SOC Archives - SecurIT360

It’s January 15^th, 2009. USAir Flight 1649 departs LaGuardia Airport in New York City at 3:24 p.m., destined for Charlotte International Airport. Moments after takeoff, a catastrophic bird strike occurs, causing all engines to be lost at an extremely low altitude. The flight controls are operated via automated drone capabilities, and AI calculates a 53% chance of success in returning to LaGuardia, beginning to adjust the heading accordingly. Failing to adjust for unknown variables and the ethical impact of the 47% chance of failure, Flight 1649 crashes in the Bronx, killing all 150 passengers, five crew members, and countless civilians in the heavily populated area, injuring hundreds of civilians. Damage not seen since September 11^th covers the Bronx as jet fuel-coated buildings and city streets burn.

Of course, this is not how “Miracle on the Hudson” played out in our dimension of the multiverse. Instead, Captain Chesley “Sully” Sullenberger and First Officer Jeffrey Skiles’ critical thinking went against the post-mortem simulated odds to safely avoid all the calamities and casualties that could have been. Situations like these demonstrate that AI won’t replace humans in many roles, including SOC Analysts. Humans excel in novel or uncertain situations. AI struggles when data is incomplete or contradictory, such as “save the lives of 150 onboard at the risk of killing more lives on the ground”. AI doesn’t know context or ethics. Two things needed for good security monitoring and response.

In addition to leading a DFIR team here at SecurIT360, I teach at colleges and universities in cybersecurity programs designed to train the next generation of cyber talent. This experience has given me deep insight into the education and training aspect of today’s cybersecurity workforce. Many of the faculty members I speak with are concerned about the lack of critical thinking skills among today’s college students. Critical thinking is the top skill a cybersecurity analyst needs to possess, more so than most technical skills that can be picked up along the way. These mental skills differentiate a quality security team from others. Give me a room of thinkers versus a room of “Paper MCSEs” any day.

Tactics change, but the goals remain the same. With AI, there will always be a lag between the discovery of new tactics and the implementation of detections. This is not new and aligns with other aspects of security. But in the interim, critical thinking during those gaps will keep networks safe. It’s the “second O and D” of the OODA loop. Orient and Decide. Critical thinking enables out-of-the-box ideas based on experiences gathered, whereas AI relies on patterns, past data, and predetermined desired outcomes. Humans can challenge the gap, whereas AI may reinforce the past practices, grow stale, or force false successes. Let’s not forget that if the data AI is trained on is skewed or contaminated, its value erodes exponentially.

Speaking of the accuracy of AI, a recent study from Anthropic and the Alan Turing Institute found that it only takes 250 documents of any size to poison any AI model. With AI-based security collecting thousands of records from hundreds or thousands of devices daily, 250 seems like a very fragile number of records needed to compromise trustworthiness. If these numbers are accurate, a valid AI model for security monitoring could be compromised and rendered useless in just seconds. Instant blindness, where we thought we had insight, the ultimate stealth mode. This, in turn, would cascade into the automated workflows, where AI claims to be better than humans, and ruin those as well. The whole process is broken, and cloaked Klingons are storming the galaxy unnoticed.

The adage goes, “The Threat Actor/Red Team only needs to be right once, whereas the Blue Team needs to be right every time.” AI systems are nothing more than a Golden Retriever with laser-like hunting focus. It will fetch whatever you ask and bring back needles from haystacks, but its focus is on pleasing, not being accurate. We need accuracy in almost everything cyber, especially in network security, detection, and response. In this modern era of threats, systems prone to AI hallucinations (i.e., all of them) or contaminated data can be unreliable and risky to depend on. Detection and response times could increase, potentially taking us backward in our security posture at a time when adversaries require less dwell time to cause significant harm. And speaking of potential corruption of AI data, how would any work performed by AI ever be admissible in court (civil or criminal) if you can’t prove it hasn’t been altered?

Investigating false positives while false negatives have a chance to fester is taking network security backward. You are not reducing SOC staff resources, one of the major points of the AI/CEO erotica. Even if an AI-based system achieves an accuracy rate of over 90%, a SOC analyst (or someone else) must review 100% of the events to validate the findings and provide feedback to the system to improve its accuracy rates. This isn’t the efficiencies gained as promised. It’s adding more work to existing SOC analysts. AI companies want you to think that computers from the 23rd century, as depicted in Star Trek, are here today. But it’s not the future, and we’re a long way off. Does anyone remember what happened when Mr. Scotty used automation to do the work of the entire crew of the Enterprise during the movie “Star Trek III: Search for Spock”? At first brush with real-world engagement with an adversary, Enterprise had to be scuttled. Overdependence on overly complicated implementation is a lesson we already know today and should continue to learn from.

