How will AI Disrupt SOC Services?

Mar 18, 2024 by David Belkin

SOC services have historically been reserved for the corporate “elite” and considered beyond the budgets of small and medium-sized organizations. Part of the expense is the ongoing collection of the data required for meaningful analysis, but even with the advent of machine learning and its positive impact on the effectiveness of SIEM products and services, log analysis alone is still typically a resource-intensive undertaking. Looking at the broader spectrum of services that may fall within the scope of a SOC (threat detection and response, predictive analytics, and security orchestration, to name a few), the systems employed today to support these functions haven’t eliminated the need for skilled teams to maintain and leverage them.

Are we about to see a change? How will the concepts behind the much-celebrated arrival of practical generative AI models from companies like OpenAI and Anthropic be applied in the data center, not simply to lower labor costs, but to fundamentally transform the nature of SOC services? Is the SOC going to become accessible to a wider swath of organizations thanks to greater affordability?

I think it’s not a matter of if, but when, and I don’t think we’ll have to wait long to see a disruption in a space that hasn’t changed all that much since its early days.

I recall seeing the first SOCs emerge in the late nineties, as organizations recognized the need for centralized security monitoring and incident response. Early SOCs were small operations by today’s standards, really not much more than a box collecting log data, and were primarily focused on network security and perimeter defense. But by the turn of the millennium, cyberattacks had already reached a new level of sophistication, and SOC roles grew, shifting from merely monitoring activity to detecting and responding to actual threats. Regulatory requirements such as HIPAA and, later, GDPR also pushed the 2010s toward some standardization of security practices and protocols. And more recently, we’ve seen significant impact from the integration of AI and automation in SOC operations, enhancing detection, reducing response times, and automating routine tasks. Some obvious trends I’ve witnessed in the brief history of the SOC:

  1. Cyberattacks continue to become more frequent, more difficult to detect, and more costly to deal with.
  2. SOC tools and practices keep getting better.
  3. Cyber defense seems only to become more and more expensive.
  4. Hiring, training, and retaining skilled SOC analysts—who seem to exhibit a relatively high propensity for burnout—only gets more challenging with time.

But I think we’re on the cusp of something bigger than a continuation of the trends we’ve witnessed up to now, maybe even a change of course. And I have a suspicion that AI will be at the center of it. What I can’t answer, though, is exactly where and how the disruption is going to happen.

I’m reminded of a YouTube channel featuring videos exclusively of a guy picking locks. He’ll often use what might be considered a “traditional” lock picker’s set of tools to quickly exploit a lock’s weaknesses. The lock might be made of titanium, and it might have so-called “sophisticated” tumbler features designed to foil just such an attempt, but despite those features he is typically able to open it in mere seconds. In one video in particular, however, I was struck by his ability to think outside the box and bypass conventional picking methods altogether: he quickly cut a shim from a Coke can and used it to make pretty quick work of opening the lock.

I reflect on that video when I consider where SOC services, and cybersecurity in general, might go from here. On the one hand, disruption might take a positive form, leading to benefits like these:

  1. Lower labor costs related to securing an organization’s systems and data, and perhaps, as a result, greater affordability of quality SOC services for small and medium-sized businesses.
  2. Incredibly powerful security systems benefiting from analytical capabilities enabled through the effective application of AI. Imagine the benefits that would come from compressing threat detection and response times from minutes to mere seconds.
  3. A SOC analyst might disagree, but if AI can take over the work currently being done by skilled analysts, I’m sure organizations would universally agree that we’ve solved a pretty big human-resources problem.

On the other hand, I worry about what happens if, like the “outside-the-box” lock picker, the bad guys move more quickly, or more creatively, than the good guys, and use their advantage to cause damage on a scale we still haven’t had to witness.

This is a fast-moving war, and we know there’s no end in sight. Where do you think it’s headed? Hit me up on LinkedIn if you care to comment or discuss it.

