The AI SOC Analyst, your next cyber tool…

October 16, 2022

Your future AI analyst will be a virtual member of your SOC, investigating the thousands of alerts that your SOC doesn’t have the capacity to investigate today.

  • People make great cyber analysts because of their ability to apply both industry and institutional knowledge.
  • Cyber detection products and services use automation to identify possible threats but struggle to determine relevance in the context of your organization.
  • An expanding threat landscape means accelerating demand for cyber detection and analysis.
  • It’s not possible for a team of people to keep up with the volume and speed of automated threat detections.
  • Ultimately, you must either assume the risk of not investigating everything your tools detect, or add AI technology to sift through the noise and identify the threats most worthy of your people’s time.

People will always be your most important asset

As every book on business and management will affirm: people are your most important assets. So before doing anything else:

  1. Hire as many great SOC analysts as you can. Their value to your organization can’t be overstated.
  2. Listen to what your SOC analysts have to say. These are the people who understand the ground truth of what can happen with your technology and data.
  3. Understand that a great analyst will almost always provide more thoughtful analysis than an AI.

Why you need an AI SOC analyst

There are just too many damn alerts. Cyber threat detection and alerting is a mostly automated function. Cyber incident investigation is a mostly human process. People don’t operate at machine speed. A team of people can’t keep pace with the volume and velocity of automated detection, regardless of how large you grow that team. You need an AI SOC analyst to backstop your team and provide scaled analysis coverage where they can’t.

Why you are skeptical of cyber AI

There are two main skill sets you require of your SOC analysts: 1) industry knowledge and 2) institutional knowledge. Prior underwhelming AI technology probably had industry knowledge of what a cyber threat or anomalous activity looks like but struggled to understand institutional relevance of what it observed.

Newer security services have started to overcome this challenge by integrating deeply with specific technologies they monitor. For example, by being integrated with an endpoint agent, you enable these providers to have access to some of your institutional knowledge. Unfortunately, this value is limited to a narrow set of use cases.

Why you still need an AI SOC analyst

If you insource any enterprise IT, then you also insource your cyber security. This includes organizations with one or more security services, because 1) services often limit the type and volume of alerts they’ll review, and 2) only your people have the full context of your technology and data systems. Your people remain responsible for the alerts your service provider won’t take and for verifying the accuracy of the information those services send back to you. Also remember that security services are most successful in a niche where they have the deepest technical integration, and they have the same people-scale problem as you. And still, there are just too many damn alerts.

How you will use an AI SOC analyst

Your AI SOC analyst will create a connection to your people. Remember, your SOC is the team of people who know about your technology and data systems. Like any new team member your AI SOC Analyst will learn on the job by asking questions and accepting feedback. It will learn how to understand context around your unique operating environment.

Your AI SOC analyst will connect with the same alert aggregators your team uses today, such as Splunk, Jira or ServiceNow. You’ll task it with analyzing mid-severity, high-volume and newly created alerts, while your people narrow their focus to high-fidelity and critical activity. Your AI SOC analyst will perform SOC-style investigations at the pace of your automated detections and report back the handful of alerts most likely to represent actual cyber threats.

By prioritizing a people-centric integration, your AI SOC analyst won’t be beholden to a niche technology integration. It will leverage the same breadth of institutional knowledge that your team has today, and continue to learn with your team. Finally, future analysts will learn about your organization from your AI SOC Analyst, accelerating their integration into your team.
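To make the workflow above concrete, here is an added example (not Salem’s product code, and not code from the original post): a toy triage router that splits alerts by severity, scores the AI queue against institutional context (crown-jewel hosts, known service accounts, rules the team has already reviewed), and lowers the score of a recurring alert only as analysts feed back benign verdicts. The alerts, the context and every scoring weight are constructed for illustration; a real system would learn the weights rather than hard-code them.

```python
"""Added example (not Salem's code): a toy triage router for the workflow
the post describes. Alerts, context and scoring weights are hypothetical."""
from collections import Counter
from dataclasses import dataclass, field

# Severities the post keeps with the human analysts; everything else goes
# to the AI analyst for a first pass.
HUMAN_SEVERITIES = {"critical", "high"}
ESCALATION_THRESHOLD = 60  # hypothetical 0-100 score at which the AI hands an alert back

@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str
    severity: str  # critical / high / medium / low / informational
    host: str
    user: str

@dataclass
class InstitutionalContext:
    """Hypothetical stand-in for the institutional knowledge the AI analyst
    learns from the team (what an analyst knows and a generic product does not)."""
    crown_jewels: set        # hosts holding the data that matters most
    service_accounts: set    # accounts that legitimately run automation
    known_rules: set         # detections the team has already reviewed
    benign_feedback: Counter = field(default_factory=Counter)  # (rule, host) -> benign verdicts

def route(alert: Alert) -> str:
    """First split: critical/high stay with people, the rest go to the AI."""
    return "human" if alert.severity in HUMAN_SEVERITIES else "ai"

def score(alert: Alert, ctx: InstitutionalContext) -> int:
    """Context-aware priority for the AI queue (weights are illustrative)."""
    s = {"medium": 50, "low": 30, "informational": 10}.get(alert.severity, 30)
    if alert.host in ctx.crown_jewels:      # institutional: asset criticality
        s += 30
    if alert.user in ctx.service_accounts:  # institutional: expected automation
        s -= 30
    if alert.rule not in ctx.known_rules:   # a detection nobody has reviewed yet
        s += 20
    # Each analyst "benign" verdict on this (rule, host) pair lowers the score,
    # but a single verdict never silences a recurring alert on its own.
    s -= min(45, 15 * ctx.benign_feedback[(alert.rule, alert.host)])
    return max(0, min(100, s))

def triage(alerts, ctx, threshold=ESCALATION_THRESHOLD):
    """Return the three outcomes: human queue, AI-escalated, AI-closed."""
    queues = {"human": [], "escalated": [], "closed": []}
    for a in alerts:
        if route(a) == "human":
            queues["human"].append(a.alert_id)
        elif score(a, ctx) >= threshold:
            queues["escalated"].append(a.alert_id)
        else:
            queues["closed"].append(a.alert_id)
    return queues

def record_feedback(ctx, alert, verdict):
    """Analysts close the loop: their verdict becomes institutional knowledge."""
    if verdict == "benign":
        ctx.benign_feedback[(alert.rule, alert.host)] += 1
    ctx.known_rules.add(alert.rule)

# Constructed sample alerts, shaped like rows pulled from a SIEM or ticket queue.
SAMPLE_ALERTS = [
    Alert("A1", "ransomware-note-written", "critical", "ws-042", "jdoe"),
    Alert("A2", "new-scheduled-task", "medium", "db-prod-01", "jdoe"),
    Alert("A3", "new-scheduled-task", "medium", "ws-117", "svc_backup"),
    Alert("A4", "suspicious-dns-txt-query", "medium", "ws-117", "jdoe"),
    Alert("A5", "new-scheduled-task", "medium", "db-prod-02", "jdoe"),
]

def new_context():
    return InstitutionalContext(
        crown_jewels={"db-prod-01", "db-prod-02"},
        service_accounts={"svc_backup"},
        known_rules={"ransomware-note-written", "new-scheduled-task"},
    )

def demo():
    """One triage pass, two benign verdicts fed back for A5, then a second pass."""
    ctx = new_context()
    first = triage(SAMPLE_ALERTS, ctx)
    recurring = SAMPLE_ALERTS[4]  # A5: scheduled task on a crown-jewel DB host
    record_feedback(ctx, recurring, "benign")
    after_one = score(recurring, ctx)   # still escalates after one verdict
    record_feedback(ctx, recurring, "benign")
    after_two = score(recurring, ctx)   # drops below the threshold after two
    second = triage(SAMPLE_ALERTS, ctx)
    return first, after_one, after_two, second

if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the first pass A1 goes straight to people, A3 is closed because a backup service account creating a scheduled task is expected, A4 is escalated because nobody on the team has reviewed that rule before, and A2 and A5 are escalated because they touch production database hosts. After analysts confirm A5 twice as a legitimate maintenance job, the same alert is closed on the next pass while A2 on the other database host still escalates, which is the “learn on the job from feedback” behaviour the post describes.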

So, why do you need an AI SOC analyst?

  • To reduce the risk of threats flying below the radar.
  • To help keep your people from burning out on repetitive and mind-numbing alerts.
  • To unlock the full value of your cyber detection products and services.
  • And, ultimately, you’ll have an AI SOC analyst on your team because it’s the future of cyber defense.
