This article is part of VentureBeat’s special issue, “AI at Scale: From Vision to Viability.” Read more about this special issue here.
Faced with increasingly sophisticated multi-domain attacks slipping through due to alert fatigue, high turnover, and outdated tools, security leaders are embracing AI-native Security Operations Centers (SOCs) as the future of defense.
This year, attackers are setting new intrusion speed records by exploiting the weaknesses of older systems designed for perimeter defense only and, worse, trusted connections between networks.
Over the past year, attackers have cut the average breakout time for eCrime intrusions by 17 minutes, from 79 minutes to 62 minutes. The fastest observed breakout time was just two minutes and seven seconds.
Attackers are combining generative AI, social engineering, interactive intrusion campaigns and a large-scale attack on cloud vulnerabilities and identities. With this playbook, they seek to take advantage of the weaknesses of organizations that have outdated or no cybersecurity arsenals.
“The pace of today’s cyber attacks requires security teams to quickly analyze massive amounts of data to more quickly detect, investigate and respond to threats. This is the failed promise of SIEM [security information and event management]. Customers are hungry for better technology that delivers immediate time-to-value and increased functionality at a lower total cost of ownership,” said George Kurtz, president, CEO and co-founder of cybersecurity company CrowdStrike.
“SOC leaders must find the balance in improving their detection and blocking capabilities. This should reduce the number of incidents and improve their responsiveness, ultimately reducing attackers’ dwell time,” Gartner wrote in its report, Tips for Selecting the Right Tools for Your Security Operations Center.
AI-native SOCs: The Sure Solution for Swivel Chair Integration
Visit any SOC and it’s clear that most analysts are forced to rely on “swivel chair integration” because legacy systems were not designed to share data with each other in real time.
That means analysts spend their day swiveling from one monitor to another, checking alerts and weeding out false positives. Accuracy and speed are lost in the battle against a growing number of multi-domain intrusion attempts, which are neither obvious nor clearly distinguishable in the real-time stream of incoming alerts.
Here are just a few of the many challenges that SOC leaders want an AI-native SOC to help solve:
Chronic levels of alert fatigue: Legacy systems, including SIEMs, produce an increasingly overwhelming number of alerts for SOC analysts to track and analyze. SOC analysts speaking on condition of anonymity said four out of 10 alerts these systems produce are false positives. Analysts often spend more time reviewing false positives than investigating actual threats, which seriously impacts productivity and response time. Making a SOC AI-native would make an immediate dent in the time every SOC analyst and leader loses to this on a daily basis.
Persistent talent shortage and turnover: Experienced SOC analysts who excel at what they do and whose leaders can influence budgets to get them raises and bonuses, for the most part, stay in their current roles. Kudos to the organizations that realize that investing in retaining talented SOC teams is core to their business. An often-cited statistic is that there is a global cybersecurity workforce shortage of 3.4 million professionals. Indeed, there is a chronic shortage of SOC analysts in the industry, so it is up to organizations to close the pay gap and double down on training to grow their teams internally. Burnout is common among understaffed teams forced to rely on swivel chair integration to get their work done.
Threats that span multiple domains are growing exponentially. Adversaries, including cybercrime gangs, nation states, and well-funded cyberterrorist organizations, are increasingly exploiting gaps in endpoint security and identities. Over the past year, malware-free attacks have increased in number, scale and ingenuity. SOC teams that protect enterprise software companies developing AI-based platforms, systems and new technologies are particularly hard hit. Malware-free attacks are often undetectable: they rely on legitimate tools, rarely generate a unique signature, and use fileless execution. Kurtz told VentureBeat that attackers targeting endpoint and identity vulnerabilities often move laterally between systems within two minutes. Their advanced techniques, including social engineering, ransomware-as-a-service (RaaS) and identity-based attacks, require faster and more adaptive SOC responses.
Increasingly complex cloud configurations increase the risk of an attack. Cloud intrusions are up 75% year-on-year, with adversaries exploiting native cloud vulnerabilities such as insecure APIs and identity misconfigurations. SOCs often struggle with limited visibility and inadequate tools to mitigate threats in complex multi-cloud environments.
The overload of data and proliferation of tools create gaps in the defense that SOC teams must fill. Older perimeter-based systems, including many decades-old SIEM systems, struggle to process and analyze the massive amount of data generated by today’s infrastructure, endpoints, and telemetry data sources. Asking SOC analysts to maintain multiple sources of alerts and reconcile data from different tools slows their effectiveness, leads to burnout, and prevents them from achieving the necessary accuracy, speed, and performance.
How AI improves SOC accuracy, speed and performance
“AI is already being used by criminals to bypass a number of cybersecurity measures around the world,” warns Johan Gerber, executive vice president of security and cyber innovation at MasterCard. “But AI must be part of our future, of the way we attack and approach cybersecurity.”
“It is extremely difficult to do anything when AI is seen as a complement; you have to think about it [as integral],” Jeetu Patel, EVP and GM of Security and Collaboration for Cisco, told VentureBeat, with reference to findings from the 2024 Cisco Cybersecurity Readiness Index. “The key here is that AI is used natively in your core infrastructure.”
Given the many accuracy, speed, and performance benefits of moving to an AI-native SOC, it’s understandable why Gartner supports this idea. The research firm predicts that multi-agent AI in threat detection and incident response (including within SOCs) will increase from 5% to 70% of AI deployments by 2028 – mainly expanding, not replacing, staff.
Chatbots make an impact
At the core of the value that AI-driven SOCs bring to cybersecurity and IT teams is the accelerated detection and triage of threats based on improved predictive accuracy using real-time telemetry data.
SOC teams report that AI-based tools, including chatbots, provide faster turnaround times on a broad spectrum of queries, from simple analysis to more complex anomaly analysis. The latest generation of chatbots designed to streamline SOC workflows and assist security analysts include CrowdStrike’s Charlotte AI, Google’s Threat Intelligence Copilot, Microsoft Security Copilot, Palo Alto Networks’ series of AI Copilots, and SentinelOne Purple AI.
Graph databases are at the heart of the future of SOCs
Graph database technologies help defenders see their vulnerabilities the way attackers do. Attackers think in terms of traversing a company’s system graph, while SOC defenders traditionally work from lists, checking off defensive actions one item at a time. The graph database arms race aims to put SOC analysts on par with attackers when it comes to tracking threats, intrusions, and breaches across the graph of their identities, systems, and networks.
AI is already proving effective in reducing false positives, automating incident responses, improving threat analysis, and continually finding new ways to streamline SOC operations.
Combining AI with graph databases also helps SOCs track and stop attacks across multiple domains. Graph databases are at the heart of the future of SOC because they excel at visualizing and analyzing interconnected data in real-time, enabling faster and more accurate threat detection, attack path analysis, and risk prioritization.
Underscoring the critical importance of graph-based thinking for cybersecurity, John Lambert, corporate vice president of Microsoft Security Research, explained to VentureBeat: “Defenders think in lists, cyber attackers think in graphs. As long as this is true, attackers win.”
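The graph-versus-list point above, as an added example that is not code from the article or from any vendor it names: a small attack-path analysis over a constructed identity/asset graph, which enumerates every route from an exposed workstation to a crown-jewel asset and finds the choke-point node shared by all of them, the place where one fix breaks every path (all node names are hypothetical).

```python
# Attack-path analysis over an identity/asset graph. Added example, not code
# from the article or any vendor it names. The edges are a constructed sample:
# (X, Y) means a foothold on X lets an attacker reach Y (session, admin right,
# cached credential, group membership). Node names are hypothetical.
SAMPLE_EDGES = [
    ("workstation-01", "alice"),          # alice has an interactive session
    ("alice", "fileserver-02"),           # alice is local admin there
    ("fileserver-02", "svc-backup"),      # service account runs on that host
    ("svc-backup", "domain-controller"),  # svc-backup is in Domain Admins
    ("workstation-01", "bob"),
    ("bob", "jump-host"),
    ("jump-host", "svc-backup"),
    ("workstation-03", "carol"),
    ("carol", "hr-db"),
]

def build_graph(edges):
    """Adjacency list; every node gets an entry even with no out-edges."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph

def blast_radius(graph, start):
    """Everything reachable from one foothold (what a flat list cannot show)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), []):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def attack_paths(graph, start, target):
    """All simple (cycle-free) paths from a foothold to a crown-jewel asset."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        stack.extend((n, path + [n]) for n in graph.get(node, []) if n not in path)
    return sorted(paths, key=len)  # shortest attacker route first

def choke_points(graph, start, target):
    """Intermediate nodes shared by every path: fixing one breaks them all."""
    paths = attack_paths(graph, start, target)
    return set.intersection(*(set(p[1:-1]) for p in paths)) if paths else set()
```

On the sample graph, both routes from workstation-01 to the domain controller pass through svc-backup, so that single account is the highest-value remediation, which a per-host or per-alert list view would not reveal.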
AI-native SOCs need people at the center to reach their potential
SOCs that purposefully design human-in-the-middle workflows as a core part of their AI-native SOC strategies are best positioned for success. The overarching goal should be to strengthen the knowledge of SOC analysts and provide them with the data, insights and intelligence they need to excel and grow in their roles. Also implicit in a human-in-the-middle workflow design is retention.
Organizations that have created a culture of continuous learning and see AI as a tool to accelerate training and on-the-job results are already ahead of the competition. VentureBeat continues to see SOCs placing a high priority on enabling analysts to focus on complex, strategic tasks while AI handles routine operations, which also helps retain their teams. There are many stories of small victories, such as stopping an intrusion or a breach. AI should not be seen as a replacement for SOC analysts or experienced human threat hunters. Instead, AI apps and platforms are tools that threat hunters need to better protect enterprises.
AI-powered SOCs can significantly reduce incident response times, with some organizations reporting up to a 50% reduction. This acceleration allows security teams to address threats faster, minimizing potential damage.
The role of AI in SOCs is expected to expand, with proactive simulations of adversaries, continuous monitoring of the health of SOC ecosystems, and advanced endpoint and identity security through zero-trust integration. These developments will further strengthen organizations’ defenses against evolving cyber threats.