
6 ways AI turbocharges security orchestration, automation, and response

Artificial intelligence (AI) can be integrated into SOAR to revolutionise incident response and greatly mitigate potential threats


Amid an ever-expanding attack surface and increasingly sophisticated attacks, GCC cybersecurity teams, from the CISO down, face an overwhelming number of security alerts and incidents. Unfortunately, most teams are ill-equipped to respond. Trellix’s recent “Mind of the CISO” report reveals that two-thirds (66 per cent) of security leaders in the United Arab Emirates and Saudi Arabia believe their organisations still do not have the right people and processes to be cyber-resilient, and almost three-quarters (74 per cent) believe the same of their current technology setup. Respondents spoke of a lack of control over their environment and a lack of understanding from their non-cybersecurity colleagues.

An overwhelming number of security alerts requires an overwhelming response. Security orchestration, automation, and response (SOAR) platforms fulfil this role. They streamline security operations by automating simple, repetitive tasks, and they support collaboration between security team members. But in recent times, another player has emerged that can supercharge SOAR to make it even more effective. Artificial intelligence (AI) can be integrated into SOAR to revolutionise incident response and greatly mitigate potential threats. This transformative technology combo is set to bring new life to regional SOCs, helping in six main areas.

Vibin Shaju, VP Solutions Engineering – EMEA, Trellix

1. Incident summary

When machine learning and advanced analytics get together, AI systems gain the ability to paint a rich picture of incidents — a visual flow that uses natural-language understanding and intelligent contextualisation to present the findings of an investigation. AI sifts through data sources such as logs, alerts, and threat intelligence, and delivers the one thing that empowers an SOC most: actionable insights. Analysts and responders get a comprehensive view of an incident, including its possible impact and the recommended steps for its mitigation. This is what SOAR is good at. It provides easy-to-understand descriptions of cyber incidents, which helps SOCs with skills gaps, for whom more technical, text-based information may not be actionable. AI in SOAR therefore empowers organisations to make quicker, more effective decisions based on rich information, and to act on them sooner, reducing the dwell time of threat actors.

2. Remediation recommendations

AI is a quicker learner than any human. Drawing on incident histories and past remediation reports, it improves its remediation advice over time. SOAR-integrated AI compares the characteristics of current and past incidents to find similarities. Informed by global best practices, it can then suggest remediation steps, including specific actions such as deploying additional controls, installing available patches, reconfiguring assets, or isolating compromised systems. Because AI can process large volumes of data very quickly, it can surface insights that even the most seasoned team of security analysts would miss.

3. Recommendations for protections

AI can go further than real-time guidance. Based on international playbooks, it can advise on how to improve the entire security posture. This is a significant benefit: companies around the world pay security consultants tens of billions (one estimate for 2022 puts the global figure at US$27 billion) for similar advice. AI analyses incident data to identify vulnerabilities, misconfigurations, and control gaps. Its recommendations range from implementing cybersecurity solutions to simply conducting user-awareness training. Each recommendation is an iterative step in the cyber-maturity of an organisation and helps to mitigate the risk of future attacks.

4. Multilingual support

The UAE and other GCC countries are home to large expatriate populations, many of whom work in or around an SOC. Multilingual support is child’s play for AI, and when it is integrated with SOAR platforms, security teams no longer need to be fully conversant in a single language. Collaboration between diverse teams becomes easier, as reports can be viewed in the analyst’s native language, and so does the ingestion of information from outside the enterprise. The end result is that knowledge accumulation and incident response both become more effective.

5. Data extraction and transformation

When extracting indicators of compromise (IOCs), analysts traditionally rely on regular expressions (regex), an arduous process that is prone to error. AI algorithms are more sophisticated: they apply techniques such as natural-language processing and machine learning to harvest IOCs more accurately. Data from different sources, such as network traffic, application logs, and user behaviour, is sifted to extract IOCs more reliably. With AI on the job, false positives and false negatives both fall, leading to a less noisy SOC in which analysts pursue only high-probability leads. AI also enables automatic data transformation, taking a range of formats and mapping their key attributes to a homogeneous template; it cleans the data too and applies normalisation techniques. AI thereby simplifies data integration, allowing seamless correlation and analysis across different sources. Enriched, standardised data raises the SOC’s game and boosts the effectiveness of incident response.
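To make the regex-versus-normalisation point concrete, here is an added example (not code from the article or from Trellix) of the traditional extraction step done carefully: it refangs analyst-style IOCs, rejects the version strings and internal addresses that a naive pattern would report as false positives, and maps everything it finds in three constructed records onto one common template. The sample records, the patterns and the internal-range policy are all assumptions.

```python
import re
import ipaddress
# Constructed sample records from three sources in three different formats (not real data).
RECORDS = [
    {"source": "proxy", "text": "GET hxxp://update-check[.]example/p.exe client 203.0.113.7"},
    {"source": "mail", "text": "sha256 " + "deadbeef" * 8 + " attached, relay 10.0.0.5"},
    {"source": "edr", "text": "agent v1.2.3.4 saw beacon to 198.51.100.12:443"},
]
# Defanging conventions used in analyst reports; undone so one regex set covers both forms.
DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")]
# Look-arounds on the IPv4 pattern stop a version string such as "v1.2.3.4" reading as an address.
PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}
# Simplifying policy (assumption): RFC 1918 and loopback addresses are internal, not external IOCs.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def refang(text):
    for fanged, real in DEFANG:
        text = text.replace(fanged, real)
    return text


def plausible_ip(value):
    """Reject malformed octets (ValueError) and internal ranges that would be false positives."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL)


def extract_iocs(records):
    """Harvest IOCs from heterogeneous records and map them onto one common template."""
    found = {}
    for rec in records:
        raw = rec["text"]
        text = refang(raw)
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(0)
                if kind == "ipv4" and not plausible_ip(value):
                    continue
                if kind == "sha256":
                    value = value.lower()  # normalise hash case so duplicates collapse
                entry = found.setdefault((kind, value), {"type": kind, "value": value,
                                                          "sources": set(), "defanged": value not in raw})
                entry["sources"].add(rec["source"])
    return sorted(found.values(), key=lambda e: (e["type"], e["value"]))
```

Each output entry records the IOC type, the refanged value, every source that mentioned it, and whether the original text was defanged, which is the kind of homogeneous template downstream correlation needs.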

6. Automated decision making

When conditions allow, the AI can even be permitted to make some decisions on its own, further optimising incident response processes. For reference, the AI holds a list of possible response actions along with their potential outcomes. Human security teams often have the same at their disposal — quarantine a device, end a session, block an IP address, launch a forensic investigation — but AI can draw on historic incident data, threat-intelligence feeds, and machine-learning models in a single moment. This gives it a head start in rapidly taking the optimal response action.
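An added illustration (not the article’s or any vendor’s code) of the selection loop described above: each of the four listed responses is scored from a constructed historic success rate and disruption cost against the alert’s model confidence and the asset’s criticality, and the chosen action runs unattended only when the stated conditions allow. All figures, thresholds and the alert fields are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str
    success_rate: float  # share of similar past incidents it contained (constructed; would be learned)
    disruption: float    # 0..1 business impact if applied to an asset that was not actually compromised


# The four responses the text lists, with constructed historic figures.
ACTIONS = [
    Action("quarantine_device", 0.90, 0.80),
    Action("end_session", 0.60, 0.30),
    Action("block_ip", 0.70, 0.20),
    Action("launch_forensics", 0.30, 0.05),
]


def score(action, confidence, criticality):
    """Expected benefit minus expected harm of taking the action on this alert."""
    expected_gain = confidence * action.success_rate
    expected_harm = (1 - confidence) * action.disruption * (0.5 + criticality)
    return expected_gain - expected_harm


def choose_action(alert):
    """Pick the best-scoring action and decide whether conditions allow it to run unattended.

    alert keys: confidence (model's true-positive probability), criticality (0..1 asset
    importance) and intel_hit (an IOC matched a threat-intelligence feed). Thresholds are assumptions.
    """
    confidence, criticality = alert["confidence"], alert["criticality"]
    ranked = sorted(ACTIONS, key=lambda a: score(a, confidence, criticality), reverse=True)
    best = ranked[0]
    auto = confidence >= 0.8 or (alert["intel_hit"] and confidence >= 0.6)
    if best.disruption >= 0.5 and criticality >= 0.8:
        auto = False  # a disruptive action on a critical asset always goes to a human
    return {"action": best.name, "score": round(score(best, confidence, criticality), 3),
            "mode": "auto" if auto else "human_approval"}
```

With moderate confidence the lower-disruption action (block the IP) outscores quarantine, and a high-confidence alert on a critical asset still routes to human approval.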

Get ready to SOAR

SOAR is battle-ready. But AI fits it with a suit of armour and puts an electrified lance in its hand. SOAR eases the SOC’s daily burden — finding the elusive, flagging the suspicious, and blocking the dangerous. Together, AI and SOAR make environments safer.