The Journey to Autonomous SOC: The Current State of Automation and What’s Next

What does the future of autonomous security operations centers hold?

The Journey to Autonomous SOC: The Current State of Automation and What’s Next

January 25, 2023

To focus on the attacks that matter most, security operations centers need to transition to become more autonomous. Gunter Ollmann, CTO at cybersecurity firm Devo, discusses the future of the autonomous SOC and what technology is needed to achieve it.

Security operations centers (SOCs) are facing the perfect storm. Lack of visibility into complex operating environments, inability to analyze cloud-scale volumes of data and the struggle to enhance team performance are all lowering productivity and creating higher security risks. According to the 2022 Devo SOC Performance ReportOpens a new window , only 26% of respondents rated their SOC as being “very effective.”

In today’s fast-evolving threat landscape with increased volumes of sophisticated attacks, ineffective SOCs are opening the door to cyber criminals. According to industry researchOpens a new window , 75% of organizations disclosed at least one ransomware attack in the past year, and more than half of these organizations said they think potential cyber attacks would likely be a disaster for their organization. 

An ineffective SOC places strain on analysts, causing even more cybersecurity talent to burn out and leave their jobs. It leaves businesses’ systems vulnerable to potentially debilitating attacks like data leaks, which could permanently damage a company’s reputational and financial standing. To cut through the noise and focus on the threats that matter most, modern organizations need to transition their SOCs to embrace autonomy.

See More: How Intelligent Automation and AI Address Key Problems Facing the SOC

What Does Autonomy Mean for the SOC?

Over the past decade, cyber attackers have become more sophisticated and creative. The cyber industry has answered by creating more technologies and platforms to detect intrusions or malicious activity. Coupled with increased cyber activity (especially during the work-from-home movement), this led to an explosion of data, coming in at an unsustainable pace for SOCs to deal with effectively. 

Security teams are also ingesting data from an increasing number of sources, including applications, IoT devices, mobile devices, transactions, and the resident cloud environment, just to get visibility on the full attack surface. But even then, it is difficult to see the full picture when that surface is continuously changing.

That’s where autonomy comes in. Some may feel a jolt of apprehension when they think of bringing more automation into the workplace, so it is appropriate to lay out what autonomy really means for the SOC. Despite outdated perceptions, autonomy doesn’t mean replacing humans altogether. An autonomous SOC can holistically understand the full attack story and evolve as its conditions change, continuously learning from situations using artificial intelligence (AI) and data science. It augments analysts with a “second brain” and equips them with an actionable approach. 

This method is ideal for threat investigation. When suspicious activity is detected, the autonomous SOC gathers everything on the attack and generates the context analysts need to detect, isolate, and neutralize the attack quickly and easily without wasting time on irrelevant alerts. It stems from the barrage of information that is currently overwhelming analysts and delivers more purpose and value to the notifications. Therefore, security teams will take those notifications more critically – knowing the intelligent system has already vetted them – and will have the ability to address them with confidence.

The impact this will have on employee bandwidth cannot be overstated. According to Devo’s SOC Performance Report, 71% of security professionals are on the verge of quitting due to a combination of challenges in the SOC, primarily burnout caused by growing workload and information overload, insufficient downtime, lack of tool integration, and alert fatigue. Seventy-eight percent of SOC staff work overtime, working seven hours over their normal working hours each week on average.

When employees are freed from redundant, tedious tasks and have more time to focus on an alert without being constantly pulled in different directions, they can think more critically and creatively about the attack patterns they’re seeing.

How Do We Get There?

Today’s SOCs have not been able to keep up with cyber criminals in terms of technology. Many legacy tools are outdated and do not have the advanced analytics needed to extract value from the amount of data being ingested. At the same time, new government regulations are heightening compliance concerns. A difficult economic forecast is causing chief information security officers and other leaders to fight for every dollar of their SOC budget. A quarter of cybersecurity leaders surveyed in the SOC Performance Report reported pain points associated with limited budgets.

SOCs need to bring in more powerful AI and machine learning (ML)-based automation to build on top of the AI embedded in the existing security stack, allowing analysts to get a full view of threats across the organization’s infrastructure in a way that is more efficient and cost-effective. The sum of these parts provides a guiding light for SOC analysts to follow. An ideal autonomous SOC will have the ability to ingest, correlate, analyze, conceptualize, prioritize, act, resolve, audit, and learn.

An autonomous SOC that delivers on augmenting the analyst to bring greater efficacy to the SOC should be able to provide scalable data collection and powerful analytics through a single dataset without silos or data replication. It should provide autonomous alert investigations and threat hunting utilizing attack-tracing AI, taking on the bulk of the work burdening SOC analysts. Once a detailed, evidence-based narrative of a detected attack is built out, the platform takes action to remediate the attack or alerts an analyst to take action and provide feedback to the AI. This partnership allows the autonomous SOC to learn continuously and become more seamless. 

Those on the ground working day-to-day on a security team are ready to embrace an autonomous SOC. When asked in Devo’s report how organizations can improve the SOC, 37% pointed to ML, advanced analytics, and automation. Additionally, IDC reported in their “Top 10 Predictions for the Future of TrustOpens a new window ” that “by 2026, 30% of large enterprise organizations will migrate to autonomous security operations centers accessed by distributed teams for faster remediation, incident management, and response.” 

Leaders should listen to their teams and turn to the autonomous SOC to streamline operations and support the often overworked and undervalued security teams that work hard to protect a company’s data and the stability of its business. 

What are your thoughts on autonomous SOCs? Share with us on FacebookOpens a new window , TwitterOpens a new window , and LinkedInOpens a new window .

MORE ON SOC (Security Operation Center)

Image Source: Shutterstock

Gunter Ollmann
Gunter Ollmann drives Devo’s product and security strategy; leading product management, security research, data science, and cybersecurity operations teams. He has more than three decades of information security experience from several cybersecurity consulting and research roles. Prior to Devo, Gunter spent more than four years as CSO protecting Azure customers and leading cross-pillar security strategy for the Cloud and AI security groups at Microsoft. Prior to Microsoft, he was CSO at Vectra AI, driving new threat research and innovation into machine learning and AI-based threat detection of insider threats. Gunter also served as chief security strategist at IBM, where he built and led the well-known and highly regarded X-Force team. He previously held chief technology officer roles at cybersecurity companies including NCC Group, IOActive, and Damballa.
Take me to Community
Do you still have questions? Head over to the Spiceworks Community to find answers.