The challenges facing security operations center teams are real. The answer lies in artificial intelligence, which will supercharge SOC modernization efforts.

Cyberattacks are scaling up. That means security operations center (SOC) teams are overwhelmed by the volume of alerts they must analyze and by the task of sorting real threats from system noise. The good news? Artificial intelligence (AI) is poised to supercharge SOC modernization efforts with unprecedented automation, proactive threat detection, and relief for overstressed security teams.

The bad news is that AI is going to find its way into the hands of attackers. Britain’s GCHQ spy agency recently warned that AI would lead to an increase in cyberattacks and lower the barriers to entry for less sophisticated attackers.

Shailesh Rao, president of Cortex at Palo Alto Networks, says that “the pace and scale of attacks is just mind-boggling.” Two years ago, the company was analyzing approximately a billion events and 20,000 alerts daily, he says, but that has increased to 36 billion events daily.

Not surprisingly, Foundry’s Security Priorities Study 2023 found that “88% of security leaders believe their organizations are falling short when it comes to addressing cyber risk.” They aim to address the challenges by increasing spending, investing in new technology, and adopting AI.

Palo Alto Networks has been investing heavily in AI to address this problem and achieve better security outcomes. Its SOC team has been able to handle billions of events per day without any staffing increase, and to drive mean time to detect down from one day to 10 seconds, thanks to its AI-driven security operations platform, Cortex XSIAM.

Analytics and Data

Cybersecurity is primarily an analytics and data problem, says Rao. “If I can analyze every piece of data I have and compare it against what I know is bad and look for anything that doesn’t fit a known pattern, I can detect a new attack that might be in progress,” he notes.
But there is simply too much data for SOC teams to keep up with. “We’re talking terabytes or petabytes of data on a daily basis, and the only way you can analyze that effectively is using the latest advances in AI and machine learning to crunch through all that data,” Rao adds.

In many SOCs, he says, teams are overwhelmed by the need to look for patterns outside the norm in large volumes of data. “This is what machines are supposed to do. Those teams don’t have the time to look at everything, and so they create manual rules to search for the proverbial needle in a haystack. But these rules only work for what’s known today – not tomorrow. This is why we want SOC teams to be defenders, not detectors.”

Addressing this data problem, Cortex XSIAM analytics provide technique-based intelligence, allowing large volumes of data and alerts to be stitched and grouped into a smaller number of incidents. These incidents are fully enriched with relevant context and are either resolved with automation or presented to an analyst with an appropriate severity classification (critical, high, low, etc.) and recommended actions.

In an environment where AI washing of software is rampant, Rao says the biggest adoption risk is that SOCs will “start using AI tools that aren’t truly vetted for solving a problem that requires a high degree of precision.” The good news is that precision is attainable when organizations have the right data and technology powering their team.
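As an added illustration of the alert stitching described above (this is not Cortex XSIAM's own logic; the hosts, users, technique labels and the 30-minute linking window are constructed assumptions), the Python below links alerts that share a host or user within a time window into incidents, gives each incident the highest member severity, and routes low-only incidents to automation while the rest go to an analyst:

```python
# Added example of alert-to-incident stitching; not Cortex XSIAM's own logic.
# Alerts sharing a host or user within a time window are linked (transitively)
# into one incident, which inherits the highest member severity.
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
WINDOW = timedelta(minutes=30)  # assumed linking window, not a product setting
# Constructed sample alerts: hypothetical hosts, users and technique labels.
ALERTS = [
    {"id": 1, "ts": "2024-06-01T09:00:00", "host": "ws-17", "user": "alice", "technique": "phishing_attachment", "severity": "low"},
    {"id": 2, "ts": "2024-06-01T09:04:00", "host": "ws-17", "user": "alice", "technique": "office_spawns_shell", "severity": "medium"},
    {"id": 3, "ts": "2024-06-01T09:09:00", "host": "ws-17", "user": "alice", "technique": "credential_dump", "severity": "high"},
    {"id": 4, "ts": "2024-06-01T09:20:00", "host": "srv-db1", "user": "alice", "technique": "lateral_rdp", "severity": "high"},
    {"id": 5, "ts": "2024-06-01T13:00:00", "host": "ws-42", "user": "bob", "technique": "port_scan", "severity": "low"},
    {"id": 6, "ts": "2024-06-01T17:30:00", "host": "ws-17", "user": "carol", "technique": "failed_logon_burst", "severity": "low"},
]

def _find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def stitch_incidents(alerts, window=WINDOW):
    """Collapse raw alerts into incidents and rank them by severity."""
    alerts = sorted(alerts, key=lambda a: a["ts"])
    parent = {a["id"]: a["id"] for a in alerts}
    for i, a in enumerate(alerts):
        t_a = datetime.fromisoformat(a["ts"])
        for b in alerts[:i]:  # compare against earlier alerts only
            close = t_a - datetime.fromisoformat(b["ts"]) <= window
            shared = a["host"] == b["host"] or a["user"] == b["user"]
            if close and shared:
                parent[_find(parent, a["id"])] = _find(parent, b["id"])
    groups = defaultdict(list)
    for a in alerts:
        groups[_find(parent, a["id"])].append(a)
    incidents = []
    for members in groups.values():
        worst = max(members, key=lambda m: SEVERITY_RANK[m["severity"]])
        incidents.append({
            "alert_ids": [m["id"] for m in members],
            "severity": worst["severity"],
            "hosts": sorted({m["host"] for m in members}),
            "users": sorted({m["user"] for m in members}),
            "techniques": [m["technique"] for m in members],  # context for the analyst
            # low-only incidents go to automation; anything higher reaches an analyst
            "route": "auto_resolve" if SEVERITY_RANK[worst["severity"]] == 1 else "analyst_queue",
        })
    return sorted(incidents, key=lambda i: -SEVERITY_RANK[i["severity"]])
```

Six alerts collapse into three incidents here; the four alerts tied together by the shared user and host over 20 minutes become one high-severity incident that an analyst sees with the full technique chain, while the two isolated low alerts are handed to automation.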