Analysts in enterprise Security Operations Centers (SOCs) are a lot like drivers on a long journey. They stare at screens or through windshields for hours on end, trying to identify and respond to any potential threats or hazards. Even the best of them struggle with boredom, fatigue, and frustration. And their own biases and expectations influence the way they interpret the information that comes at them.
The National Highway Traffic Safety Administration (NHTSA) estimates that self-driving cars could reduce traffic accidents by 90 percent, because 94 percent of crashes trace back to a human choice or error. Because machines are better at unblinking, dispassionate analysis, companies have begun developing self-driving cars. The same reasoning applies to security operations. So what about a self-driving SOC: expert security software that could handle many cybersecurity tasks more effectively than human analysts?
First, note that the transition from human drivers to autonomous vehicles, or in this case from human-powered SOCs to machine-run security centers, would not happen overnight. In both cases, humans remain in charge of the technologies that help them with their tasks. Over time, humans will gradually relinquish control and, at a certain point, the technology will take charge, with humans intervening to help the technology perform better.
For a road map to an autonomous SOC, you need only look to the autonomous car industry. The NHTSA has established a five-level continuum, from human drivers controlling everything to humans being nothing more than cargo in vehicles not designed for them to drive at all. As a point of reference, the Tesla Model S, with arguably the best autopilot technology available today, sits at the midpoint of this continuum.
In the first stage of the self-driving SOC continuum, humans perform all decision-making and threat analysis and carry out every remediation step themselves. By the fifth and final stage, the system is in total control, providing fully automated decision-making and remediation for all use cases; humans only maintain the system and are kept in the loop through metric reporting. A self-driving SOC would not be powered by a single vendor product or feature. Instead, each level describes a particular scope of security operations, technologies, and procedures, and a specific role for humans: in practice, which categories of alerts the system may triage and which remediation actions it may take on its own, versus which still require an analyst's review or approval.