June 21, 2023 By Jonathan Reed

Clearly, ChatGPT has placed artificial intelligence on everyone’s radar these days. But AI in mainstream business applications has been around for decades. In cybersecurity, AI can be used for data augmentation and attack simulation. It can also help detect anomalies in network traffic or user behavior to enhance overall threat detection and response.

As per a recent report, one area where AI has made significant strides is in threat alert triage efforts. In fact, with AI assistance, alert triage timelines can be cut by more than half. And this means a lot to hard-working cyber professionals who say they spend nearly a third of their time chasing incidents that aren’t true threats. AI-enhanced solutions might even help to retain hard-to-find cybersecurity talent.

SOC teams overwhelmed

It’s no secret that security professionals are among the hardest workers in the tech space. Today’s Security Operation Center (SOC) teams must protect an ever-expanding attack surface that extends across hybrid cloud environments. The sheer size and complexity of the terrain make it increasingly difficult to keep pace with rising attack speeds and volumes. Labor-intensive alert investigations and response processes consume scarce resources. Cumbersome manual data evaluation between disconnected data, tools and interfaces wastes time. Plus, there’s a lot of cyber noise out there that can bog down security efforts.

In fact, according to a recent survey, SOC professionals say they spend nearly a third of their time investigating and validating incidents that are not real threats. More than 80% of those surveyed say that manual investigation of threats slows down their overall threat response times. And 38% say manual investigation slows them down “a lot”. Meanwhile, nearly half of those surveyed (46%) say that the average time to detect and respond to a security incident over the past two years has increased.

So more time is getting wasted on low-priority and false positive alerts. Meanwhile, incident response times are increasing. The result? Poor threat detection and weak attack resilience capabilities. This is why leaders of weary SOC teams are increasingly adopting AI-based solutions.

AI-powered cybersecurity solutions

AI-powered capabilities have been shown to significantly improve the speed and accuracy of SOC operations. For example, AI enables IBM Managed Security Services to automate more than 70% of alert closures and reduce its alert triage timelines by 55% on average within the first year of implementation, as per a recent report.

AI-powered alert triage automatically prioritizes or closes alerts based on AI-driven risk analysis. This type of triage uses AI models trained on prior analyst response patterns, along with external threat intelligence and broader contextual insights from across detection toolsets.

“In the face of a growing attack surface and shrinking attack timelines, speed and efficiency are fundamental to the success of resource-constrained security teams,” said Mary O’Brien, general manager, IBM Security. “IBM has engineered the new QRadar Suite around a singular, modernized user experience, embedded with sophisticated AI and automation to maximize security analysts’ productivity and accelerate their response across each step of the attack chain.”

AI keeps gaining traction

In a separate benchmark insight study, executives reported widespread adoption of AI for security operations, with 93% either already using or considering implementation. Also, leaders in security AI adoption have noted improved key cost performance measures. For example, by combining AI with automation, top performers increased their return on security investment (ROSI) by 40% or more and reduced data breach costs by at least 18%. These savings have helped free up funding for reinvestment in other cybersecurity needs.

By improving model precision and recall through machine learning, AI security solutions can help reduce alert fatigue for SOC analysts. This means that actual security threats (true positives) can be distinguished from ordinary events, both those that still trigger alerts (false positives) and those that correctly do not (true negatives).

AI can also enrich event analysis with contextual data insights. It also supports analyst inspection and investigation activities. With AI helping to improve the signal-to-noise ratio, analysts can focus on threats that pose the greatest risk.
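The two passages above describe triage models trained on prior analyst dispositions and measured by precision and recall. The following is an added example, not IBM's or QRadar's code, that makes the idea concrete: a small naive Bayes model learns from a constructed history of analyst dispositions, scores new alerts on three categorical features (detection rule, asset tier, threat-intel hit), auto-closes the low-scoring ones, and reports precision and recall at a chosen threshold so the trade-off between analyst time saved and missed threats can be seen. The alert data, feature names and the 20-minute manual investigation cost are all assumptions made for the example.

```python
"""Added example: toy AI-assisted alert triage trained on past analyst dispositions.

Not IBM's or QRadar's code. All alert records below are constructed for the example.
"""
from collections import defaultdict
from typing import List, Tuple

# An alert is a tuple of categorical features:
# (detection rule, asset tier, whether the source hit external threat intel).
Alert = Tuple[str, str, bool]
FEATURE_NAMES = ("rule", "asset_tier", "ti_hit")

# Constructed history: past alerts and the analyst's final disposition
# ("tp" = real threat, "fp" = closed as benign).
HISTORY: List[Tuple[Alert, str]] = [
    (("brute_force", "high", True), "tp"),
    (("brute_force", "low", False), "fp"),
    (("malware_beacon", "high", True), "tp"),
    (("malware_beacon", "low", True), "tp"),
    (("port_scan", "low", False), "fp"),
    (("port_scan", "low", False), "fp"),
    (("port_scan", "high", False), "fp"),
    (("brute_force", "high", False), "fp"),
    (("malware_beacon", "high", False), "tp"),
    (("port_scan", "high", True), "tp"),
]

# Constructed evaluation set with ground truth from a later analyst review.
EVAL: List[Tuple[Alert, str]] = [
    (("malware_beacon", "high", True), "tp"),
    (("port_scan", "low", False), "fp"),
    (("brute_force", "high", False), "fp"),
    (("brute_force", "low", True), "tp"),
    (("port_scan", "high", True), "fp"),       # TI hit, but the scanner was benign
    (("port_scan", "high", False), "fp"),
    (("malware_beacon", "low", False), "tp"),  # quiet beacon from a low-tier asset
    (("brute_force", "low", False), "fp"),
]

MINUTES_PER_MANUAL_INVESTIGATION = 20  # assumed cost of one analyst look


class TriageModel:
    """Naive Bayes over categorical alert features, with Laplace smoothing."""

    def __init__(self, history: List[Tuple[Alert, str]]):
        self.class_counts = defaultdict(int)
        # counts[feature_index][label][value] = how often value was seen under label
        self.counts = [defaultdict(lambda: defaultdict(int)) for _ in FEATURE_NAMES]
        self.values = [set() for _ in FEATURE_NAMES]
        for alert, label in history:
            self.class_counts[label] += 1
            for i, v in enumerate(alert):
                self.counts[i][label][v] += 1
                self.values[i].add(v)
        self.total = sum(self.class_counts.values())

    def _likelihood(self, alert: Alert, label: str) -> float:
        p = self.class_counts[label] / self.total  # class prior
        for i, v in enumerate(alert):
            # +1 smoothing so an unseen feature value never zeroes out a class
            p *= (self.counts[i][label][v] + 1) / (self.class_counts[label] + len(self.values[i]))
        return p

    def score(self, alert: Alert) -> float:
        """Posterior probability that an analyst would disposition this alert as a true positive."""
        tp, fp = self._likelihood(alert, "tp"), self._likelihood(alert, "fp")
        return tp / (tp + fp)


def precision_recall(model: TriageModel, labelled: List[Tuple[Alert, str]], threshold: float):
    """Precision: share of escalated alerts that were real. Recall: share of real threats escalated."""
    tp = fp = fn = 0
    for alert, truth in labelled:
        escalated = model.score(alert) >= threshold
        if escalated and truth == "tp":
            tp += 1
        elif escalated and truth == "fp":
            fp += 1
        elif not escalated and truth == "tp":
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


def analyst_minutes_saved(model: TriageModel, alerts: List[Alert], threshold: float) -> int:
    """Minutes not spent on alerts the model auto-closed (assumed per-alert cost above)."""
    closed = sum(1 for a in alerts if model.score(a) < threshold)
    return closed * MINUTES_PER_MANUAL_INVESTIGATION


MODEL = TriageModel(HISTORY)

if __name__ == "__main__":
    for threshold in (0.5, 0.3):
        p, r = precision_recall(MODEL, EVAL, threshold)
        saved = analyst_minutes_saved(MODEL, [a for a, _ in EVAL], threshold)
        print(f"threshold={threshold:.1f} precision={p:.2f} recall={r:.2f} minutes_saved={saved}")
```

Lowering the threshold from 0.5 to 0.3 in this sample recovers the quiet beacon the model had auto-closed (recall rises to 1.0) at the cost of one more benign escalation, which is exactly the precision/recall trade-off the text refers to; in practice the threshold is tuned against the analyst team's tolerance for missed threats, not for time saved alone.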

AI helps retain talent

By facilitating more efficient triage, escalation, review and remediation procedures, AI enhances security governance and compliance. Also, by automating manual, time-intensive tasks, AI reduces analyst fatigue. This helps improve the analyst’s ability to make better, more informed decisions. So SOC teams can work faster and with fewer mistakes. By routing the sheer volume of events through AI-enabled automated solutions, leaders can make the most of skilled human analysts and their hard-to-find skills.

The end result is a more satisfying work environment. Instead of wasting time on repetitive, dead-end tasks (chasing false positives), teams get to work on things that make a real difference. This rewarding environment can even help retain hard-to-find security talent. Who wants to work on mundane chores that have no real-world value? Instead, people want to be challenged with actual problems that lead to observable, positive results.

Beyond AI-enhanced triage

Threat triage is only one area where AI can improve processes and make SOC work more rewarding. For example, IBM’s QRadar Suite features dozens of mature AI and automation capabilities that have been refined over time with real-world users and data. It also includes innovations developed in collaboration with IBM Research and the open-source security community. Beyond faster, more effective threat triage, other AI-based benefits include:

  • Automated threat investigation: Identifies high-priority incidents and automatically launches an investigation by gathering artifacts and evidence via data mining across environments. The system then generates a timeline and attack graph of the incident based on the MITRE ATT&CK framework and recommends remediation actions.
  • Accelerated threat hunting: Uses open-source threat-hunting language and federated search capabilities to help threat hunters find attacks and indicators of compromise across their environments. All this happens without moving data from its original source.

While ChatGPT has thrust AI into the spotlight, security teams have been well aware of the benefits of AI-assisted security for some time now. And the results are there to prove it.
