I sat down with John Hubbard, a leading instructor at the SANS Institute, and we explored some counterintuitive ideas, such as his argument that if you already trust a cloud vendor with all your production data, the concern over sharing investigation context with that same vendor's LLM might be misplaced.
We discussed a future where the SOC analyst's role evolves from a hands-on investigator to a supervisor, responsible for validating the output of an "agent army." Here are some of the key pragmatic takeaways from our conversation:
𝐓𝐞𝐚𝐜𝐡 𝐭𝐡𝐞 "𝐇𝐚𝐫𝐝 𝐖𝐚𝐲," 𝐭𝐡𝐞𝐧 𝐭𝐡𝐞 "𝐅𝐚𝐬𝐭 𝐖𝐚𝐲": John's approach to education in the AI era is to first build a strong foundation by teaching the manual processes. Only then does he introduce AI to accelerate those tasks. This ensures analysts understand the core concepts well enough to judge AI output, while still getting the speed they need to keep up with attackers.
𝐂𝐨𝐧𝐭𝐞𝐱𝐭 𝐢𝐬 𝐊𝐢𝐧𝐠: One of AI's most powerful applications in the SOC is enriching alerts with business context. By dynamically pulling in data on critical systems or VIPs, AI helps analysts more accurately triage and prioritize the most significant threats.
𝐀𝐈 𝐟𝐨𝐫 𝐃𝐞𝐞𝐩𝐞𝐫 𝐏𝐞𝐫𝐟𝐨𝐫𝐦𝐚𝐧𝐜𝐞 𝐈𝐧𝐬𝐢𝐠𝐡𝐭𝐬: SOC leaders can leverage AI to analyze team performance at scale. AI can process huge volumes of text from investigation notes to spot trends, identify areas for improvement, and facilitate knowledge sharing between analysts.
𝐓𝐡𝐞 𝐅𝐮𝐭𝐮𝐫𝐞 𝐢𝐬 𝐀𝐛𝐬𝐭𝐫𝐚𝐜𝐭𝐞𝐝: John foresees a future where analysts interact with a suite of interconnected tools primarily through a single chat interface. This shifts the analyst's role from hands-on-keyboard analysis to overseeing and validating the output of AI agents.
𝐅𝐮𝐭𝐮𝐫𝐞-𝐩𝐫𝐨𝐨𝐟 𝐲𝐨𝐮𝐫 𝐜𝐚𝐫𝐞𝐞𝐫: Embrace the things that scare you, consistently find ways to apply AI to your daily challenges, and seek mentorship.
The episode is essential for anyone building or operating in a SecOps team. Check it out above!