AI: End of the SOC as We Know It vs. A SOC That's Staying Put

Written by

Carsten Maple argues that tech advances will lead to the end of the current SOC, while Milad Aslaner counters that the SOC will become more relevant than ever.

Carsten Maple, Professor of Cyber Systems Engineering, University of Warwick's Cyber Security Centre (CSC) and fellow at the Alan Turing Institute
Carsten Maple, Professor of Cyber Systems Engineering, University of Warwick's Cyber Security Centre (CSC) and fellow at the Alan Turing Institute

End of the Soc as We Know It

Security operations centers (SOCs) are becoming increasingly important as organizations aim to mitigate an exponential increase in attacks. Statista forecast that the total addressable market for the SOC will amount to $45bn by 2024 (up from $25bn in 2020). However, for several reasons, the SOC as we know it cannot survive in the age of advanced artificial intelligence and machine learning (AI/ML).

The first SOCs were deployed in the mid-1970s by governments and large defense organizations. Today they are used in a vast array of sectors, including automotive manufacturers and the entertainment sector, and operated in-house or by third parties as virtual SOCs. Much smaller companies also used these latter incarnations.

SOCs have changed considerably, particularly in the last 20 years, having responded to increasingly complex attacks launched by an increasingly diverse set of actors from all parts of the world. As such, the requirements of SOCs have changed – needing to detect and respond to viruses and attacks launched throughout the internet, handling the actions of bot armies and adapting to advanced persistent threats (APTs). This has led to SOCs gathering and analyzing vast amounts of data and intelligence to detect, understand and respond to increasingly frequent attacks.

The current cyber battlefield is enormous and complex. In a world with billions of connected devices, supported through a largely unregulated internet of things (IoT) ecosystem, the perimeter for an organization is porous – if indeed it can be defined. The availability of low-cost compute and attack launch facilities has made the job of cyber-attackers much easier. We also see AI and ML used in cyber-attack campaigns. While AI has been used to modify and enhance malware so that it can evade detection and withstand security defenses, ML is being used to identify and analyze vulnerabilities in networks across the world.

A SOC is considered to have three core elements:

  1. People (including analysts, engineers and architects)
  2. Tools and data for security operations, including threat intelligence
  3. Processes and methodologies  for identifying and responding to cyber-attacks

These elements combine to create a capability to monitor, analyze and triage events and lastly, create a response. Given the volumes of data being generated by modern networked systems, the role of the SIEM in filtering and providing basic analysis of event data is well-established. Automation is also increasingly used in the gathering and early analysis of threat intelligence. However, unless automation, AI and ML are more widely utilized in future SOCs, they will simply not be able to respond to the volume of cyber-attacks. For example, the FBI states that there are more than 4000 ransomware attacks taking place each day and Web Arx Security estimates 300,000 new pieces of malware are created daily. These trends require an overhaul of the role of personnel and procedures to accommodate changes in AI and ML technology.

While AI has been increasingly used to identify cyber-threats and attacks, and features in the analysis elements of a modern SOC, it has yet to be used to any significant extent in response to cyber-attacks. Until now, cyber-defense responses have been largely undertaken by security operations staff. However, given the changes in the attack environment, such restricted use of AI will have to be relaxed. There are, and will increasingly be, too many attacks needing response for human-initiated responses to be sufficient.

AI will allow faster and more accurate analysis of events to provide actionable information to operators. Rather than the operator considering all of the information and triage cases, technology supported by reinforcement learning can learn from the operator’s actions and prioritize cases. The operator only needs to confirm the suggested ordering.

With all these changes, new procedures will be required as people’s roles in the SOC change. People and processes will be needed, not to undertake the operations, but rather to oversee, audit and generally govern the actions of automated agents charged with securing a system and ensuring its resilience. Thus, while the future will see the end of the current SOC, it will usher in intelligent cyber-resilience centers that are much more suitable for the emerging environment.


