In today’s digital lexicon, efficiency and automation are essentially the same thing. It’s hard to achieve one in a modern enterprise without getting the other.
As SOCs continue to face large-scale problems, made larger by AI-assisted attacks, the as-a-Service economy, polymorphic malware, and more, their odds of winning at risk whack-a-mole keep dropping. So they turn to automation for help. But there are problems there, too, and when automation gets tricky, teams usually struggle on with subpar outcomes, because it still beats doing everything by hand.
However, artificial intelligence (AI) and machine learning (ML), particularly Large Language Models (LLMs), are now stepping in to fill the rough spots that automation alone leaves behind, letting SOCs run the smooth operations they have always wanted. Here is how a modest AI/ML implementation can make a real difference in SOC productivity today.
Why Typical Automation Tools Fall Short for SOCs
We have to use the best tools at our disposal, and up until now those options have been SOAR platforms or homegrown products. Both work in part, but here is why they present long-term challenges.
- Integrations are trickier than they look | A product can accurately state that it integrates with your SOAR tool, but the reality is usually more nuanced. As Grant Oviatt, Head of Security Operations at Prophet Security, states, “Depending on your team skillset, the engineers responsible for building your integrations are likely not the same detection engineers responding to the investigations they produce. This forces your security engineers to pull away from security tasks and become pseudo-product managers to build requirements for the automation pipeline – which isn’t ideal for net productivity.” With an AI/ML-informed solution, integrations do not have to consume so much of the team's time.
- All hands on deck to improve and maintain | The point of automation is to give your SOCs more time, not less. While any automated solution ostensibly does more work faster than humans alone, these technological mammoths often require the whole team just to run or maintain. Bugs need to be fixed, updates installed, and improvements made. If you can spare the human resources and people hours, great. But with AI/ML, there could be a way to get even some of that back.
- Not welcoming to change | Once these systems are set up, you hope everything runs smoothly, because you just spent a lot of time establishing your rules and it will take just as long to adjust them to new inputs. What happens when a new alert type comes along? It is hard to keep up with the rate of change (especially when AI is making that pace faster and faster) when each adjustment requires bespoke tuning, new runbooks, and additional enrichments. It would be nice to have a system smart enough to account for that for you: comparing new inputs to old patterns and crafting corresponding investigations to match them.
How AI/ML Change the Game for SOC Efficiency
AI and LLMs (which are themselves a form of ML) can help alleviate these automation pain points and give SOCs the efficiency they thought they were getting all along. Here is how.
- Scale to new threats without downtime | With current automation tools, SOCs often need to build a playbook by hand for each variant of an investigation. With an LLM layered on top of traditional classifiers, variants of a known alert can be recognized and routed to the right investigation without a hand-built playbook for each one, and routine investigations that do not require expert oversight can be generated on the fly.
- Go beyond simple conditions | Modern LLMs let teams use a tool that can make more complex decisions. The traditional “if this, then that” conditions still apply, but they no longer bind the system to that single parameter. The more complex and nuanced the threat decisions an LLM can make well (and the more its decisions are logged and reviewable by analysts), the more SOCs can trust these solutions to take on the heavy lifting in their workloads.
- Find weaknesses faster | ML models can sift scanner output and telemetry for anomalies, outdated software, and application bugs faster than a team working through vulnerability-management findings by hand. More usefully, they can prioritize those weaknesses (often using context from AI-enhanced investigations) and tell your SOC where to focus first.
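The three points above (routing alert variants without a new playbook for each, keeping deterministic rules but not being bound by them, and escalating what the model cannot place) are illustrated by the following added example. It is not code from the original article or from any vendor's product; the alert titles, playbook names, and threshold are constructed for the demo, and the bag-of-words cosine similarity stands in for the ML/LLM classifier a real pipeline would call.

```python
"""Added example: rule-first triage with a similarity classifier as fallback.

Stage 1 is the brittle exact-match routing typical of hand-built playbooks.
Stage 2 is a tiny nearest-neighbour classifier (a stand-in for an ML/LLM
model) that routes unseen *variants* of known alerts, and escalates alerts
that resemble nothing the team has a playbook for.
All alert titles and playbook names below are constructed for this demo.
"""
import math
import re
from collections import Counter

# Constructed sample of alerts the team has already built playbooks for.
# In a real SOC these come from the SIEM/alert queue and the playbook catalogue.
KNOWN_ALERTS = [
    ("Suspicious PowerShell encoded command executed on host", "powershell-investigation"),
    ("powershell.exe -enc base64 payload observed", "powershell-investigation"),
    ("Multiple failed logins followed by success from new country", "credential-access-investigation"),
    ("Impossible travel sign-in for user", "credential-access-investigation"),
    ("Outbound connection to known C2 domain", "c2-beaconing-investigation"),
    ("Periodic DNS requests to newly registered domain", "c2-beaconing-investigation"),
]

# Stage 1: classic "if this, then that" routing, exact title -> playbook.
# Every new variant of an alert needs a new entry here; that is the
# maintenance burden described above.
STATIC_PLAYBOOKS = {title: playbook for title, playbook in KNOWN_ALERTS}


def route_by_rule(title):
    """Deterministic routing; returns None when no rule matches."""
    return STATIC_PLAYBOOKS.get(title)


# Stage 2: similarity classifier. Deliberately small stand-in for an ML or
# LLM-backed classifier: bag-of-words cosine similarity against known alerts.
TOKEN = re.compile(r"[a-z0-9]+")
STOPWORDS = {"a", "an", "the", "of", "on", "to", "for", "from", "by", "in", "and"}


def tokens(text):
    """Lower-cased word counts with stop words removed."""
    return Counter(t for t in TOKEN.findall(text.lower()) if t not in STOPWORDS)


def cosine(a, b):
    """Cosine similarity between two token Counters (0.0 when either is empty)."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def route_by_similarity(title, threshold=0.5):
    """Nearest-neighbour routing. Returns (playbook, confidence).

    playbook is None when nothing known is close enough, so the alert goes to
    an analyst instead of being forced into the wrong playbook. The threshold
    is a constructed value; a real deployment tunes it against analyst decisions.
    """
    query = tokens(title)
    best_playbook, best_score = None, 0.0
    for known_title, playbook in KNOWN_ALERTS:
        score = cosine(query, tokens(known_title))
        if score > best_score:
            best_playbook, best_score = playbook, score
    if best_score < threshold:
        return None, best_score
    return best_playbook, best_score


def triage(title):
    """Rules first (cheap and auditable), then the classifier, then a human."""
    playbook = route_by_rule(title)
    if playbook is not None:
        return {"playbook": playbook, "source": "rule", "confidence": 1.0}
    playbook, confidence = route_by_similarity(title)
    if playbook is not None:
        return {"playbook": playbook, "source": "model", "confidence": round(confidence, 2)}
    return {"playbook": None, "source": "analyst", "confidence": round(confidence, 2)}


if __name__ == "__main__":
    for alert in [
        "Outbound connection to known C2 domain",             # exact rule hit
        "Encoded PowerShell command executed on workstation",  # variant: rule misses, model routes it
        "Unusual volume of files copied to removable media",  # unknown: escalate to analyst
    ]:
        print(f"{alert!r:55} -> {triage(alert)}")
```

The order of the stages is the design point: deterministic rules keep handling what they already handle and remain fully explainable, the model only sees what falls through, and the threshold keeps it from silently mis-routing a genuinely new alert. A production pipeline would log each decision with its source and confidence so analysts can audit and retune the model stage.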
All of these enhancements contribute to the kinds of benefits security experts expected from AI as early as three years ago. According to research by Gartner, the main perceived benefits of AI were increased detection speed (74%), prediction capabilities (67%), and reduced errors (53%). These are all outcomes that AI-improved automation helps deliver to SOCs through more agile customization, more complex decision making, and a greater ability to detect malicious activity, known and novel alike.
A New Day for AI/ML
As noted in Dark Reading, “While security teams have historically been hesitant to use automation, AI enables a new level of fidelity that allows speed and efficiency without compromising accuracy.” As AI, ML, and specifically LLMs are increasingly put into the mix, not replacing automation but enhancing it, SOCs can begin to reap some of the benefits these technologies have always had to offer.
About the Author:
An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.