The definition of a Security Operation Center (SOC) is always structured around the PPT triad (People, Process, Technology), which constantly evolves to respond to new uses and purposes and to adapt its posture accordingly. This perpetual transformation keeps moving the SOC from an operational center built on the continuous detection of threats towards a center for supervising and reacting to attacks. Beyond uses and purposes, the posture itself has evolved: from availability monitoring to reactive monitoring, then to proactive monitoring, and now to automation of that monitoring.
The challenges of responsiveness
Besides the shortage of cyber resources, the main challenges for SOCs and their end customers centre on responsiveness: achieving the fastest possible mean time to detect (MTTD) and mean time to respond (MTTR), so that attacks are contained and damage is mitigated.
To address this, many SOCs use Colonel John Boyd's OODA (Observe, Orient, Decide, Act) loop, a decision-making model that builds on the advantage of experience. The loop has also been adapted to technology to make SOCs more efficient: initially relying on the SIEM, then improved with EDR, and now boosted with AI.
The place of AI and humans in SOCs
To quote Dr Aurélie JEAN during her speech "Work in the era of AI", it would be relevant to speak of intelligences in the plural (Robert Sternberg's Triarchic Theory). It is necessary to rethink specific tasks in order to take advantage of these intelligences: those done by AI, those helped by AI, and those only humans can do. "We must rethink work, continue learning throughout our lives, and adapt to innovations."
AI is not new in SOCs: it has already brought its share of developments through machine learning that models human behaviour (UBA and UEBA). This adds to what a SIEM alone can do, detecting abnormal human behaviour on the information system and thus reducing false positives.
The recent AI revolution makes it possible to use GPT algorithms and LLMs that reshape the analyst profession (or at least its tasks). The first tier, consisting of sorting and qualifying alerts, has almost disappeared from SOCs in favour of AI, which covers and improves this less rewarding, time-consuming, and repetitive scope.
Natural Language Processing frees analysts from data and log query languages (KQL, SPL, ...): a question can be phrased as if asking a colleague. Still in the hunt for false positives, these technologies, capable of processing complex, voluminous and varied data, diagnose alerts precisely and quickly, and provide a scoring system to distinguish a false positive from a real threat by bringing out the essential.
Towards a qualitative improvement of SOC analyses
Freed from these non-strategic tasks, Security Operation Center teams can focus on tasks with higher added value (support, threat hunting, proactive search for indicators of compromise, remediation) and qualitatively improve their analyses. Investigation, like a legal investigation, requires intuition: putting yourself in the attacker's shoes, or changing your angle of attack when the reasoning reaches an impasse. Remediation work also relies heavily on humans because of the strong interactions with the various stakeholders.
Managed SOCs have understood these aspects well. To see it, one only has to look at the quotes for Micro SOC / MSSP offerings: a very attractive entry price with automated features and 24/7 processing.
What is most expensive is generally the human work that does not appear directly: the exchanges with the customer during the build of the EDR deployment, asking them the right questions, what is feasible in the event of a cyberattack, all personalised for their organisation or sector of activity; the initial processing of false positives; and the human time spent, and generally billed, on incident response. In the end, the managed SOC has a bright future thanks to AI, because humans are truly the added value, focused on supporting companies that need to be reassured and better prepared for cyberattacks.
Humans will always have their place in the SOC, even if AI influences the PPT triad (certainly to a greater degree than previous technological developments, new regulatory requirements, or changes of posture). In conclusion, collaboration between humans and "intelligences" is essential to getting the most out of AI.
"We need to rethink work, continue learning throughout our lives, and adapt to innovations."