The SOC revolution: How AI can end alert fatigue and detect the undetectable
Picture this: a security analyst sits in the glowing haze of monitors in the Security Operations Center (SOC), juggling a deluge of alerts. Among them, 20% are false positives, but the analyst doesn’t know which. Time ticks by, resources drain, and morale falters. This is the reality for SOC teams worldwide.
False positives not only frustrate and exhaust security teams but also put organisations at risk of missing genuine threats. Alarmingly, the UK Cyber Security Breaches Survey 2024 reported that over 70% of medium-sized businesses and 74% of large businesses suffered cyberattacks in the past year. Many of these breaches occurred because the SOC struggled to see the forest for the trees.
However, as threats evolve, so too must the SOC. A new frontier in security detection, led by AI and advanced threat prioritisation, offers a glimmer of hope.
The false positive plague
Analysts may have to triage, investigate and escalate in excess of 100 alerts during a 12-hour shift, which can dramatically deplete time and resources and fuel "alert fatigue." This state of chronic overload often results in missed or deprioritised legitimate threats, compounding the risks.
Traditional solutions like Security Orchestration, Automation and Response (SOAR) tools were introduced to alleviate these challenges but largely failed to deliver on their promise. These tools struggle to integrate disparate security signals across products, leaving organisations vulnerable to sophisticated threats such as Living off the Land Binaries and Scripts (LOLBAS). These attacks fly under the radar and bypass traditional malware detection because they abuse legitimate, already-present system binaries and scripts rather than dropping recognisable malware.
The issue is further exacerbated by the SOC’s linear workflow. Analysts handle incidents ticket by ticket, unable to connect seemingly unrelated events into a broader pattern. It’s like reading chapters of a mystery novel out of order, resulting in critical clues being lost.
Enter AI: A new approach to detection
To combat these challenges, AI offers a transformative approach. Unlike the simplistic use of Large Language Models (LLMs) for summarising reports, AI in its broader sense, incorporating machine learning, hypergraphs, and heuristic models, has the power to revolutionise threat detection.
AI connects hundreds of observations into likely chains of events by scoring individual observations and the relationships between them. For instance, detections that originate from the same workstation, or that share observables such as user IDs or transaction identifiers, are scored and correlated into a single chain.
Using hypergraphs, this data is visually mapped to reveal patterns that human analysts might miss. These graphs can track an attacker’s progress along the kill chain by mapping events to the MITRE ATT&CK framework. This approach provides a comprehensive view of how an attack unfolds and which systems are at risk.
Augmenting analysts, not replacing them
The beauty of AI lies in its ability to augment analysts rather than replace them. Instead of grappling with hundreds of daily alerts, analysts can rely on AI to string together related events, presenting a clear picture of the threat landscape. Early adopters report up to a 90% reduction in alert volumes, freeing analysts to focus on high-priority incidents.
Machine learning further enhances this process by prioritising chains of events. The AI not only identifies threats requiring immediate attention but also suggests courses of action for remediation. This ensures a consistent and proportional response, preventing miscommunication and inefficiencies. It’s a significant advance for AI in that it sees the technology act in a semi-autonomous fashion – an evolution that is now being called ‘agentic AI’.
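The correlation described in the previous section (alerts linked through shared observables such as a host or user ID, then laid out along the MITRE ATT&CK kill chain) and the prioritisation of whole chains described here can both be shown in a small worked example. The code below is an added illustration, not code from the article or from any product it describes. The alerts are constructed sample data, each observable is treated as a hyperedge joining every alert that carries it, the ATT&CK Enterprise tactic names are real but the ordering is used only to sequence events, and the scoring weights are arbitrary assumptions chosen for illustration.

```python
"""Correlate alerts into attack chains over shared observables, then prioritise the chains.

Added example, not code from the article. Sample alerts are constructed;
the scoring weights are assumptions, not a published model.
"""
from collections import defaultdict

# ATT&CK Enterprise tactics in kill-chain order, used to sequence events inside a chain.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]
TACTIC_RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Constructed sample alerts: an ATT&CK tactic, a 1-5 severity, and the observables each detection carries.
ALERTS = [
    {"id": "a1", "tactic": "initial-access", "severity": 3,
     "observables": {"host": "WS-17", "user": "jdoe"}},
    {"id": "a2", "tactic": "execution", "severity": 4,
     "observables": {"host": "WS-17", "process": "powershell.exe"}},
    {"id": "a3", "tactic": "credential-access", "severity": 5,
     "observables": {"host": "WS-17", "user": "jdoe"}},
    {"id": "a4", "tactic": "lateral-movement", "severity": 5,
     "observables": {"host": "SRV-02", "user": "jdoe"}},
    {"id": "a5", "tactic": "discovery", "severity": 2,
     "observables": {"host": "WS-33", "user": "asmith"}},
    {"id": "a6", "tactic": "execution", "severity": 1,
     "observables": {"host": "WS-40", "user": "svc-backup"}},
]


def build_hyperedges(alerts):
    """Each observable (type, value) is a hyperedge joining every alert that carries it."""
    edges = defaultdict(set)
    for alert in alerts:
        for kind, value in alert["observables"].items():
            edges[(kind, value)].add(alert["id"])
    return edges


def correlate(alerts):
    """Group alerts into chains: two alerts share a chain if a path of shared observables links them.

    Uses union-find over alert ids; every hyperedge merges all of its members into one set.
    Each chain is returned ordered along the kill chain so an analyst reads it as a story.
    """
    parent = {alert["id"]: alert["id"] for alert in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def union(x, y):
        root_x, root_y = find(x), find(y)
        if root_x != root_y:
            parent[root_y] = root_x

    for members in build_hyperedges(alerts).values():
        ids = sorted(members)
        for other in ids[1:]:
            union(ids[0], other)

    by_id = {alert["id"]: alert for alert in alerts}
    chains = defaultdict(list)
    for alert_id in parent:
        chains[find(alert_id)].append(by_id[alert_id])
    return [sorted(chain, key=lambda a: (TACTIC_RANK[a["tactic"]], a["id"]))
            for chain in chains.values()]


def score_chain(chain):
    """Heuristic priority for a chain (weights are assumptions for illustration).

    Kill-chain breadth (distinct tactics) weighs most, since progression across
    tactics is what single-alert triage misses; then peak severity; then spread
    across hosts, which hints at lateral movement.
    """
    tactics = {a["tactic"] for a in chain}
    hosts = {a["observables"].get("host") for a in chain} - {None}
    peak_severity = max(a["severity"] for a in chain)
    return 10 * len(tactics) + 2 * peak_severity + 5 * (len(hosts) - 1)


def prioritise(alerts):
    """Return chains highest priority first, each with its score and kill-chain-ordered alerts."""
    ranked = [{"score": score_chain(chain),
               "alerts": [a["id"] for a in chain],
               "tactics": [a["tactic"] for a in chain]}
              for chain in correlate(alerts)]
    ranked.sort(key=lambda r: (-r["score"], r["alerts"]))
    return ranked


if __name__ == "__main__":
    queue = prioritise(ALERTS)
    print(f"{len(ALERTS)} alerts collapsed into {len(queue)} chains")
    for entry in queue:
        print(entry["score"], entry["alerts"], " -> ".join(entry["tactics"]))
```

On the constructed input, six alerts collapse into three chains: the four alerts linked through `WS-17` and `jdoe` form one chain that runs initial access, execution, credential access, lateral movement across two hosts and lands at the top of the queue, while the two isolated detections fall to the bottom. In production the interesting engineering is in which observables are allowed to form hyperedges (a shared domain-wide service account, for example, would merge unrelated activity) and in how the weights are learned rather than hand-set.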
The SOC of tomorrow
Integrating AI into the SOC isn’t just a technological shift; it’s also a cultural one. It requires organisations to acknowledge that traditional SOC workflows are failing and to embrace the untapped potential of AI.
The stakes are high. With ransomware attacks becoming more sophisticated and advanced threats slipping under the radar, CISOs must act now. Hypergraph-based detection models and agentic AI could mean the difference between catching a breach in its early stages and dealing with a full-scale crisis.
A brave new era
AI isn’t a magic bullet, but it is a powerful tool in the hands of prepared teams. It requires imagination and an openness to challenge outdated assumptions about what the SOC can achieve. The solution to alert fatigue and elusive threats is here; it’s time for the security industry to seize it.
By embracing this technology, organisations can turn the SOC from a place of constant firefighting into a command centre for strategic, intelligent defence. It’s a bold vision, but one that promises to transform security operations.