Artificial Intelligence Agents Transforming Security Operations Centers through Collaboration with Humans
Artificial intelligence (AI) is set to revolutionise the work of Security Operations Centres (SOC), according to predictions. In the coming years, AI agents are expected to develop the ability to reason autonomously, deploy various tools on a network, improve and modify themselves, and even modify the specific instructions they've been given.
However, it's important to note that AI is not expected to replace humans in a SOC. The essential role of human judgment in analysing and responding to security incidents remains crucial. AI struggles with tasks that involve "tribal knowledge" or practices not formally documented, making human intervention necessary.
As AI takes on more tasks, monitoring its actions becomes increasingly complex. Humans will need to be in the loop to prevent complete autonomy in the SOC of the future. AI-written code should be subjected to robust testing processes, and AI summaries should be reviewed by employees to avoid sending incorrect information.
The Director of Information Security at Red Ventures, who participated in the Gartner conference and commented on AI agents in the SOC, is not identified in the provided search results.
AI can automate complex search queries, write code, and summarise incident reports for non-technical executives. Most AI SOC startups currently focus on using AI to analyse alerts and reduce the cognitive burden on humans.
Many analysts urge caution in deploying AI in the SOC, describing some tasks as "plausible but risky" and others that are "flat-out refused" to believe AI could accomplish in the near to medium-term future. Humans will need to monitor AI agents to ensure their actions are auditable and controlled by company policies.
AI agents' actions should be validated to ensure their decisions are effective and based on the right data. The more capable AI agents become, the more critical their security becomes. A suggestion for a solution to the complexity of monitoring AI agents is to use agents to monitor other agents, but this is further out on the time horizon.
AI might eventually be able to automate the investigation and remediation of intrusions. However, it is still unable to write threat-detection rules tailored to highly customized legacy IT environments. Trust and verification are common themes in AI discussions in the SOC. AI is not expected to be a magic solution but is expected to improve things for the SOC with careful consideration.
In conclusion, while AI is expected to transform the SOC, it's crucial to approach its deployment with caution and a focus on verification and monitoring. AI agents should be considered experimentally in the SOC, with humans maintaining a crucial role in the analysis and response to security incidents.
