Winning the war against hostile AI starts with AI-based SOCs



Faced with increasingly sophisticated multi-domain attacks creeping in due to alert fatigue, high turnover, and outdated tools, security leaders are embracing AI-based Security Operations Centers (SOCs) as the future of defense.

This year, hackers set new records for the speed of intrusions, exploiting weaknesses in legacy systems designed to protect only the perimeter and, worse, trusted network connections.

Over the past year, attackers cut their average eCrime breach time by 17 minutes, from 79 minutes to 62 minutes in a single year. The fastest observed break-in took just two minutes and seven seconds.

Attackers combine generative AI, social engineering, interactive penetration campaigns, and an all-out attack on cloud vulnerabilities and identity. With this playbook, they seek to exploit the weaknesses of organizations with outdated or no cybersecurity arsenals.

“The speed of today’s cyberattacks requires security teams to rapidly analyze vast amounts of data to detect, investigate and respond to threats faster. This is the failed promise of SIEM (Security Information and Event Management). Customers are hungry for better technologies that deliver instant time-to-value and increased functionality at a lower total cost of ownership,” said George Kurtz, president, CEO and co-founder of the cybersecurity company CrowdStrike.

“SOC leaders must find the balance of improving their detection and blocking capabilities. This should reduce the number of incidents and improve their ability to respond, ultimately reducing attacker downtime,” Gartner wrote in its report, Tips for Choosing the Right Tools for Your Security Operations Center.

AI-based SOCs: The surefire cure for swivel chair integration

Visit any SOC and it’s clear that most analysts are forced to rely on “swivel chair integration” because legacy systems weren’t designed to share real-time data with each other.

This means analysts are often wheeling their swivel chairs from one monitor to another, checking signals and cleaning up false positives. Accuracy and speed are being lost in the fight against growing multi-domain attempts that are not intuitively obvious and distinct amid the flood of real-time alerts that are pouring in.

Here are just a few of the many challenges SOC leaders expect an AI-based SOC to help solve:

Chronic alert fatigue: Legacy systems, including SIEMs, produce an ever-increasing number of alerts for SOC analysts to track and analyze. SOC analysts, who spoke anonymously, said four out of every 10 alerts these systems produce are false positives. Analysts often spend more time sorting through false positives than investigating actual threats, severely impacting productivity and response time. Making the SOC AI-based would make an immediate difference in this area, one that every SOC analyst and leader has to deal with on a daily basis.

Continuing talent shortages and departures: Experienced SOC analysts who are good at what they do and whose leaders can influence budgets to get raises and bonuses, for the most part stay in their current positions. Kudos to organizations that realize that investing in retaining talented SOC teams is core to their business. An often-cited statistic is that there is a global cybersecurity workforce shortage of 3.4 million professionals. There really is a chronic shortage of SOC analysts in the industry, so it’s up to organizations to close the pay gap and double down on training to grow their teams internally. Burnout is rampant in understaffed teams that are forced to rely on swivel chair integration to get their work done.

Multidomain threats are growing exponentially. Adversaries, including cybercrime gangs, nation states and well-funded cyberterrorist organizations, are doubling down on exploiting endpoint and identity security vulnerabilities. Malware-free attacks have grown over the past year, increasing the variety, volume and ingenuity of attack strategies. SOC teams that protect enterprise software companies developing AI-based platforms, systems and new technologies are especially hard hit. Malware-free attacks are often hard to detect: they abuse trusted, legitimate tools, rarely generate a unique signature, and rely on fileless execution. Kurtz told VentureBeat that attackers who target endpoint and identity vulnerabilities often move laterally into other systems in less than two minutes. Their advanced techniques, including social engineering, ransomware as a service (RaaS), and identity-based attacks, demand faster and more adaptive SOC responses.

Increasingly complex cloud configurations increase the risk of attack. Cloud intrusions grew 75% year-on-year, with adversaries exploiting cloud-native weaknesses such as insecure APIs and identity misconfigurations. SOCs often struggle with limited visibility and inadequate threat mitigation tools in complex multi-cloud environments.

Data overload and tool proliferation are creating security gaps that SOC teams are called upon to fill. Legacy perimeter-based systems, including many decades-old SIEM systems, struggle to process and analyze the vast amount of data generated by modern infrastructure, endpoints, and telemetry data sources. Requiring SOC analysts to maintain information on multiple alert sources and correlate data between different tools slows their efficiency, leads to burnout, and prevents them from achieving the accuracy, speed, and productivity they need.

How AI improves SOC accuracy, speed and performance

“AI is already being used by criminals to overcome some of the world’s cybersecurity measures,” warns Johan Gerber, executive vice president of security and cyber innovation at MasterCard. “But AI has to be part of our future, the way we attack and deal with cyber security.”

“It’s extremely difficult to go out and do something if artificial intelligence is considered sudden; you have to think of it (as an integral part),” Jeetu Patel, EVP and GM of Security and Collaboration for Cisco, told VentureBeat, citing findings from the Cisco Cybersecurity Readiness Index 2024. “The operative word here is that AI is used natively in your core infrastructure.”

Given the many accuracy, speed and performance benefits of moving to an AI-based SOC, it’s understandable why Gartner supports the idea. The research firm predicts that by 2028 multi-agent AI in threat detection and incident response (including within the SOC) will increase from 5% to 70% of AI deployments—primarily by augmenting, not replacing, personnel.

Chatbots are making an impact

At the core of the value AI-driven SOCs bring to cybersecurity and IT teams is accelerated threat detection and triage based on improved predictive accuracy using real-time telemetry data.

SOC teams report that AI-based tools, including chatbots, provide faster execution of a wide range of queries, from simple analysis to more complex anomaly analysis. The latest generation of chatbots designed to streamline SOC workflows and assist security analysts include CrowdStrike’s Charlotte AI, Google’s Threat Intelligence Copilot, Microsoft Security Copilot, Palo Alto Networks’ AI Copilots series, and SentinelOne Purple AI.

Graph databases are the foundation of the future of SOC

Graph database technologies help defenders see their vulnerabilities the way attackers do. Attackers think in terms of traversing the graph of a business’s systems, while SOC defenders have traditionally relied on lists. The graph database arms race aims to put SOC analysts on par with attackers when it comes to tracking threats, intrusions, and breaches across the connected graph of their identities, systems, and networks.

AI is already proving effective in reducing false positives, automating incident responses, improving threat analysis, and continually finding new ways to streamline SOC operations.

Combining AI with graph databases also helps SOCs track and stop multi-domain attacks. Graph databases are at the heart of the future of SOC because they excel at visualizing and analyzing interconnected data in real-time, enabling faster and more accurate threat detection, attack path analysis, and risk prioritization.

John Lambert, corporate vice president of Microsoft Security Research, emphasized the critical importance of graph-based thinking for cybersecurity, explaining to VentureBeat, “Defenders think in lists, cyberattackers think in graphs. As long as this is true, the attackers win.”
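The “lists versus graphs” point above is easiest to see in code. The example below is added here for illustration; it is not code from the article or from any of the vendors it names. It models a small, constructed set of control relationships (cached credentials, group membership, local admin rights) as a directed graph, finds the shortest attack path from each candidate entry point to a crown-jewel asset, and ranks the relationships that the most paths share, so a SOC can see which single fix severs the most routes. A flat list of the same facts would show every item in isolation and never reveal that the helpdesk group’s admin rights on one workstation connect two ordinary users to the domain controller. All node names, edges and the entry-point/target choice are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample graph (not taken from the article). Nodes are hosts, users and groups.
# A directed edge u -> v means "control of u yields control of v": a user's credentials
# are cached on a host, a user belongs to a group, a group holds admin rights on a host.
SAMPLE_EDGES = [
    ("WS-01", "alice"),            # alice's credentials are cached on WS-01
    ("alice", "HelpdeskGroup"),    # alice is a member of HelpdeskGroup
    ("WS-03", "carol"),            # carol's credentials are cached on WS-03
    ("carol", "HelpdeskGroup"),    # carol is a member of HelpdeskGroup
    ("HelpdeskGroup", "WS-02"),    # HelpdeskGroup is local admin on WS-02
    ("WS-02", "bob"),              # bob has an interactive session on WS-02
    ("bob", "DomainAdmins"),       # bob is a member of DomainAdmins
    ("DomainAdmins", "DC-01"),     # DomainAdmins administer the domain controller
    ("WS-04", "dave"),             # dave holds no onward rights: a dead end
]
ENTRY_POINTS = ["WS-01", "WS-03", "WS-04"]  # workstations where an initial compromise might land
TARGET = "DC-01"                              # the asset the SOC most needs to keep unreachable


def build_graph(edges):
    """Adjacency list; every node appears as a key even if it has no outgoing edges."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search: the shortest chain of control relationships, or None."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in graph[node]:
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def attack_paths(graph, entry_points, target):
    """Entry points that can reach the target, each mapped to its shortest path."""
    paths = {}
    for entry in entry_points:
        path = shortest_path(graph, entry, target)
        if path is not None:
            paths[entry] = path
    return paths


def edge_choke_points(paths):
    """Rank relationships by how many entry points' paths traverse them.
    Removing a relationship shared by every path severs them all at once."""
    counts = defaultdict(int)
    for path in paths.values():
        for edge in zip(path, path[1:]):
            counts[edge] += 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def paths_without_edge(edges, removed, entry_points, target):
    """Re-run the analysis with one relationship removed, to test a proposed fix."""
    remaining = [e for e in edges if e != removed]
    return attack_paths(build_graph(remaining), entry_points, target)


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    found = attack_paths(graph, ENTRY_POINTS, TARGET)
    for entry, path in found.items():
        print(f"{entry}: " + " -> ".join(path))
    print("most shared relationships:", edge_choke_points(found)[:4])
    fixed = paths_without_edge(SAMPLE_EDGES, ("HelpdeskGroup", "WS-02"), ENTRY_POINTS, TARGET)
    print("entry points still reaching DC-01 after removing helpdesk admin on WS-02:", list(fixed))
```

Several relationships tie at the top of the ranking (the helpdesk admin right, bob’s session, bob’s group membership, and Domain Admins’ control of the DC), because every path runs through the same tail. The choice between them is a defender’s judgement about cost: removing Domain Admins’ control of the domain controller is not an option, whereas removing HelpdeskGroup’s local admin rights on WS-02 is cheap and, as the last line shows, leaves no entry point with a route to DC-01. Removing only the WS-01/alice relationship, by contrast, still leaves WS-03 with a path.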

AI-based SOCs need people in the middle to realize their potential

SOCs that intentionally design human-in-the-middle workflows as a core part of their SOC AI strategies are best positioned for success. The main goal should be to strengthen the knowledge of SOC analysts and provide them with the data, insights and intelligence they need to excel and grow in their roles. Retention is also an implicit goal of human-in-the-middle workflow design.

Organizations that have created a culture of continuous learning and see AI as a tool to accelerate learning and workplace outcomes are already ahead of the competition. VentureBeat continues to see SOCs placing a high priority on letting analysts focus on complex, strategic tasks while AI handles routine operations, keeping their teams engaged. There are many stories of small wins, such as stopping an intrusion or a breach. AI should not be seen as a replacement for SOC analysts or for experienced human threat hunters. Instead, AI applications and platforms are tools threat hunters need to better protect enterprises.

AI-driven SOCs can significantly reduce incident response times, with some organizations reporting reductions of up to 50%. This acceleration allows security teams to address threats faster, minimizing potential damage.

The role of AI in SOC is expected to expand to include proactive adversary simulations, continuous health monitoring of SOC ecosystems, and advanced endpoint and identity security through zero-trust integration. These enhancements will further strengthen organizations’ defenses against evolving cyber threats.