Overdependence on AI also removes some of the core skill sets and institutional knowledge organizations have built and trained upon, transforming them into something else. IBM experienced this when it laid off 8,000 employees due to AI and subsequently found that it had to hire 8,000 employees to handle the resulting new AI workload. There were no cost savings, just buckets moved around.

Software engineers, sales professionals, and marketing specialists became essential as IBM pivoted toward more strategic operations requiring human creativity and critical thinking.*

Critical thinking—there are those words again. Now, studies are showing that heavy use of AI tools can erode users’ critical thinking skills over time.*

Is AI totally worthless for security operations? No. It’s another arrow in the quiver, but not the bow. The core of AI, machine learning, has been around for decades. That is nothing new. “AI” is just the updated marketing buzzword for this technology. What is new is the easier means of entering queries and retrieving results. I often refer to AI as “Search Engine 2.0”. Its search capabilities are next-level compared to traditional search engines. Those can result in meaningful and measurable efficiencies.

Speaking at a security conference a few years ago, just as OpenAI hit the scene. I was asked by several consultants from a well-known company to share my perspective, given my over 20 years of experience in IT and security. My opinions then and now haven’t changed. I told them the area where AI can benefit most is the ability to have smarter and faster search results. Earlier in my career, if I needed a script to automate a task, I would spend a significant amount of time searching a site, copying code, and then trying to modify it to suit my needs. With AI, this task goes from potentially hours to just a few minutes. Junior-level analysts can now assume more senior-level responsibilities for specific tasks. The consultants must have agreed with me, as their presentation at the same conference had the same talking points in their annual report the following year.

AI is a powerful tool, but critical thinking ensures we use it wisely. It’s the difference between having information and knowing what to do. There is no price on experience in security, which is why there are numerous information-sharing avenues—sharing experiences so we can all improve at defense. AI’s documented shortcomings and inaccurate tendencies mean that SOCs with human staff will always be needed. This is why AI won’t replace your SOC.

Notes:

Simulator Evaluations for US Airways A320 Flight 1549 Accident, Ditching in Hudson

River, 1/15/09 (NTSB # DCA09MA026)

IBM laid off 8,000 employees to replace them with AI, but what they didn’t expect was having to rehire as many due to AI.

ChatGPT’s Impact On Our Brains According to an MIT Study | TIME

It Takes Only 250 Documents to Poison Any AI Model

Businesses should consider utilizing SOC (Security Operations Center) managed services because the threat landscape for cyber-attacks continues to evolve and become more sophisticated each year, and the cost of a data breach or cyber-attack can be devastating to a business. The SecurIT360 SOC team consist of a dedicated team that provides 24/7 monitoring and analysis of an organization’s IT environment, detects and responds to security incidents, and performs regular external security assessments to identify potential vulnerabilities.

Here are 7 reasons why you should consider utilizing our SOC managed services:

Round-the-clock monitoring: Our SOC operates 24/7/365, providing real-time monitoring of your company’s IT environment (cloud, network, server, endpoints). This gives your organization a greater chance to detect and respond to any security incidents as soon as they occur, which can help prevent, mitigate, or limit any damage.
Access to expertise: Our SOC managed services provide access to a team of security analysts who have specialized knowledge and training in cybersecurity. Our team will provide security initiatives to guide you on implementing the best practices and strategies to protect your business from cyber threats.
Cost-effective: Building an in-house SOC can be expensive and time-consuming. Utilizing SOC managed services is a cost-effective alternative, allowing you to have access to expert security services without the need to invest in expensive infrastructure and personnel.
Scalability: Our SOC managed services can scale to meet the changing needs of your company. As your company grows, we can adjust the level of support provided, adding more resources or expertise as needed.
Compliance: Many regulations and standards such as GDPR, HIPAA, and PCI DSS, require businesses to implement specific security controls to protect sensitive data. A SOC managed service provider can help ensure that your company is compliant with these regulations and standards.
Business continuity: A cyber-attack or data breach can cause significant damage to a company’s reputation, financials, and customer trust. By utilizing SOC managed services, you can help ensure business continuity and minimize the damage from a security incident.
Focus on Core Business: By extending your team with our SOC services, your company can free up internal IT teams to focus on core business functions, rather than security monitoring and incident response. This allows your company to stay competitive and focus on innovation, while ensuring security needs are met by a trusted and experienced third-party provider.

Services offered under our SOC managed services umbrella:

MDR – Managed Detection and Response
EDR – Endpoint Detection and Response
Simulated Phishing Campaigns and Cybersecurity Awareness Training
You can utilize all 3 or pick and choose, pricing varies depending on your choice

Overall, our SOC managed services are an important tool for any business that wants to protect its assets, data, and reputation from the growing threat of cyber-attacks. By working with our SOC team at SecurIT360, businesses can benefit from expert security services, round-the-clock monitoring, and compliance support at a cost-effective price.