Ed Amoroso asks, Self-Driving Cars…Why Not Self-driving SOCs?

Ed Amoroso @Tag_Cyber has a thing or two to say about SOC design

It’s hard to ignore all the news (bad and good) about self-driving cars these days, but make no mistake, they’re here to stay. Why? It makes sense for humans to teach cars and then use the power of automation and computer intelligence to make an inherently dangerous activity, driving, easier, safer and far more convenient.

So too is the case for SOC analysts, the people who are tasked with looking for and catching the ever-growing cyber risks that bombard the digital landscape every day. In fact, George Amoroso, CEO of Tag Cyber has a lot to say about SOC design in a recent article titled Self-driving SOC.

“If you are going to build a working SOC, then you’d better know (or learn) how to integrate automation into the design. With cyber attacks now approaching automated speeds that far exceed the ability for any human being to track, the only means for SOC teams to keep up with real-time threats is to automate.” – George Amoroso, CEO, Tag Cyber

George should know; he’s an expert on global cyber security.
The Respond Team

Self-driving SOCs Will Progress Much Like Autonomous Cars

Analysts in enterprise Security Operations Centers (SOCs) are a lot like drivers on a long journey. They stare at screens or through windshields for hours on end, trying to identify and respond to any potential threats or hazards. Even the best of them struggle with boredom, fatigue, and frustration. And their own biases and expectations influence the way they interpret the information that comes at them.

The National Highway Traffic Safety Administration (NHTSA) estimates that self-driving cars can reduce traffic accidents by 90 percent, because 94 percent of crashes result from human choice. Because machines are better at unblinking, dispassionate analysis, companies have begun developing self-driving cars. But what about a self-driving SOC — expert security software that could handle many cybersecurity tasks more effectively than human analysts?

First, note that the transition from human drivers to autonomous driving machines, or in this case from human-powered SOCs to machine-run security centers, would not happen overnight. In both cases, humans still need to be in charge of the technologies that help them with their tasks. As we progress, humans will slowly relinquish control and, at a certain point, technology will take charge, with humans intervening to help the technology perform better.

For a road map to an autonomous SOC, you need only look to the autonomous car industry. The NHTSA has established a five-level continuum, from human drivers controlling everything to humans being only cargo in vehicles not designed for them to drive at all. As a point of reference, the Tesla Model S, with arguably today’s best autopilot technology, sits at the midpoint of this continuum.

In the first stage of the self-driving SOC continuum, humans perform all decision-making and threat analysis and implement all remediation steps. By the fifth and final stage, the system is in total control, providing fully automated decision-making and remediation for all use cases; humans only help maintain the system and are kept in the loop through metric reporting. A self-driving SOC would not be powered by a single vendor product or feature; instead, each of these levels describes a certain scope of security operations, technologies, procedures and a specific role for humans.
