In the rapidly evolving landscape of cybersecurity, the integration of artificial intelligence (AI) has transformed the way security operations centers (SOCs) function. Analysts in these centers are increasingly required to sharpen their skills as they navigate the complex relationship between AI recommendations and real-time decision-making. Dov Yoran, co-founder and CEO of Command Zero, emphasizes that when analysts act on the recommendations from AI tools, it is crucial that they thoroughly understand the underlying questions posed by the AI, the data sources it consulted, and the evidence that shaped its conclusions.
This understanding allows analysts to pivot seamlessly to additional data sources, pursue new artifacts, and extend the investigative timeline if necessary. Junior analysts, in particular, can significantly benefit from this approach. Traditionally, these individuals might struggle with initiating investigations from scratch; however, Yoran suggests that they can become more effective by learning how to refine and extend the output provided by AI systems. He notes that this skill set diverges from the conventional duties of SOC personnel and, in many ways, represents a more accessible avenue for analysts entering the field.
As the SOC of the future continues to evolve, the role of an analyst becomes more multifaceted. One significant focus is the necessity for analysts to serve as adversarial reviewers of AI-driven conclusions. AI systems, while powerful, are not infallible. Their failure modes include hallucinations, biases inherited from their training data, and deliberate manipulation by adversaries who target those weaknesses. Ensar Seker, Chief Information Security Officer at SOCRadar, asserts that analysts must be well-versed in these risks to ensure that their decisions are grounded and defensible.
To achieve this goal, analysts should be trained to approach AI outputs with a critical eye. Seker insists that the traditional model of analysts as mere data processors—what he refers to as “button-pushers”—is outdated. Instead, they should develop the capacity to interrogate AI-generated insights, learning to understand how machine learning models reason and where they may fail. This includes recognizing the emergence of bias and identifying data gaps within the AI’s operational framework. Training must focus on instilling an instinct for questioning AI conclusions; analysts should ask themselves: “What would make this conclusion wrong?”
Moreover, analysts are pivotal in infusing organization-specific context into AI-driven workflows. Without this contextual understanding, AI agents risk misidentifying threats, amplifying unnecessary noise within the system, or triggering risky actions based on incomplete or misunderstood information. Yoran emphasizes that AI agents are only as competent as the context provided to them. Consequently, analysts must be proactive in annotating identities, maintaining watch lists, and documenting patterns related to recurring false positives. They should also focus on building enrichment layers that bolster the robustness of future investigations. This shift in focus signifies that the role of the analyst is becoming less about processing data and more about engaging in complex knowledge work.
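The review discipline described above (understand the question the AI asked, the sources it consulted and the evidence it cites; ask what would make the conclusion wrong; apply organization-specific context such as watch lists and documented false positives) can be made mechanical enough to run before any suggested action is taken. The following Python is an added example, not code from the article or from Command Zero or SOCRadar; the `Recommendation` and `Context` shapes, the hostnames, addresses and the playbook's required sources are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Recommendation:
    """What an AI assistant hands the analyst (constructed shape, not a vendor's)."""
    question: str                    # the question the AI posed to the data
    sources_consulted: list[str]     # data sources it actually queried
    evidence: dict[str, list[str]]   # source -> artefacts it cites from that source
    conclusion: str
    suggested_action: str


@dataclass
class Context:
    """Organization-specific enrichment maintained by analysts (constructed)."""
    required_sources: list[str]            # sources the playbook says must be checked
    watch_list: set[str]                   # identities that always escalate
    known_false_positives: dict[str, str]  # artefact -> reason it is benign


def review(rec: Recommendation, ctx: Context) -> tuple[str, list[str], list[str]]:
    """Adversarially review a recommendation.

    Returns (verdict, findings, pivots): findings are reasons the conclusion
    may be wrong, pivots are the follow-up checks the analyst should run next.
    """
    findings, pivots = [], []

    # Data gaps: sources the playbook requires that the AI never consulted.
    for src in ctx.required_sources:
        if src not in rec.sources_consulted:
            findings.append(f"data gap: {src} was not consulted")
            pivots.append(f"query {src} for the same time window")

    # Unsupported claims: evidence attributed to a source that was never queried.
    cited = []
    for src, artefacts in rec.evidence.items():
        if src not in rec.sources_consulted:
            findings.append(f"unsupported: evidence cited from {src}, which was not consulted")
        cited.extend(artefacts)

    # Enrichment: documented false positives and watch-listed identities.
    fp_hits = {a: ctx.known_false_positives[a] for a in cited if a in ctx.known_false_positives}
    for a, why in fp_hits.items():
        findings.append(f"known false positive: {a} ({why})")
        pivots.append(f"confirm {a} still matches the documented benign pattern")
    wl_hits = [a for a in cited if a in ctx.watch_list]
    for a in wl_hits:
        findings.append(f"watch list: {a} is a monitored identity")

    # Verdict ordering: a watch-list hit escalates regardless; any hole in the
    # reasoning blocks the suggested action until the analyst has pivoted.
    if wl_hits:
        verdict = "escalate"
    elif any(f.startswith(("data gap", "unsupported")) for f in findings):
        verdict = "hold"
    elif cited and all(a in fp_hits for a in cited):
        verdict = "close-as-false-positive"
    else:
        verdict = "approve"
    return verdict, findings, pivots


def sample_review() -> tuple[str, list[str], list[str]]:
    """Constructed case: the AI cites proxy evidence it never actually queried."""
    rec = Recommendation(
        question="Is host ws-17 beaconing to an external address?",
        sources_consulted=["edr"],
        evidence={"edr": ["ws-17", "10.0.0.5"], "proxy": ["203.0.113.9"]},
        conclusion="ws-17 is beaconing",
        suggested_action="isolate ws-17",
    )
    ctx = Context(
        required_sources=["edr", "proxy", "identity"],
        watch_list={"svc-backup"},
        known_false_positives={"10.0.0.5": "internal vulnerability scanner"},
    )
    return review(rec, ctx)


if __name__ == "__main__":
    verdict, findings, pivots = sample_review()
    print("verdict:", verdict)
    print("findings:", *findings, sep="\n  ")
    print("pivots:", *pivots, sep="\n  ")
```

In the constructed case the verdict is `hold`: the playbook required proxy and identity data that was never consulted, and the recommendation cites a proxy artefact it could not have seen, so the isolate action waits until the analyst has run the listed pivots. The same `Context` object is where the annotated identities and recurring false positives the article describes accumulate, so every later review benefits from them.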
The growing importance of analysts in the future SOC cannot be overstated. As threats continue to evolve and become more sophisticated, the line between machine intelligence and human expertise will become increasingly blurred. Rather than merely relying on AI to streamline operations, analysts of tomorrow need to possess an intricate understanding of the systems they work with and the rationale behind AI recommendations. This will not only enhance their effectiveness but also provide a safeguard against the potential pitfalls of over-reliance on automated systems.
In conclusion, as the cybersecurity landscape continues its rapid transformation, the need for well-trained analysts becomes crucial. By developing a keen understanding of AI’s strengths and weaknesses, while also incorporating valuable context into AI operations, analysts can ensure that their organizations are equipped to face the challenges ahead. This evolution represents not just a shift in skills but a complete rethinking of the role that human intelligence plays in collaboration with machine learning technologies in the fight against cyber threats.