Milad Aslaner, senior director of cyber defense strategy, SentinelOne
Milad Aslaner, senior director of cyber defense strategy, SentinelOne

A SOC That's Staying Put

There are several challenges facing the modern security operations center (SOC). A constantly evolving threat landscape requires a proactive security posture across an entire organization. However, the volume of security alerts has doubled in the last five years, and a typical enterprise can no longer get to every new security alert within 24 hours of detection. Often, SOC analysts are facing alert fatigue and are at high risk of burnout. In addition, SOC teams are finding it too difficult to fight through the white noise and identify threats. There are too many indicators of compromise (IOCs) to track, too much internal traffic to compare against IOCs, too many false positives and a lack of internal resources to tackle the overwhelming amount of information from a vast range of endpoints.

Key performance indicators that inform a SOC’s effectiveness are nearly all to do with time: detection time; time from discovery to remediation; the time between threats and incidents and so on. Proactive protection necessitates an always-on approach to detection and response, but humans don’t work that way. This is where machine learning and automation can step in to help. 

Unburdening the SOC

While it is true that today without artificial intelligence (AI) and automation incorporated into its cybersecurity strategy, a SOC can no longer operate as effectively, this doesn’t mean this function can, or should, be entirely replaced by advanced technologies. Instead, AI accelerates the process and fills the gaps, enhancing the overall efficacy of the SOC. Even if an organization has an unlimited cybersecurity budget, the reality is that with a skills gap that continues to widen, there isn’t enough talent to solve this problem by simply hiring more analysts. Instead, companies have to become smarter and more efficient with the resources at hand. 

An AI-powered autonomous platform can support a SOC team in the same way as adding dozens of new colleagues. The technology can constantly monitor every endpoint and automatically detect and block threats in real-time, relieving the pressure on analysts to track every IOC. Crucially, it also provides enriched intelligence ready to be analyzed and acted upon. Automatic real-time threat modeling, incident correlation and tactics, techniques and procedures (TTP) analysis immediately deliver the complete context of an attack or potential attack to the SOC, accelerating the investigation process. Meanwhile, this holistic picture of the detection and response process simultaneously democratizes the data across the SOC and the organization. Further, it helps to unify security operations management and mitigate the chances of human error.

Automated Attack Mitigation and Forensic Investigation

An organization’s incident response process includes automatic attack mitigation processes and forensic investigation to operate effectively. Forensic investigation is where SOC teams come into their own and prove how vital they are in an organization’s overall cybersecurity strength. Unburdened by the threat hunting problem thanks to automated detection and response, analysts are freed up to perform complex analysis. It also allows them to use their in-depth expertise in areas such as digital forensics, proactive threat hunting and activities like red vs. blue teaming that help them increase security maturity.

Too often, we see SOC teams prioritizing responding to cyber-threats but then not having the time to carry out an effective post-mortem analysis. AI can allow analysts to actively search for vulnerabilities and patch them before adversaries have a chance to spot and exploit them. Incorporating machine learning finally allows the SOC team to transcend the tedious ‘whack-a-mole’ dynamic of cybersecurity and prevent potential attacks before they can occur.

The Modern SOC Won’t Be Redundant

The primary function of the SOC is not only to investigate active cyber-threats and respond to them, but also to be actively on the lookout for any potentially suspicious activity. As organizations start to adopt AI-powered autonomous platforms, SOC teams can shift focus to proactive threat hunting exercises. In the past, cybersecurity platforms could only perform a ‘just-in-time’ sweep of the environment. Moreover, by using AI-powered autonomous platforms, SOC analysts can create custom detection logics and, crucially, define how AI should respond to specific cyber-threats. This allows the SOC team to maintain good technology interoperability and ensure it is constantly evolving alongside sophisticated adversary techniques.

The SOC and the technology it implements must evolve together to tackle threats today, but neither can work effectively without the other. A centralized, AI-powered autonomous platform in which all events from various security components across an organization are being processed will bring huge benefits to an organization. This includes accelerating preventative protection, triggering remediation in real-time and enabling SOC analysts to use their valuable skills for proactive forensic investigation. In this way, the technology should not replace the SOC, but enhance centralized human-powered cybersecurity to render it superhuman.

What’s hot on Infosecurity Magazine?