How AI-driven SOC tech eased alert fatigue: Case study
Alert fatigue is real, and it can cause big problems in the SOC. Learn how generative AI can improve security outcomes and reduce analysts' frustration in this case study.
Cybersecurity executive Jonathan Fischbein had a problem to which his peers can likely relate: too many security alerts and too few security operations center analysts.
"We have a tight budget," said Fischbein, CISO at cybersecurity software provider Check Point. "I'd say that, in the SOC, we were lacking between 30% and 40% manpower."
Without enough staff to respond to the constant flood of security alerts coming from the organization's SIEM platform, conditions were ripe for disaster. "If you have an alert that you're not addressing, that alert might become an incident," Fischbein said. "And that is something that, as the CISO, I don't want."
AI unseats legacy SOAR
With the aim of reducing his team's alert fatigue and improving Check Point's security posture, Fischbein began exploring automation platforms. Feedback from fellow CISOs and CIOs led him to bypass legacy security orchestration, automation and response (SOAR) products in favor of a hyperautomation platform from startup Torq.
"We really liked the fact that the UI is graphical and that there are a lot of workflow automation templates," Fischbein said, adding that the platform's design centers SOC analysts' experience to make their jobs easier.
Check Point initiated a proof of concept. Within a few days of the trial's inception, Fischbein said, Torq had deployed more than two dozen AI-driven playbooks, automating responses to some of the organization's most repetitive security alerts.
Importantly, the Torq technology also integrated easily with Check Point's existing infrastructure and security stack, ingesting and analyzing data from a variety of systems and tools. "It fit like a glove," Fischbein said.
He was sold.
AI goes to work in the SOC
Today, Torq's technology -- now known as HyperSOC -- investigates, triages and remediates many of Check Point's internal security alerts without any human intervention. If an alert meets certain parameters based on organizational security policies, the platform autonomously takes relevant predefined steps, such as initiating an MFA challenge or locking out a suspicious user.
"We can react automatically to problems before they become security incidents," Fischbein said.
When events are potentially critical or complex, HyperSOC flags them for analyst oversight or intervention and offers suggestions for next steps.
According to Torq, organizations can also train the generative AI-driven SOC platform to consider contextual factors in its decision-making -- for example, requiring confirmation from a human operator before locking the CEO's account.
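The three behaviours described above (autonomous response for alerts that match a predefined playbook, escalation of critical or complex events to an analyst, and a contextual guardrail that holds a disruptive action until a human confirms it) amount to a small decision policy. The following is an added illustration written for this article, not Torq's or Check Point's code; the playbook table, the protected-account list, the host-count threshold used as a crude "complexity" signal and the sample alerts are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed policy values; a real deployment would load these from its own
# security policy rather than hard-code them.
PROTECTED_ACCOUNTS = {"ceo@example.com", "cfo@example.com"}
COMPLEX_HOST_THRESHOLD = 5   # an alert touching more hosts than this is "complex"


class Action(Enum):
    MFA_CHALLENGE = "mfa_challenge"
    LOCK_ACCOUNT = "lock_account"
    ESCALATE = "escalate_to_analyst"
    AWAIT_CONFIRMATION = "await_human_confirmation"


# Hypothetical playbook table: alert rule name -> predefined response.
PLAYBOOKS = {
    "impossible_travel": Action.MFA_CHALLENGE,
    "password_spray_success": Action.LOCK_ACCOUNT,
    "phishing_link_clicked": Action.MFA_CHALLENGE,
}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    severity: str        # "low", "medium", "high" or "critical"
    distinct_hosts: int  # hosts involved, used here as a crude complexity signal


@dataclass(frozen=True)
class Decision:
    action: Action
    automated: bool   # True if the platform may act with no human in the loop
    reason: str


def triage(alert: Alert) -> Decision:
    """Decide whether an alert is handled autonomously, gated, or escalated."""
    # Potentially critical or complex events always get analyst oversight.
    if alert.severity == "critical":
        return Decision(Action.ESCALATE, False, "critical severity")
    if alert.distinct_hosts > COMPLEX_HOST_THRESHOLD:
        return Decision(Action.ESCALATE, False,
                        f"{alert.distinct_hosts} hosts involved")

    # No predefined playbook: not an automation candidate.
    playbook = PLAYBOOKS.get(alert.rule)
    if playbook is None:
        return Decision(Action.ESCALATE, False, f"no playbook for {alert.rule}")

    # Contextual guardrail: a disruptive action against a protected account is
    # proposed, not executed, until a human operator confirms it.
    if playbook is Action.LOCK_ACCOUNT and alert.user in PROTECTED_ACCOUNTS:
        return Decision(Action.AWAIT_CONFIRMATION, False,
                        f"{alert.user} is protected; proposed {playbook.value}")

    return Decision(playbook, True, f"playbook {alert.rule}")


def triage_batch(alerts):
    """Run triage over a batch; return (decisions, count handled with no human)."""
    decisions = [triage(a) for a in alerts]
    automated = sum(1 for d in decisions if d.automated)
    return decisions, automated


# Constructed sample alerts, not real data.
SAMPLE_ALERTS = [
    Alert("impossible_travel", "alice@example.com", "medium", 1),
    Alert("password_spray_success", "bob@example.com", "high", 1),
    Alert("password_spray_success", "ceo@example.com", "high", 1),
    Alert("impossible_travel", "carol@example.com", "critical", 1),
    Alert("lateral_movement", "dave@example.com", "high", 12),
]

if __name__ == "__main__":
    decisions, automated = triage_batch(SAMPLE_ALERTS)
    for alert, d in zip(SAMPLE_ALERTS, decisions):
        who = "auto" if d.automated else "human"
        print(f"{alert.rule:24} {alert.user:18} -> {d.action.value:26} [{who}] {d.reason}")
    print(f"{automated}/{len(SAMPLE_ALERTS)} alerts handled without human intervention")
```

Run as a script it prints one line per sample alert: two are handled autonomously, the lock against the protected account is parked for confirmation, and the critical and multi-host alerts go to an analyst. The point of the structure is that every automated path is an explicit row in the playbook table and every human-in-the-loop path is an explicit early return, so an auditor can read the policy off the code rather than infer it from behaviour.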
Natural language processing speaks up
Fischbein compared Torq's HyperSOC to a Swiss Army knife in that it helps address diverse security events of varying severity.
Some of that flexibility is thanks to the technology's large language model capabilities, which enable it to ingest material written in natural language -- ranging from proprietary in-house playbooks to documentation of industry frameworks, such as Mitre ATT&CK -- and cross-reference it during event triage, investigation and response efforts.
In cases requiring human intervention, the platform also uses natural language to summarize its own workflows, present relevant data and offer next-step recommendations. This helps human analysts make more efficient and informed decisions, minimizing the time and effort they spend on tedious and manual investigative tasks during active incidents.
AI is a SecOps tool, not a panacea
According to Fischbein, Torq's AI-driven SOC platform has successfully increased efficiency and reduced alert fatigue among Check Point's security analysts. But that's not to say he considers his staffing woes solved.
"In our organization, we're talking about almost 7,0000 users in about 80 different locations worldwide. The problems are endless," he said. "If I increased my SOC staff by 40%, I would still have problems."
In other words, the never-ending battle between SecOps teams and attackers continues -- albeit with AI-driven SOC technology potentially giving the good guys an edge.
"It's a cat-and-mouse game," Fischbein said. "And, with Torq, we can catch the mouse more easily."
Alissa Irei is senior site editor of TechTarget Security.