About twenty years ago, antivirus, IPS and firewall were managed by security teams – mostly organizations had only one information security team, and the most important thing was getting up to date IPS signatures and antivirus database. But, SOCs are growing year by year because of new attack techniques and new security controls to prevent them. Today, an enterprise organization has more than fifty different security technologies to defend against these complex attacks. But, a SOC has two core elements: Security controls and people.
With the increasing number of devices, the logs of all these devices need to be analyzed and interpreted. And the log size that needs to be analyzed has reached enormous amounts. As data grows, human resources must also increase in direct proportion. Meanwhile, one of the biggest problems of the sector is to find trained analysts. We see that many organizations are trying to continue their SOC operations with less personnel than they need. And, these personnel is not only responsible for incident response, but also for red teaming, purple teaming, threat hunting, threat intelligence, and others.
The task of an analyst is not only to examine that log, but also to analyze the logs of other devices with the findings he/she detects after the examination. While the log size increasing day by day, it may take hours in some cases to analyze all these logs for only one incident. Because of these situations, many SOC analysts are experiencing burnout on the job and most of the organizations cannot response to alerts as fast as it should be.
At this very point, AI, the most popular technology of recent years, comes to the aid of SOCs. The use of AI powered autonomous platforms – as an example, Mandiant’s Automated Defense and DarkTrace’s Cyber AI Analyst – have become widespread and looks like it will have a bigger role in future SOCs. These devices can collect logs, analyze, determine and keep analyzing other system’s logs to decide whether the alert is false positive or a real incident. With AI, all these processes are done at machine speed and analysts can get the results in a very short time. So, this provides SOC teams to respond as fast as possible. Additionally, AI makes fewer mistakes than human analysts. In recent years, we saw many cases that although there were logs showing an attack, it was marked as false positive by analysts and closed.
AI is still evolving. As in all other fields, it is obvious that it will add a lot to us in the field of information security in the future. And with this evolving AI, in future SOCs, team member will focus on threat hunting, threat intelligence and red teaming works more. This situation will enable people to do better quality work and to educate themselves.