Transform Your Security Operations Center With AI

By Rob Lefferts, Corporate Vice President of The Threat Protection organization at Microsoft

Do you know the feeling when you come back from vacation and see an overwhelming number of emails and chats waiting for you? Imagine if that was your life every morning, except you are an analyst in the security operations center (SOC). It's not emails but security alerts, and each alert is a potential threat that could put your organization at risk.

That is the reality for many security analysts. On average, security teams spend three hours a day manually triaging alerts, while attackers often successfully compromise an organization within 30 minutes. And if you factor in financially motivated attacks like ransomware and business email compromise, every second counts. So how can you respond quickly without compromising effectiveness? What if the alert spans multiple areas in the organization?

To make matters even more complex, as employees settle into using artificial intelligence (AI), so do attackers. AI is becoming a powerful tool for both good and evil. Attackers are using AI to perfect their algorithms, refine malware to make it harder to detect, and personalize phishing emails to seem legitimate — using any tactics available to find that single point of entry into an organization's environment. And here's the truth, attackers need to be successful only once. This is why security teams need to bet on solutions that implement AI to automate responses effectively.

The Evolution of Modern Security

To help combat this new reality, organizations have begun to adopt extended detection and response (XDR) to simplify SOC operations and increase visibility across domains. With XDR's projected growth expected to reach $8.8 billion by 2028, it's clear that organizations are investing in XDR technology as a key platform to satisfy their security needs. And it's obvious why: XDR solutions correlate data across security domains, including identities, endpoints, software-as-a-service (SaaS) apps, email, and cloud workloads to provide powerful detection and automated response capabilities in a unified platform. With attacks like ransomware costing millions a year and the shortage of cybersecurity personnel reaching an all-time high of 4 million, the automation capabilities in an XDR solution become vital.

Automated response benefits security teams in a multitude of ways. It helps with detecting attacks and remediating them quickly, reducing manual work and enabling security teams to focus on higher priority incidents. On the flip side, prevention is just as critical to strengthen security posture and close gaps. Many leading XDR platforms have both built-in vulnerability management and remediation capabilities, another reason companies are choosing to invest in a single solution that does it all.

Now, if you think about the infusion of AI throughout the platform and how it can be used to protect against even more sophisticated attacks, XDR has the potential to tip the scales back into defenders' favor.

Two Magic Letters: A - I

AI has enabled modern security platforms to power machine learning models to not only alert on cyberattacks but correctly identify the attack type and take remediation action on behalf of the SOC. While security teams have historically been hesitant to use automation, AI enables a new level of fidelity that allows speed and efficiency without compromising accuracy. We can see the immediate advantages of AI in XDR solutions that can disrupt advanced attacks like ransomware, business email compromise, and adversary in the middle in progress with high confidence.

Investing in solutions like these is critical in a time when attackers are moving faster than ever. This new generation of automation disrupts attacks by isolating compromised assets from the environment, disarming attackers, and removing their foothold. AI helps minimize lateral movement early and reduces the overall impact of an attack. When every second counts, the effects of minimizing the attack impact could save companies millions of dollars that might instead have been spent on recovery costs.

The combination of AI and XDR gives defenders an edge on attackers, but XDR's native breadth is critical. Automation and AI operate based on broad input, so the broader your dataset, the more effective automation mechanisms will be in assisting your SOC.

It's time to trust automation and leverage the powers of AI to build a modern defense and improve your organization's resilience against some of the most sophisticated attacks, including ransomware, with confidence.

About the Author

Rob Lefferts is corporate vice president of The Threat Protection organization at Microsoft. He leads the team responsible for Microsoft Defender XDR and Microsoft Sentinel products which provide end-to end comprehensive and cohesive Microsoft security experiences and technology for all of our customers. Lefferts holds a BS and MS from Carnegie Mellon in Pittsburgh, Pa.