AI gives SOCs analytical prowess: 3 ways it can boost your resilience

#artificialintelligence

As IT environments become more dynamic, hybrid, and complex, it's becoming increasingly difficult for security operations center (SOC) teams to quickly detect and address critical threats with traditional tools. SOC staff must process and analyze a massive--and growing--amount of data, as they face ever more sophisticated cyber attacks. To respond effectively, SOC leaders can't keep adding rules-based tools to their already large and often unwieldy security stack. Instead, they need AI technology that analyzes data at scale and in real time and that uses machine learning to spot any anomalies that could signal a breach. That way, SOC teams can detect unknown, fast-evolving threats missed by rules-based products configured to spot known attacks.


Cato MDR: Managed Threat Detection and Response Made Easy

#artificialintelligence

Lately, we can't help noticing an endless cycle: the more enterprises invest in threat prevention, the more hackers adapt and continue to penetrate enterprises. To make things worse, detecting these penetrations still takes too long, with an average dwell time that exceeds 100 (!) days. To keep the enterprise protected, IT needs to figure out a way to break this endless cycle without purchasing complex security and data analysis tools and hiring the right (skilled and expensive) security professionals to operate them. Enter MDR. An advanced security service, Managed Detection and Response (MDR), provides ongoing threat detection and response, leveraging AI and machine learning to investigate, alert, and contain threats. MDR is becoming popular and gaining traction.


Machine Learning in the SOC--Part 3: Best Practices for Success

#artificialintelligence

Machine learning has the power to transform your security operations, but as with any powerful technology, it needs to be approached strategically. Through our first-hand experience with helping organizations across the world implement and operationalize machine learning in their SOCs, we have identified four best practices that are critical for achieving success. Terms like artificial intelligence (AI) and machine learning are popular in our industry, but there's a lot of snake oil with vendors claiming to use these technologies. Do your homework to understand what type of machine learning a vendor uses and whether or not that type of machine learning meets your security team's needs. Knowing just a little bit about how machine learning works can help you ask better questions when evaluating a vendor, like "What threats are not covered with existing tools and techniques?" or "Which data feeds contain valuable information but are currently underutilized?"


Working Smarter: Use Machine Learning to Merge IAM and SIEM

#artificialintelligence

Innovation in business IT systems never stands still. New technologies constantly emerge as organizations seek to modernize and improve business systems, but this constant change has a price. Every alteration and new system added widens the attack surface, giving hackers new ways of compromising business-critical data. It stands to reason, then, that security teams need to respond by adding new layers of security, giving them more eyes to see potential hackers. In an effort to identify potential risks, the Security Operations Centre (SOC) casts as wide a net as possible, but this can result in teams being flooded with alerts, many of which are false positives.


AI is key to speeding up threat detection and response - Help Net Security

#artificialintelligence

Time is the most important factor in detecting network breaches and, consequently, in containing cyber incidents and mitigating the cost of a breach. "Security event investigations can last hours, and a full analysis of an advanced threat can take days, weeks or even months. Even large security operations center (SOC) teams with more than 10 skilled analysts find it difficult to detect, confirm, remediate, and verify security incidents in minutes and hours," says Chris Morales, Vectra Networks' head of security analytics. "However, the teams that are using artificial intelligence to augment their existing security analysts and achieve greater levels of automation are more effective than their peers and even SOC teams with more than 10 members who are not using AI." Vectra Networks polled 459 Black Hat attendees on the composition and effectiveness of their organizations' SOC teams. The group – a mix of security architects, researchers, network operations and data center operations specialists, CISOs and infosec VPs – were asked whether their SOCs are already using AI in some form for incident response, and 153 (33%) said yes.