Paranoia is not generally thought of as a character trait to aspire to. But in security operations (SecOps), the optics are rather different. Sitting on the front line in a ceaseless battle with faceless cyber adversaries, Security Operations Centre (SOC) analysts know first-hand the advantage of continuous monitoring and situational awareness. And those that can match this paranoia with sophisticated automation have a great opportunity to claw back the initiative from their opponents, writes Martin Jakobsen, Managing Director of the platform Cybanetix.
With ransomware threatening huge losses, reputational damage and business disruption, the stakes couldn’t be higher. That’s why the right approach to Security Orchestration, Automation and Response (SOAR) can make all the difference.
SOCs under pressure
The odds are increasingly stacked against the SOC. According to one estimate, the average enterprise now runs 61 security tools, monitored through 58 dashboards. Many, if not all, of these point solutions spit out alerts that the SOC has to manage. Yet because they don’t always work in a coordinated manner, there are blind spots too. It means analysts are both submerged in data and at risk of dangerous gaps in their awareness, amplified by endless swivel-chairing between consoles and data that is hard to correlate.
All of which helps to explain why alert fatigue is a top challenge for SecOps teams. It’s why 90 per cent of teams feel overwhelmed by backlogs, and two-thirds (66 per cent) say they’re unable to keep pace with alerts. A further 70 per cent of junior analysts are estimated to leave their roles within three years, such is the pressure. It threatens to create a vicious cycle where stressed-out analysts resign, leaving fewer colleagues to deal with the tsunami of alerts, which in turn forces more to leave.
Threat landscape evolves
Threat actors have no such problem. They can choose when to strike, and have access to ample tools, skills and know-how to achieve their goals. The cybercrime economy has matured to the point that certain tools and services have become commoditised. Initial access is offered by specialised brokers. Compromised credentials are available to buy in their billions. Ransomware and phishing attacks are enabled by easy-to-consume services. And there’s a growing target to aim at, as enterprises continue to build out their digital infrastructure.
That attack surface includes the perennial weak point, corporate employees, and a growing number of suppliers, which are often woefully under-protected and provide a ready-made pathway into corporate networks and data.
A combination of compromised credentials and fileless attacks can make it even easier for threat actors to fly in under the radar. Then there’s the growing challenge presented by AI. According to the National Cyber Security Centre (NCSC), the technology will “almost certainly” make intrusions more effective over the coming two years, “leading to an increase in frequency and intensity of cyber threats.” It cites vulnerability research and exploit development, social engineering, basic malware generation, victim reconnaissance, and processing of exfiltrated data as areas set to get an uplift. The NCSC didn’t even mention agentic AI, but already observers are seeing agents deployed to automate and orchestrate various parts of the kill chain.
Spotlight on threats
As threat actors harness the power of emerging technologies and slick criminal supply chains, network defenders in the SOC continue to struggle with manual processes that add friction and human error to triage, investigation, enrichment and containment. Crucially, they also lack threat intelligence and business context when assessing alerts, making it difficult to prioritise what matters.
Yet the bottom line is they need to capture as many alerts and indicators of compromise as possible, in order to spot and contain threats early on in the kill chain. Most attacks are best identified by combining a multitude of smaller indicators. In isolation, none of these would raise the alarm, but when viewed together, they bring malicious activity into focus. The trick is to ensure this “paranoid” approach to capturing signals doesn’t result in alert fatigue.
This is where AI and automation come in. Automation can be used to enrich every alert with threat intelligence and organisational context, and correlate it with other similar events and related SIEM/XDR data. Next comes advanced playbook logic. This either facilitates automated analysis, investigation and possibly even remediation, such as via containment of users and devices, or empowers level 1 analysts to work more effectively. In this way, the SOAR platform does most of the heavy lifting. It might be able to fully handle alerts that meet predefined criteria, from start to finish. Or at the very least, take on a large chunk of the investigative grunt work that normally falls to the analyst.
SecOps teams might want to create scores of these playbooks to deal with the most common scenarios they’re likely to encounter. In our experience, MSSPs following this model can process as many as 10 times the number of alerts their teams are usually capable of reviewing.
Human plus machine
To be clear, AI and automation are not a panacea. They must be aligned to the cybersecurity needs of the business. Automated remediation should only be allowed when the logic behind it is bulletproof, to avoid cases being closed that should actually be escalated to human teams. And a careful balance may need to be struck in terms of the SOC’s use of AI, to ensure it is commercially viable. For certain tasks, simpler automation might be able to do the same job at lower cost.
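The enrich, correlate and decide flow described under “Spotlight on threats”, together with the rule above that automated remediation must never close a case that should have been escalated, as an added Python illustration. This is not Cybanetix code or any vendor’s playbook: the alerts, threat-intelligence entries, asset records, scoring weights, correlation window and thresholds are all constructed assumptions for the example.

```python
"""Minimal SOAR-style triage playbook: enrich, correlate, score, decide.
Added illustration, not Cybanetix code; every data value and threshold
below is a constructed assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed: indicator -> (verdict, confidence 0-100)
THREAT_INTEL = {
    "198.51.100.23": ("malicious", 95),
    "203.0.113.7": ("suspicious", 60),
}

# Constructed asset context (the "business context" analysts usually lack)
ASSETS = {
    "ws-fin-042": {"crown_jewel": False},
    "db-payroll-01": {"crown_jewel": True},
}

# Constructed alerts from three different tools; none is alarming on its own
ALERTS = [
    {"id": "a1", "ts": "2024-05-01T09:00:00", "host": "ws-fin-042",
     "tool": "edr", "type": "lolbin_exec", "indicator": None},
    {"id": "a2", "ts": "2024-05-01T09:03:00", "host": "ws-fin-042",
     "tool": "proxy", "type": "outbound_conn", "indicator": "198.51.100.23"},
    {"id": "a3", "ts": "2024-05-01T09:05:00", "host": "ws-fin-042",
     "tool": "idp", "type": "new_device_login", "indicator": None},
    {"id": "a4", "ts": "2024-05-01T14:00:00", "host": "db-payroll-01",
     "tool": "proxy", "type": "outbound_conn", "indicator": "203.0.113.7"},
]

WINDOW = timedelta(minutes=30)   # correlation window (assumed)
CONTAIN_THRESHOLD = 80           # assumed playbook thresholds
ESCALATE_THRESHOLD = 40


def enrich(alert):
    """Attach intel verdict and asset context. A lookup that finds nothing
    is recorded as incomplete enrichment, not silently treated as benign."""
    ind = alert["indicator"]
    ti = THREAT_INTEL.get(ind) if ind else None
    asset = ASSETS.get(alert["host"])
    return {**alert, "ti_verdict": ti[0] if ti else None,
            "ti_conf": ti[1] if ti else 0, "asset": asset,
            "enrichment_complete": asset is not None and (ind is None or ti is not None)}


def correlate(enriched):
    """Group alerts per host into cases; a case spans at most WINDOW from
    its first alert. Cases come back in order of their first alert."""
    by_host = defaultdict(list)
    for a in sorted(enriched, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    cases = []
    for host, alerts in by_host.items():
        current = [alerts[0]]
        for a in alerts[1:]:
            start = datetime.fromisoformat(current[0]["ts"])
            if datetime.fromisoformat(a["ts"]) - start <= WINDOW:
                current.append(a)
            else:
                cases.append({"host": host, "alerts": current})
                current = [a]
        cases.append({"host": host, "alerts": current})
    return cases


def score(case):
    """Weak signals add up: independent tools, strongest intel hit, asset value."""
    alerts = case["alerts"]
    s = 15 * len({a["tool"] for a in alerts})      # distinct sources agreeing
    s += max(a["ti_conf"] for a in alerts) // 2    # strongest TI hit
    if any(a["asset"] and a["asset"]["crown_jewel"] for a in alerts):
        s += 20                                    # high-value asset involved
    return min(s, 100)


def decide(case):
    """Playbook decision. Containment needs complete enrichment AND a hard
    'malicious' verdict; anything ambiguous goes to a human, never auto-closed."""
    s = score(case)
    complete = all(a["enrichment_complete"] for a in case["alerts"])
    malicious = any(a["ti_verdict"] == "malicious" for a in case["alerts"])
    if not complete:
        return "escalate"          # missing data is not evidence of safety
    if s >= CONTAIN_THRESHOLD and malicious:
        return "contain"
    if s >= ESCALATE_THRESHOLD:
        return "escalate"
    return "close"


def run_playbook(alerts=ALERTS):
    """Full pass: one summary dict per correlated case."""
    cases = correlate([enrich(a) for a in alerts])
    return [{"host": c["host"], "alerts": [a["id"] for a in c["alerts"]],
             "score": score(c), "action": decide(c)} for c in cases]


if __name__ == "__main__":
    for result in run_playbook():
        print(result)
```

Run as a script to see the decisions. The three low-grade alerts on the finance workstation, each harmless alone, correlate into a case with a malicious indicator and get contained automatically; the single “suspicious” connection from the payroll database scores high enough to escalate but not to contain, because the playbook refuses to act on a soft verdict; and any alert whose indicator or host is absent from the enrichment sources is escalated regardless of score, since a failed lookup must never be the reason a case is closed.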
However, there’s no doubt that AI can be a force multiplier for SOC productivity, supporting free-text hunting, natural-language explanations, trend analysis, and playbook and detection engineering. By upskilling Level 1 analysts, SecOps managers can keep them engaged in their work while also freeing up more senior members of the team for higher-value tasks.
This is good news for MSSPs struggling to compete for a dwindling pool of experienced analysts. And it’s good news for their customers, their security posture, and their bottom line. But we should never lose sight of the importance of human oversight and skill. AI and automation will only get us so far. SOC teams still need to know the right questions to ask. Yet if they stay paranoid, and have the right set of tools and technologies to back them, there’s light at the end of the tunnel.