In the fight against cyber-attacks, time is money. According to the Ponemon institute, the average cost of a data breach is $3.62 million. Reducing the time to detect and time contain an incident can significantly mitigate the cost of a breach, and possibly prevent it.
Maturity level and effectiveness are two of the most important measurements of SOC performance. Maturity reflects an enterprise’s development level regarding its approach to managing cybersecurity risk, including risk and threat awareness, repeatability, and adaptiveness. Effectiveness is a measurement of the SOC’s ability to detect and respond to an incident as it happens.
We conducted a survey.
To better understand the maturity and effectiveness of security operations teams, we conducted a survey at Black Hat to understand their response times and capabilities. This includes how long it takes the SOC to detect, triage, report, and contain a threat or incident.
Who took the survey?
Black Hat is filled with the people who spend their day threat hunting, and managing or building security operations centers tasked with responding to threats and attacks. It is the perfect audience. We had a cross section of chief information security officers, security architects, security researchers, and network and data center operations staff invest the time to share their experience.
If you were one of the 459 people who took the time to provide us with this information, thank you!
What did we learn?
Time is the most important factor in detecting network breaches. To protect key assets from being stolen or damaged, cyber attackers must be detected in real time. To build the fastest and most efficient processes, it makes sense to combine man and machine allowing each to focus on what they do best.
Investigations require a broad and specialized set of skills, including malware analysis, forensic packet and log analysis, as well as the correlation of massive amounts of data from a wide range of sources.
Security event investigations can last hours, and a full analysis of an advanced threat can take days, weeks or even months. Even large SOC teams with more than 10 skilled analysts find it difficult to detect, confirm, remediate, and verify security incidents in minutes and hours. However, the teams that are using artificial intelligence to augment their security existing analysts and achieve greater levels automation are more effective than their peers and even SOC teams with more than 10 members who are not using AI.
Of the 459 respondents at Black Hat that took the survey, we found the teams that are augmenting their security programs with AI could detect, confirm and remediate incidents more quickly than those trying to do everything manually without AI.
Who is already using AI in their SOC?
We found that 33 percent of SOC teams are already using AI in some form for incident response. Of the 33 percent of respondents using AI for security, those with the largest number of people on their incident response teams (>10) are the biggest adopters of AI at 44 percent.
It may seem logical that large teams would be better able to handle SOC workloads without a need for AI, but using AI to automate tedious work enables everyone to focus on smart work. In cybersecurity, this is especially important because all levels of the job are challenging, so removing the tedious rote work enables anyone to be better at their job.
Time to Detect
The first step is to detect the presence of a threat. Thirty-seven percent of SOC teams with more than 10 people not using AI detect a threat in minutes. However, 34 percent of SOC teams of any size can detect a threat in minutes, demonstrating that manpower alone is not the only approach to reducing the time to detect. The sweet spot appears to be combining man power and AI, with 50 percent of SOC teams with more than 10 people that have deployed AI being able to detect a threat in minutes. That’s a 35 percent improvement over similar size teams that aren’t using AI.
Time to Confirm
Once a threat is detected, an analyst needs enough information to confirm that threat is real and if it is a high risk or critical threat to the organization needing immediate attention. Forty-two percent of teams with more than 10 analysts using AI could confirm a threat is a critical or high risk in minutes, as opposed to only 14 percent of similarly-sized teams not using AI. Twenty-nine percent of all teams using AI said the same.
Time to Remediate
Remediation tends to be more manually intensive since the response is dependent on the type threat, but even here we still see a benefit from leveraging AI to help define what those responses should be. Twenty-three percent of large teams using AI could remediate incidents within minutes, as opposed to seven percent of similarly-sized teams not using AI. We also see again that all teams using AI performed better than large teams not using AI, with 13 percent confirming an incident in minutes.
Time to Verify
Even after remediation and a threat is contained, security analysts need to verify the threat has indeed been eliminated and learn how to increase their readiness for the next incident. Without proper verification, an organization risks reinfection. This type of work can take hours or days, and AI continues to reduce the time to verify for SOC teams of all sizes and large teams benefiting the most.
What is next?
There is a measurable trend with organizations that have implemented AI to automate tedious incident response tasks to augment the SOC manpower, enable them to focus on their artisan skills and empower decision making.
When man and machine (AI) work together, the result is always better than man or machine alone. This also explains why Terminator 2 (man and machine) will always be a better movie than Terminator (man vs. machine).
To learn how artificial intelligence can enable enterprise SOC teams to overcome obstacles in detecting, containing and verifying cyber-attacks in real time, download this whitepaper on how to automate security operations using AI.
Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs with nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles.Author profile and blog posts