC powered by AI

The security operations center (SOC) plays one of the most important roles in the organization: safeguarding the business against an endless flow of evolving threats. Yet, despite the significance of this function, a SOC professional’s job only gets harder every day.

Multiple factors contribute to this complexity: the rising sophistication of attack tactics, budget cuts, and the narrowing skills gap in our field. The result has been that SOC productivity has taken a hit over the last couple years.

Despite all these challenges, a high-performing SOC has become crucial for the health of any organization, which means new approaches are needed to help them regain their productivity. And in the year ahead, I expect that SOC teams will lean into AI and automation more than ever.

AI and automation aren’t new concepts. Security teams have been deploying these technologies as ancillary tools within their SOCs for years. The difference now: AI has improved at an exponential rate – just look at how transformative generative AI became in the last year alone, creating new use cases and opportunities for streamlining security operations. In 2024, the SOCs that lead with an AI-powered strategy will secure their organizations against the modern threat landscape.

Why it’s time to bring AI into the SOC

We know that cybercriminals are savvy and are continuously shifting their tactics to evade detection by security teams. But last year, threat actors got a major leg up with the commercialization of generative AI. Tools like ChatGPT made it even easier for cybercriminals to launch advanced attacks, including email attacks like business email compromise and vendor fraud.

Our research from last year showed that 98% of cybersecurity leaders are concerned about the cybersecurity risks posed by ChatGPT, Google Bard, WormGPT, and similar tools—especially around how generative AI could help attackers create highly precise and personalized email attacks based on publicly available information. As these attacks become increasingly difficult to distinguish and detect, even by secure email gateways, SOC teams will have their hands full with a growing load of incidents to identify, investigate, and remediate.

Another motivation for amping the use of AI in the SOC has been caused by the increasing demand for skilled cybersecurity professionals. The U.S. Bureau of Labor Statistics predicts the cybersecurity field will grow by 32% through 2032, a rate “much faster than average,” with no signs of slowing. This scenario gets complicated by the fact that there’s also a skills shortage that’s persisting across the industry—not to mention, many companies were forced to shrink their security teams over the last year due to budget constraints.

Until the cyber workforce stabilizes, organizations will need to bolster their lean teams with products that promote efficiency, are easy to maintain, can lower overhead, and don't require significant upskilling, which will turn a lot of security teams towards tooling that leverages AI.

Use cases for AI in the SOC

AI-driven algorithms can analyze vast amounts of data in real time, identifying patterns and anomalies that might go unnoticed by human analysts. AI goes hand in hand with automation—in this case, streamlining repetitive tasks to let SOC teams focus on the more complex aspects of threat detection and response.

So, where’s the best place to start with AI in your SOC? There are a few different areas of the SOC’s scope that could see quick productivity gains through the use of AI:

  • Detect social engineering threats across SaaS applications. Use behavioral AI to learn typical user behaviors across email and collaboration apps – like their login and device usage patterns, how they typically write their messages, or who they ordinarily interact with. Teams can establish a baseline of known behaviors and flag up deviations signaling a potential attack. This helps overcome the limitations of many traditional security solutions that rely on detecting known indicators of compromise – something many attackers have learned to omit through social engineering techniques.
  • Sift through user-reported phishing emails. Manually triaging user-reported phishing emails can consume hours of skilled analyst time, even though the majority of user-reported phishing emails are ultimately deemed safe. Using automation to inspect and evaluate user-reported emails (and to automatically remove emails deemed a legitimate threat) can accelerate this workflow and free up SOC analyst time for more strategic tasks.

  • Identify configuration drifts. As attackers increasingly exploit misconfigurations across the cloud email environment, many security teams struggle with gaps in visibility and the time-consuming manual efforts to address those misconfigurations that can be identified. By mapping against profiles of each vendor, third-party application, employee, and email tenant in your organization’s cloud environment, AI can help security teams understand and take action on risky configuration gaps and drifts—including privilege escalations and new third-party app integrations.

These are just a few areas where applying AI and automation can empower the SOC to focus on higher-priority tasks, like investigating high fidelity alerts or threat hunting. It can make a substantial difference in how a SOC tackles today’s dynamic and complex threat landscape.

Whenever there’s discussion about using AI and automation to improve efficiency, a natural curiosity arises around whether AI will start to replace human workers – in this case, cybersecurity practitioners. 

While AI can automate the correlation of data events, and even triage those events, we still need human beings to make the cognitive leaps required to accurately analyze anomalous activity. Ultimately, AI and automation may shrink the amount of manual tasks in the SOC, which could lead to certain types of security roles being transformed. We may even see the elimination of low-level roles like Tier 1 SOC analysts. But by increasing overall efficiency, whether for initial threat detection, investigations, or response, we’ll have a greater capacity to combat threats more strategically – and that’s good for the people currently in these roles, the candidates seeking these roles, as well as the organizations these roles protect.

Mike Britton, chief information security officer, Abnormal Security

Mike Britton

Mike Britton, chief information officer at Abnormal Security, leads the company’s information security and privacy programs. Mike builds and maintains Abnormal Security’s customer trust program, performing vendor risk analysis, and protecting the workforce with proactive monitoring of the multi-cloud infrastructure. Mike brings 25 years of information security, privacy, compliance, and IT experience from multiple Fortune 500 global companies.

LinkedIn: https://www.linkedin.com/in/mrbritton/

X: https://twitter.com/AbnormalSec

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds