How AI-driven threat detection and response can revolutionise security operations centres
If there is one thing to take away from the security breaches of the last year, from humanitarian organisation the Red Cross to video game manufacturer Bandai Namco, it's that the attackers are winning.
It's clear we need new ways of dealing with an increasingly complex threat landscape. Security vendors must be held accountable for reducing detection and response times so that defenders can stop attacks before they escalate into major incidents. With sophisticated attacks on the rise, there is more risk than ever that a single threat will have huge and very public consequences.
Ditching the primitive approach
Many companies still take the primitive approach to cybersecurity: an "on-call" SOC team waiting for an alert to go off. But once the alarm has sounded, it's generally already too late to stop an attacker, who by then has access to your systems. As well as taking the old-fashioned approach, much of the technology SOCs currently use is outdated and inefficient. Unsurprisingly, Vectra's recent Security Leaders Research Report shows 76% of security decision-makers admit they've bought tools that failed to live up to their promise. For instance, a typical detection process collects as many log files as possible and analyses them rapidly to see if something bad is happening, generating thousands of alerts. A basic rule in the central monitoring system will flag, say, more than four failed login attempts followed by one successful login as a bad sign. The trouble is that such a rule fires just as readily on a legitimate user who has mistyped their password as on a real account takeover, and on its own it has no way of telling the two apart.
Often, instead of dealing with real threats, SOC operators spend a lot of time sifting through mountains of meaningless alerts. True positives get lost in the volume, and the data sources behind these rules rarely provide enough visibility into what is happening inside the network. On top of this, the model assumes you already know what an attack looks like and have the data to recognise it, which leaves new or emerging threat vectors uncovered. Unsurprisingly, this approach leads to alert fatigue, and fatigued analysts end up overlooking or dismissing serious threats.
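To make the alert-volume problem concrete, here is an added example (not code from the original article, and not Vectra's) that implements the basic "more than four failures, then a success" rule over a handful of constructed sshd-style log lines, then adds a simple scoring pass of the kind that alert prioritisation is meant to provide. The log format, the threshold of four and the scoring weights are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log for the example; not from any real system.
# alice mistypes her password five times and then gets in from the same host;
# svc-backup sees eight failures from eight different addresses in nine seconds,
# then a success from a ninth; bob fails once and then logs in.
SAMPLE_LOG = """\
2023-03-01T09:00:01 sshd: Failed password for alice from 10.0.0.5
2023-03-01T09:00:04 sshd: Failed password for alice from 10.0.0.5
2023-03-01T09:00:07 sshd: Failed password for alice from 10.0.0.5
2023-03-01T09:00:10 sshd: Failed password for alice from 10.0.0.5
2023-03-01T09:00:13 sshd: Failed password for alice from 10.0.0.5
2023-03-01T09:00:20 sshd: Accepted password for alice from 10.0.0.5
2023-03-01T09:10:00 sshd: Failed password for svc-backup from 203.0.113.7
2023-03-01T09:10:01 sshd: Failed password for svc-backup from 203.0.113.8
2023-03-01T09:10:02 sshd: Failed password for svc-backup from 203.0.113.9
2023-03-01T09:10:03 sshd: Failed password for svc-backup from 203.0.113.10
2023-03-01T09:10:04 sshd: Failed password for svc-backup from 203.0.113.11
2023-03-01T09:10:05 sshd: Failed password for svc-backup from 203.0.113.12
2023-03-01T09:10:06 sshd: Failed password for svc-backup from 203.0.113.13
2023-03-01T09:10:07 sshd: Failed password for svc-backup from 203.0.113.14
2023-03-01T09:10:09 sshd: Accepted password for svc-backup from 203.0.113.42
2023-03-01T09:30:00 sshd: Failed password for bob from 10.0.0.9
2023-03-01T09:30:05 sshd: Accepted password for bob from 10.0.0.9
"""

# Assumed line format for the example; real sshd lines carry more fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn log lines into events; lines the rule does not understand are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "ok": m["outcome"] == "Accepted",
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def naive_rule(events, threshold=4):
    """The basic rule from the article: alert when an account logs in
    successfully after more than `threshold` failures since its last success.
    It cannot tell a forgetful user from an attacker."""
    pending = defaultdict(list)  # user -> failures since that user's last success
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            pending[ev["user"]].append(ev)
            continue
        failures = pending.pop(ev["user"], [])
        if len(failures) > threshold:
            alerts.append({"user": ev["user"], "success": ev, "failures": failures})
    return alerts


def score(alert):
    """Assumed scoring weights for the example: more failures, more distinct
    sources, machine-speed attempts and a success from a source that never
    failed all push an alert up the queue."""
    fails = alert["failures"]
    sources = {f["ip"] for f in fails}
    span = (alert["success"]["ts"] - fails[0]["ts"]).total_seconds()
    s = len(fails)
    s += 10 * (len(sources) - 1)            # distributed guessing across hosts
    if alert["success"]["ip"] not in sources:
        s += 20                             # success from yet another address
    if span > 0 and len(fails) / span > 0.5:
        s += 10                             # faster than a human types
    return s


def prioritised(alerts):
    """Highest-scoring alerts first; this is what an analyst should see at the top."""
    return sorted(alerts, key=score, reverse=True)


if __name__ == "__main__":
    for a in prioritised(naive_rule(parse(SAMPLE_LOG))):
        print(f"{score(a):4d}  {a['user']:12s} {len(a['failures'])} failures, "
              f"{len({f['ip'] for f in a['failures']})} source(s), "
              f"success from {a['success']['ip']}")
```

The naive rule raises two alerts and treats them identically: alice, who fat-fingered her password five times, and svc-backup, which was hit from eight addresses in nine seconds and then accessed from a ninth. The scoring pass ranks the second far above the first, which is the whole point of prioritisation. Note that this is still a hand-written heuristic rather than anything learned; a per-account baseline of usual source addresses and login times would be the obvious next step, and it is exactly the kind of context a single-threshold rule never has.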
Attacking critical infrastructure
For some sectors more than others, such as transport, healthcare, or oil and gas, overloading security analysts with low-fidelity alerts can have significant consequences for human wellbeing and society. By infiltrating an organisation's digital systems, hackers can gain control of physical processes, disrupt vital services and damage specialised equipment without any 'physical' attack. Critical infrastructure attacks have skyrocketed this year, particularly since the beginning of the Russia-Ukraine conflict, where we've seen countless incidents targeting Ukrainian telecoms providers, energy facilities and more.
But it's not just major events like Russia-Ukraine that have made life harder for security professionals. More broadly, the attack surface has widened in recent years thanks to cloud adoption and mass hybrid working, which is a serious problem for organisations that have traditionally under-invested in cybersecurity. As more incidents occur, whether against container ships or freight planes, hackers gain a better understanding of what they can do once they've taken over a critical system. As threats continue to evolve in sophistication and frequency, SOC teams need to be ever more resourceful in identifying and responding to them, particularly when 69% of IT security leaders think they've already been breached and don't even know about it.
Unsurprisingly, retaining skilled analysts in this pressure-cooker environment is becoming increasingly difficult. SOCs are forced to do more with less and are continuously putting out fires. Research shows half of security leaders feel the pressure they are under is reaching breaking point. This exacerbates the existing global skills shortage, and SOCs are now at war over analysts, with high-performing staff frequently poached by competitors offering higher salaries.
In a perfect storm for cybercriminals, organisations are now struggling to plug security gaps while the volume of attacks increases. Enter AI. Sophisticated AI-driven security solutions can effectively be employed as an extra member of the SOC team, researching and analysing threats to give operators the information they need to neutralise them in real time. By automating routine and repetitive processes and prioritising the alerts that matter, security teams can dedicate their time to handling genuine threats.
Evolve, adapt, overcome
Clearly, the old ways aren't working against modern threats, and that's why we need to completely change the game in dealing with modern attackers. SOC operators are fighting an uphill battle to perform effectively because of both a global skills shortage and outdated security tools and approaches. Given what is at stake, analysts need technology that can spot the earliest signs of attacker activity and stop ransomware long before exfiltration or encryption.
Organisations must evolve their security strategies now. This means replacing legacy tools with AI-driven solutions that fit data-intensive security models, so teams can be more effective at tackling new threats and securing complex environments. Organisations must be able to use AI-powered solutions to detect, prioritise, investigate and respond to cyber threats early, before they become full-scale attacks. By using AI to sift through the mountain of alerts and surface the riskiest behaviours, organisations can reduce the burden on security teams and cut the amount of dull, repetitive work. This lets overburdened analysts focus on what matters: halting attacks before they become breaches.