As every book on business and management will affirm: people are your most important assets. So before doing anything else:
There are just too many damn alerts. Cyber threat detection and alerting is a mostly automated function. Cyber incident investigation is a mostly human process. People don't operate at machine speed. A team of people can't keep pace with the volume and velocity of automated detection, regardless of how large you grow that team. You need an AI SOC analyst to backstop your team and provide scaled analysis coverage where they can't.
There are two main skill sets you require of your SOC analysts: 1) industry knowledge and 2) institutional knowledge. Earlier, underwhelming AI technology probably had the industry knowledge to recognize what a cyber threat or anomalous activity looks like, but struggled to understand the institutional relevance of what it observed.
Newer security services have started to overcome this challenge by integrating deeply with the specific technologies they monitor. Integrating with an endpoint agent, for example, gives the provider access to some of your institutional knowledge. Unfortunately, this value is limited to a narrow set of use cases.
If you insource any enterprise IT, then you also insource your cyber security. This includes organizations with one or more security services, because 1) services often place limits on the type and volume of alerts they'll review, and 2) only your people have the full context of your technology and data systems. Your people remain responsible for the alerts your service provider won't take and for verifying the accuracy of the information those services provide back to you. Also remember that security services are most successful in the niche where they have the deepest technical integration, and they have the same people-scale problem as you. And still, there are just too many damn alerts.
Your AI SOC analyst will create a connection to your people. Remember, your SOC is the team of people who know about your technology and data systems. Like any new team member, your AI SOC analyst will learn on the job by asking questions and accepting feedback. It will learn to understand the context of your unique operating environment.
Your AI SOC analyst will connect with the same alert aggregators your team uses today, such as Splunk, JIRA, or ServiceNow. You'll task it with analyzing medium-severity, high-volume, and new alerts, while your people narrow their focus to high-fidelity and critical activity. Your AI SOC analyst will perform SOC-style investigations at the pace of your automated detections and report back the handful of alerts most likely to represent actual cyber threats.
By prioritizing a people-centric integration, your AI SOC analyst won't be beholden to a niche technology integration. It will leverage the same breadth of institutional knowledge your team has today and continue to learn alongside your team. Finally, future analysts will learn about your organization from your AI SOC analyst, accelerating their integration into your team.