Threat Response: SOC Analysts Prepare for an Uphill Battle
IBM Security's Mary O'Brien Discusses Barriers to Efficient Threat Response
The speed at which ransomware attacks unfold has increased dramatically in the last couple of years, and it's only getting faster, warned Mary O'Brien, general manager, IBM Security. The average time to ransomware deployment has fallen from about three months to four days.
The rapid acceleration of threats and security incidents has forced security operations centers, or SOCs, to become more vigilant. As businesses digitize, the attack surface expands and attacks grow more sophisticated. SOC analysts are grappling with numerous challenges. O'Brien said they are inadequately resourced as they attempt to manage a plethora of security tools, extract data from each of them, integrate the data and make sense of it all. Artificial intelligence and automation may offer part of the solution.
"After many years of security, the security fraternity is talking about adopting AI and automation. I think we have finally reached a point where AI has become sophisticated enough to demonstrate some real value to the SOC analysts," she said. "At IBM, what we're using AI and automation for is to take the noise out of the system, to allow machines to do what machines do. We have taught the machine how an analyst would handle low security risks."
In this video interview with Information Security Media Group at RSA Conference 2023, O'Brien also discusses:
- How the speed of ransomware deployment has changed in recent years;
- The most significant challenges SOC analysts face today;
- How tools like ChatGPT can help SOC analysts investigate ransomware.
O'Brien is responsible for leading the strategic direction and growth of IBM's extensive security software portfolio. She leads a global team focused on delivering products that secure the hybrid cloud and mission-critical data for enterprises. She has more than 30 years of industry experience in the U.K., U.S. and Ireland.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. And it's my pleasure to welcome to the ISMG studio, Mary O'Brien, the general manager of IBM Security. Mary, thanks for being here today.
Mary O'Brien: Thanks Matt. Nice to meet you.
Schwartz: So IBM Security, I love your research. I'm a key follower of all of the threat intelligence, for example, that your X-Force group has been doing. And one of the fascinating things, unfortunately, from a defense and health of society standpoint is about ransomware. How has the speed at which we have been seeing ransomware attacks happen changed recently?
O'Brien: It's changed dramatically in the last couple of years - year on year, it's getting faster. And in the last couple of years, ransomware deployment has moved from two or three months to several days - four days on average. So we're talking rapid change and rapid acceleration in the deployment of ransomware.
Schwartz: And, if you don't get that right, you're already on the back foot. You're already in a place you don't want to be.
O'Brien: Totally, it's just indicative of the rate and pace of cybersecurity attacks and how it's accelerating.
Schwartz: Security operations centers - that's the theme of what we're going to be talking about today. And I wanted to do a little ransomware prelude just because it sets the tone for some of the challenges that they're facing. But if we step back a little bit and look at the SOC, what are some of the most significant challenges would you say that your SOC analysts or the SOC analysts are seeing today?
O'Brien: So SOC analysts are seeing a huge acceleration in the number of threats and security incidents that they need to investigate. As businesses digitize and people are deploying cloud applications and using cloud - and also, they've got stuff on-premises - they're using such a plethora of piece parts to make up their business. Their attack surface, that's the area or the opportunity for the attackers to get in, is increasing. And as a result, the number of incidents and alerts that a SOC analyst needs to investigate is increasing. We're seeing the sophistication increase. And meanwhile, the SOC analyst is under-resourced. We're seeing that they're trying to deal with a plethora of different security tools, to take information from all of them and knit them together and do integrations. And basically, they have a lot of manual work to do in order to make it happen in today's SOC.
Schwartz: With this move, this digital transformation, if you will, that especially happened in recent years due to the great unpleasantness of having all of these things suddenly get into the cloud - I'd imagine you have many more applications you're trying to keep track of. And so this is also both in the SOCs that you're managing for people and in the SOCs that people are running using your products - how many challenges?
O'Brien: We sell security technology to vendors who create and run their own security operations centers. But we have several very sophisticated security operations centers around the world. And we run managed security services in those security operations centers for hundreds of clients.
Schwartz: So what role are you seeing AI and automation play when it comes to SOC operations? Not new terms for SOC operations, but I think we're seeing maybe greater applicability or greater, hopefully, takeaways or benefits from it.
O'Brien: Certainly, after many years of the security fraternity talking about adopting AI and automation, I think, we finally reached a point where AI in particular has become proven and has become sophisticated enough to be demonstrating some real value to the SOC analysts. So what we're using AI and automation for is to take noise out of the system and to allow machines to do what machines do well, as in clear out and also disposition the low-priority security alerts. And the way we've done that is we've taught the machine how an analyst would disposition those low-priority alerts.
Schwartz: Things you'd rather not have to ever deal with.
O'Brien: Yes, and we have a shortage of security analysts and the world has a shortage of security analysts. So we need to let machines clear out the noise and let the analysts just focus on what they're good at and what they need to focus on, which is the stuff the machine can't do.
Schwartz: So IT environments, everyone is unique. They're constantly changing. Seems like nothing is static. So when you're trying to make life easier, bring more automation, for example, to bear, or bring AI to bear and make everything easier for people. What is the impact that you're seeing then of these various, oftentimes perhaps, disconnected tool sets?
O'Brien: So disconnected tool sets and the proliferation of security tools have made the SOC analyst's job difficult, because I have sat in security operations centers watching an analyst cut, paste and manually move stuff around between various tools in order to progress their investigation.
Schwartz: And this is not a low-stress environment.
O'Brien: It is not low stress. And we did a survey recently, and 81%, I believe, of SOC analysts identified that manual intervention is slowing down their ability to do their job. So what we're endeavoring to do here is use open source and an open approach to be able to take security alerts from all kinds of tools - IBM's and third parties' - into a platform with a unified analyst experience. So no matter what the underlying technology is, we can help the analysts just stay in one screen and accelerate their workflow so that they get to the outcomes. And they get to the speed of finding the alerts they're looking for, investigating them and responding to them.
Schwartz: And helping eliminate the busy work that the administrative side of things brings. So as to focus on the analytical side of things which is what you appoint them for.
O'Brien: Taking away the integration work and the manual work that they've spent their time doing, now add automation and artificial intelligence to that. And you end up with a much more streamlined security operations center and analyst's workflow.
Schwartz: So a unifying security tool set approach to things. Where do people start? What can they make happen soonest in this approach do you think? What's your advice for getting going?
O'Brien: I think that you've got to look for the opportunity to have a unified workflow, and to look for opportunities to make the SOC analyst's job not about technology, but about the outcome they're trying to achieve. And look for the capability that will assist that. So we'll give you, or enable you, to progress a workflow from a single pane of glass, irrespective of what technology you're trying to use.
Schwartz: So sitting down with your SOC analysts, seeing what they need.
Schwartz: And trying to better deliver to them what that is.
Schwartz: Excellent. Well, it's fascinating to talk not just ransomware, but also how we can get the SOC better configured, I think, so that the right people who stop it can do more of the analysis and less of the administrative work.
O'Brien: Yeah, more efficient, more productive.
Schwartz: And that's what we need as the attacks are increasing as IBM continues to document. So thank you very much for all of your insights today, Mary.
O'Brien: Thank you, Matt.
Schwartz: I've been speaking with Mary O'Brien of IBM Security. I'm Mathew Schwartz with ISMG. Thanks for joining us.