Change is in the wind for SecOps: Are you ready?

Attackers have historically had time on their side, outpacing defenders who have struggled to keep up. Agentic AI appears poised to change the game.

We are on the cusp of the biggest change in the history of security operations. Agentic AI is opening the door to a new level of automated threat detection, analysis, investigation and response, and it's coming fast.

By now, most SecOps teams are using AI assistants built into specific security tools and ecosystems. These assistants are already helping to improve a plethora of SecOps activities, such as operationalizing threat intelligence, stitching signals together across multiple threat vectors, sifting out false positives, summarizing incidents and so much more. These improvements are stepping up SecOps efficiency and efficacy, underscoring the all-important factor of speed -- speed of threat detection, investigation and response before damage is done.

But beyond speed, AI is improving the ability to understand the broader scope of attacks and what actions are required to prevent future attacks. So, more than improving the reactive function of SecOps, the application of AI-enabled capabilities is improving proactive security functions.

These early results are proof of the power of AI to radically transform SecOps as we know it today. Here's why: As security professionals, we spend our lives defending our digital infrastructure from human adversaries who are dependent upon, and fully armed with, weapons of mass digital destruction. In this "digital firefight," we, as defenders, also rely on the use of digital tools to protect, detect, investigate and respond. But there is a significant difference between the attacker landscape and the defender landscape.

The attackers have time on their side. Time to spend on reconnaissance, time to stage an environment to more rapidly carry out malicious activities, and time to manipulate unsuspecting people into handing over key digital information that can be used to further attack objectives.

As defenders, this critical time element has been constrained by our need to have humans involved in sifting through signals, building hypotheses and deconstructing and understanding attack strategies and paths. Then we must ultimately decide what is real, what is most important and what actions are needed to mitigate an attack or threat. These activities are time-consuming, providing adversaries an ongoing advantage to outpace us as defenders.

Despite these seemingly unsolvable-by-machine, human-centric reasoning functions, we have been leveraging deterministic automation tools to help with the process. However, the infinite threat landscape always finds a way to thwart these processes. AI computing offers a new approach -- one that is nondeterministic, yet capable of testing out massive quantities of possibilities at speeds humans could never achieve. This volume and speed can result in more consistent and reliable conclusions, at scale, versus the limited, human-assisted processes of the past. Results equal game-changer.

Enter agentic AI

As you get your head around the idea of agentic AI, think about the many use cases where we can put the power of AI to work in a fully automated fashion. This doesn't imply that these applications will completely operate without human interaction, but it opens the door to allowing this new level of automated function. When applications have access to AI-based engines, they can carry out massive quantities of investigative actions to determine the risk, effect and containment actions required to stop or contain an attack.

Early-stage agentic AI tools are focused on specific SecOps use cases. Think of these as the low-hanging fruit of opportunity to put this new strategy to work and prove its value. This approach also helps us all begin to understand the power and possible capabilities of this budding, early-stage technology. Early use cases include alert triage, alert validation, filtering of false positives, investigation of phishing emails, vulnerability assessment and more.

Who will provide agentic AI SecOps technology?

Early-stage companies focusing specifically on SecOps, such as Aurascape, Intezer, Prophet Security, DropZone, Simbian, Exaforce, Culminate, Radiant, Seven and many more are delivering turnkey products that can work together with the rest of the SecOps tool stack. And of course, the juggernauts of the security industry, including Microsoft, Cisco, Google, Trend Micro and Palo Alto Networks, are also bringing agentic AI SecOps technology to market as integrated components within existing platforms and architecture.

At this stage, most are focusing on specific use cases. For example, Microsoft's March 24th announcement of the first Security Copilot agents highlighted five specific use cases, including phishing triage; alert triage; conditional access identity issues; vulnerability remediation; and threat intelligence briefing/summarization. These agents are embedded within specific Microsoft products, including Defender, Purview, Entra, Intune and Security Copilot. Google's recently announced agents focus on two use cases, including an alert triage agent and a malware analysis agent. Automation vendors such as Tines and Torq are also quickly putting agentic AI to work, expanding automation capabilities and use cases that can be plugged into the SecOps environment.

The autonomous security operations center

Get familiar with the "autonomous SOC" terminology, because it will be showing up everywhere as SecOps-focused automation tools are equipped with new AI-enabled capabilities. Early focus areas will include alert investigation, prioritization, signal enrichment, reverse-engineering of scripts and more. The big difference between AI assistants or copilots and agentic AI is that agentic AI applications and tools can perform response actions -- meaning that they can carry out threat containment and data enrichment activities, block malicious IPs, respond to phishing email reports, and more.

But like all AI-based capabilities, there will be a break-in period, both in terms of understanding what is possible and in establishing trusted behaviors. Early providers see the need for transparency, allowing security teams to openly monitor agentic AI processes, sequences and decision paths. Establishing trust will be a journey, but one that moves quickly, proving efficacy and accuracy in a matter of months.

And because agentic AI for SecOps is moving so fast, I'm kicking off a video-blog series aimed at introducing many of the early agentic AI providers. These sessions will allow security teams to meet the technical visionaries behind the technology, and at the same time learn about what is now possible and what will be possible in the future. In these videos, you'll have a chance to meet the founders and visionaries for many of these powerful agentic solutions.

It's time to embrace change in SecOps -- change like you've never experienced before. Hold on tight.

Dave Gruber is principal analyst at Enterprise Strategy Group, now part of Omdia, where he covers ransomware, SecOps and security services.

Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.
