When presenting the SIEM and SOC services to partners or potential customers, I often get the question: "Why can't you automate everything? Why do we need a SOC?"
It's a great question. In the SOC, we are constantly tuning our tools and rules to capture unique situations or threats in the environment. For instance, if the SOC engineers always respond to a certain set of circumstances in the same way, we will seek a way to automate that process to increase the speed of response and also to prevent SOC burnout and customer alert fatigue.
However, there are just some things that humans are still better at doing than machines. So we must also seek to provide the SOC team with visual representations of data where patterns and context can be easily seen.
To illustrate, take this cartoon from the XKCD book "What If . . . ?":
What happened here? Did the cat knock over the vase? The adult? Contextually, as humans, we can figure this picture out fairly quickly. But as Randall Munroe states in the book, "All the computers in the world couldn't figure out the correct answer faster than any parent."
Could you program a computer to figure this out? Sure, we could perhaps use some ML/AI to do it, but we would have to know in advance that this situation is coming and how all the events preceding it might unfold. We'd have to create models and test them. We'd need humans to tell us what is correct or incorrect. Our results would be fuzzy, perhaps returning a verdict such as "80% likely that the kid knocked over the vase with the lasso, and the cat is investigating." In the world of security, this is not always very helpful. For one, we need clear, actionable data to present to our customers; but also, we honestly don't know what new form of attack could be coming. What new technique will be invented tomorrow? We are involved in an asymmetric war here, and the bad actors have the upper hand.
Humans also have the advantage of context. Many contexts, in fact. A SOC engineer might be familiar with the partner's environment and that particular client's environment. They would know which alerts are normal and which are out of the norm for that environment. They have a bird's-eye view of all the partners and organizations and of what is normal across that broad international scope. They can remember things that might not at first be obvious or that lie outside the 'search space' of the machine. They can perhaps relate what's happening in real time to the news of the day, long before a new rule or "Indicator of Compromise" is published by the community.
So there will always be value from the people in the SOC, especially if we can present them with visual data (such as historical risk charts, attack chain diagrams, timeline views, network traffic views, cross-partner events, etc.) that can alert them to a situation that is out of the norm.
There are things that machines can do much better than humans, but humans are still needed to determine what is worthwhile. Combined with their natural ability to put things in context, that judgment means there are some things that humans just do better.