Things to consider when building an autonomous SOC


Solutions Review’s Expert Insights series is a collection of contributed articles authored by industry experts in the enterprise software category. Devo’s Gunter Ollmann provides a crash course on Autonomous SOCs, laying the groundwork for what to consider when building an Autonomous SOC.

Today’s threat landscape demands more from IT and security professionals than ever before. Schools have been forced to close due to ransomware attacks, major brands have suffered reputation-damaging data breaches, and the explosion of connected devices has expanded the attack surface. At the same time, cybercriminals are getting smarter and smarter, developing new ways to evade detection software and make money.

As cybercriminals become more creative, the cybersecurity industry is improving and developing innovative solutions to protect businesses. Earlier this year, the FBI turned the tables on the notorious Hive ransomware gang by secretly hacking into its systems, saving more than 300 victims some $130 million in ransom demands. Despite our best efforts, there are still factors that hold us back as an industry and continue to leave organizations vulnerable to cyberattacks. Prevention, monitoring, and mitigation all happen in Security Operations Centers (SOCs), which now face a perfect storm: a lack of visibility into complex operational environments, an inability to analyze cloud-scale volumes of data, and an industry-wide shortage of cybersecurity talent. As a result, security professionals are experiencing widespread burnout and unrealistic workloads, resulting in lower productivity and higher security risk.

Autonomous SOC: Building the Right SOC


Much of the burnout that security personnel face is caused by alert fatigue. When alerts about potential cyberattacks arrive faster than SOC analysts can handle them, analysts work long hours and still miss important threats. To cut through the noise and focus on the attacks that matter most, the SOC must take its cues from cybercriminals and adapt to the current threat landscape. That means we need to start moving towards autonomous SOCs.

Understanding Autonomous SOCs

Autonomous SOCs (ASOCs) consist of artificial intelligence (AI) and/or machine learning (ML) systems that receive all incoming data points and assist in cybersecurity monitoring and mitigation. An ASOC automatically detects suspicious activity, can quickly learn and correlate all available information about an attack, and analyzes the context needed to detect, contain, and neutralize attacks easily and efficiently; that correlated context can be presented to analysts as a list, which makes it well suited to threat research. An ASOC also filters out false positives, allowing analysts to focus on real threats and take immediate action.

An ASOC helps alleviate many of the problems organizations face in their security posture, such as limited resources, overwhelmed analysts, and repetitive, monotonous tasks. The ability of AI and ML to identify patterns and outliers enables analysts to develop actionable plans for prevention and remediation. An ASOC running in the background provides a much-needed additional layer of protection, especially for organizations whose SOCs are understaffed after the recent job cuts across the technology industry.

There are many questions regarding autonomy and the SOC. So, will human analysts be replaced by an ASOC? The short answer is no. Success requires human-machine collaboration, especially when it comes to cybersecurity. An ASOC is constantly evolving as it ingests data and assesses new threats, so a human analyst is always needed to set guardrails and provide feedback. An ASOC is not designed to take the analyst’s job; it is designed to make the analyst’s job easier.

What organizations should consider before investing

The ASOC is not a passing trend; our industry is heading there. IDC predicts that by 2026, 30% of large enterprise organizations will move to an ASOC for faster remediation, incident management, and response. Yet many executives erroneously view the SOC purely as a cost to the company that contributes little to the bottom line, so a move to an ASOC may seem daunting or impractical for some organizations. Proponents of an ASOC plan may face pushback from other members of the organization and will have to justify the investment. The ultimate goal of an ASOC is to extract more value from the tools and workflows at the SOC’s disposal. In the short term, this means SOC analysts burn out less, are more proactive, and stay with the company longer. In the long run, cybersecurity investments save companies money in reputational damage and customer losses in the event of an attack or breach.

Another aspect to consider is timing. Ask yourself, “Is my organization ready for this transition?” Assess SOC maturity and bring SOC analysts and leaders into the conversation. It’s also important to note that the move to an ASOC isn’t necessarily all or nothing; it’s a journey.

With these factors in mind, you can transition smoothly to the autonomous SOC, the future of cybersecurity.

Gunter Ollmann