The human element: ‘Grey matter’ matters in successful SOCs

Security operations centres need insights from experienced operational teams, with AI bringing together the best of all worlds.
By Simon Jefferys, Senior security architect, iOCO.
Johannesburg, 27 Sep 2024

Artificial intelligence (AI) is making inroads into the cyber security space, but ‘grey matter’ still matters more when it comes to running security operations centres (SOCs) that proactively defend, detect and respond to threats.

The human element, comprising experienced and knowledgeable security and operations teams, is crucial for successful SOCs. However, the human element is often lacking, or not deployed to its full potential.

In many modern organisations, we find security leaders with vast amounts of knowledge and experience, but they are typically tired, overworked and spend their time meeting onerous requirements. They may make sound recommendations on building security into systems, but operational teams push back due to time constraints, and business signs off on the risk.

If businesses hire highly-qualified security skills at significant expense, they need to give them the power to drive security.

Balancing humans and technology

While AI and machine learning are being touted as the solution to the cyber security skills gap, these technologies cannot yet replace human experience and knowledge. However, they can take on some of the heavy lifting in the SOC.

Within our own organisation, we are starting to use automation and AI to evaluate current deployments and identify shortcomings − for example, in vulnerability management reports and to assist with things like hardening.

Analytical AI models also offer excellent support in areas such as anomaly detection.

Large language models also offer the potential to ingest complex policies, procedures and tech documents, and summarise them to simplify key requirements. We are currently working to use AI and automation to build frameworks that enhance our detection and alert rules within our SOC.

Because you can’t enable half a million rules in a SIEM, we are reviewing tactics and techniques in previous case studies and other online sources, and using AI to help correlate and aggregate them to build a simplified database of the most pertinent rules.

To date, we have reduced the number of rules by about 20%. We guesstimate that this work could result in a 25% improvement in detection capability and a 25% reduction in rules.
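
As an added illustration of the rule-reduction idea above (not iOCO's tooling or method): a plain greedy weighted set cover stands in for the AI-assisted correlation, keeping a small set of rules that still covers every technique seen in past case studies and listing the techniques no rule covers. The rule names, the rule-to-technique mapping and the case-study data are constructed, and using MITRE ATT&CK technique IDs as the common key is an assumption.

```python
from collections import Counter

# Constructed sample data: detection rule -> ATT&CK technique IDs it maps to.
RULES = {
    "ps_encoded_command": {"T1059.001", "T1027"},
    "ps_download_cradle": {"T1059.001", "T1105"},
    "office_spawns_shell": {"T1566.001", "T1059.001"},
    "lsass_access": {"T1003.001"},
    "lsass_access_legacy": {"T1003.001"},
    "rdp_bruteforce": {"T1110"},
    "certutil_download": {"T1105"},
}

# Constructed sample data: techniques observed in each past case study.
CASE_STUDIES = [
    ["T1566.001", "T1059.001", "T1003.001"],
    ["T1059.001", "T1105", "T1027"],
    ["T1110", "T1003.001", "T1021.001"],
]

def technique_weights(case_studies):
    """Weight each technique by the number of case studies it appears in."""
    weights = Counter()
    for techniques in case_studies:
        weights.update(set(techniques))
    return weights

def coverage_gaps(rules, weights):
    """Techniques seen in case studies that no rule maps to at all."""
    covered = set().union(*rules.values())
    return sorted(t for t in weights if t not in covered)

def select_rules(rules, weights):
    """Greedy weighted set cover: keep the rule adding the most uncovered weight."""
    uncovered = set(weights) & set().union(*rules.values())
    selected = []
    while uncovered:
        def gain(name):
            return sum(weights[t] for t in rules[name] & uncovered)
        best = max(sorted(rules), key=gain)  # sorted() makes ties deterministic
        selected.append(best)
        uncovered -= rules[best]
    return selected

if __name__ == "__main__":
    w = technique_weights(CASE_STUDIES)
    keep = select_rules(RULES, w)
    print("keep:", keep)
    print("review for retirement:", sorted(set(RULES) - set(keep)))
    print("no rule covers:", coverage_gaps(RULES, w))
```

A rule that maps to a technique does not necessarily detect every variant of it, so the rules this leaves out are candidates for analyst review rather than automatic removal.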

Upskilling to enhance security

Skilled security resources are few and far between, so any strong and capable resources should be effectively utilised to provide upskilling and guidance to junior team members. This can be achieved by using strong resources to provide the processes and procedures, as well as a buddy system to support less experienced individuals.

It should be noted that industry is reverting to a requirement for individuals to have broad rather than deep knowledge, as evidenced by qualifications such as CISSP and CISM.

This broad knowledge is important because security teams need to understand business requirements across the board and must know what impacts their actions will have on systems throughout the enterprise.

This does not mean each senior security practitioner needs to know everything – building cross-functional teams and infusing security knowledge into operational teams achieves the same goal.

Finding the right people

Another cyber security skills challenge is that cyber security is well known to be a lucrative career. As a result, many people are entering the profession for the money − not because they are passionate about cyber security. This unfortunate development may mean SOC resources are not as thorough as they should be.

In addition to theoretical knowledge and qualifications, cyber security professionals should have a massive depth of curiosity. They need to be the type of people who look at a rule and question what it does, and how they can refine it to make it better.

This curiosity drives people to stay on top of trends, keep learning and upskilling, and even set up labs at home where they run scenarios and get their hands dirty. The old police saying that ‘you need to think like a crook to catch a crook’ applies in cyber security, and this is a mindset many modern SOCs are lacking.

Organisations seeking the right skills and attitudes should make candidate selection much more than a tick-box exercise focused only on qualifications, and should let CISOs and IT managers grill candidates on their real-world knowledge and experience.

It should also be noted that theoretical knowledge only goes so far: practical knowledge takes you further. In addition to theoretical knowledge, SOCs need operational insights from experienced operational teams. Collaboration and cross-functional teams, supported by AI and ML, bring together the best of all worlds and strengthen SOCs.
