In a recent CRA webcast, Enterprise Security Weekly host Adrian Sanabria and Palo Alto Networks Solution Strategy Architect Dan Brostron explored one of the defining challenges facing modern security operations centers (SOCs): how to respond to AI-driven threats at machine speed without disrupting legitimate business activity. Their conversation focused on the growing gap between increasingly automated attackers and security teams that must balance rapid response with operational continuity.

While artificial intelligence is accelerating attacks, Brostron and Sanabria agreed that speed alone is not the top problem. After all, long before AI, attackers relied on automation, scripts, and well-established techniques such as credential theft, privilege escalation, and lateral movement. The real challenge for defenders today is making accurate decisions quickly enough to contain threats without unnecessarily isolating users or shutting down business processes.

One ongoing development is the evolution from blunt-force incident response to more granular, risk-based, "surgical privilege" controls. Brostron argued that traditional responses such as quarantining endpoints or disabling accounts can be highly disruptive when detections prove incorrect. Instead, he said, modern SOCs should use automated playbooks that reduce privileges, require step-up authentication, or place endpoints into controlled "risk states" while analysts investigate. This approach, which Brostron said is practiced by Palo Alto Networks' Cortex EDR and the associated Idira Endpoint Privilege Manager, lets defenders mitigate the attack without immediately halting business operations.

"We don't have to fully quarantine the box right away," Brostron explained. "Reducing the risk gives that response technician the ability to investigate while stopping the bleeding."

Least-privilege policies and application control are important preventive measures, Sanabria and Brostron said. Rather than granting users broad administrative rights and attempting to monitor everything afterward, organizations should minimize privileges by default and require additional authentication when elevated access is needed. Brostron noted that even if users temporarily receive elevated rights through just-in-time access mechanisms, automated playbooks can rapidly revoke those privileges when suspicious activity is detected. This capability creates a more resilient environment in which attacks are less likely to succeed even if credentials are compromised.

Another significant topic was reducing the attack surface. Both speakers argued that organizations often permit unnecessary software, tools, and privileges that create opportunities for attackers. Standardizing applications, eliminating redundant software, and restricting the execution of unapproved programs can dramatically reduce risk.

"The less amount of titles we have executing on the endpoint, the more we're lowering the attack surface," Brostron said.

The speakers pointed to common examples such as unauthorized remote-access tools, alternative PDF readers and web browsers, and unapproved software downloads, all of which can increase exposure without providing meaningful business value.

The conversation also addressed how security teams should think about detection engineering. Rather than creating endless alerts, SOC analysts should focus on breaking common attack chains. Examples that Brostron and Sanabria cited included preventing browsers from launching PowerShell, blocking Microsoft Office applications from spawning command shells, and restricting content-handling applications from executing scripts. These controls directly target the techniques attackers repeatedly use to gain persistence and move laterally.

"We break those common attack vectors just through the simple logic," said Brostron. "We don't allow content handlers to use shells."

Ultimately, Brostron and Sanabria agreed that effective SOC operations require a combination of prevention, automation, and intelligent response. Organizations should not simply react faster; they should create environments where attacks encounter friction at every stage. By reducing privileges, minimizing attack surfaces, automating risk-based playbooks, and focusing on common attack paths, the two concurred, defenders can slow down attackers and create more opportunities for detection and response.

In an era of increasingly automated threats, the most successful SOCs will be those that combine speed with precision rather than relying on disruptive, all-or-nothing defensive actions.
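The two ideas above, breaking the "content handler spawns a shell" chain and answering a hit with a graduated response instead of an immediate quarantine, can be shown together in a small playbook. The code below is an added illustration written for this page, not code from the webcast or from any Palo Alto Networks product. It assumes process-creation events in the usual EDR/Sysmon shape (parent image, image, command line); the executable names, the three response tiers, and the sample events are constructed for the example.

```python
"""Added example: detect content handlers spawning shells, then respond in
graduated steps (reduce privileges, risk state, quarantine) per host.

Everything here (executable lists, response tiers, sample events) is
constructed for illustration; it is not a vendor rule set.
"""
from collections import Counter
from dataclasses import dataclass

# Content-handling applications that should never be the direct parent of a
# shell or script host. Lower-case basenames; illustrative, not exhaustive.
CONTENT_HANDLERS = {
    "chrome.exe", "msedge.exe", "firefox.exe",                  # browsers
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",  # Office
    "acrord32.exe", "acrobat.exe",                              # PDF readers
}

# Shells and script hosts whose launch from a content handler we treat as a hit.
SHELLS_AND_SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Least disruptive first; escalate only as hits accumulate on the same host.
ACTIONS = (
    "revoke_jit_elevation_and_require_step_up_auth",  # 1st hit
    "place_endpoint_in_risk_state",                    # 2nd hit
    "quarantine_endpoint",                             # 3rd hit and later
)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str = ""


def basename(path: str) -> str:
    """Normalise a Windows or POSIX path to a lower-case executable name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_content_handler_spawning_shell(ev: ProcessEvent) -> bool:
    """Detection rule: a content handler is the direct parent of a shell."""
    return (basename(ev.parent_image) in CONTENT_HANDLERS
            and basename(ev.image) in SHELLS_AND_SCRIPT_HOSTS)


def choose_action(hits_on_host: int) -> str:
    """Map the running hit count for a host to the least disruptive action."""
    return ACTIONS[min(hits_on_host, len(ACTIONS)) - 1]


def run_playbook(events):
    """Return (host, user, parent, child, action) for every rule hit, in order."""
    hits_per_host = Counter()
    decisions = []
    for ev in events:
        if not is_content_handler_spawning_shell(ev):
            continue  # benign parent/child pair, no alert, no action
        hits_per_host[ev.host] += 1
        decisions.append((ev.host, ev.user, basename(ev.parent_image),
                          basename(ev.image), choose_action(hits_per_host[ev.host])))
    return decisions


# Constructed sample events: mixed benign and suspicious process launches.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", "alice", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent("ws-01", "alice", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c start update.vbs"),
    ProcessEvent("ws-01", "alice", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop -w hidden"),
    ProcessEvent("ws-02", "bob", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # benign parent
    ProcessEvent("ws-02", "bob", r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                 r"C:\Windows\System32\wscript.exe", "wscript.exe invoice.js"),
    ProcessEvent("ws-01", "alice", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for decision in run_playbook(SAMPLE_EVENTS):
        print(decision)
```

Note that the first hit on a host never isolates anything: it only pulls back elevated rights and forces re-authentication, which is the "stop the bleeding while you investigate" step the speakers describe. The explicit allow-by-parent logic also means a PowerShell launch from a service host, a common administrative pattern, produces no alert at all, which is the point of targeting the chain rather than the tool.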
SOC, Incident Response, AI/ML
Stay ahead in the SOC: Contain threats with confidence and control