Security operations center (SOC) analysts are overworked, yet they are a crucial piece of the security puzzle. Threats are constantly evolving, leaving SOC analysts to adapt their responses to maintain productivity and serve their key functions. However, over half of SOC analysts report that they are not properly equipped to deal with new and emerging threats, or that they lack the tools needed to respond appropriately.
On top of the ineffective resources available to SOC analysts, manual processes are commonplace and exacerbate the problem, placing still more burden on analysts. Nearly 75% of SOC analysts spend hours, even days, manually investigating a single threat [1]. While so many resources go into a single threat, a third of prioritized alerts are never investigated because additional alerts keep arriving, and another third of alerts are false positives. On average, SOC analysts investigate as many as 25 threats per day, and as threat volumes rise it becomes difficult for analysts to keep up.
Despite the growing workload of SOC analysts, advances in artificial intelligence and robotic technologies are poised to make their jobs easier and more productive. Anomaly detection, built on machine learning, is already critical in cybersecurity; the same approach can be applied to physical security strategies for detecting intrusions. It is now easier than ever for organizations to integrate legacy security systems with state-of-the-art additions such as autonomous drones and robots. Combining autonomous drones and robots, PTZ cameras, and sensors into a single platform lets SOC analysts collect quality, actionable data on events that require a response, separating them from false alerts, while continuous anomaly detection removes the need for persistent security patrols. This model of technology incorporation, integrating new technologies with legacy systems, enables efficient resource management.
Organizations can build a security approach best suited to their needs based on their existing security assets and any new ones they choose to employ. With a site-specific security approach defined, data collection leads the way to prescriptive analytics. It is not enough to predict what, when, or why something will happen; organizations also need to know how it will happen and what the impact of actions or events will be. This data can be used to inform artificial intelligence and machine learning, which greatly improves the workflow for SOC analysts.
Rather than manually investigating each alert, AI has the potential, from a physical security perspective, to identify anomalies and alert appropriately, decluttering the immense amount of noise a SOC analyst faces. AI can identify patterns in unstructured data (videos, images, sounds, etc.) to reduce the false positives and “alert fatigue” suffered by many SOC analysts. AI does not replace the human element of security; rather, it eliminates redundant and time-consuming tasks, freeing the SOC analyst to focus on the critical thinking needed to solve complex problems. Tools like AI should make the job easier for SOC analysts, supporting them so that they can work better and more efficiently. As data evolves, it can be used to retrain prescriptive models to better identify the potential outcomes of a situation. Data is not one-size-fits-all, so site-specific data is essential for creating efficient and useful AI-driven processes.
By incorporating advanced technologies into the SOC, the typical process of response can look like this:
- An autonomous drone or robot, sensor, or PTZ camera detects an anomaly.
- The system alerts SOC analysts to respond.
- Autonomous drones or robots are deployed to the location of the alert.
- The SOC analyst monitors and coordinates actions based on the data collected from the situation in real time.
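The workflow above, reduced to code as an added example that is not part of the original post. It assumes a constructed feed of readings keyed by zone and source (a motion sensor count, a PTZ camera's detection confidence, a robot's detection confidence), a per-zone statistical baseline from a quiet period, and a corroboration rule: an anomaly becomes a high-priority alert only when a second, independent source reports the same zone inside a short window. The `Event`, `Alert`, `baseline` and `triage` names are hypothetical; no product's API is implied.

```python
"""Illustrative alert-triage pipeline for a physical-security SOC.

Added example, not code from the original post. Sensor values, baselines and
the corroboration rule are constructed assumptions used to show how anomaly
scoring plus multi-source correlation turns raw detections into a short,
prioritized queue for an analyst.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Event:
    ts: int        # seconds since start of shift (constructed)
    zone: str      # physical zone, e.g. "gate-2"
    source: str    # "sensor", "ptz-camera", "robot", "drone"
    value: float   # reading: motion count for sensors, confidence for cameras/robots


@dataclass
class Alert:
    zone: str
    first_seen: int
    sources: set = field(default_factory=set)
    max_z: float = 0.0

    @property
    def priority(self) -> str:
        # Two independent sources agreeing is what separates an actionable
        # event from a single noisy sensor; a very strong single signal still
        # reaches "medium" so it is not silently dropped.
        if len(self.sources) >= 2 and self.max_z >= 3.0:
            return "high"
        if len(self.sources) >= 2 or self.max_z >= 3.0:
            return "medium"
        return "low"


def baseline(history):
    """Per-(zone, source) mean/stdev from a quiet period; stdev is floored
    so a perfectly constant sensor cannot cause a division by zero."""
    per_key = defaultdict(list)
    for e in history:
        per_key[(e.zone, e.source)].append(e.value)
    return {k: (mean(v), max(pstdev(v), 1e-6)) for k, v in per_key.items()}


def z_score(e, stats):
    key = (e.zone, e.source)
    if key not in stats:
        return float("inf")   # unbaselined source: escalate rather than ignore
    mu, sigma = stats[key]
    return (e.value - mu) / sigma


def triage(live, stats, threshold=2.5, window=120):
    """Return alerts sorted by priority, then time. Only anomalous events open
    or join an alert; anomalies in the same zone within `window` seconds are
    merged so the analyst sees one incident, not one line per detection."""
    alerts, open_alerts = [], {}
    for e in sorted(live, key=lambda x: x.ts):
        z = z_score(e, stats)
        if z < threshold:
            continue                      # normal reading: no alert at all
        a = open_alerts.get(e.zone)
        if a is None or e.ts - a.first_seen > window:
            a = Alert(zone=e.zone, first_seen=e.ts)
            open_alerts[e.zone] = a
            alerts.append(a)
        a.sources.add(e.source)
        a.max_z = max(a.max_z, z)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(alerts, key=lambda a: (order[a.priority], a.first_seen))


# Constructed quiet-period history used to build the baseline.
SAMPLE_HISTORY = (
    [Event(t, "gate-2", "sensor", v) for t, v in enumerate([2, 3, 2, 4, 3, 2, 3, 2])]
    + [Event(t, "gate-2", "ptz-camera", v)
       for t, v in enumerate([0.05, 0.1, 0.05, 0.08, 0.06, 0.1, 0.07, 0.05])]
    + [Event(t, "loading-dock", "sensor", v) for t, v in enumerate([1, 1, 2, 1, 1, 2, 1, 1])]
)

# Constructed live feed: a corroborated spike at gate-2, a marginal single
# sensor at the loading dock, a normal reading, and a later uncorroborated spike.
SAMPLE_LIVE = [
    Event(100, "gate-2", "sensor", 12),        # strong anomaly
    Event(130, "gate-2", "ptz-camera", 0.9),   # camera confirms within window
    Event(300, "loading-dock", "sensor", 2.5), # just over threshold, alone
    Event(500, "gate-2", "sensor", 3),         # normal: dropped
    Event(900, "gate-2", "sensor", 10),        # outside window: new alert
]


def run_demo():
    return triage(SAMPLE_LIVE, baseline(SAMPLE_HISTORY))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.priority:6} zone={a.zone} t={a.first_seen} sources={sorted(a.sources)}")
```

Five raw detections collapse to three queue entries, with the corroborated gate-2 incident at the top. The analyst still decides what to do; the pipeline only removes the normal reading and orders what remains.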
By the time the SOC analyst is brought in to respond to a threat, AI has already qualified its priority, collected relevant preliminary data, and researched the threat. Removing this task from the analyst’s list of duties lets them focus on the threats that require human attention and response, and spares them from investigating false alarms, further reducing the burden placed on them.
With two-thirds of SOC analysts believing there are currently too few analysts to handle the volume of alerts within the SOC [3], a major contributor to their feeling overworked, AI-driven data collection and analysis stands to improve their workflows and productivity. AI empowers SOC analysts to focus on critical tasks and monitor valid alerts to improve business outcomes, rather than chasing down false alerts instead of addressing real threats.
When robotic technologies identify threats, guards are kept safer because they have insight into the threat they are responding to. At the same time, SOC analysts can monitor threats more effectively with advanced threat intelligence. Together, AI and robotic technologies are changing the landscape of physical security by enabling more efficient and informed responses to threats.
Sources:
1. https://awakesecurity.com/white-papers/top-4-roadblocks-to-soc-productivity/
2. https://blog.paloaltonetworks.com/2020/09/secops-analyst-burnout
3. https://securityintelligence.com/maximize-your-security-operations-center-efficiency-with-incident-response-orchestration
4. https://securityintelligence.com/posts/ai-in-cybersecurity-addresses-challenges-soc-analysts
5. https://go.forrester.com/blogs/stop-trying-to-take-humans-out-of-security-operations