For many years, security operations centers (SOCs) have struggled to identify and respond to threats. These difficulties include, but are not limited to, separating real security signals from noise, a lack of end-to-end automation, workflow bottlenecks, alert fatigue, and insufficient context for alert investigation.
Cyber threat management
Experts have been saying for years that security operations, or cyber threat management in any form, need to evolve significantly, much like commercial airlines did in the middle of the 20th century. Pilots now intervene only in certain instances, while machines fly commercial airplanes. In a similar vein, the new SOC would operate autonomously with little assistance from humans.
After that, the SOC analysts would take on the role of SOC pilots, deciding when to get engaged while the virtual machine managed routine tasks.
What is threat management?
Cybersecurity experts employ threat management as a procedure to stop cyberattacks, identify cyberthreats, and address security events.
Why is threat management important?
Information fragmentation affects the majority of security teams and can result in blind spots in security operations. Furthermore, blind spots undermine a team’s capacity to recognize, defend against, and quickly address security problems wherever they may be found.
Today's risks go beyond what antivirus software can manage: insider threats, mutating malware, advanced persistent threats (APTs), and vulnerabilities related to cloud-based computing services. Businesses are continuously confronted with new, complicated hazards and security threats due to the ever-disappearing perimeter of a protected IT infrastructure and remote workforce.
Security experts operate under the presumption that breaches have happened and will happen again in light of the changing threat landscape and the move to the cloud.
A cyberthreat management system that is enhanced with automation and informed by AI can assist in thwarting the sophisticated attacks that cybercriminals launch today. It provides security teams with the visibility they require to be successful. Security teams may detect data at risk and vulnerabilities across networks on thousands of endpoints and between clouds by combining security data.
Within the field of cybersecurity, internal threats pose a special risk. Additionally, organizations incur higher costs from insider attacks than from external threats.
Using human SOC pilots to address uncertainties
Cybersecurity is unique in its struggle with the mysterious “0-day” phenomenon, which refers to recently discovered flaws in hardware or software that the security community was unaware of. This idea captures the uncertainty of when the next danger may materialize, as well as its source, timing, and approach.
SOC pilots, or human analysts, take over when uncertainties arise and use their knowledge to neutralize and fight these new risks.
Why doesn’t IBM already have SOCs that require little human involvement to operate? Security software providers have been incorporating automation into their solutions for years. To speed up and improve the effectiveness of threat detection and response, SOC teams have pushed the limits of automation and occasionally created complex, in-house solutions. However, SOCs require more than just automation. They require digital independence.
Human insight meets AI: Moving from automation to autonomy
Human decision-making can be replicated by artificial intelligence (AI). This technology has the potential to revolutionize cybersecurity operations, especially in everyday security operations.
Machine learning (ML) and other AI capabilities are already used in threat detection. Thanks to integration by key software providers, ML is used by a variety of SOC technologies for duties ranging from recognizing threats to classifying alarms. However, there are several limitations to automating security processes.
The majority of security operations teams have engagement rules that demand some level of confidence before an automated action is carried out. Because of this confidence requirement, automation is most common in closed systems such as endpoint detection and response (EDR) systems. The console and the endpoint software both know all the pertinent details and can therefore automate responses efficiently.
A real-world example is given by a security expert at a significant hyperscaler. Because their organisation has a thorough grasp of every technology and asset in its stack, they need little help from the SOC. Since its configuration essentially operates as a closed system, a great deal of automation is possible.
The situation is different for companies without such closed systems, especially those that use security information and event management (SIEM) systems. Automation in this case is managed by a security orchestration, automation, and response (SOAR) application playbook.
For example, an auto-response plan may be set up to quarantine a host if it isn’t a server and is engaging in known harmful activity. However, without knowing the asset’s identity (for example, whether it’s a workstation or a vital server), this automation cannot start.
When it comes to automating security activities, context is crucial, which is where human SOC analysts excel. They offer the context required for automation to function well in open systems through human, “swivel chair” data collection, judgement, and analysis. The new paradigm of multi-agentic autonomous operations must replace swivel-chair operations.
Agentic AI drives true autonomy
The multi-agentic, autonomous framework comes next. IBM cybersecurity services use AI to recognize context, collect information, make decisions, and either let the automation run to completion or manage the automation fully, even bypassing the SOAR.
The autonomous threat operations machine (ATOM), the digital labour orchestrator, creates a task list for an alert’s investigation. ATOM uses other AI agents to collect missing data if it finds that the asset context is insufficient.
In keeping with the swivel-chair example, ATOM takes action when it discovers a missing asset context. To obtain that context, it actively engages with agents connected to exposure management, vulnerability management, configuration management databases (CMDBs), and extended detection and response (XDR) or EDR systems.
After that, ATOM infers that a particular asset is a workstation because it matches typical workstation patterns based on its hostname and network location. This kind of reasoning is identical to the logic used by a human analyst.
Following the contextual decision, ATOM creates a response specific to that particular alert. For instance, it can decide whether a process should return to the SOAR system or whether an application programming interface (API) call to an EDR console is the best option.
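The quarantine rule from the SOAR example and the context-gathering steps described for ATOM can be sketched as a small decision function. This is an added illustration, not IBM's or ATOM's code: the inventories, hostname pattern, subnet, confidence values and action names are all hypothetical, and choosing the EDR API only when the EDR inventory knows the host is an assumption made for the example.

```python
import ipaddress
import re

# Constructed sample data: stand-ins for a CMDB and an EDR inventory (hypothetical).
CMDB = {"db-prod-01": "server"}
EDR_INVENTORY = {"lt-4471": "workstation"}
# Assumed site conventions, used only when no inventory source knows the host.
WORKSTATION_NAME = re.compile(r"^(lt|ws|pc)-\d+$", re.IGNORECASE)
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def resolve_asset_type(host, ip):
    """Return (asset_type, source, confidence); asset_type is None if unknown."""
    for source, inventory in (("cmdb", CMDB), ("edr", EDR_INVENTORY)):
        if host.lower() in inventory:
            return inventory[host.lower()], source, 1.0
    # Fall back to inference from hostname and network location.
    name_hit = bool(WORKSTATION_NAME.match(host))
    net_hit = any(ipaddress.ip_address(ip) in n for n in WORKSTATION_NETS)
    if name_hit and net_hit:
        return "workstation", "inferred", 0.8
    return None, "none", 0.0

def decide_response(alert, min_confidence=0.75):
    """Apply the playbook rule: auto-quarantine only known-malicious non-servers."""
    asset_type, source, conf = resolve_asset_type(alert["host"], alert["ip"])
    if asset_type is None or conf < min_confidence:
        action = "escalate_to_analyst"        # context missing: a human decides
    elif not alert["known_malicious"]:
        action = "continue_investigation"
    elif asset_type == "server":
        action = "escalate_to_analyst"        # never auto-isolate a server
    elif source == "edr":
        action = "edr_api_quarantine"         # host is known to the EDR console
    else:
        action = "soar_quarantine_playbook"   # hand back to the SOAR playbook
    return {"host": alert["host"], "asset_type": asset_type,
            "source": source, "confidence": conf, "action": action}

# Constructed alerts, not taken from any real environment.
ALERTS = [
    {"host": "lt-4471", "ip": "10.20.3.7", "known_malicious": True},
    {"host": "WS-0912", "ip": "10.20.8.15", "known_malicious": True},
    {"host": "db-prod-01", "ip": "10.50.1.4", "known_malicious": True},
    {"host": "ip-10-50-9-9", "ip": "10.50.9.9", "known_malicious": True},
]

if __name__ == "__main__":
    for a in ALERTS:
        print(decide_response(a))
```

The fourth alert shows the failure mode the text describes: with no inventory record and no matching pattern, the asset type stays unknown and the automation does not start.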
It’s not yet clear whether AI will enable SOC staff to take over the pilot role. However, compared to other technologies used at IBM, coordinated multi-agentic digital labour skills are more in line with what is required for autonomous SOC operations. Although the complete shift to fully autonomous SOCs has not yet occurred, the development of agentic AI has made substantial progress towards this effective SOC architecture with minimal human interaction.
This significant shift has the potential to completely transform threat management by freeing security personnel from tedious activities and allowing them to focus on strategic projects. We can anticipate a time when SOCs are not only automated but fully autonomous, prepared to take off and leave the routine to the machines as AI develops further.