There’s no shortage of cybersecurity tools for today’s Security Operations Centers (SOCs). As it turns out, however, that’s part of the problem in addressing the overwhelming task of monitoring, detecting, and responding to potential threats. This is the hangover from layered security strategies that have evolved as computer environments expanded from mainframes to encompass client-server and now cloud and the edge.
Layered security strategies rely on each layer or system managing its own security. Organizations that follow such strategies typically employ a portfolio of firewalls, threat intelligence systems, intrusion protection systems, network access controls, endpoint protection, and antivirus protection solutions.
If the enterprise were architected like the layers of an onion, that might be fine. But today’s enterprise is a smorgasbord of networks, applications, data, users, and locations. That creates gaps and overlaps that can confound the efforts of security teams who are expected to monitor and respond to alerts across the entire organization.
Typically, organizations have relied on a proliferation of point solutions in the SOC to address new challenges as the environments have changed. A survey of security leaders for Foundry’s Security Priorities Survey 2023 found that over the course of the year, organizations added more security tools, technologies, and services than they retired.
“SOCs have one tool for each point solution and that’s what has gotten us into this mess,” says Shailesh Rao, President of Cortex at Palo Alto Networks. “Attackers are able to get through the gaps among all those point solutions.”
SIEMs are overwhelmed
Central to most SOCs is a security information and event management (SIEM) solution. Intended to provide an enterprise-wide view of network activity, the SIEM aggregates data from multiple sources and applies data analytics to try to identify likely threats.
SOC analysts must configure endpoints and security solutions, create rules aimed at detecting attacks automatically, and review thousands of alerts that tip off the security team that something may be amiss. In today’s enterprise, analysts are likely working non-stop to determine which alerts are real threats and which are false-positive detections. Much of the data feeding into the SIEM can be untrustworthy, and security teams can be overwhelmed by the volume of false positives to the point that they overlook real threats.
“Existing technologies for data analysis in a SOC context are fundamentally software solutions relying on the most optimum database the vendor could find,” says Rao. “That allows you to organize data so that you can comb through it and look for bad things, but today that’s like looking for a needle in a haystack.”
AI-driven platforms that manage the entire security operation centrally can simplify management and provide a more consistent approach against bad actors. Such a platform, coupled with integrated threat intelligence and robust intrusion protection, provides timely responses to emerging threats.
“Now we have machine learning that powers systems to comb through huge datasets to spot the anomalies that indicate a threat,” says Rao. “The old system had people involved at every step of the process, but now, with our AI-powered Cortex XSIAM platform, people’s attention is only called for in the case of the most critical incidents and decisions. The system automates the response and orchestrates changes that need to happen, with the permission of the human experts.”
While it is true that many organizations continue to rely on a multitude of tools, the emergence of AI-powered security operations platforms paves the way for a new approach to security operations. In times when security teams face a growing number of threats and unprecedented complexity, being able to do more with less could be the kind of innovation that we need the most.