How Has AI Revolutionized SOC?

The battle for artificial intelligence is underway in cybersecurity. Between cyberattackers and defenders in organizations, it is a question of who will best use AI technologies to carry out more targeted and sophisticated cyberattacks and better predict and react to attacks.

As everyone knows, the primary interest of AI is the ability to collect and process colossal and ever-increasing masses of data. AI helps automate and improve attacks for attackers, making defense increasingly complex. Fortunately, AI has also considerably enhanced the capabilities of defense services and, in particular, offers extraordinary perspectives to SOCs and security operational centers, whether internal to a company or managed, i.e., provided in service mode by an integrator or managed service provider (MSP).

The first revolution brought by AI in SOC is naturally the ability to automate the processing of a very large amount of data to considerably improve threat detection. This task is made much more difficult by the AI ​​techniques used by attackers and by the continued increase in attack surfaces within companies (through extended networks, the Cloud, IoT, mobility and teleworking, etc.).

What are the main fields covered by AI in SOC?

One of the first developments of AI and machine learning in cybersecurity a few years ago was the ability to create algorithms to analyze human behavior. Thus,  thanks to machine learning, so-called UBA or UEBA technologies  (User Behavior Analytics and User & Entity Behavior Analytic) could understand the functioning of an information system and detect all abnormal or unusual human behavior. Within this IS (in summary, anomaly detection). 

Today, this UBA technology has become a commodity and is integrated into most detection technologies.

More recently,  the appearance of Large Language Model (LLM) technologies, which gave rise to ChatGPT from OpenAI, Copilot from Microsoft, and even Google Bard, has revolutionized a whole part of cybersecurity, and in particular, three main fields valuable for analysis SOC: 

1– Natural Language Processing (NLP), or Natural Language Processing, simplifies query languages  ​​by offering the ability to process data in natural language. In the SOC, this allows analysts to avoid learning complex languages ​​(e.g., the Kusto query language (or KQL) from Microsoft, SPL from Splunk, etc.) to make queries, for example, in databases. Where the logs are consolidated.

2—Improving detection rules: Analysts know that creating effective detection rules that do not generate too many false positives is a complex and critical task. AI can now help write and improve these detection rules by making refinement recommendations, thus considerably increasing detection effectiveness.

3—The ability to handle incidents and increase the analyst’s value. LLM technologies are extraordinary aids in diagnosing alerts consistently and quickly and providing an alert score to define whether a threat is real or just a false positive. 

The AI-augmented analyst

This exceptional contribution of AI and LLM to analysts’ work also raises questions about the future of the analyst profession. We often hear that if AI is capable of detecting attacks alone and effectively, the analyst role will become obsolete. 

This is, in fact, already the case for the profession of level 1 analyst, which has already disappeared in certain so-called modern SOCs. However, AI ultimately covers and improves a scope that could be more attractive for professionals who suffer from a global shortage. On the contrary, automating the less noble part of the analyst’s job allows investigation teams to spend less time on “noise” to avoid “alert fatigue” and focus on tasks that provide much more value.

For example, we process nearly 900,000 security alerts within our managed SOC (for 30 clients over a quarter). Thanks to AI technologies and cutting-edge technologies from XDR and SOAR, the number of alerts requiring in-depth analysis is now only 17,000, then finally, 23 real incidents after requalification by level 2 analysts 3.

AI allows SOC to focus on support.

A good SOC must effectively prevent and detect attacks. However, the main added value of a SOC is, above all, its ability to investigate and remedy attacks. By relieving analysts of a large part of the detection work, AI allows them to concentrate on these qualitative tasks, which are valuable for the client and much more reliable than a machine. 

Indeed, the investigation requires in-depth investigative work that only a human can carry out because they have studied the attackers’ methods, will show intuition to trace the traces, get under the skin, and into the attacker’s psychology.

Better yet, in a modern SOC,  analysts can be more proactive and take the time to monitor – what we call hunting  – that is, to learn about the methods and groups of attackers. Their specific targets and clients analyze logs in depth to detect indicators of compromise and upstream attacks. 

Finally,  the remediation work is also based on people and strong interactions with the customer. Indeed, once the attack is isolated, the analysts will work with the client to implement all actions to restore and reconfigure the systems, recover data if it has been affected, and deploy countermeasures to mitigate the attack to future attacks.

The SOC has transformed, thanks to AI, to move from an operational center whose primary purpose is the continuous detection of threats to a center for monitoring and reacting to attacks. AI is not yet at risk of “killing” the managed SOC—quite the contrary. Thanks to AI, the modern SOC delivers a more human-focused service, supporting companies that need it to be reassured and better prepared in the face of more insistent cyberattacks that generate more and more damage. More considerable.

Also Read : Artificial Intelligence And NLP In The Legal Sector