Time to detection is the most important factor in containing a network breach and, consequently, in limiting the cost of a cyber incident.
“Security event investigations can last hours, and a full analysis of an advanced threat can take days, weeks or even months. Even large security operations center (SOC) teams with more than 10 skilled analysts find it difficult to detect, confirm, remediate, and verify security incidents in minutes and hours,” says Chris Morales, Vectra Networks’ head of security analytics.
“However, the teams that are using artificial intelligence to augment their existing security analysts and achieve greater levels of automation are more effective than their peers and even SOC teams with more than 10 members who are not using AI.”
Human-machine teaming is crucial
Vectra Networks polled 459 Black Hat attendees on the composition and effectiveness of their organizations’ SOC teams.
The group, a mix of security architects, researchers, network operations and data center operations specialists, CISOs and infosec VPs, was asked whether their SOCs already use AI in some form for incident response; 153 (33%) said yes.
The size of these teams, the time it takes them to detect and confirm a threat, and the time it takes them to remediate the incident and verify its containment all vary.
But when the survey compares SOC teams of more than 10 analysts that use AI with those of the same size that do not, the AI-assisted teams are consistently faster at every one of those steps.
Take, for example, the time it takes them to detect a threat, or how long it takes them to remediate an incident: in both cases the teams using AI report shorter times.
“There is a measurable trend with organizations that have implemented AI to automate tedious incident response tasks to augment the SOC manpower, enable them to focus on their artisan skills and empower decision making,” Morales noted. “When man and machine (AI) work together, the result is always better than man or machine alone.”
These results are in line with those of a McAfee survey that tried to get to the bottom of what makes some threat hunters and SOCs more successful than others. The answer was the same: automating many of the routine tasks of threat investigation, so that analysts can spend more of their time on actual threat hunting.