AI Agents in a Semi-Autonomous Security Operations Center (SOC)

Cybersecurity analyst burnout is real, and the stakes are higher than ever because all the data is stored completely digitally and threat actors are always after it. In detection and response, detection is not easily achieved and response is not fast. Chances are high that before an alert hits the SIEM/SOAR, some form of Machine Learning and Artificial Intelligence has already been used by the suite of cyber defense products in the SOC.
This presentation digs deeper into using AI Agents to help in the SOC workflow. AI Agents are typically built to do specific tasks and are great at automating simple, repetitive ones. The real challenges of this implementation go beyond the issues seen in GenAI and LLMs, such as prompt injection, hallucinations, etc. For a pseudo-anonymous AI agent to close or escalate a security event, the organization has to trust the AI Agent platform by allowing access to the logs required to make a decision. AI agents must also be integrated with other infrastructure to take actions such as block IP, scan device, block domain, isolate device, quarantine file, password reset, raise a new case, etc. At this stage, human oversight is required for all AI agent actions, and these AI models should continuously learn the decision-making logic from human expertise.
Multiple AI Agents must work together to respond to threats at scale and at very high speed. One way of achieving a potential Autonomous SOC is to have multiple agents, each dedicated to doing one task. One AI Agent (AI Receiver Agent) can be deployed to receive the alert and enrich it so that enough information is present about the user, endpoint, network indicators, and data involved in the alert. This information is then passed to another AI Agent (AI Hunt Agent), whose function is to combine all the data points, hunt for the suspicious indicator across the entire infrastructure, and pull those details for enterprise-wide visibility. Lastly, the AI Response Agent decides based on the playbook and remediates the threat.
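The Receiver, Hunt and Response flow described above, sketched as an added example that is not code from the presentation. The asset inventory, log records, playbook and the `approve` callback are constructed assumptions; the response stage proposes only playbook actions and executes none that a human has not approved.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not from the presentation).
ASSETS = {"wks-042": {"user": "jdoe", "criticality": "high"}}
LOGS = [
    {"host": "wks-042", "dst_ip": "203.0.113.7"},
    {"host": "srv-009", "dst_ip": "203.0.113.7"},
    {"host": "wks-101", "dst_ip": "198.51.100.2"},
]
PLAYBOOK = {"c2_beacon": ["block_ip", "isolate_device"]}  # allowed actions per alert type

@dataclass
class Case:
    alert: dict
    context: dict = field(default_factory=dict)
    affected_hosts: list = field(default_factory=list)
    proposed: list = field(default_factory=list)
    executed: list = field(default_factory=list)
    audit: list = field(default_factory=list)

def receiver_agent(alert):
    """Receive the alert and enrich it with user/endpoint context."""
    case = Case(alert=alert, context=ASSETS.get(alert["host"], {}))
    case.audit.append(("receiver", "enriched"))
    return case

def hunt_agent(case):
    """Search all logs for the alert's indicator to get enterprise-wide scope."""
    ioc = case.alert["dst_ip"]
    case.affected_hosts = sorted({e["host"] for e in LOGS if e["dst_ip"] == ioc})
    case.audit.append(("hunt", f"{len(case.affected_hosts)} hosts"))
    return case

def response_agent(case, approve):
    """Propose playbook actions; execute only those the human reviewer approves."""
    for action in PLAYBOOK.get(case.alert["type"], []):
        targets = [case.alert["dst_ip"]] if action == "block_ip" else case.affected_hosts
        for t in targets:
            case.proposed.append((action, t))
            if approve(action, t, case):
                case.executed.append((action, t))
                case.audit.append(("response", f"approved {action} {t}"))
            else:
                case.audit.append(("response", f"held {action} {t}"))
    return case

def run_pipeline(alert, approve):
    return response_agent(hunt_agent(receiver_agent(alert)), approve)
```

Every proposed action lands in `case.audit` whether approved or held, which gives reviewers a record of what the agents wanted to do as well as what was actually done.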
As a Cyber Security Practitioner, working as a Sr. Intrusion Analyst and Cybersecurity Researcher, I believe it is required to shed some light on the automation illusion and discuss how AI Agents must be integrated in a compliant way. This involves overcoming challenges of Black Box AI, Trust Issues, Integration with Security Stack, etc.