
Essential Guide: AI and the SOC—5 key takeaways for SecOps teams

Christopher Null, Freelance writer

Artificial Intelligence (AI) and advanced analytics-specific tools are a critical part of the changing tech landscape. TechBeacon's Special Report, an Essential Guide to AI in the SOC, is full of insights about how AI can strengthen your SOC’s efforts—and what you should consider before implementing AI-enabled tools.

The report explains why AI is critical, looks at key trends in AI and how it's being applied to Security Operations (SecOps) teams, and provides best practices for considering AI-powered tools for your SOC.

Here are five key takeaways your SecOps team should understand about AI in the SOC.

1. AI is essential for shifting the balance of power back to the good guys

SOCs are facing a perfect storm. They’re being asked to defend an expanding attack surface at the same time that cybersecurity threats are growing more sophisticated and automated. But as SOCs adopt a growing array of often disjointed security tools that spit out a barrage of alerts, it's becoming harder to monitor all the data these environments generate.

Add in the fact that 40,000 US cybersecurity jobs go unfilled each year due to a lack of qualified candidates, and it's easy to see that SOCs face an uphill battle, Mario Daigle, VP of products at Micro Focus Interset, said in the report.

"It's guaranteed someone is going to find a way in. When they do, your only hope is having machines help your humans be more efficient; otherwise, you're not going to find them."
Mario Daigle

2. AI isn't a single technology

It's a mistake to think of AI as one tool you can apply uniformly across the SOC. There are many different technologies under the AI umbrella, each replicating a different aspect of human intelligence.

Natural-language processing (NLP), for example, allows computers to understand and interpret human languages, while pattern recognition allows them to identify groups of similar objects. Machine learning (ML), which can autonomously process and learn from high volumes of data, currently has the strongest foothold in security, but there are subtypes to ML, as well.

Security analysts don't necessarily need to be AI experts, said Daniel Kennedy, research director of information security and networking at 451 Research. They should, however, be sufficiently aware of AI techniques to understand the benefits being provided and to be able to distinguish them from other existing approaches.

3. You need different approaches to defend against a variety of threats

Different types of AI are better suited for detecting different security events. ML drives popular security applications such as malware detection via entity and user behavior analytics (EUBA), and it's what most SOC team members think of as AI, Interset CTO Stephan Jou said in the report.

But the capabilities of AI go well beyond just identifying and learning patterns, he said. NLP, for example, may also soon be used to help threat hunters investigate suspicious activity in their environment.

"The threat hunter has made a hypothesis in his head, then he's having a dialogue with the data he has around him to try and figure out what might be happening in the organization. I would love for that dialogue to be a much more natural interface, almost like a conversation with the data as opposed to building a query syntax."
Stephan Jou

4. AI should replace tasks, not people

AI supports, rather than replaces, human analysts, and it allows the SOC to reallocate resources. It can take over monitoring and prioritizing security alerts, for example, allowing the Tier 1 analyst normally responsible for those duties to move into Tier 2 roles, such as incident analysis and response.

In effect, this increases the security team's capabilities without inflating its budget, an important consideration given that cost-cutting will be on the table for many enterprises in the coming year.

The idea that ML techniques, or even automation, will result in a lowering of people costs is too superficial a view on the way these teams actually function and the challenges they're facing, 451's Kennedy said.

"It takes additional project time to implement more advanced ways of doing things in the short term, and the resulting efficiencies allow security operations folks to concentrate on higher-level tasks in the SOC."
Daniel Kennedy

5. You have to identify your problem before you look for an AI solution

While there are many things to consider when looking for AI tools, the starting point should always be the problems you want to solve. Malware issues will warrant a different solution than employees stealing data. Trying to fix a problem with the wrong tool will waste resources and time and likely leave you with a bigger problem than you started with.

"When I talk to SOC team members, I start by asking, 'What are you most concerned about right now? What are you being asked to report to the board?'" Jou said. Just start with the use case, and then everything flows from there. A lot of times, the solution isn't even the most sophisticated AI, he said.

"[The] best AI in the world doesn't matter if you're applying it in the wrong place."
Stephan Jou

Take a deeper dive with TechBeacon's Special Report, Essential Guide: AI and the SOC.
