I sat down with John Hubbard, a leading instructor at the SANS Institute, and we explored some counterintuitive ideas, such as his argument that if you already trust a cloud vendor with all your production data, the concern over sharing investigation context with that same vendor's LLM might be misplaced.
We discussed a future where the SOC analyst's role evolves from a hands-on investigator to a supervisor, responsible for validating the output of an "agent army." Here are some of the key pragmatic takeaways from our conversation:
Teach the "Hard Way," then the "Fast Way": John's approach to teaching in the AI era is to build a solid foundation in the manual process first, and only then introduce AI to accelerate it. Analysts who learn this way understand what the tooling is doing for them while still gaining the speed needed to keep pace with attackers.
Context is King: One of AI's most useful applications in the SOC is enriching alerts with business context. By dynamically pulling in data on critical systems and VIP users, it helps analysts triage more accurately and prioritize the threats that matter most.
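As an added example (not code from the podcast, from SANS, or from John Hubbard), here is what that enrichment step looks like in practice: a raw alert is joined deterministically against an asset inventory and a VIP list, a priority is derived from the result, and the context is rendered as a structured block that a triage model or an analyst can consume. The inventory, VIP list, sample alerts and scoring weights below are all constructed for illustration and are not real data.

```python
"""Alert enrichment with business context.

Added example; not code from the podcast or from SANS. The asset inventory,
VIP list, sample alerts and scoring weights are constructed and hypothetical.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: hostname -> criticality (1-5), owner, tags.
ASSET_INVENTORY = {
    "dc01.corp.example": {"criticality": 5, "owner": "infra", "tags": ["domain-controller", "tier0"]},
    "pay-db-02.corp.example": {"criticality": 5, "owner": "finance", "tags": ["pci", "database"]},
    "lt-jsmith.corp.example": {"criticality": 2, "owner": "jsmith", "tags": ["laptop"]},
}

# Constructed VIP list: accounts whose compromise warrants elevated handling.
VIP_USERS = {"cfo", "ceo", "dbadmin"}


@dataclass
class EnrichedAlert:
    alert_id: str
    host: str
    user: str
    base_severity: int
    priority: str
    score: int
    reasons: list = field(default_factory=list)
    context: dict = field(default_factory=dict)


def enrich(alert: dict) -> EnrichedAlert:
    """Join a raw alert against inventory and VIP context and derive a priority.

    A host missing from the inventory is flagged as a coverage gap rather than
    silently treated as low value, so the gap is visible to whoever triages.
    """
    host = alert["host"].lower()
    user = alert.get("user", "").lower()
    score = alert["severity"] * 10          # illustrative weight for detector severity
    reasons, ctx = [], {}

    asset = ASSET_INVENTORY.get(host)
    if asset is None:
        score += 10
        reasons.append("host not in asset inventory (coverage gap)")
        ctx["asset"] = None
    else:
        score += asset["criticality"] * 8   # illustrative weight for asset value
        ctx["asset"] = asset
        if "tier0" in asset["tags"]:
            reasons.append("tier-0 asset")
        if "pci" in asset["tags"]:
            reasons.append("in PCI scope")
        if asset["criticality"] >= 4:
            reasons.append(f"asset criticality {asset['criticality']}/5")

    ctx["vip"] = user in VIP_USERS
    if ctx["vip"]:
        score += 25
        reasons.append(f"VIP account: {user}")

    priority = "P1" if score >= 80 else "P2" if score >= 50 else "P3"
    return EnrichedAlert(alert["id"], host, user, alert["severity"], priority, score, reasons, ctx)


def triage(alerts: list) -> list:
    """Enrich a batch of alerts and return them highest priority first."""
    return sorted((enrich(a) for a in alerts), key=lambda e: e.score, reverse=True)


def to_prompt_context(e: EnrichedAlert) -> str:
    """Render the enrichment as a structured block for a triage prompt or ticket.

    Every fact here comes from a deterministic lookup; the consumer (human or
    model) is told explicitly when something is unknown instead of being left
    to guess.
    """
    lines = [f"alert_id: {e.alert_id}", f"host: {e.host}", f"user: {e.user or 'n/a'}",
             f"priority: {e.priority} (score {e.score})"]
    if e.context["asset"] is None:
        lines.append("asset_record: NOT FOUND - do not assume low value")
    else:
        a = e.context["asset"]
        lines.append(f"asset_record: criticality={a['criticality']} owner={a['owner']} "
                     f"tags={','.join(a['tags'])}")
    lines.append("reasons: " + ("; ".join(e.reasons) if e.reasons else "none"))
    return "\n".join(lines)


# Constructed sample alerts: the same severity-3 detection on different hosts/users.
SAMPLE_ALERTS = [
    {"id": "A-1", "host": "DC01.corp.example", "user": "svc-backup", "severity": 3},
    {"id": "A-2", "host": "lt-jsmith.corp.example", "user": "jsmith", "severity": 3},
    {"id": "A-3", "host": "build-runner-7.corp.example", "user": "", "severity": 3},
    {"id": "A-4", "host": "pay-db-02.corp.example", "user": "dbadmin", "severity": 3},
]

if __name__ == "__main__":
    for e in triage(SAMPLE_ALERTS):
        print(to_prompt_context(e), end="\n\n")
```

The point of keeping the lookups deterministic and handing the result to the model as structured text is that asset criticality and VIP status are facts the organization already knows; the model should be reasoning over them, not inventing them. Identical detections land at P1, P2 and P3 purely on business context, and the unknown host is surfaced as an inventory gap instead of quietly sinking to the bottom of the queue.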
AI for Deeper Performance Insights: SOC leaders can use AI to analyze team performance at scale, processing large volumes of investigation notes to spot trends, identify areas for improvement, and surface knowledge worth sharing between analysts.
The Future is Abstracted: John foresees analysts interacting with a suite of interconnected tools primarily through a single chat interface. That shifts the analyst's role from hands-on-keyboard analysis to overseeing and validating the output of AI agents.
Future-proof your Career: Embrace the things that scare you, consistently find ways to apply AI to your daily challenges, and seek out mentorship.
The episode is essential for anyone building or operating in a SecOps team. Check it out above!