AI and automation in the SOC – a CTI-driven perspective

Every security conference I have attended this year had several talks on the application of GenAI and LLMs. The technology itself has enormous potential but will need to mature further to truly add value and deliver on its promises. Last year, I wrote an article on the AI-driven SOC, presenting a SOC architecture utilising AI. This article further explores the application of AI in security operations.

First, we need to understand that this new application of AI in security operations (LLMs and GenAI) is still in its initial stages. If you look at the Gartner hype cycle, cybersecurity AI assistants are still in the innovation trigger stage, expected to reach a productivity plateau in 5-10 years. SOAR is indicated as being obsolete before plateau, which is another discussion for another time.

Gartner SecOps hype cycle 2024

SOCs will start combining the power of GenAI and LLMs with automation to enhance security operations over the next years. Some of these functionalities are already in operation (such as the AI assistant); others may be developed as point solutions, as open-source scripts, or as extensions of existing security platforms.

For this article, a CTI-driven perspective was taken. This approach starts with collecting structured and unstructured CTI. Structured CTI can mostly be processed automatically with existing capabilities, so the automated interpretation of unstructured CTI sources (Twitter feeds, reports, mailing lists, etc.) is the primary focus. The TTPs and IoCs extracted from these sources can be utilized in many different ways, including:

  • Usage for threat modelling purposes. These threat models, and any potential attack paths, can subsequently be used as additional input for detection engineering and validation, as well as threat hunting. (StrideGPT provides an interesting take on AI-driven threat modelling.)
  • Usage in the threat hunting process by generating hunting hypotheses and associated queries.
  • Usage in the detection engineering process by generating detection rules for identified TTPs.
  • Usage in the detection engineering process by generating attack datasets for automated validation in breach & attack simulation tools.
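The extraction step described above, as an added example that is not part of the original article: a deterministic regex baseline (not an LLM) that pulls ATT&CK technique IDs and defanged IoCs out of free text and turns them into hunt leads, which is also useful as a cross-check on what an LLM-based extractor returns. The sample report is constructed, and the telemetry field names (`dest_ip`, `dns_query`, `file_hash`) are hypothetical.

```python
import ipaddress
import re

# Constructed sample of unstructured CTI text (not taken from a real report).
SAMPLE_REPORT = """
Initial access was a spearphishing attachment (T1566.001), followed by
PowerShell execution (T1059.001). C2 went to hxxps://update-check[.]example[.]com/api
and 203[.]0[.]113[.]45. A log excerpt also showed the malformed address 999.1.1.1.
Payload SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

def refang(text):
    """Undo common defanging (hxxp, [.], [:]) so indicators can be validated."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("[:]", ":")

def extract(text):
    """Return de-duplicated ATT&CK technique IDs and IoCs found in free text."""
    clean = refang(text)
    ips = set()
    for candidate in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", clean):
        try:
            ips.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # shaped like an IPv4 address but not a valid one
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", clean)
    return {
        "techniques": sorted(set(re.findall(r"\bT\d{4}(?:\.\d{3})?\b", clean))),
        "ipv4": sorted(ips),
        "domains": sorted({h.lower() for h in hosts}),
        "sha256": sorted(set(re.findall(r"\b[a-fA-F0-9]{64}\b", clean))),
    }

def hunting_leads(found):
    """Turn extracted items into hunt leads for analyst review.
    The telemetry field names are hypothetical; map them to your own schema."""
    leads = [{"kind": "ttp", "value": t,
              "hypothesis": f"Activity matching ATT&CK {t} is present in our telemetry"}
             for t in found["techniques"]]
    for field, key in (("dest_ip", "ipv4"), ("dns_query", "domains"), ("file_hash", "sha256")):
        leads += [{"kind": "ioc", "field": field, "value": v,
                   "hypothesis": f"{field} == {v} was observed in the retention window"}
                  for v in found[key]]
    return leads

if __name__ == "__main__":
    for lead in hunting_leads(extract(SAMPLE_REPORT)):
        print(lead)
```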

Subsequently, the generated detection rules can be used to generate automation playbooks, which in turn can be used for automation purposes in security monitoring and incident response. For security monitoring, the SOC analyst can be supported by AI through alert analysis, results interpretation, and even automated chatting with employees, asking the owner of an account for more information on certain observed behaviour to add to the investigation.

This figure shows the combination of automation and AI to augment SOC processes from a CTI perspective.

Automation and AI-augmented SOC process architecture

Note that this is not intended as an extensive overview of all possibilities, but rather meant as a way to think about how AI and automation can be used to enhance SOC services. What is most important here is that automation and AI are complementary in this setup. Both are required to maximize SOC performance. Also note that there is a certain level of maturity required to make use of these technologies properly. Automation works on top of standardization. This requires defined processes and a good understanding of the IT landscape in the organisation. Additionally, threat landscaping will still be necessary to determine what is most relevant to your organisation.

Making the step towards a more modernized SOC that makes use of these technologies may prove difficult. Having data scientists in your team can be very helpful but is not feasible for many SOCs, especially smaller SOCs. And because many of these technologies are still bleeding edge, the results are not always reliable. The SOC should make a conscious choice to either:

  • Be an early adopter. Accept the unreliability of the bleeding edge and invest time and effort into adopting and adapting these technologies; or
  • Be a smart follower. Wait for the field to mature and adopt when technologies become proven technologies (or come as extensions of your existing platforms). This will delay the advantages that these innovative technologies will bring, but also avoid unnecessary investments.

What the right option is for your SOC depends entirely on goals, ambitions, SOC size and capacity for change. Choose, but choose wisely. And don’t believe the hype without applying any critical thinking.

A shout-out to Kris Oosthoek, who had a refreshingly realistic take on current AI capabilities at the ONE Conference. GitHub - ksthk/one: One Conference 2024

Pablo Gonzalez

Director @ CBRE | Cybersecurity Leader

1 week

Great article, Rob van Os. Thanks for sharing; it's really helpful.

Lothar H?nsler

CISSP I CISO I IT Security Officer

2 weeks

great visual, Rob van Os

Rob van Os Great job of identifying potential use of AI and automation in the SOC. Do you see all this being executed at the individual tools level, implying that another upgrade cycle for tools or potentially new tools will be needed? Also, what happens if all the individual AIs come up with non-concurring results?

Sushant A Inamdar

Cyber Security Expert - CCSP, CISSP, CRISC, SOC CMM Assessor, PMP, CSM, CDCP, ITIL

1 month

This article is helpful and gives new direction towards developing a modernized SOC roadmap. I think the skilled data scientist role is very critical here (open-source scripts, or as extensions of existing security platforms), who can lead this initiative with other key SOC team members. I suggest, let us develop guidelines and key KPIs for the Data Scientist role. To be an early adopter or smart follower. What do you think?
