AI SOC Automation isn't the right problem to solve
We should focus on better detection engineering
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
Another week, another post about AI. For readers who are new or haven't been following recently: I've been writing more about the intersection of AI and security. There are several interesting topics to explore, and I believe there aren't enough substantial conversations about how AI and security can coexist productively.
In a previous newsletter, I mentioned that many companies are working on applying AI to the SOC, and that was a topic for another newsletter. I’m delivering on that promise here!
I’ve spent some time thinking about the SOC and how AI could possibly modernize it. I have also talked to the founders of some AI SOC Analyst companies, such as Prophet Security, Culminate, and Dropzone AI, to learn more about their products and thinking.
My thoughts on security operations centers (SOCs)
Before I dive deeper: I'm still pretty bearish on the concept of a security operations center. I've written in the past that most companies should probably have much smaller SOCs (or no SOC at all!). Most companies are likely fine with an MDR (or MSSP) plus some custom rules. Even the companies that need a more built-out SOC won't build the traditional kind, i.e. a room of analysts watching queues and triaging events. It would focus more on detection engineering and have fewer analysts, which is closer to how modern data teams operate.
In other words, SOCs are already moving toward having fewer humans doing operational work and focusing more on automated tooling. As a result, in the next few years, we will see two trends for SOCs.
The up-and-coming companies, e.g. tech startups, will likely not build a SOC. A SOC is too much of a risk: it is a large investment that takes years to mature before you can see measurable ROI. On top of that, SOCs vary widely in effectiveness. The money is better spent elsewhere!
I've predicted that cybersecurity is going to face a reckoning around efficiency, and for companies with existing SOCs, the SOC is an obvious candidate for efficiency gains. As a result, security leaders will likely outsource tier 1 or even tier 2 support to an MDR or MSSP. We are already seeing this with the rise of Expel and Arctic Wolf, as well as companies using CrowdStrike's endpoint MDR offering. The insight here is that these providers are more efficient at recognizing false positives and the like, because they see the same alerts across their other customers. Unless you're a very large company, you are unlikely to be the first target of a new attack. The in-house SOC will focus on more advanced threats, and over time I would expect that work to be replaced by detection engineering tools built around custom detections specific to your business and product. As a result, the size of the in-house SOC would shrink.
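To make the "detection engineering, run like a data team" idea concrete, here is an added example of what a custom, business-specific detection looks like when it is treated as code rather than as a rule someone clicks together in a console. This is not code from the post or from any of the vendors mentioned; the event schema, the field names (`src_ip`, `user`, `path`, `auth_method`), the corporate IP ranges and the two detection ideas (an internal admin API reached from outside the corporate network, and a service account authenticating with something other than an API key) are all assumptions chosen for illustration, and the log events are constructed inline. The point is the shape: every detection carries its own true-positive and true-negative cases, so it can be unit-tested in CI before it ever pages an analyst.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

# One normalized log event; field names are an assumption for this example.
Event = Dict[str, object]

# Hypothetical corporate egress ranges (RFC 1918 plus a TEST-NET block).
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


def is_corp_ip(ip: str) -> bool:
    """True if the source address falls inside an assumed corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


@dataclass
class Detection:
    """A detection-as-code unit: logic plus the cases that prove it."""
    name: str
    description: str
    match: Callable[[Event], bool]
    true_positives: List[Event] = field(default_factory=list)
    true_negatives: List[Event] = field(default_factory=list)

    def self_test(self) -> bool:
        """Every TP must fire and no TN may fire; run this in CI."""
        return all(self.match(e) for e in self.true_positives) and not any(
            self.match(e) for e in self.true_negatives
        )


def admin_api_from_outside(e: Event) -> bool:
    # Business-specific assumption: /internal/admin/ is only reachable via corp egress.
    return str(e.get("path", "")).startswith("/internal/admin/") and not is_corp_ip(str(e["src_ip"]))


def service_account_not_api_key(e: Event) -> bool:
    # Assumption: service accounts are named svc-* and must only use API keys.
    return str(e.get("user", "")).startswith("svc-") and e.get("auth_method") != "api_key"


DETECTIONS: List[Detection] = [
    Detection(
        name="admin_api_from_outside",
        description="Internal admin API called from a non-corporate source IP",
        match=admin_api_from_outside,
        true_positives=[{"src_ip": "198.51.100.7", "user": "alice", "path": "/internal/admin/users", "auth_method": "sso"}],
        true_negatives=[
            {"src_ip": "10.1.2.3", "user": "alice", "path": "/internal/admin/users", "auth_method": "sso"},
            {"src_ip": "198.51.100.7", "user": "bob", "path": "/api/invoices", "auth_method": "sso"},
        ],
    ),
    Detection(
        name="service_account_interactive_login",
        description="Service account authenticated with something other than an API key",
        match=service_account_not_api_key,
        true_positives=[{"src_ip": "10.1.2.3", "user": "svc-billing", "path": "/api/invoices", "auth_method": "password"}],
        true_negatives=[{"src_ip": "10.1.2.3", "user": "svc-billing", "path": "/api/invoices", "auth_method": "api_key"}],
    ),
]

# Constructed sample events standing in for a slice of an access log.
SAMPLE_EVENTS: List[Event] = [
    {"ts": "2024-01-01T10:00:00Z", "src_ip": "10.1.2.3", "user": "alice", "path": "/internal/admin/users", "auth_method": "sso"},
    {"ts": "2024-01-01T10:00:05Z", "src_ip": "198.51.100.7", "user": "alice", "path": "/internal/admin/users", "auth_method": "sso"},
    {"ts": "2024-01-01T10:00:09Z", "src_ip": "10.1.2.3", "user": "svc-billing", "path": "/api/invoices", "auth_method": "password"},
    {"ts": "2024-01-01T10:00:12Z", "src_ip": "10.1.2.3", "user": "svc-billing", "path": "/api/invoices", "auth_method": "api_key"},
    {"ts": "2024-01-01T10:00:20Z", "src_ip": "198.51.100.7", "user": "bob", "path": "/api/invoices", "auth_method": "sso"},
]


def validate_detections(detections: List[Detection]) -> List[str]:
    """Return the names of detections whose embedded test cases fail."""
    return [d.name for d in detections if not d.self_test()]


def run_detections(detections: List[Detection], events: List[Event]) -> Dict[str, List[Event]]:
    """Evaluate every detection over the event stream; return hits keyed by detection name."""
    hits: Dict[str, List[Event]] = {}
    for d in detections:
        matched = [e for e in events if d.match(e)]
        if matched:
            hits[d.name] = matched
    return hits


if __name__ == "__main__":
    failing = validate_detections(DETECTIONS)
    if failing:
        raise SystemExit(f"detection self-tests failed: {failing}")
    for name, events in run_detections(DETECTIONS, SAMPLE_EVENTS).items():
        for e in events:
            print(f"[{name}] {e['ts']} user={e['user']} src={e['src_ip']} path={e['path']}")
```

Over the constructed events, only the second and third lines fire (one hit per detection); the corporate-IP admin call, the API-key service login and the external call to a public path stay quiet. The design choice worth copying is that the false-positive cases live next to the rule and gate its deployment, which is what lets a small team maintain many business-specific detections without a large tier-1 queue to absorb the noise.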
What’s the problem with AI SOC agents?