This article is part of VentureBeat’s special issue, “AI at Scale: From Vision to Viability.”
Faced with increasingly sophisticated multi-domain attacks slipping through due to alert fatigue, high turnover and outdated tools, security leaders are embracing AI-native security operations centers (SOCs) as the future of defense.
This year, attackers are setting new speed records for intrusions by capitalizing on the weaknesses of legacy systems designed for perimeter-only defenses and, worse, of trusted connections across networks.
Attackers trimmed 17 minutes off their average eCrime intrusion activity time over the last year, reducing the average breakout time for eCrime intrusions from 79 minutes to 62 minutes. The fastest observed breakout time was just two minutes and seven seconds.
Attackers are combining generative AI, social engineering, interactive intrusion campaigns and an all-out assault on cloud vulnerabilities and identities. With this playbook they seek to capitalize on the weaknesses of organizations with outdated or no cybersecurity arsenals in place.
“The speed of today’s cyberattacks requires security teams to rapidly analyze massive amounts of data to detect, investigate and respond to threats faster. This is the failed promise of SIEM [security information and event management]. Customers are hungry for better technology that delivers instant time-to-value and increased functionality at a lower total cost of ownership,” said George Kurtz, president, CEO and cofounder of cybersecurity company CrowdStrike.
“SOC leaders must find the balance in improving their detection and blocking capabilities. This should reduce the number of incidents and improve their response capabilities, ultimately reducing attacker dwell time,” Gartner writes in its report, Tips for Selecting the Right Tools for Your Security Operations Center.
AI-native SOCs: The sure cure for swivel-chair integration
Visit any SOC, and it’s clear most analysts are being forced to rely on “swivel-chair integration” because legacy systems weren’t designed to share data in real time with each other.
That means analysts are often swiveling their rolling chairs from one monitor to another, checking on alerts and clearing false positives. Accuracy and speed are lost in the fight against growing multi-domain attempts that are not intuitively obvious and distinct among the real-time torrent of alerts streaming in.
Here are just a few of the many challenges that SOC leaders are looking to an AI-native SOC to help solve:
Chronic levels of alert fatigue: Legacy systems, including SIEMs, are producing an increasingly overwhelming number of alerts for SOC analysts to track and analyze. SOC analysts who spoke on condition of anonymity said that four out of every 10 alerts produced are false positives. Analysts often spend more time triaging false positives than investigating actual threats, which severely affects productivity and response time. Making an SOC AI-native would make an immediate dent in this time, which every SOC analyst and leader has to deal with on a daily basis.
Ongoing talent shortage and churn: Experienced SOC analysts who excel at what they do and whose leaders can influence budgets to get them raises and bonuses are, for the most part, staying put in their current roles. Kudos to the organizations who realize investing in retaining talented SOC teams is core to their business. A commonly cited statistic is that there is a global cybersecurity workforce gap of 3.4 million professionals. There is indeed a chronic shortage of SOC analysts in the industry, so it’s up to organizations to close the pay gaps and double down on training to grow their teams internally. Burnout is pervasive in understaffed teams who are forced to rely on swivel-chair integration to get their jobs done.
Multi-domain threats are growing exponentially. Adversaries, including cybercrime gangs, nation-states and well-funded cyber-terror organizations, are doubling down on exploiting gaps in endpoint security and identities. Malware-free attacks have been growing throughout the past year, increasing in their variety, volume and ingenuity of attack strategies. SOC teams protecting enterprise software companies developing AI-based platforms, systems and new technologies are being especially hard-hit. Malware-free attacks are often undetectable, trading on trust in legitimate tools, rarely generating a unique signature, and relying on file-less execution. Kurtz told VentureBeat that attackers who target endpoint and identity vulnerabilities frequently move laterally within systems in under two minutes. Their advanced techniques, including social engineering, ransomware-as-a-service (RaaS), and identity-based attacks, demand faster and more adaptive SOC responses.
Increasingly complex cloud configurations increase the risks of an attack. Cloud intrusions have surged by 75% year-over-year, with adversaries exploiting native cloud vulnerabilities such as insecure APIs and identity misconfigurations. SOCs often struggle with limited visibility and inadequate tools to mitigate threats in complex multicloud environments.
Data overload and tool sprawl create defense gaps that SOC teams are called on to fill. Legacy perimeter-based systems, including many decades-old SIEM systems, struggle to process and analyze the immense amount of data generated by modern infrastructure, endpoints, and sources of telemetry data. Asking SOC analysts to keep on top of multiple sources of alerts and reconcile data across disparate tools slows their effectiveness, leads to burnout and holds them back from achieving the necessary accuracy, speed and performance.
How AI is improving SOC accuracy, speed and performance
“AI is already being used by criminals to overcome some of the world’s cybersecurity measures,” warns Johan Gerber, executive vice president of security and cyber innovation at MasterCard. “But AI has to be part of our future, of how we attack and address cybersecurity.”
“It’s extremely hard to go out and do something if AI is thought about as a bolt-on; you have to think about it [as integral],” Jeetu Patel, EVP and GM of security and collaboration for Cisco, told VentureBeat, citing findings from the 2024 Cisco Cybersecurity Readiness Index. “The operative word over here is AI being used natively in your core infrastructure.”
Given the many accuracy, speed and performance advantages of transitioning to an AI-native SOC, it’s understandable why Gartner is supportive of the idea. The research firm predicts that by 2028, multi-agent AI in threat detection and incident response (including within SOCs) will increase from 5% to 70% of AI implementations — primarily augmenting, not replacing, staff.
Chatbots making an impact
Core to the value that AI-driven SOCs bring to cybersecurity and IT teams are accelerated threat detection and triage based on improved predictive accuracy using real-time telemetry data.
SOC teams report that AI-based tools, including chatbots, are providing faster turnarounds on a broad spectrum of queries, from simple analysis to more complex analysis of anomalies. The latest generation of chatbots designed to streamline SOC workflows and assist security analysts include CrowdStrike’s Charlotte AI, Google’s Threat Intelligence Copilot, Microsoft Security Copilot, Palo Alto Networks’ series of AI Copilots, and SentinelOne Purple AI.
Graph databases are core to SOCs’ future
Graph database technologies are helping defenders see their vulnerabilities as attackers do. Attackers think in terms of traversing the system graph of a business, while SOC defenders have traditionally relied on lists they use to cycle through deterrent-based actions. The graph database arms race aims to get SOC analysts to parity with attackers when it comes to tracking threats, intrusions and breaches across the graph of their identities, systems and networks.
AI is already proving effective in reducing false positives, automating incident responses, enhancing threat analysis and continually finding new ways to streamline SOC operations.
Combining AI with graph databases is also helping SOCs track and stop multi-domain attacks. Graph databases are core to SOCs’ future because they excel at visualizing and analyzing interconnected data in real time, enabling faster and more accurate threat detection, attack path analysis, and risk prioritization.
John Lambert, corporate vice president for Microsoft Security Research, underscored the critical importance of graph-based thinking for cybersecurity, explaining to VentureBeat, “Defenders think in lists, cyberattackers think in graphs. As long as this is true, attackers win.”
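To make the list-versus-graph contrast concrete, here is an added example (not from the article or any vendor product) that triages the same alerts first as a severity-sorted list and then as a graph of access relationships. The alerts, entity names, edges and the `customer-db` critical asset are all constructed for illustration.

```python
from collections import deque

# Constructed sample data: alerts from three separate tools (endpoint, identity, cloud).
ALERTS = [
    {"id": "A1", "domain": "endpoint", "entity": "laptop-17", "severity": 3},
    {"id": "A2", "domain": "identity", "entity": "svc-backup", "severity": 2},
    {"id": "A3", "domain": "cloud", "entity": "role-storage-admin", "severity": 3},
    {"id": "A4", "domain": "endpoint", "entity": "kiosk-02", "severity": 6},
]
# Constructed relationship graph: an edge A -> B means "control of A grants access to B".
EDGES = {
    "laptop-17": ["svc-backup"],            # service credential cached on the host
    "svc-backup": ["role-storage-admin"],   # account is allowed to assume the cloud role
    "role-storage-admin": ["customer-db"],  # role can read the database
    "kiosk-02": [],                         # isolated device, no onward access
}
CRITICAL_ASSETS = {"customer-db"}

def list_view(alerts, threshold=5):
    """List thinking: each alert is judged alone, by its own severity."""
    ranked = sorted(alerts, key=lambda a: -a["severity"])
    return [a["id"] for a in ranked if a["severity"] >= threshold]

def shortest_path(edges, start, targets):
    """Breadth-first search from start to any critical asset; None if unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def graph_view(alerts, edges, targets):
    """Graph thinking: rank paths to critical assets by how many alerts sit on them."""
    by_entity = {a["entity"]: a["id"] for a in alerts}
    findings = []
    for alert in alerts:
        path = shortest_path(edges, alert["entity"], targets)
        if path:
            on_path = [by_entity[n] for n in path if n in by_entity]
            findings.append({"path": path, "alerts": on_path})
    return sorted(findings, key=lambda f: -len(f["alerts"]))

if __name__ == "__main__":
    print("list view escalates:", list_view(ALERTS))
    for finding in graph_view(ALERTS, EDGES, CRITICAL_ASSETS):
        print(" -> ".join(finding["path"]), "| alerts:", finding["alerts"])
```

The list view escalates only the isolated kiosk alert, while the graph view surfaces three individually low-severity alerts that line up on one path to the critical asset.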
AI-native SOCs need humans in the middle to reach their potential
SOCs that are deliberate in designing human-in-the-middle workflows as a core part of their AI-native SOC strategies are best positioned for success. The overarching goal needs to be strengthening SOC analysts’ knowledge and providing them with the data, insights and intelligence they need to excel and grow in their roles. Also implicit in a human-in-the-middle workflow design is retention.
Organizations that have created a culture of continuous learning and see AI as a tool for accelerating training and on-the-job results are already ahead of competitors. VentureBeat continues to see that SOCs that put a high priority on enabling analysts to focus on complex, strategic tasks, while AI manages routine operations, are retaining their teams. There are many stories of small wins, like stopping an intrusion or a breach. AI should not be seen as a replacement for SOC analysts or for experienced human threat hunters. Instead, AI apps and platforms are tools that threat hunters need to protect enterprises better.
AI-driven SOCs can significantly reduce incident response times, with some organizations reporting up to a 50% decrease. This acceleration enables security teams to address threats more promptly, minimizing potential damage.
AI’s role in SOCs is expected to expand, incorporating proactive adversary simulations, continuous health monitoring of SOC ecosystems, and advanced endpoint and identity security through zero-trust integration. These advancements will further strengthen organizations’ defenses against evolving cyber threats.