The latest guidance from the National Cyber Security Centre (NCSC) for organisations responsible for “vitally important services and activities” includes the need for proactive security monitoring and event discovery.

This is pushing many public sector organisations to look at building a Security Operations Centre (SOC), or at outsourcing that function to a third party. With the very recent release of the Scottish Government’s whitepaper, Scotland’s Artificial Intelligence Strategy, it’s a pertinent time to ask how AI can assist in enabling proactive IT security operations. As chief scientist at Sophos, I have written a whitepaper on this subject, and I’d like to outline some of the main considerations for cybersecurity professionals.

There are two kinds of user-facing software products: products that use machine learning and automation to adapt to and help realise users’ intentions, and products that are friction-ridden, requiring carefully memorised and repetitive interactions. Google Search, Siri, and Spotify are in the former category of products. Today’s SOC platforms are in the latter, non-adaptive, friction-ridden category. 

In the next five years, this will change. Successful security products will become as savvy as Google and Facebook in recommending relevant security information, and as precise as Alexa and Siri in anticipating the intent behind security-oriented natural-language requests. They will also combine artificial intelligence technologies with the kinds of system integrations smart-home ecosystems have achieved, updating security policies just as smart homes turn on security cameras and lock doors at user request. 

This new “AI-assisted SOC” will feel as dramatically superior to today’s SOCs as today’s Google search feels compared to 1990s-era Altavista. With AI enhancement distilling the wisdom of a global “crowd” of SOC analysts into a kind of co-pilot for security workflows, auto-completing SOC analyst workflows and anticipating SOC analyst intent, security personnel will be dramatically more effective. 

Of course, this change will not emerge from a vacuum; it will be the result of the confluence of multiple technology trends occurring today. The first of these is the increasing integration of all relevant security data across entire customer bases by extended detection and response (XDR) vendors, providing for the first time the training data needed by the machine learning models that will support the future AI-assisted SOC.

The second trend is the AI innovation occurring across tech, in which the research community continues to produce better machine learning (ML) algorithms, tools, and cloud AI infrastructure, providing opportunities for the AI-assisted SOC’s ML capabilities. 

The third trend is programmable security posture, in which IT, cloud, and security products increasingly expose robust management APIs. As more of the IT landscape becomes controllable via API, opportunities will continue to emerge for the AI-assisted SOC to provide security orchestration, automation, and response (SOAR) capabilities that behave like smart home ecosystems, updating organisations’ security postures and remediating incidents via push-button automation.

A key conclusion is that the evolution of user interfaces points towards a seamless and sophisticated integration of AI models with user intent, that the most sophisticated areas of tech have already achieved this, and that in the next five years SOC software product vendors will either achieve this within security or become increasingly irrelevant. In effect, we will achieve a “security operations recommendation engine” that rivals the utility we’ve come to expect from Google, Amazon, and Netflix.

How developments in XDR, AI innovation, and programmable security posture will come together to produce the AI-assisted SOC, and what the AI-assisted SOC of the future will look like, is the subject of this whitepaper. The full content, including details of the developments Sophos is making to deliver on this vision, can be read here.