The traditional security operations model is rapidly succumbing to the challenges and dynamics of today's cybersecurity market. Over the last few years, organizations have deployed a myriad of security technologies to combat specific threats, and as a result have inherited a collection of point products with very little interoperability. This has made it difficult for operations teams to use these technologies as a common fabric for threat identification, correlation, detection and remediation.
This has also increased the time it takes to detect and remediate a security breach. On average, it takes organizations nearly 6 months to detect a breach and another 2 months to remediate it. Organizations continue to operate in a reactive mode, while the goal is to move to a model that is far more proactive and predictive.
Complicating this goal is the shortage of skilled security expertise needed to perform identification, detection and remediation. The talent shortage is most pronounced for Level 1 analysts in the security operations center (SOC), the "first responders" who must sift through volumes of data and determine which alerts require immediate action.
Attackers are using sophisticated approaches to exploit vulnerabilities, and the volume and velocity of known and unknown attacks continue to rise. Organizations still demand "eyes on glass" to detect and respond to security threats, but the volume of attacks arriving over multiple threat vectors, combined with the skills shortage, has created a scale problem: Level 1 SOC analysts are overwhelmed by the amount of data that must be analyzed, in some cases petabytes. In addition to the scale problem, the incoming data lacks context, so prioritizing suspicious behavior for further investigation is a second challenge for SOC analysts.
The Business Benefits of AIRO
To address these challenges effectively, organizations must adopt a new approach to SOC operations that handles the volume of data and alerts more effectively. The market is heading toward an intelligent SOC that uses Analytics, Intelligence, Response and Orchestration (AIRO) to increase the productivity and efficiency of SOC analysts and to shorten the time needed to detect and contain a security breach. AIRO consists of the following components:
- Analytics: Driving contextual insight into threat dynamics
- Intelligence: Collecting and indexing sources of information
- Response: Initiating the proper response based on the nature of the security threat
- Orchestration: Coordinating multiple toolsets to mitigate a threat and harden the network
Using AIRO tools, organizations can make better use of existing investments in security technologies by using APIs to interconnect platforms and correlate data from firewalls, IDS sensors, endpoint devices and external threat intelligence feeds. AIRO tools complement an existing security information and event management (SIEM) tool by acting as middleware that integrates with existing tools and provides greater visibility into indicators of compromise. This becomes increasingly important as corporate data spreads across endpoint devices, on-premises infrastructure and multi-cloud environments.
AIRO tools ingest alerts from the SIEM and automate the responses to repetitive alerts, freeing security analysts for the harder alerts that require human intervention. The tool should also supply contextual information, such as asset information and threat enrichment data, that improves the analyst's decision-making by prioritizing the threats that represent the most risk to the organization.
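The enrich-and-prioritize loop described above, as an added example that is not code from the original article or from any AIRO vendor. It takes a batch of SIEM-style alerts, enriches each with a hypothetical asset inventory (criticality, owner) and a hypothetical threat-intelligence feed (indicator confidence), scores risk, and routes each alert: high-confidence indicator matches are blocked and escalated, repetitive low-risk alerts are closed automatically, and everything else goes to an analyst in risk order. The asset data, indicator values, rule names and scoring thresholds are all constructed for the example.

```python
"""Minimal SOAR-style triage: enrich, score and route SIEM alerts.
All inventory, intel and threshold values below are constructed for the example."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical asset inventory: internal IP -> context the SIEM alert lacks.
ASSET_INVENTORY = {
    "10.0.1.5": {"hostname": "db-prod-01", "criticality": 5, "owner": "data-platform"},
    "10.0.2.17": {"hostname": "wks-jdoe", "criticality": 2, "owner": "finance"},
    "10.0.3.9": {"hostname": "build-agent-03", "criticality": 3, "owner": "ci"},
}
UNKNOWN_ASSET = {"hostname": "unknown", "criticality": 3, "owner": "unassigned"}

# Hypothetical threat-intel feed: indicator -> (confidence 0-100, description).
THREAT_INTEL = {
    "198.51.100.23": (90, "known C2 node"),
    "203.0.113.77": (40, "mass scanner, low confidence"),
}

# Hypothetical tuning values for the routing rules.
AUTO_CLOSE_BELOW = 6            # risk below this is not worth analyst time
INTEL_AUTOBLOCK_CONFIDENCE = 80 # indicator confidence that justifies an automatic block
DUPLICATE_THRESHOLD = 3         # same rule + host this many times in a batch = repetitive


@dataclass
class Alert:
    alert_id: str
    rule: str
    host_ip: str    # internal asset the alert is about
    remote_ip: str  # peer address, "-" when the rule has none
    severity: int   # 1-5 as assigned by the SIEM rule


@dataclass
class Triaged:
    alert: Alert
    asset: dict
    intel: Optional[tuple]
    risk: int
    action: str
    reasons: list[str] = field(default_factory=list)


def enrich(alert: Alert) -> tuple[dict, Optional[tuple]]:
    """Attach asset context and any threat-intel match to the raw alert."""
    return ASSET_INVENTORY.get(alert.host_ip, UNKNOWN_ASSET), THREAT_INTEL.get(alert.remote_ip)


def score(alert: Alert, asset: dict, intel: Optional[tuple]) -> tuple[int, list[str]]:
    """Risk = rule severity weighted by asset criticality, plus an intel bonus."""
    risk = alert.severity * asset["criticality"]
    reasons = [f"severity {alert.severity} x criticality {asset['criticality']}"]
    if intel:
        confidence, description = intel
        risk += confidence // 10
        reasons.append(f"intel match: {description} (confidence {confidence})")
    return risk, reasons


def decide(intel: Optional[tuple], risk: int, repeats: int) -> str:
    """Route: automate the clear-cut cases, hand the rest to a human."""
    if intel and intel[0] >= INTEL_AUTOBLOCK_CONFIDENCE:
        return "block_remote_ip_and_escalate"  # containment is automated, review is not
    if risk < AUTO_CLOSE_BELOW:
        return "auto_close_repetitive" if repeats >= DUPLICATE_THRESHOLD else "auto_close"
    return "escalate_to_analyst"


def triage(alerts: list[Alert]) -> list[Triaged]:
    """Enrich, score and route a batch; return it ordered by risk, highest first."""
    repeats = Counter((a.rule, a.host_ip) for a in alerts)
    results = []
    for alert in alerts:
        asset, intel = enrich(alert)
        risk, reasons = score(alert, asset, intel)
        action = decide(intel, risk, repeats[(alert.rule, alert.host_ip)])
        results.append(Triaged(alert, asset, intel, risk, action, reasons))
    results.sort(key=lambda t: t.risk, reverse=True)  # stable: ties keep arrival order
    return results


def summarize(results: list[Triaged]) -> dict[str, int]:
    """How much of the batch was handled without an analyst."""
    return dict(Counter(t.action for t in results))


# Constructed sample batch: one C2 beacon from a production database, a burst of
# repetitive failed logins on a workstation, a low-confidence scan, and an
# account change on a host missing from the inventory.
SAMPLE_ALERTS = [
    Alert("A1", "outbound-to-rare-ip", "10.0.1.5", "198.51.100.23", 3),
    Alert("A2", "failed-login-burst", "10.0.2.17", "10.0.2.200", 1),
    Alert("A3", "failed-login-burst", "10.0.2.17", "10.0.2.200", 1),
    Alert("A4", "failed-login-burst", "10.0.2.17", "10.0.2.200", 1),
    Alert("A5", "port-scan-inbound", "10.0.3.9", "203.0.113.77", 2),
    Alert("A6", "new-admin-account", "10.0.9.9", "-", 4),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(f"{t.alert.alert_id} risk={t.risk:2d} {t.action:30s} "
              f"{t.asset['hostname']} ({t.asset['owner']}) :: {'; '.join(t.reasons)}")
    print(summarize(triage(SAMPLE_ALERTS)))
```

The point of the example is the context the raw alert lacks: the same severity-3 rule fires very differently on a production database with a known C2 destination than on a workstation, and three identical failed-login alerts on one host are one repetitive item, not three tickets. In a real deployment the inventory, intel and response actions would come from the connected platforms over their APIs, and the automatic block would be gated by an allow-list of actions the organization is comfortable taking without a human.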
In today's complex environment, AIRO tools can make security analysts' work more efficient, less burdensome and more accurate by combining automation, analytics and orchestration. By ensuring proper integration and interoperability with existing security technologies and centralizing visibility on a single security platform, security operations teams can gain greater insight and move from a reactive security posture to a more predictive and preventive one.