The future of SOC automation is here. Salem, your future AI analyst, will be a virtual member of your SOC, investigating thousands of alerts that your SOC doesn’t have capacity to investigate today.
Cyber detection products and services use automation to identify possible threats, but they struggle to determine relevance in the context of your organization. They also produce an overwhelming number of alerts that must be investigated, many of which are false positives or simply not relevant to the organization. According to a survey by SecurityResponse, organizations employ an average of 45 security tools, producing an average of 11,000 escalated alerts per day, half of which are false positives.
People make great cyber analysts because they can apply both industry and institutional knowledge, yet they lack the bandwidth to keep up with the volume and speed of automated threat detections. According to a report by IDC, 23% of alerts at companies with 5,000+ employees, 30% of alerts at companies with 1,500-4,999 employees and 27% of alerts at companies with 500-1,499 employees are ignored or not investigated because of budget or bandwidth constraints. Ultimately, you must either accept the risk of not investigating everything your tools detect, or add a SOC automation tool, like Salem, to sift through the noise and escalate real threats.
People will always be your most important asset
As every book on business and management will affirm: people are your most important assets. So before doing anything else:
- Hire as many great SOC analysts as you can. Their value to your organization can’t be overstated. Hiring Salem allows these analysts to focus their time on high-value work instead of mundane tasks that can be automated.
- Listen to what your SOC analysts have to say. These are the people who understand the ground truth of what can happen with your technology and data.
- Understand that AI can only go so far. A great analyst will be able to provide the context necessary to allow your AI to be consistently successful.
Why you are skeptical of cyber AI
Earlier, underwhelming AI technology probably had industry knowledge of what a cyber threat or anomalous activity looks like, but struggled to understand the institutional relevance of what it observed. Imperfect reasoning, slow processing of requests and high costs have further slowed acceptance of AI cyber technology.
Newer security services have started to overcome this challenge by integrating deeply with the specific technologies they monitor. For example, a provider that is integrated with an endpoint agent gains access to some of your institutional knowledge. Unfortunately, that value is limited to a narrow set of use cases.
Why you need an AI SOC analyst
Your detection technology can produce an overwhelming number of cyber alerts that should be investigated, but only a few actually matter. People don’t operate at machine speed and can’t keep pace with the volume and velocity of automated detection, regardless of how large you grow the team. You need an AI SOC analyst that operates 24/7, extends your team’s coverage and escalates immediately when a threat is found.
How you will use an AI SOC analyst
Your AI SOC analyst will build a connection to your people. Remember, your SOC is the team of people who know your technology and data systems. Like any new team member, your AI SOC analyst learns on the job by asking questions and accepting feedback, and so learns the context of your unique operating environment.
Your AI SOC analyst connects to the same alert aggregators your team uses today, such as Splunk, JIRA or ServiceNow. You’ll task it with analyzing alerts of every severity, while your people narrow their focus to higher-value work. It performs investigations at the pace of your automated detections and reports back the handful of alerts most likely to represent real cyber threats.
By prioritizing a people-centric integration, your AI SOC analyst won’t be beholden to a niche technology integration. It will draw on the same breadth of institutional knowledge your team has today and continue to learn alongside your team. Finally, future analysts will learn about your organization from your AI SOC analyst, accelerating their integration into your team.