How Will Artificial Intelligence Shape Cybersecurity Technologies? Part 3: The Evolution of SOC Tools with AI

Alican Kiraz
4 min read · Feb 26, 2025


In this article series I have been laying out my own thoughts on how AI applications, tools and models can be integrated with cybersecurity technologies, tools and practices. In this part we look at how AI can be integrated into the SIEM tools we use every day, and how it might change the way those tools operate.

Although most vendors claim to harness AI, in practice only a few have integrated AI models and applications into their tools in any meaningful way. So, first of all: how can AI models and agents be integrated into a SIEM?

SIEM x AI Model & Agents

SIEM tools have been critical assets in companies for many years. Many small and medium-sized companies use them primarily for regulatory compliance, but their main purpose is to detect attacks against the company's attack surface and inventory through rules and correlations. Factors such as the size of the cybersecurity team, the technical competence of existing staff, the capabilities of the tool itself and the size of the inventory all directly affect how effective these tools are.

As a first step, the key inputs needed from the existing tools are:

  • Inventory Logs
  • Rules and Correlations
  • Parsing and Normalization processes
  • Use of Regex
  • Log collection agents or protocols

These data need to be organized and anonymized before they are used to train the model; in practice that means pseudonymization: usernames, hostnames and IP addresses are replaced with consistent tokens so that events can still be correlated with each other without exposing the real identifiers. Since the example model will interact with the user and operate in an agent-based structure, an LLM-based model is the right initial choice, because it can receive text directly, process it and share its outputs and results with the user.
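The preparation step described above, parsing raw log lines into normalized fields and replacing identifiers with keyed pseudonyms, as an added example. This is not code from the original article or from any SIEM vendor; the sample log lines are constructed, the field names are an assumed ECS-style naming (not an official mapping), and the HMAC key is a placeholder that in production would come from a vault.

```python
"""Parse, normalize and pseudonymize sshd auth log lines before they are used
as training data. Field names loosely follow the Elastic Common Schema
convention (assumed naming for this example, not an official mapping)."""
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Constructed sample lines in the classic syslog sshd format (not real data).
SAMPLE_LOGS = [
    "Feb 26 10:14:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Feb 26 10:14:03 web01 sshd[2311]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Feb 26 10:14:09 web01 sshd[2315]: Accepted password for deploy from 203.0.113.7 port 51031 ssh2",
    "Feb 26 10:15:00 web01 CRON[2400]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
]

# Placeholder key for keyed pseudonymization. In production this comes from a
# KMS or vault and is never stored next to the training set.
PSEUDONYM_KEY = b"replace-me-with-a-vaulted-secret"

SSHD_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed hash: the same identifier always maps to the same
    token, so correlation across events survives, but the raw value cannot be
    recovered without the key. Truncated to 16 hex chars for readability."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def normalize(line: str, year: int = 2025) -> dict:
    """Turn one raw line into a flat event. Lines that do not match the sshd
    pattern are kept and flagged as unparsed so nothing is silently dropped."""
    m = SSHD_RE.match(line)
    if not m:
        return {"event.kind": "unparsed", "message": line}
    # syslog lines carry no year; it is supplied by the caller.
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "event.kind": "event",
        "event.category": "authentication",
        "event.action": f"ssh_{m['method']}",
        "event.outcome": "success" if m["outcome"] == "Accepted" else "failure",
        "host.name": pseudonymize(m["host"]),
        "user.name": pseudonymize(m["user"]),
        "source.ip": pseudonymize(m["ip"]),
        "source.port": int(m["port"]),
        "process.pid": int(m["pid"]),
        "user.invalid": "invalid user" in line,
    }


def build_training_set(lines):
    """Normalize every line; the result is what would be handed to the model."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for event in build_training_set(SAMPLE_LOGS):
        print(event)
```

The keyed hash is the important design choice: a plain SHA-256 of an IP address can be reversed by hashing the whole IPv4 space, whereas an HMAC with a secret key cannot, and the token is still stable across events so the sequence analysis in the next section keeps working on the pseudonymized data.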

With the addition of avatars, it could even deliver its output in text-to-voice or text-to-video form.

Threat Detection and Anomaly-Based Analysis

Source: https://www.elastic.co/blog/ai-driven-security-analytics

As a first step, a model that understands the fundamental requirements above, together with the types of data it will receive and process, can, through subsequent fine-tuning and training, run this data through an Attack Verification Chain or Event Detection Chain analysis: events are scored according to their sequence, and the stages of the attack they correspond to are rated. This strengthens the controls for the next steps of both forward-looking and retrospective attack analysis, and lets the model trace backwards to identify earlier signs of the attack.
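The chain analysis described above, as an added example rather than code from the article: a forward pass that scores a sequence of normalized events by how far they advance along an assumed attack chain, and a retrospective pass that, starting from a confirmed late-stage event, pulls in the earlier signs on the same host. The stage names, weights, action-to-stage map, time window and sample events are all assumptions for illustration, not a vendor's or a framework's scoring.

```python
"""Score an ordered sequence of normalized events against an attack chain and
trace backwards from a confirmed late-stage event. The stage list, weights and
action-to-stage map are illustrative assumptions, not an official scoring."""
from datetime import datetime, timedelta

# Ordered stages of the assumed chain; list index is the position in the chain.
STAGES = ["recon", "initial_access", "execution", "persistence", "lateral_movement"]
STAGE_WEIGHT = {"recon": 1, "initial_access": 3, "execution": 4,
                "persistence": 5, "lateral_movement": 6}

# (event.action, event.outcome) -> stage. Anything unmapped is treated as noise.
STAGE_MAP = {
    ("ssh_password", "failure"): "recon",           # brute force / spray attempts
    ("ssh_password", "success"): "initial_access",
    ("process_start", "success"): "execution",
    ("cron_modify", "success"): "persistence",
    ("ssh_outbound", "success"): "lateral_movement",
}


def _ev(t, action, outcome, host="h1"):
    return {"@timestamp": f"2025-02-26T{t}+00:00", "host.name": host,
            "event.action": action, "event.outcome": outcome}


# Constructed, already-normalized events for one host (not real data).
SAMPLE_EVENTS = [
    _ev("10:14:01", "ssh_password", "failure"),
    _ev("10:14:03", "ssh_password", "failure"),
    _ev("10:14:09", "ssh_password", "success"),
    _ev("10:16:30", "process_start", "success"),
    _ev("10:18:00", "cron_modify", "success"),
    _ev("10:25:00", "ssh_outbound", "success"),
    _ev("12:00:00", "ssh_password", "success"),   # unrelated login much later
]


def stage_of(ev):
    return STAGE_MAP.get((ev["event.action"], ev["event.outcome"]))


def ts(ev):
    return datetime.fromisoformat(ev["@timestamp"])


def score_chain(events, window=timedelta(hours=1)):
    """Forward analysis. Walk the events in time order and credit each one whose
    stage is at or beyond the furthest stage seen so far, provided it falls
    within `window` of the previous credited event; a longer gap closes the
    current chain and starts a new one. Returns the best (score, stages) found."""
    best = (0, [])
    score, hit, last_idx, last_ts = 0, [], -1, None
    for ev in sorted(events, key=ts):
        st = stage_of(ev)
        if st is None:
            continue  # benign noise, not part of the chain model
        idx = STAGES.index(st)
        if last_ts is not None and ts(ev) - last_ts > window:
            best = max(best, (score, hit), key=lambda b: b[0])
            score, hit, last_idx = 0, [], -1
        if idx >= last_idx:
            score += STAGE_WEIGHT[st]
            if st not in hit:
                hit.append(st)
            last_idx, last_ts = idx, ts(ev)
    return max(best, (score, hit), key=lambda b: b[0])


def rate(stages_hit):
    """Coarse severity for the analyst queue, based on chain depth reached."""
    depth = len(stages_hit)
    if depth >= 4:
        return "critical"
    if depth >= 2:
        return "high"
    return "low" if depth == 1 else "none"


def trace_back(events, anchor, window=timedelta(hours=1)):
    """Retrospective analysis. Given a confirmed late-stage event, return the
    earlier events on the same host within `window` that sit at an earlier
    stage of the chain: the 'previous signs' an analyst would pull into a case."""
    anchor_idx = STAGES.index(stage_of(anchor))
    anchor_ts = ts(anchor)
    signs = [
        ev for ev in events
        if ev["host.name"] == anchor["host.name"]
        and stage_of(ev) is not None
        and STAGES.index(stage_of(ev)) < anchor_idx
        and timedelta(0) <= anchor_ts - ts(ev) <= window
    ]
    return sorted(signs, key=ts)


if __name__ == "__main__":
    score, hit = score_chain(SAMPLE_EVENTS)
    print(score, hit, rate(hit))
    for ev in trace_back(SAMPLE_EVENTS, SAMPLE_EVENTS[5]):
        print(ev["@timestamp"], stage_of(ev))
```

The two passes answer different questions: `score_chain` is what a detection pipeline would run continuously to rank which hosts deserve attention, while `trace_back` is what an analyst (or the model acting on their behalf) runs once an alert is confirmed, to recover the earlier steps that were not alerted on at the time.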

RLHF (Reinforcement Learning from Human Feedback) will be immensely helpful in achieving this capability, because the actions and progress of the model in its forward and backward assessments can be guided by abundant analyst feedback, and the model's weights adjusted according to the path it takes. This could lead to a highly agile and rapid development process, particularly when the trained model is integrated with numerous incident scenarios or with Breach and Attack Simulation tools. The practical constraint is the amount of consistent analyst feedback this needs: analysts who disagree with each other become noise in the reward signal.

Self-Developed Rules and Correlation

With continuous RLHF input from analysts during both the training and operational phases, there is a strong possibility that the model could reason specifically in the context of the organization's inventory, examine the attack map and develop new detection and prevention rules. By feeding the model the right data and observing it over a given period, you can arrive at a protection strategy tailored to the organization. Any rule the model proposes should still be tested against labelled true-positive and benign events before it is loaded into production. A further step would be adding AI agent features that act on the newly defined rules and correlations.
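A gate for model-proposed rules, as an added example that is not part of the article: each candidate is replayed over a small set of entity-labelled events and accepted only if it fires on the known-bad entity without firing on the known-good ones. The rule format (a threshold over a sliding window, grouped by a field), the precision and recall cut-offs and the sample events and labels are assumptions for this example.

```python
"""Gate for model-generated detection rules: evaluate a candidate threshold
rule against labelled events and accept it only if it hits the known-bad
entities without firing on the known-good ones. Rule format, cut-offs and
sample data are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(t, ip, outcome):
    return {"@timestamp": f"2025-02-26T{t}+00:00", "source.ip": ip,
            "event.action": "ssh_password", "event.outcome": outcome}


# Constructed, already-normalized events (not real data): one brute-forcing IP
# and two legitimate users who mistype their password.
SAMPLE_EVENTS = [
    _ev("10:14:01", "203.0.113.7", "failure"),
    _ev("10:14:03", "203.0.113.7", "failure"),
    _ev("10:14:05", "203.0.113.7", "failure"),
    _ev("10:14:08", "203.0.113.7", "failure"),
    _ev("10:14:09", "203.0.113.7", "success"),
    _ev("09:00:00", "198.51.100.5", "failure"),
    _ev("09:00:20", "198.51.100.5", "success"),
    _ev("11:00:00", "192.0.2.9", "failure"),
    _ev("11:20:00", "192.0.2.9", "failure"),
    _ev("11:20:30", "192.0.2.9", "success"),
]
# Analyst ground truth at entity level, the kind of label RLHF feedback yields.
LABELS = {"203.0.113.7": "malicious", "198.51.100.5": "benign", "192.0.2.9": "benign"}

# Three candidate rules of the kind a model might propose (assumed format).
RULE_GOOD = {"name": "ssh_bruteforce",
             "where": {"event.action": "ssh_password", "event.outcome": "failure"},
             "group_by": "source.ip", "threshold": 3, "window_seconds": 300}
RULE_NOISY = {**RULE_GOOD, "name": "any_ssh_failure", "threshold": 1}
RULE_DEAD = {**RULE_GOOD, "name": "telnet_failure",
             "where": {"event.action": "telnet_login", "event.outcome": "failure"}}


def matches(ev, where):
    return all(ev.get(k) == v for k, v in where.items())


def fired_groups(rule, events):
    """Sliding-window threshold rule: a group fires when at least `threshold`
    matching events fall inside any span of `window_seconds`."""
    by_group = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if matches(ev, rule["where"]):
            by_group[ev.get(rule["group_by"])].append(datetime.fromisoformat(ev["@timestamp"]))
    window = timedelta(seconds=rule["window_seconds"])
    fired = set()
    for group, times in by_group.items():
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= rule["threshold"]:
                fired.add(group)
                break
    return fired


def evaluate(rule, events, labels, min_precision=0.9, min_recall=0.8):
    """Verdict for one candidate. A rule that never fires is rejected as well:
    it cannot be shown to detect anything, which is the usual failure mode of
    a plausible-looking but wrong generated rule."""
    fired = fired_groups(rule, events)
    malicious = {g for g, label in labels.items() if label == "malicious"}
    tp = len(fired & malicious)
    precision = tp / len(fired) if fired else 0.0
    recall = tp / len(malicious) if malicious else 0.0
    accepted = bool(fired) and precision >= min_precision and recall >= min_recall
    return {"rule": rule["name"], "fired": sorted(g for g in fired if g is not None),
            "precision": precision, "recall": recall, "accepted": accepted}


if __name__ == "__main__":
    for rule in (RULE_GOOD, RULE_NOISY, RULE_DEAD):
        print(evaluate(rule, SAMPLE_EVENTS, LABELS))
```

In practice the labelled set would be far larger and drawn from the organization's own history (closed incidents and confirmed false positives), and the verdict, not just the rule text, is what goes back to the analyst as the next RLHF signal.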

SIEM x Cybersecurity-Based LLM Model x AI Agent → Kill SOAR!

Integrating the SIEM and other log-collecting tools with the inventory, and automating the resulting workflows through a GUI, is what led us to rely on SOAR. Bringing the SIEM and an AI agent together at the API level, however, can significantly cut both the human effort needed to run the SIEM and the time spent writing SOAR playbooks. Even reviewing the SOAR outputs could be handled by a model trained specifically for cybersecurity.

Where do humans fit into all this? Ultimately, people will play an active role in fine-tuning the models and maintaining their RAG (Retrieval-Augmented Generation) sources in line with evolving attack and detection methodologies, as well as supplying the AI with data ready for processing. Of course, that only goes so far: AI models that produce synthetic datasets are advancing rapidly, and as synthetic data grows increasingly similar to real data, the human factor could be phased out of that part of the process. But let's not forget that the adversary also combines the power of humans and machines, which means any system that involves humans can be expected to show anomalies that might break the system. The possibility of these breakpoints is precisely why cybersecurity experts will remain part of the cycle, which increases rather than reduces employment opportunities in the field.


Written by Alican Kiraz

Head of Cyber Defense Center @Trendyol | CSIE | CSAE | CCISO | CASP+ | OSCP | eCIR | CPENT | eWPTXv2 | eCDFP | eCTHPv2 | OSWP | CEH Master | Pentest+ | CySA+
