Thursday, March 30, 2023

What to Consider When Building an Autonomous SOC

Today’s threat landscape demands more from IT and security professionals than ever before. Schools are being forced to shut down due to ransomware attacks, major brands are falling victim to reputation-harming data breaches, and an explosion of connected devices has broadened the attack surface. At the same time, cyber-criminals are getting smarter and savvier, developing new ways to evade detection software and make money.

As cyber-criminals are getting more creative, the cybersecurity industry is improving and developing innovative solutions to protect businesses. Earlier this year, the FBI revealed it had turned the tables on the notorious Hive ransomware gang by secretly hacking the group’s systems, saving $130 million in ransomware demands for more than 300 victims. Despite our best efforts, there are still elements holding us back as an industry and continuing to make organizations vulnerable to cyber-attacks. Prevention, monitoring, and mitigation all happen in the Security Operations Center (SOC), and, right now, SOCs are facing the perfect storm for cyber-crime: lack of visibility into complex operating environments, inability to analyze cloud-scale volumes of data, and an industry-wide shortage of cybersecurity talent. As a result, security professionals are experiencing widespread burnout and unrealistic workloads, which lowers their productivity and creates higher security risks.

Autonomous SOC: Building Yours Right

A lot of the burnout security practitioners face is caused by alert fatigue. When alerts about potential cyber-attacks come in at a rate faster than SOC analysts can handle, analysts work longer hours and still miss important threats. To cut through the noise and focus on the attacks that matter most, SOCs need to take a cue from cyber-criminals and adapt to the current threat landscape: They need to start their journey to the autonomous SOC.

Understanding the Autonomous SOC

An autonomous SOC (ASOC) is composed of an artificial intelligence (AI) and/or machine learning (ML) system that receives all of the incoming data points and assists with cybersecurity monitoring and mitigation. An ASOC is ideal for threat investigation since it can automatically detect suspicious activity, quickly learn and correlate everything about the attack, and provide analysts with the context they need to detect, isolate, and neutralize the attack easily and efficiently. The ASOC also filters out false positives (alerts that do not correspond to real threats), allowing analysts to direct their focus on real threats and take immediate action.

The ASOC helps alleviate many of the issues organizations face with their security posture — limited resources, overwhelmed analysts, and repetitive, monotonous tasks. AI and ML’s ability to identify patterns and outliers equips analysts with an actionable plan for prevention and remediation. An ASOC running in the background provides a much-needed extra layer of coverage to protect organizations, especially those dealing with understaffed SOCs due to recent layoffs throughout the tech industry.

There are a lot of questions around autonomy and the SOC. Namely, will ASOCs replace human analysts? The short answer is no. Human and machine collaboration is necessary for success, especially regarding cybersecurity. ASOCs constantly evolve as they ingest data and assess new threats, which is why they will always need human analysts to create guardrails and provide feedback. ASOCs are designed to make analysts’ jobs easier, not to steal them.

What Organizations Should Consider Before Investing

The ASOC is not a passing trend. It’s where our industry is headed. IDC predicts that by 2026, 30 percent of large enterprise organizations will migrate to ASOCs for faster remediation, incident management, and response. Still, many executives misguidedly view the SOC as a department that exclusively costs the company money and does little — if anything — to drive revenue. As such, the shift to an ASOC may seem daunting or unrealistic to some organizations. Proponents of plans to build an ASOC might face pushback from others in the organization and need to justify the investment costs. The bottom line of an ASOC is to get more value out of the tools and workflows at the SOC’s disposal. In the short term, this means SOC analysts who are less burnt out, more engaged, and stay at the company longer. In the long term, investments in cybersecurity save the company money in terms of reputational damage and customer loss if an attack or breach occurs.

Another aspect to consider is timing. Ask yourself, “Is my organization ready for this transition?” Assess the maturity of the SOC and bring SOC analysts and leaders into the conversation. It’s also important to note that moving to an ASOC doesn’t have to be all or nothing; it’s a journey.

Keeping these elements in mind will help you transition seamlessly to an autonomous SOC, the future of cybersecurity.

-- Gunter Ollmann

First Published: Solutions Review - March 30, 2023