Staying ahead in the cybersecurity race needs a mix of experience, smart tools, and quick thinking. I recently spoke with Omar Moussa, a cybersecurity specialist whose insights into automation and AI have been invaluable to me since we founded Qevlar AI. With over eight years of SOC experience, he's a rare gem—someone who not only understands the technical intricacies but also the operational challenges that analysts face in the field, having done the job himself for years at Malcrove.
Interview transcript
Hamza: Can you give me a brief overview of your background and what drew you to cybersecurity?
Omar:
- I stumbled upon cybersecurity just like many individuals I've met over the years. Typically, you start off in IT and then find yourself in cybersecurity. People come from different backgrounds like system admin or network admin. In my case, I was a system admin, and then I moved into cybersecurity because I was referred by one of the founders to work at the company.
- I was fortunate because I joined at the initiation of the SOC (Security Operations Center). I had the opportunity to work in different verticals within the company and with various technologies like different EDRs, SIEM solutions, and network perimeter solutions. In normal SOCs, you typically work with one vertical, but I was lucky to work with all these technologies because I was new when the SOC was just starting.
- The passion for cybersecurity came from my analytical nature. I found that it fits well with my career aspirations. I enjoy thinking about why things happen, how they happen, and performing root cause analysis. These activities are mentally stimulating for me. Every day there's something new, which keeps the work engaging and challenging.
"Automation has been present since the beginning."
Hamza: You've been in the cybersecurity industry for over eight years, so you have seen cybersecurity evolve a lot. Can you give us some insight about the changes and advancements in cybersecurity, especially in the automation side?
Omar:
- Automation has been present since the beginning. For example, quarantining an asset, quarantining a file, or killing a process are all forms of automation. However, in the past five years, we've seen different solutions embedding SOAR (Security Orchestration, Automation and Response) technology within them. For instance, CrowdStrike has a SOAR component, and LogRhythm has a SOAR component where you can create playbooks.
- From a cybersecurity perspective, you can notice that the red team is having a harder time when it comes to attack techniques. For example, you no longer hear about Fortune 100 companies being penetrated through SQL injection. Major companies or government entities no longer face these types of attacks. Attacks are becoming more evasive.
- As a blue team, we're getting much better when it comes to intelligence. Information is being shared extensively. Any technique or attack orchestrated by attackers is studied by blue team analysts, who then create rule sets and upload them to global repositories. This leads to hardened security solutions.
- The attacks we've seen over the past seven years are becoming more evasive. We're seeing things like fileless malware, DNS tunneling attacks, living off the land attacks, and of course, zero-day attacks.
Hamza: At your company, you decided to adopt SOAR. Can you explain how this decision was made and why? What were the challenges you faced regarding introducing SOAR within your company in the early days?
Omar:
- The primary reason behind SOAR introduction was alert fatigue. As an analyst, you're exposed to different security solutions: SIEM, EDR, network perimeter solutions, phishing investigations, and various emails. You have thousands of alerts coming to your dashboard, and you don't have time to process them all. Multiply this across different clients, and you can see the magnitude of alerts per day.
- SOAR helps orchestrate and automate these alerts. For example, if we're dealing with thousands of daily scans within a client environment, we don't need to manually download the pcap file, look at the TCP stream, or determine if it was a successful three-way handshake. We just need to know the server's reply. Automation does this for you after configuration.
- In the early days, we faced several challenges. There are limitations to SOAR products in terms of prevention and integrations, which can affect workflow and optimisation. There's also a limitation in terms of analysts - you still need analysts to make decisions on critical alerts.
"The AI should be able to ingest all this data and create a coherent story behind the alerts."
Hamza: How do you think AI will change the landscape of cybersecurity automation?
Omar:
- I believe AI should complement analysts in the field. I would want AI to do things that I'm having a hard time with or spending a lot of time on. For instance, I would want more context surrounding alerts by using AI.
- AI can be smart enough to identify patterns and anomalies that might be difficult to capture in traditional rule-based systems. For example, AI could identify if a new user account is created in Active Directory during off-hours, which might be suspicious.
- AI can also help in providing more context or telling the story behind an alert. It needs integrations with various data sources like Active Directory, DNS, or different log sources. The AI should be able to ingest all this data and create a coherent story behind the alerts.
- Another area where AI could be valuable is in reducing false positives. For instance, in environments where multiple languages are used, AI could help distinguish between legitimate use of non-ASCII characters and potential obfuscation attempts by attackers.
Hamza: Any last words you want to say?
Omar: I would love to see the potential of AI in cybersecurity come to life. With all its capabilities and potential outcomes, it can definitely be used extensively by analysts. It's revolutionary, and we're waiting for it to be fully realised in our field.
Conclusion
As we wrapped up, it was clear we both shared the same outlook: AI holds immense potential, but it won’t replace human expertise. Skilled analysts will always be needed to interpret the insights that AI delivers and to make the final calls on critical security decisions. AI can enhance our defences, but cybersecurity will remain a collaborative effort between humans and machines.