How Close Will We Get to an Autonomous SOC in the Next Decade?

If you were to evaluate the technology trends that shaped the past decade, the introduction of autonomous vehicles would likely stand out as one of the more distinguished achievements that promises to reshape modern society.

While the concept of autonomous vehicles is at once thrilling - and perhaps a little frightening - the application of self-governing systems is also taking root in other aspects across the technology landscape: most notably in the domain of cybersecurity.

As with any new technology that aims to disrupt the status quo, the notion of automated systems will typically elicit fear and uncertainty among rank-and-file workers who worry that automated systems will eventually replace them. While this might indeed be true for industries like manufacturing and transportation, it’s highly unlikely that this will have much, if any, impact in the cybersecurity market, where skilled workers remain in short supply.

Rather, the autonomous SOC holds the potential to allow security professionals to spend significantly less time performing redundant tasks and more of their time focused on higher value, strategic initiatives.

Alleviating Threat Alert Fatigue

The modern SOC was designed to fuse the many diffuse streams of data into a single place, giving security analysts a comprehensive and unified overview of a company’s systems. Those data sources typically include network logs, an incident detection and response system, web application firewall data, internal reports, antivirus, and many more.

Large companies can easily have dozens of data sources. One survey by FireEye polled C-level security executives at large enterprises worldwide and found that 37% of respondents receive more than 10,000 alerts each month. Of those alerts, 52% were false positives, and 64% were redundant alerts.

While the Security Information and Event Management (SIEM) category of tools has emerged to help security teams to triage and prioritize threat response, the sheer volume of alerts continues to overwhelm teams.

Beyond the volume of alerts is the time spent investigating each one. The CIO of Dalton State College, one of 28 colleges and universities in the University System of Georgia, estimates that their security analysts spend between 45 minutes and an hour remediating each suspected phishing email. Clearly, this is not a scalable approach.

Of course, this is precisely what threat actors are counting on – that amidst all this noise, their attempted incursion will be missed. The ability for Artificial Intelligence (AI) and Machine Learning (ML) technologies to pattern match at scale will undoubtedly go a long way towards relieving this burden.

However, it remains a relatively immature technology whose decisions are often rendered in a ‘black box’, making it difficult for security leaders to gain full trust in it.

On the flip side, cyber-criminals are themselves adopting AI technologies to build and deploy more sophisticated threats such as polymorphic phishing emails that automatically implement slight and random changes to an email’s artifacts in order to evade detection.

So while we are well on the road towards the autonomic holy land, one in which real-time and defensible decisions are automatically executed, we should pause and ask ourselves: what will the autonomous SOC look like and how close are we to realizing its true potential?

Preparing for the Autonomic SOC Journey

When one imagines the autonomous SOC of the future, they might envision a scene from a sci-fi movie in which a windowless control room is covered in wall-to-wall monitors with just a single worker behind the controls. Of course, those of us who have worked in a SOC understand that this tidy model will likely never comport with reality.

No matter how much care you take to bury the cords behind the workstations, the law of entropy most certainly applies. Security is a messy business.

However, the autonomous SOC doesn’t necessarily mean that every single process is fully automated. At least not in the near term. Rather, it means automating all of the repetitive and thankless tasks that consume so much of the security analyst’s working day. To this extent, we have already made significant progress.

As noted, attackers are increasingly using ML technologies to design and deploy polymorphic attacks to sidestep conventional signature-based detection engines. Conversely, SOC teams at the higher end of the maturity spectrum are applying technologies such as machine vision to identify these types of attacks, and can do so without requiring their security analysts to manually write rule after rule following each attack.

The journey towards the autonomic SOC will likewise be a long and challenging one. However, there are a few foundational first steps that SOC teams can establish now to set the stage for the future. These include:

  • Defining a Framework for Threat Intelligence Sharing: The ability to share and integrate threat intelligence in real-time between both systems and people is an essential criterion for a self-governing SOC, enabling an autonomic system to learn and adapt while minimizing the need for human intervention.
  • A Self Learning & Self Managing IT Infrastructure: The autonomic SOC must be integrated across facets of your IT infrastructure and should include feedback loops between all of the products and technologies in use. For instance, when a new threat is discovered in email, it should automatically relay that intelligence to the firewall so that it can automatically integrate this information to identify similar future types of attacks.
  • Embed AI/ML Capabilities Across the Technology Stack: While AI and ML technologies are still relatively young and unproven, they will undoubtedly grow more powerful and capable over time. But that doesn’t mean you should wait until these technologies are fully baked before implementing them. Start small with well-defined objectives and think about how embedded AI/ML capabilities can be deployed across any aspect of your network that generates large amounts of data that is used to inform your threat intelligence function.
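The first two steps above, real-time intelligence sharing and feedback loops between controls, are easier to reason about with a concrete sketch. The following is an added example, not code from the article or from any product it mentions: an email-gateway detection is turned into an indicator, published on a small intelligence bus, and pushed to a firewall blocklist only when its confidence (raised by corroboration from a second control) clears a threshold; anything weaker waits in an analyst review queue. It also drops the same alert reported twice by the same source, the "redundant alert" problem the survey figures above describe. All class names, thresholds and the sample detections are constructed for illustration.

```python
# Added example: a minimal feedback loop between an email gateway and a
# firewall via a shared intelligence bus. Names, thresholds and sample
# detections are constructed for illustration; not from any real product.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str          # "domain" or "ip"
    value: str
    source: str        # which control reported it
    confidence: float  # 0.0 .. 1.0, as assigned by the reporting control


class Firewall:
    """Stand-in for a perimeter control that consumes shared intelligence."""

    def __init__(self):
        self.blocklist = set()

    def apply(self, ind):
        if ind.kind in ("domain", "ip"):
            self.blocklist.add(ind.value)


class IntelBus:
    """Routes indicators to subscribed controls.

    A report is dropped when the same source already reported the same
    indicator (a redundant alert). Reports from distinct sources corroborate
    each other and raise the effective confidence; once it clears the
    threshold the indicator is applied automatically, otherwise it is queued
    for human review.
    """

    def __init__(self, auto_threshold=0.8, corroboration_bonus=0.15):
        self.auto_threshold = auto_threshold
        self.bonus = corroboration_bonus
        self.subscribers = []
        self.reports = defaultdict(list)  # (kind, value) -> [Indicator]
        self.review_queue = {}            # (kind, value) -> latest Indicator

    def subscribe(self, control):
        self.subscribers.append(control)

    def effective_confidence(self, key):
        reports = self.reports[key]
        best = max(r.confidence for r in reports)
        return min(1.0, best + self.bonus * (len(reports) - 1))

    def publish(self, ind):
        key = (ind.kind, ind.value)
        if any(r.source == ind.source for r in self.reports[key]):
            return "duplicate"
        self.reports[key].append(ind)
        if self.effective_confidence(key) >= self.auto_threshold:
            self.review_queue.pop(key, None)  # no longer needs an analyst
            for control in self.subscribers:
                control.apply(ind)
            return "applied"
        self.review_queue[key] = ind
        return "queued"


# Constructed sample detections, shaped like what an email gateway and a web
# proxy might emit. The second line is the first alert reported again.
SAMPLE_DETECTIONS = [
    {"source": "email-gw", "verdict": "phish", "domain": "login-example.invalid", "score": 0.92},
    {"source": "email-gw", "verdict": "phish", "domain": "login-example.invalid", "score": 0.92},
    {"source": "email-gw", "verdict": "phish", "domain": "newsletter.example", "score": 0.55},
    {"source": "email-gw", "verdict": "clean", "domain": "corp.example", "score": 0.05},
    {"source": "web-proxy", "verdict": "malicious", "domain": "newsletter.example", "score": 0.70},
]


def indicators_from(detections):
    """Extract a domain indicator from every non-clean detection."""
    for d in detections:
        if d["verdict"] != "clean":
            yield Indicator("domain", d["domain"], d["source"], d["score"])


def run_feedback_loop(detections=SAMPLE_DETECTIONS):
    """Return (per-indicator outcomes, firewall blocklist, queued values)."""
    fw = Firewall()
    bus = IntelBus()
    bus.subscribe(fw)
    outcomes = [bus.publish(i) for i in indicators_from(detections)]
    return outcomes, sorted(fw.blocklist), sorted(k[1] for k in bus.review_queue)


if __name__ == "__main__":
    print(run_feedback_loop())
```

With the constructed detections, the high-scoring phishing domain is blocked immediately, its repeat report is discarded, and the low-scoring one sits in the review queue until the web proxy independently reports it, at which point the combined confidence crosses the threshold and the firewall is updated without an analyst touching it. The threshold and corroboration bonus are the knobs a team would tune as trust in the automated decisions grows.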

So when exactly will we realize the promise of the autonomic SOC? While it will likely be some time before this vision fully comes into focus, it’s never too early to start planning for the journey ahead.
