Today’s threat landscape grows more complex by the day, with new threat actors constantly emerging to exploit the growing attack surface. While the security operations center (SOC) has been a trusted tool to defend against these attacks, it no longer stands up to the task at hand. Because of this, we need to improve the SOC to protect against growing threats. Automation and artificial intelligence (AI) offer a solution that can patch these issues quickly and effectively, but is it enough to go out with the old and in with the new? The industry needs to reevaluate SOCs because they:
- Require too much manpower: Today’s ever-expanding attack surface produces massive amounts of data. To act on this data, SOCs need strong analysis and automation capabilities that can scale with this growing dataset, capabilities that human-staffed SOC teams often can’t deliver. Collecting, logging and indexing data for analysis takes a great deal of time, and every moment becomes precious during an attack. This is not the analysts’ fault; no person could analyze this volume of data in an acceptable amount of time.
- Are too slow: Detection and response times must be faster to keep pace with today’s threat landscape, where every second counts when responding to threats. Process latency also causes SOC processes to fall behind as the systems environment they monitor evolves. Today’s SOC needs a faster response time, and introducing artificial intelligence can reduce that response time to minutes rather than days.
- Have grown too reliant on incremental solutions: Building upon an existing SOC may feel like an easy fix, but in the long run it creates silos and won’t solve the larger issues. Piecing together incremental solutions leaves major gaps, whereas implementing one robust product that covers the entire attack surface ensures these gaps are closed. Multiple security tools are difficult to monitor and manage, making it even harder to effectively monitor large amounts of data across multiple sources. For example, when considering autonomous cars, we need to build them from scratch. It’s not enough to build features into an existing car, and the same goes for the SOC. We need to build an entirely new autonomous SOC with today’s threat landscape in mind to reimagine how we approach these attacks, instead of retroactively trying to use old solutions to solve new problems.
- Find it hard to manage documentation, processes and procedures: Quite often, processes and protocols aren’t regularly updated, or worse, stagnate entirely instead of continuously improving. This lapse can contribute to slower response times, ultimately putting the attack surface at greater risk.
- Have found that staying compliant causes confusion: Regulations and requirements are constantly changing, especially internationally. While it’s understandable that regulations need to change as quickly as the threat landscape does, this adds a burden for analysts who must keep up with the latest threats while juggling other responsibilities. It’s essential for the SOC to remain compliant, but it’s just another task the team needs to maintain on top of monitoring threats.
- Contribute to attrition: In addition to an industry skills shortage that makes it difficult to find the right employees, high stress levels exacerbated by SOC inefficiencies are contributing to further staff turnover. SOC analysts need to deal with all of the above hurdles while also trying to keep their attack surface safe. This creates a staffing shortage and overwhelms current analysts. Introducing artificial intelligence to the SOC can help relieve some of this pressure, allowing analysts to focus on larger work, with the larger goal of slowing attrition rates.
Today’s SOC cannot keep up with the growing threat landscape – SOC analysts can’t keep up with the massive amounts of data received daily. Introducing AI to the SOC relieves this pressure and addresses weak points. AI can respond to threats in a matter of minutes, helping analysts focus on larger issues while smaller threats are addressed. Without AI in its future, many SOCs will fail.
Gonen Fink, senior vice president of Cortex, Palo Alto Networks.