Real Lessons from Scaling SOC Operations With AI
NTT Data cybersecurity leaders share 12 practical strategies for integrating AI into the SOC to reduce incident effort by up to 70%.
NTT Data has been delivering cybersecurity services to enterprises globally for over 30 years and currently offers a Unified Detection and Response service operating from global and regional SOCs. In our SOC, we’ve driven efficiency with automation, continually tuned SIEM and detection rules and onboarded waves of new analysts.
That alone has not been enough, however, to keep pace with the growth in alert volumes and in our business.
About a year ago, we decided to introduce AI to help scale our SOC operations and deliver on our vision of Proactive Cyber Defense. We selected Simbian as our AI SOC vendor after a false start with another vendor. Today we are in production and seeing strong results, including a 50-70% reduction in effort per incident and a >50% improvement in our time to respond.
AI is not eliminating roles, but it is letting us grow capacity without adding headcount at the same pace as the business grows.
We learned many things during this project. Here is our summary of what worked, what didn’t, and the practical steps we recommend.
1. Start with Your Scorecard
We set up and continue to use a clear set of KPIs to track and report our progress. For us, this means:
- Incident Type Coverage – we want the AI SOC to be able to process more than 90% of the alerts received by the SOC. We have achieved this for IT alerts and are now expanding to other classes of alerts.
- Automatically Close False Positives – we want AI SOC to correctly identify and automatically close 90% of false positives. We are on track to achieve this metric.
- Time-To-Respond – we want AI SOC to reduce how long it takes to respond to an alert by at least 50%. This has been achieved.
- Recommendations – we want at least 90% of the AI SOC recommendations to be deemed as “correct” by qualified reviewers. We are still working out how best to measure this.
This scorecard kept everyone grounded and the project focused. Your organization may value different outcomes but document those outcomes and get buy-in at the start of the project.
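To make the scorecard concrete, here is a small calculator for the four KPIs above, written as an added example rather than anything from NTT Data or Simbian. The alert record layout, field names and the ten sample alerts are constructed for illustration, and a fifth figure is added that the text does not list but that any team auto-closing false positives should track: the number of confirmed true positives the AI closed on its own, which should stay at zero.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Targets taken from the scorecard in the text. The zero-tolerance bound on
# auto-closed true positives is an added assumption, not one of the four KPIs.
TARGETS = {
    "incident_type_coverage": 0.90,
    "fp_auto_close_rate": 0.90,
    "ttr_reduction": 0.50,
    "recommendation_accuracy": 0.90,
}
MAX_TP_AUTO_CLOSED = 0


@dataclass(frozen=True)
class AlertRecord:
    """One alert after the analyst review that establishes ground truth.
    Field names are assumptions, not a real SIEM or SOAR schema."""
    alert_id: str
    alert_class: str                         # e.g. "it", "cloud", "ot"
    ai_handled: bool                         # did the AI SOC process the alert at all?
    ai_disposition: str                      # "auto_closed_fp", "escalated", or "" if unhandled
    analyst_verdict: str                     # ground truth after review: "fp" or "tp"
    recommendation_correct: Optional[bool]   # reviewer judgement; None = not reviewed
    ttr_minutes: float                       # time from alert creation to response


def scorecard(records: List[AlertRecord], baseline_ttr_minutes: float) -> Dict[str, object]:
    """Compute the four KPIs plus the auto-close safety figure for one review period."""
    handled = [r for r in records if r.ai_handled]

    # KPI 1: share of all alerts the AI SOC processed, overall and per alert class,
    # so the IT-versus-other-classes gap mentioned in the text is visible.
    coverage = len(handled) / len(records) if records else 0.0
    by_class: Dict[str, float] = {}
    for cls in sorted({r.alert_class for r in records}):
        in_cls = [r for r in records if r.alert_class == cls]
        by_class[cls] = sum(r.ai_handled for r in in_cls) / len(in_cls)

    # KPI 2: share of confirmed false positives the AI closed without an analyst.
    fps = [r for r in records if r.analyst_verdict == "fp"]
    auto_closed = [r for r in records if r.ai_disposition == "auto_closed_fp"]
    fp_auto_closed = [r for r in auto_closed if r.analyst_verdict == "fp"]
    # Safety figure: an auto-closed true positive is a missed incident.
    tp_auto_closed = [r for r in auto_closed if r.analyst_verdict == "tp"]
    fp_rate = len(fp_auto_closed) / len(fps) if fps else 0.0

    # KPI 3: median time-to-respond on AI-handled alerts against the pre-project baseline.
    ttr = median(r.ttr_minutes for r in handled) if handled else baseline_ttr_minutes
    ttr_reduction = 1.0 - ttr / baseline_ttr_minutes

    # KPI 4: recommendations judged correct by a qualified reviewer, among those reviewed.
    reviewed = [r for r in handled if r.recommendation_correct is not None]
    rec_acc = sum(r.recommendation_correct for r in reviewed) / len(reviewed) if reviewed else None

    return {
        "incident_type_coverage": coverage,
        "coverage_by_class": by_class,
        "fp_auto_close_rate": fp_rate,
        "tp_auto_closed": [r.alert_id for r in tp_auto_closed],
        "ttr_reduction": ttr_reduction,
        "recommendation_accuracy": rec_acc,
        "recommendations_reviewed": len(reviewed),
    }


def targets_met(card: Dict[str, object]) -> Dict[str, bool]:
    """Compare a scorecard against the targets; a KPI with no reviewed data counts as not met."""
    met = {k: card[k] is not None and card[k] >= v for k, v in TARGETS.items()}
    met["no_tp_auto_closed"] = len(card["tp_auto_closed"]) <= MAX_TP_AUTO_CLOSED
    return met


# Constructed sample: ten alerts from one review period, not real SOC data.
SAMPLE = [
    AlertRecord("a1", "it", True, "auto_closed_fp", "fp", True, 5.0),
    AlertRecord("a2", "it", True, "auto_closed_fp", "fp", True, 4.0),
    AlertRecord("a3", "it", True, "auto_closed_fp", "fp", None, 6.0),
    AlertRecord("a4", "it", True, "escalated", "tp", True, 20.0),
    AlertRecord("a5", "it", True, "escalated", "fp", False, 30.0),
    AlertRecord("a6", "it", True, "auto_closed_fp", "tp", False, 3.0),   # the dangerous case
    AlertRecord("a7", "cloud", True, "escalated", "tp", True, 25.0),
    AlertRecord("a8", "cloud", False, "", "fp", None, 90.0),
    AlertRecord("a9", "ot", False, "", "tp", None, 120.0),
    AlertRecord("a10", "it", True, "auto_closed_fp", "fp", True, 5.0),
]
BASELINE_TTR_MINUTES = 20.0   # assumed pre-project median for the same alert mix

if __name__ == "__main__":
    card = scorecard(SAMPLE, BASELINE_TTR_MINUTES)
    for key, value in card.items():
        print(f"{key}: {value}")
    print("targets met:", targets_met(card))
```

Two design choices matter here. The false-positive auto-close rate is computed against analyst-confirmed false positives, not against whatever the AI chose to close, so the metric cannot be gamed by closing more; and the auto-closed true positive list is reported by alert ID rather than as a percentage, because a single missed incident is worth a case review regardless of the overall rate.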
2. Set Expectations Early that AI Isn’t Magic
One of the most important lessons we learned was that if you don’t frame AI correctly from the start, people fill the gaps with unrealistic expectations. We told our teams that AI wouldn’t be perfect, especially early on, and that its real strength would be improving week by week as it learned from our environment.