Analysis of Key Processes and Application Examples of Autonomous SOC Strategy

Currently, the operators of Security Operations Centers (SOC) are often overwhelmed by the sheer volume of data and alerts, which makes it difficult to gain timely insight into the security problems that pose a genuine threat. In this context, some security vendors have begun to invest heavily in developing an “autonomous SOC.” Compared with traditional SOC solutions, an autonomous SOC can operate efficiently with fewer security personnel, reducing the operational burden on enterprise security teams.

Goals of Autonomous SOC

When enterprises embark on the journey of security operations automation, they should first clarify the security operation goals that automation technology aims to achieve, and then develop the key processes for automated operations based on these goals.

A core goal of autonomous SOC is to aggregate and classify various security alerts, achieving automation in all stages of alert handling while minimizing human intervention.

The goal of autonomous SOC is not to replace existing security teams and personnel with AI technology, but to better protect organizations by integrating personnel, processes, and technology. Professional talent is an indispensable factor in security operations. Autonomous SOC allows security professionals to spend less time on redundant tasks and focus more on higher-value strategic planning.

Autonomous SOC should provide more services and support for existing security teams and use technologies suitable for organizational processes to make personnel’s work easier and enhance their capabilities.

Through autonomous SOC, organizations can integrate all data sources to provide a unified, automated classification experience, improve investigations, support analysts, and shorten response times. Therefore, autonomous SOC needs to possess some advanced technical capabilities, mainly including:

1. SOAR Products: This is a mature category of products that many SOC teams use to automate task handling through Security Orchestration, Automation, and Response (SOAR) tools. However, this process is quite challenging, as SOAR often involves high technical content or requires building complex playbooks. Some innovative SOAR products integrate AI tools or provide pre-built playbooks and no-code tools to simplify the automation of certain processes.

2. Autonomous SOC Tools: This is a newer category of products that use native automated workflows and AI to ingest, investigate, and classify alerts. The latest startups in this field were established in 2023 or 2024, using generative AI-based technology. More mature autonomous SOC products have integrated generative AI to complement core technologies such as genetic analysis or machine learning.

3. AI Assistant Products: This is the latest category, emerging in 2023. New assistant tools can use generative AI to assist analysts, allowing them to easily query systems for answers during investigations. These tools may integrate with other tools to speed up incident response or take autonomous actions, but it is currently unclear how effective or popular these AI assistants will become.

Key Processes of Autonomous SOC

Autonomous SOC does not mean that every process of security operations is fully automated; achieving this in the short term is not realistic. The key to autonomous SOC is to automate some of the large volume of repetitive and labor-intensive tasks that often consume a significant amount of security analysts’ time.

1. Continuous Monitoring

Autonomous SOC requires 24/7 continuous monitoring and collection of alert information from various security tools to ensure that no potential threats are overlooked.

2. Evidence Collection

Upon receiving an alert, the autonomous SOC must also collect the log data associated with it, including files, processes, command lines and process arguments, URLs, IP addresses, parent and child processes, and memory images.

3. Alert Investigation

The autonomous SOC should use AI and other advanced techniques to analyze each piece of collected evidence. This includes sandboxing, genetic code analysis, static analysis, Open Source Intelligence (OSINT), memory analysis, and reverse engineering. A generative AI model then summarizes the results of these individual analyses in preparation for incident assessment.

4. Alert Classification

Based on the investigation results, the autonomous SOC classifies the risk associated with each alert and decides how it should be reported. It should also reduce noise by automatically identifying and suppressing false positives, minimizing their impact on the operations team.

5. Incident Response

For all confirmed significant threats, autonomous SOC needs to provide assessment analysis and disposal recommendations, creating work orders in the case management system. This includes detection content and readily available search rules to guide the response process.

6. Analysis Reporting

Autonomous SOC needs to generate reports to inform the operational team about the status of threat disposal and provide follow-up optimization suggestions for continuous improvement of the organization’s security protection strategy.

Through the above steps, autonomous SOC can efficiently filter massive alerts and progressively escalate those that truly require human analysis by security experts. This helps improve the efficiency of security operations and significantly reduces the time spent on false positives.
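The six stages above are easier to reason about as a concrete pipeline. The following Python script is an added illustration, not code from the original article or from any autonomous SOC product: it ingests a few constructed alerts, looks up constructed process telemetry as the evidence-collection step, runs several small analyzers that each contribute a weighted finding, applies false-positive suppression, classifies each alert, attaches a ready-to-use search rule to the work order, and produces a summary report. All alert data, hashes, hostnames, indicator sets, scoring weights and function names are constructed for this example.

```python
"""Toy alert-triage pipeline covering the six autonomous-SOC stages.
Everything here (alerts, telemetry, indicators, weights, names) is constructed
for illustration; none of it reflects a real product's API or data."""
import re
from dataclasses import dataclass, field

# ---- Constructed inputs ---------------------------------------------------
SAMPLE_ALERTS = [  # stage 1: alerts as collected from an EDR and a mail gateway
    {"id": "A-1", "source": "edr", "host": "ws-17", "pid": 4012, "rule": "suspicious-powershell"},
    {"id": "A-2", "source": "edr", "host": "srv-02", "pid": 880, "rule": "cmd-spawned-by-service"},
    {"id": "A-3", "source": "mailgw", "host": "ws-05", "pid": None, "rule": "user-reported-phish",
     "url": "http://invoice-portal.example/login"},
]
# Process telemetry keyed by (host, pid); stands in for the EDR evidence lookup.
SAMPLE_TELEMETRY = {
    ("ws-17", 4012): {"image": "powershell.exe", "sha256": "sha256:constructed-0001",
                      "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
                      "parent": "winword.exe"},
    ("srv-02", 880): {"image": "cmd.exe", "sha256": "sha256:constructed-0002",
                      "cmdline": "cmd.exe /c backup_rotate.bat", "parent": "backupagent.exe"},
}
KNOWN_BAD_HASHES = {"sha256:constructed-0001"}   # constructed threat-intel set
KNOWN_BAD_URL_HOSTS = {"invoice-portal.example"}  # constructed threat-intel set
# Benign patterns that produced false positives before (learned suppressions).
FALSE_POSITIVE_RULES = [{"parent": "backupagent.exe", "cmdline_re": r"^cmd\.exe /c backup_\w+\.bat$"}]
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


@dataclass
class Finding:
    label: str
    weight: int


@dataclass
class Verdict:
    alert_id: str
    status: str  # confirmed | needs_analyst | false_positive | closed
    score: int
    findings: list = field(default_factory=list)
    search_rule: str = ""  # ready-to-run hunting query for the work order


def collect_evidence(alert):
    """Stage 2: gather the telemetry tied to the alert (process + URL here)."""
    evidence = {"url": alert.get("url")}
    if alert.get("pid") is not None:
        evidence.update(SAMPLE_TELEMETRY.get((alert["host"], alert["pid"]), {}))
    return evidence


def analyze(evidence):
    """Stage 3: each analyzer contributes a weighted finding if it fires."""
    findings = []
    if evidence.get("sha256") in KNOWN_BAD_HASHES:
        findings.append(Finding("known-malicious-hash", 60))
    cmd = evidence.get("cmdline", "")
    if re.search(r"(^|\s)-(enc|e)\s", cmd, re.I) and re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I):
        findings.append(Finding("encoded-hidden-powershell", 40))
    if evidence.get("parent") in OFFICE_APPS and evidence.get("image") in SHELLS:
        findings.append(Finding("office-spawned-shell", 30))
    url = evidence.get("url")
    if url and re.sub(r"^https?://", "", url).split("/")[0] in KNOWN_BAD_URL_HOSTS:
        findings.append(Finding("url-host-blocklisted", 50))
    return findings


def is_known_false_positive(evidence):
    return any(evidence.get("parent") == r["parent"] and re.match(r["cmdline_re"], evidence.get("cmdline", ""))
               for r in FALSE_POSITIVE_RULES)


def classify(alert, evidence, findings):
    """Stage 4: risk classification. A suppression rule never overrides a
    high-confidence finding such as a known-bad hash (weight >= 50)."""
    if is_known_false_positive(evidence) and not any(f.weight >= 50 for f in findings):
        return Verdict(alert["id"], "false_positive", 0, findings)
    score = sum(f.weight for f in findings)
    status = "confirmed" if score >= 70 else "needs_analyst" if score >= 30 else "closed"
    return Verdict(alert["id"], status, score, findings)


def make_search_rule(evidence):
    """Stage 5: the search rule handed to responders with the work order."""
    if evidence.get("sha256"):
        return f'process.hash.sha256:"{evidence["sha256"]}"'
    if evidence.get("url"):
        return f'url.original:"{evidence["url"]}"'
    return ""


def triage(alerts):
    verdicts = []
    for alert in alerts:  # every alert is processed; none is dropped silently
        evidence = collect_evidence(alert)
        verdict = classify(alert, evidence, analyze(evidence))
        if verdict.status in ("confirmed", "needs_analyst"):
            verdict.search_rule = make_search_rule(evidence)
        verdicts.append(verdict)
    return verdicts


def summarize(verdicts):
    """Stage 6: the report the operations team reads: counts per outcome."""
    report = {"confirmed": 0, "needs_analyst": 0, "false_positive": 0, "closed": 0}
    for v in verdicts:
        report[v.status] += 1
    return report


if __name__ == "__main__":
    results = triage(SAMPLE_ALERTS)
    for v in results:
        print(v.alert_id, v.status, v.score, [f.label for f in v.findings], v.search_rule)
    print(summarize(results))
```

Two design points matter for a real deployment. First, suppression of known false positives runs before scoring but is not allowed to override a high-confidence indicator, so a learned "benign" pattern cannot hide a known-bad hash. Second, the mid-range score band deliberately routes to a human rather than auto-closing, which is the progressive escalation the article describes: the pipeline closes the obvious cases and confirms the clear-cut ones, and an analyst sees only what is left.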

Application Examples of Autonomous SOC

The journey towards autonomous SOC will be long and challenging; however, enterprise security operation teams can start with some foundational scenarios to lay the groundwork for broader applications in the future. Here are several examples of autonomous SOC applications, demonstrating how different types of security teams or organizations can implement autonomous SOC strategies.

Example 1: Automation Linkage with SOAR

In this scenario, the security team still handles many manual tasks and faces a large number of false positives. To shorten the average response time, such enterprises cannot realistically gain more process automation by building and maintaining ever more complex incident response playbooks. Instead, they decide to adopt an autonomous SOC platform that integrates with their detection tools.

In the diagram above, the automated processes delivered by the autonomous SOC product become a key part of enhancing the team’s operational capabilities. In practice, the organization first integrates it with its endpoint security products to monitor and classify those alerts. Once the autonomous SOC handling of endpoint alerts proves effective, SOAR is used for alert escalation and case management. With this setup, the average classification time for endpoint alerts is under 2 minutes. Once analysts are satisfied that the autonomous SOC processes work as intended, the team extends the autonomous SOC product to ingest and classify user-reported phishing emails and SIEM alerts.

Example 2: Empowering MDR Service Providers

The MDR team views the AI-based strategy as a competitive advantage for improving customer service and increasing revenue. They need to monitor and classify alerts from many clients, each using different tools for detection and response.

By implementing an autonomous SOC strategy, including autonomous SOC products that can integrate with any customer tool, they can effectively monitor, investigate, and classify every alert from multiple customer environments, with AI and automation delivering fast classification times. With these enhanced capabilities, the MSSP team can onboard more clients and handle a larger volume of alerts without recruiting additional analysts. After deploying autonomous SOC products, they can also enrich their customer offerings with new services, such as handling user-reported phishing emails.

Example 3: Independent Autonomous SOC Application

Finally, envision a SOC team that has formulated an autonomous SOC strategy. The autonomous SOC product can investigate and classify alerts from all integrated detection systems and use SOAR for progressive escalation and case management. Once these tools are fully implemented, the team can also add AI detection assistants to help the security team query more information; however, currently, due to the novelty of tools like AI assistants, few teams have effectively utilized them.

Reference Links:

https://thehackernews.com/2024/05/how-to-build-your-autonomous-soc.html

Original Source: Security Cow
