June 21, 2023 By Jonathan Reed 4 min read

Clearly, ChatGPT has placed artificial intelligence on everyone’s radar these days. But AI in mainstream business applications has been around for decades. In cybersecurity, AI can be used for data augmentation and attack simulation. It can also help detect anomalies in network traffic or user behavior to enhance overall threat detection and response.

As per a recent report, one area where AI has made significant strides is in threat alert triage efforts. In fact, with AI assistance, alert triage timelines can be cut by more than half. And this means a lot to hard-working cyber professionals who say they spend nearly a third of their time chasing incidents that aren’t true threats. AI-enhanced solutions might even help to retain hard-to-find cybersecurity talent.

SOC teams overwhelmed

It’s no secret that security professionals are among the hardest workers in the tech space. Today’s Security Operation Center (SOC) teams must protect an ever-expanding attack surface that extends across hybrid cloud environments. The sheer size and complexity of the terrain make it increasingly difficult to keep pace with rising attack speeds and volumes. Labor-intensive alert investigations and response processes consume scarce resources. Cumbersome manual data evaluation between disconnected data, tools and interfaces wastes time. Plus, there’s a lot of cyber noise out there that can bog down security efforts.

In fact, according to a recent survey, SOC professionals say they spend nearly a third of their time investigating and validating incidents that are not real threats. More than 80% of those surveyed say that manual investigation of threats slows down their overall threat response times. And 38% say manual investigation slows them down “a lot”. Meanwhile, nearly half of those surveyed (46%) say that the average time to detect and respond to a security incident over the past two years has increased.

So more time is getting wasted on low-priority and false positive alerts. Meanwhile, incident response times are increasing. The result? Poor threat detection and weak attack resilience capabilities. This is why leaders of weary SOC teams are increasingly adopting AI-based solutions.

AI-powered cybersecurity solutions

AI-powered capabilities have been shown to significantly improve the speed and accuracy of SOC operations. For example, AI enables IBM Managed Security Services to automate more than 70% of alert closures and reduce its alert triage timelines by 55% on average within the first year of implementation, as per a recent report.

AI-powered alert triage automatically prioritizes or closes alerts based on AI-driven risk analysis. This type of triage uses AI models trained on prior analyst response patterns, along with external threat intelligence and broader contextual insights from across detection toolsets.

“In the face of a growing attack surface and shrinking attack timelines, speed and efficiency are fundamental to the success of resource-constrained security teams,” said Mary O’Brien, general manager, IBM Security. “IBM has engineered the new QRadar Suite around a singular, modernized user experience, embedded with sophisticated AI and automation to maximize security analysts’ productivity and accelerate their response across each step of the attack chain.”

AI keeps gaining traction

In a separate benchmark insight study, executives reported widespread adoption of AI for security operations, with 93% either already using or considering implementation. Also, leaders in security AI adoption have noted improved key cost performance measures. For example, by combining AI with automation, top performers increased their return on security investment (ROSI) by 40% or more and reduced data breach costs by at least 18%. These savings have helped free up funding for reinvestment in other cybersecurity needs.

By improving model precision and recall through machine learning, AI security solutions can help reduce alert fatigue for SOC analysts. In practice, this means genuine threats (true positives) are separated from benign events that would otherwise be flagged (false positives) or that are correctly left alone (true negatives).
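The two points above, a triage model trained on prior analyst dispositions and the precision/recall it achieves, in working code. This is an added example written for this article, not IBM or QRadar code: the alert history, the four features (rule, log source, asset criticality, threat-intel match), the two decision thresholds and the held-out set are all constructed assumptions.

```python
"""Added example (not IBM or QRadar code): an alert-triage model trained on
prior analyst dispositions, with precision/recall measured on held-out alerts.

Every alert record below is constructed sample data. The four features
(rule, log source, asset criticality, threat-intel match), the two decision
thresholds and the label names are assumptions for illustration.
"""
from collections import Counter, defaultdict

# Constructed history: each row is one closed alert and the disposition the
# analyst recorded for it. The last column is the training label.
HISTORY = [
    # rule,                source,  criticality, ti_hit, analyst disposition
    ("brute_force_login",  "vpn",   "high",      True,   "true_positive"),
    ("brute_force_login",  "vpn",   "high",      False,  "true_positive"),
    ("brute_force_login",  "vpn",   "low",       False,  "false_positive"),
    ("brute_force_login",  "wifi",  "low",       False,  "false_positive"),
    ("malware_beacon",     "proxy", "high",      True,   "true_positive"),
    ("malware_beacon",     "proxy", "low",       True,   "true_positive"),
    ("malware_beacon",     "proxy", "low",       False,  "false_positive"),
    ("port_scan",          "fw",    "low",       False,  "false_positive"),
    ("port_scan",          "fw",    "low",       False,  "false_positive"),
    ("port_scan",          "fw",    "high",      True,   "true_positive"),
    ("admin_share_access", "edr",   "high",      False,  "true_positive"),
    ("admin_share_access", "edr",   "low",       False,  "false_positive"),
]

# Constructed held-out alerts, with their dispositions, for measuring the model.
HOLDOUT = [
    ("malware_beacon",     "proxy", "high", True,  "true_positive"),
    ("port_scan",          "fw",    "low",  False, "false_positive"),
    ("brute_force_login",  "vpn",   "low",  True,  "true_positive"),
    ("admin_share_access", "edr",   "high", True,  "true_positive"),
    ("brute_force_login",  "wifi",  "low",  False, "false_positive"),
]

AUTO_CLOSE_BELOW = 0.15  # assumed: below this P(threat) the alert is closed automatically
ESCALATE_ABOVE = 0.70    # assumed: above this it goes straight to an analyst


class TriageModel:
    """Categorical naive Bayes with add-one smoothing: the score for each
    disposition is P(label) times the product of P(feature value | label)."""

    def __init__(self):
        self.label_counts = Counter()
        self.feature_counts = defaultdict(lambda: defaultdict(Counter))  # idx -> label -> value -> n
        self.feature_values = defaultdict(set)                            # idx -> values seen

    def fit(self, records):
        for *features, label in records:
            self.label_counts[label] += 1
            for i, value in enumerate(features):
                self.feature_counts[i][label][value] += 1
                self.feature_values[i].add(value)
        return self

    def probability_true_positive(self, features):
        total = sum(self.label_counts.values())
        scores = {}
        for label, n in self.label_counts.items():
            p = n / total
            for i, value in enumerate(features):
                # The extra +1 reserves probability mass for a value never seen
                # in training, so a brand-new rule name cannot zero the product.
                k = len(self.feature_values[i]) + 1
                p *= (self.feature_counts[i][label][value] + 1) / (n + k)
            scores[label] = p
        return scores["true_positive"] / sum(scores.values())


def triage(model, features):
    """Return (decision, P(threat)) for one alert using the assumed thresholds."""
    p = model.probability_true_positive(features)
    if p < AUTO_CLOSE_BELOW:
        return "auto_close", p
    if p > ESCALATE_ABOVE:
        return "escalate", p
    return "queue_for_review", p


def precision_recall(model, labelled, threshold=ESCALATE_ABOVE):
    """Precision and recall of the 'escalate' decision on labelled alerts.
    Alerts left in the review queue count as not-predicted, which is the
    honest view if only escalations are treated as automated detections."""
    tp = fp = fn = 0
    for *features, label in labelled:
        predicted = model.probability_true_positive(features) > threshold
        actual = label == "true_positive"
        if predicted and actual:
            tp += 1
        elif predicted and not actual:
            fp += 1
        elif actual:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall


if __name__ == "__main__":
    model = TriageModel().fit(HISTORY)
    for *features, label in HOLDOUT:
        decision, p = triage(model, features)
        print(f"{decision:17} p={p:.3f} analyst={label} {features}")
    print("precision=%.2f recall=%.2f" % precision_recall(model, HOLDOUT))
```

On this constructed data the model escalates the high-criticality alerts, auto-closes the low-criticality port scan and wifi brute force, and leaves the brute-force login with a threat-intel hit on a low-criticality asset in the review queue. That last case is the trade-off the thresholds encode: precision of the escalations stays at 1.0, recall drops to two thirds, and an analyst still sees the ambiguous alert instead of it being silently closed.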

AI can also enrich event analysis with contextual data insights. It also supports analyst inspection and investigation activities. With AI helping to improve the signal-to-noise ratio, analysts can focus on threats that pose the greatest risk.

AI helps retain talent

By facilitating more efficient triage, escalation, review and remediation procedures, AI enhances security governance and compliance. Also, by automating manual, time-intensive tasks, AI reduces analyst fatigue. This helps improve the analyst’s ability to make better, more informed decisions. So SOC teams can work faster and with fewer mistakes. By routing the sheer volume of events through AI-enabled automated solutions, leaders can make the most of skilled human analysts and their hard-to-find skills.

The end result is a more satisfying work environment. Instead of wasting time on repetitive, dead-end tasks (false positives), teams get to work on things that make a real difference. This rewarding environment can even help retain hard-to-find security talent. Who wants to work on mundane chores that have no real-world value? Instead, people want to be challenged with actual problems that lead to observable, positive results.

Beyond AI-enhanced triage

Threat triage is only one area where AI can improve processes and make SOC work more rewarding. For example, IBM’s QRadar Suite features dozens of mature AI and automation capabilities that have been refined over time with real-world users and data. It also includes innovations developed in collaboration with IBM Research and the open-source security community. Beyond faster, more effective threat triage, other AI-based benefits include:

  • Automated threat investigation: Identifies high-priority incidents and automatically launches an investigation by gathering artifacts and evidence via data mining across environments. The system then generates a timeline and attack graph of the incident based on the MITRE ATT&CK framework and recommends remediation actions.
  • Accelerated threat hunting: Uses an open-source threat-hunting language and federated search capabilities to help threat hunters find attacks and indicators of compromise across their environments. All this happens without moving data from its original source.
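What the automated investigation bullet describes, gathering related alerts into one incident, laying them out as a timeline and deriving an ATT&CK-based attack graph with suggested response actions, as an added example written for this article rather than QRadar's own code. The alerts, the two-hour correlation window and the playbook wording are constructed assumptions; the technique IDs are a hand-picked subset of real ATT&CK techniques, each mapped to the one tactic relevant here.

```python
"""Added example (not IBM or QRadar code): correlating raw alerts into one
incident, ordering them into a timeline, and deriving an ATT&CK-based attack
graph plus playbook actions.

The alerts, the two-hour correlation window and the playbook text are
constructed assumptions. TECHNIQUES is a hand-picked subset of real ATT&CK
technique IDs, mapped to the single tactic that matters in this sample.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

TECHNIQUES = {  # ATT&CK id -> (name, tactic as used in this sample)
    "T1110": ("Brute Force", "Credential Access"),
    "T1059": ("Command and Scripting Interpreter", "Execution"),
    "T1003": ("OS Credential Dumping", "Credential Access"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
}

PLAYBOOK = {  # assumed per-tactic response actions
    "Credential Access": "reset the affected accounts and rotate any service-account secrets",
    "Execution": "isolate the host and preserve its process and script-block logs",
    "Lateral Movement": "block admin-share and remote-service traffic from the source host",
    "Exfiltration": "block the destination at egress and retain proxy and flow records",
}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    technique: str
    entities: frozenset  # "host:..." / "user:..." names the alert touches
    detail: str


def at(hour, minute):  # helper: all constructed alerts fall on one day
    return datetime(2023, 6, 20, hour, minute)


ALERTS = [  # constructed sample alerts from several tools, unordered
    Alert(at(8, 2), "T1110", frozenset({"host:ws-17", "user:jdoe"}), "40 failed logons, then success"),
    Alert(at(8, 5), "T1059", frozenset({"host:ws-17", "user:jdoe"}), "encoded PowerShell spawned by mail client"),
    Alert(at(8, 9), "T1003", frozenset({"host:ws-17", "user:jdoe"}), "LSASS memory read by unsigned binary"),
    Alert(at(8, 15), "T1110", frozenset({"host:ws-42", "user:asmith"}), "password spray, no success"),
    Alert(at(8, 31), "T1021", frozenset({"host:ws-17", "host:srv-db01", "user:svc_backup"}), "admin share opened from ws-17"),
    Alert(at(9, 4), "T1041", frozenset({"host:srv-db01", "user:svc_backup"}), "12 GB sent to a never-seen external host"),
]


def correlate(seed, alerts, window=timedelta(hours=2)):
    """Gather the incident around a seed alert: repeatedly pull in alerts that
    share a host or user with anything already in the incident and lie within
    the window. Returns the alerts ordered as a timeline.
    Caveat: a widely shared entity (a common service account, a jump host)
    would chain unrelated alerts together, so production pivots need weighting
    rather than this blind transitive closure."""
    incident = {seed}
    entities = set(seed.entities)
    grew = True
    while grew:
        grew = False
        for alert in alerts:
            if alert in incident or abs(alert.ts - seed.ts) > window:
                continue
            if alert.entities & entities:
                incident.add(alert)
                entities |= alert.entities
                grew = True
    return sorted(incident, key=lambda a: a.ts)


def attack_graph(timeline):
    """Nodes are the techniques observed (first-seen order, with tactic);
    edges follow the timeline from one technique to the next."""
    nodes = []
    for alert in timeline:
        node = (alert.technique, TECHNIQUES[alert.technique][1])
        if node not in nodes:
            nodes.append(node)
    edges = [(a.technique, b.technique) for a, b in zip(timeline, timeline[1:])
             if a.technique != b.technique]
    return nodes, edges


def recommend(timeline):
    """One playbook action per tactic, in the order the tactics first appeared."""
    actions = []
    for _, tactic in attack_graph(timeline)[0]:
        action = (tactic, PLAYBOOK[tactic])
        if action not in actions:
            actions.append(action)
    return actions


if __name__ == "__main__":
    seed = ALERTS[2]  # the LSASS read is the high-priority alert that opens the investigation
    timeline = correlate(seed, ALERTS)
    for alert in timeline:
        name, tactic = TECHNIQUES[alert.technique]
        print(f"{alert.ts:%H:%M} {alert.technique} {name:34} [{tactic}] {alert.detail}")
    nodes, edges = attack_graph(timeline)
    print("graph:", " -> ".join(technique for technique, _ in nodes))
    for tactic, action in recommend(timeline):
        print(f"{tactic}: {action}")
```

Seeding from the credential-dumping alert pulls in the earlier brute force and PowerShell execution on the same host and user, then the admin-share access that names ws-17 as its source, and finally the exfiltration from the database server; the unrelated password spray against ws-42 shares no entity and stays out. The resulting graph reads as a single chain from Credential Access through Execution and Lateral Movement to Exfiltration, which is the view an analyst wants before deciding where to cut first.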

While ChatGPT has thrust AI into the spotlight, security teams have been well aware of the benefits of AI-assisted security for some time now. And the results are there to prove it.
