Increased digitalisation and the resultant explosion of data mean that organisations rely on complex infrastructure for their day-to-day functioning and need it to be always connected and secure.
A natural corollary is that the importance of security operations centres (SOCs), as the vital gatekeepers and guardians of the network, has grown manifold.
The SOC will continue to evolve over the next decade: its core mission will become even more vital in an increasingly digital world, and automating processes is the only way SOCs will remain relevant in an environment of sophisticated cyberattacks.
SOCs are configured to detect even the slightest anomalies. This often results in a dramatic increase in false-positive alerts, which in turn contribute to more noise for SOC analysts to cut through.
Research by Devo shows that SOCs waste an average of 10,000 hours (around US$500,000 in financial terms) annually validating unreliable and incorrect vulnerability alerts.
Organisations also report an average of 53 alerts a day with nearly half being false positives.
Understandably, this often has a negative effect on SOC teams, with more than one-third of IT security managers and SOC analysts ignoring threat levels when the queue is full.
Given these conditions, it’s not surprising that 70 percent of organisations report understaffed teams, and 60 percent say their workloads have spiked recently.
This comes at a time when it has become increasingly difficult for organisations to attract and retain skilled SOC analysts.
Cost centres
Despite the vital role that SOCs play in protecting complex infrastructure, they remain cost centres.
SOCs don’t generate revenue and on top of that, it is exceedingly difficult to quantify the true cost of mitigating cybersecurity risk even after a breach occurs.
As a result, organisations often find it difficult to justify hiring new SOC staff.
Autonomous SOCs driven by advanced technologies like artificial intelligence (AI) and machine learning (ML) can provide proactive risk reduction by analysing petabytes of data, automatically triaging incidents, and responding to them, while keeping a check on manpower costs.
These SOCs can integrate seamlessly with security and IT tools and allow cybersecurity professionals to perform fast, effective detection and incident response to resolve threats on large-scale, cloud-first infrastructures.
They can also plug into community-powered investigation across a combined endpoint and cloud infrastructure in order to understand the nature of a threat and the best course of action in near real time.
As in the case of digital transformation or a shift to the cloud, moving from a people-centric SOC to an autonomous one is not just about slapping in new pieces of technology.
It requires a cultural shift in thinking within the organisation right from the actual cybersecurity experts all the way to the company board.
Those organisations that understand this and implement the cultural shift usually have better-protected critical infrastructure with less downtime and lower financial risk.
It is useful to remember that technology is an arms race.
Better context
Autonomous SOCs can automate incident investigations and provide better context for alerts by filtering out the noise, so that the volume of raw security alerts decreases to a manageable number of concise, clearly categorised warnings.
Analytics in the autonomous SOC would include:
- Collecting data at any scale to support massive query loads.
- Using AI and ML to provide analysts with new insights into the enterprise and its security.
- Using integrated threat enrichments and data lakes to apply new threat intelligence to external sources.
- Applying automation and orchestration to reduce workloads and pressure on Tier-1 and Tier-2 analysts.
- Sifting through all data quickly and thoroughly to detect issues before they become incidents, and to identify attacks before they cause damage.
An autonomous SOC can provide automated AI/ML-based analytics to empower analysts to perform incident response on large-scale, cloud-first infrastructures.
These next-generation analytics seamlessly integrate with security and IT tools to accelerate incident response, including detection, triage, investigation and hunting.
The journey to transform traditional SOCs into autonomous SOCs is a process.
As it progresses, analysts will move from reacting to alerts and trying to determine which ones represent serious threats, and instead become value-added hunters who use AI and ML to protect the organisation.
When completed, the autonomous SOC will have a flexible, scalable data fabric to ingest data from all sources and formats.
It will be interconnected, making it easy for SOC teams to access and apply the latest community expertise and content across the entire threat management lifecycle.
It provides effective and timely protection against today’s — and tomorrow’s — threats.
--------------------
The author is responsible for assisting Devo customers in their autonomous SOC journey and enabling enterprises to tackle large-scale digital transformation problems. Devo is the only cloud-native SIEM pioneering the autonomous SOC vision, allowing organisations to focus on security improvement projects through false positive reduction and increase in enterprise visibility.