Security Operations (SOC) with Cloud & AI

Welcome to this week's edition of the Cloud Security Newsletter!

In this week's edition, we dive deep into how Security Operations Centers (SOCs) are evolving in the age of cloud and AI. With insights from industry veterans and practitioners, we'll explore the changing landscape of detection and response, the real-world applications of AI in security operations, and practical guidance for organizations building or transforming their security operations capabilities.

Featured Experts this week 🎤

  • Allie Mellen - Principal Analyst at Forrester Research, covering Security Operations, Detection Engineering, and AI in Security
  • Ely Kahn - VP of Cloud Security and AI at SentinelOne, former AWS Security Hub Product Owner
  • Warwick Webb - VP of Managed Detection and Response Services at SentinelOne
  • Adriana Corona - Product Director for AI and ML at SentinelOne


📚 Definitions and Core Concepts

Before we dive deeper, let's clarify some key terms that will appear throughout this newsletter:

MDR (Managed Detection and Response): A focused security service specifically designed for detecting and responding to breaches. Unlike traditional MSSPs, MDR services typically:

  • Use their own technology stack
  • Provide 24x7 detection and response capabilities
  • Take direct response actions rather than just alerting

EDR (Endpoint Detection and Response): Security technology focused on monitoring and responding to threats at the endpoint level (laptops, servers, etc.).

XDR (Extended Detection and Response): The next evolution of EDR, which:

  • Incorporates endpoint data with other security telemetry (network, cloud, identity)
  • Provides correlated incident views across multiple security domains
  • Enables more comprehensive threat detection and response

SOC (Security Operations Center): A team responsible for:

  • Monitoring and analyzing an organization's security posture
  • Detecting and responding to cybersecurity incidents
  • Implementing and maintaining security controls


Our Insights from these Practitioners 🎯

From listening to the Cloud Security Podcast episodes with Allie, Ely, Warwick & Adriana, here are the lessons I noted as a practitioner:

  • How to modernize your SOC structure beyond traditional tiering
  • Where AI can effectively augment your security operations today
  • Practical steps to implement cloud-native detection & response
  • How to measure and improve your security operations effectively

Let’s dive into these a bit more to learn about transforming your security operations, whether you're leading a SOC team, building a detection engineering practice, or evaluating AI and cloud security tools.


1. Transforming Traditional SOC Structures for the Cloud Era

The goal here is to help practitioners move beyond outdated SOC models and build more effective, engaging security teams that can handle modern threats.

"We need to tear down the L1, L2, L3 structure in every organization... The way that we talk about this is through detection engineering and through making sure that analysts are able to explore detection engineering more and take it on as part of their role." - Allie Mellen, Principal Analyst at Forrester

Implementation Framework Example:

a) Restructure Your Existing SOC Team to be ready for Cloud & AI

  • Eliminate strict tier-based segregation of duties
  • Implement case ownership model where analysts handle incidents end-to-end
  • Create mentorship pairs between experienced and junior analysts
  • Allocate 20-30% of analyst time for detection engineering activities

b) Business benefits from restructuring your existing SOC team:

  • Increased analyst retention and job satisfaction
  • Faster incident response times
  • Better coverage of complex threats
  • More efficient use of team resources


2. Leveraging AI Effectively in Security Operations

The goal here is to help practitioners understand where AI can provide immediate value in security operations while avoiding common pitfalls and oversold promises.

"A lot of the alerts that customers see are similar to each other... why is every customer triaging and investigating each of these alerts themselves? What some of the things that we think we can do this year is actually show you, Hey, this alert is actually quite similar to these 100 other alerts that have already been triaged." - Ely Kahn, VP of Cloud Security and AI at SentinelOne

Strategic Implementation Example:

a) Alert Triage Optimization

  • Implement AI-assisted alert correlation
  • Use similarity analysis to identify patterns in alerts across your environment
  • Create automated response playbooks for common scenarios
  • Maintain human oversight for critical decisions
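
The similarity-based triage assist described above, as an added example that is not code from the original newsletter or from SentinelOne: it scores a new alert against a constructed history of already-triaged alerts using Jaccard similarity over normalized "field=value" tokens, then summarises the prior verdicts of the close matches. The alert fields, the threshold and the sample data are assumptions.

```python
from collections import Counter

# Constructed sample of previously triaged alerts (not real data). Each alert is a
# dict of normalized attributes plus the verdict an analyst recorded for it.
TRIAGED_ALERTS = [
    {"id": "A-1", "rule": "aws.iam.policy_change", "actor": "ci-deploy-role",
     "region": "us-east-1", "user_agent": "terraform", "verdict": "benign"},
    {"id": "A-2", "rule": "aws.iam.policy_change", "actor": "ci-deploy-role",
     "region": "us-east-1", "user_agent": "terraform", "verdict": "benign"},
    {"id": "A-3", "rule": "aws.iam.policy_change", "actor": "jdoe",
     "region": "eu-west-1", "user_agent": "console", "verdict": "malicious"},
    {"id": "A-4", "rule": "aws.s3.bucket_public", "actor": "jdoe",
     "region": "us-east-1", "user_agent": "console", "verdict": "benign"},
]

# Assumed attribute set used for comparison; the alert id and verdict are excluded.
FEATURES = ("rule", "actor", "region", "user_agent")


def alert_tokens(alert):
    """Turn an alert's attributes into a set of 'field=value' tokens."""
    return {f"{k}={alert[k]}" for k in FEATURES if k in alert}


def jaccard(a, b):
    """Jaccard similarity of two token sets, in the range 0.0 .. 1.0."""
    return len(a & b) / len(a | b) if a | b else 0.0


def similar_triaged(new_alert, history, threshold=0.75):
    """Return (score, alert) pairs from history that meet the threshold, best first."""
    tokens = alert_tokens(new_alert)
    scored = [(jaccard(tokens, alert_tokens(h)), h) for h in history]
    return sorted([(s, h) for s, h in scored if s >= threshold], key=lambda x: -x[0])


def suggest_verdict(new_alert, history, threshold=0.75):
    """Summarise prior verdicts of similar alerts as (verdict, match_count, agreement).

    The result is advisory only: the analyst keeps the final decision."""
    matches = similar_triaged(new_alert, history, threshold)
    if not matches:
        return (None, 0, 0.0)
    verdicts = Counter(h["verdict"] for _, h in matches)
    verdict, n = verdicts.most_common(1)[0]
    return (verdict, len(matches), n / len(matches))
```

A low match count or a split between verdicts should route the alert to an analyst rather than closing it automatically.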

b) Business benefits from Alert Triage Optimization:

  • Reduced alert fatigue
  • More consistent alert triage
  • Faster initial response times
  • Better use of analyst expertise


3. Building Cloud-Native Detection & Response Capabilities

The goal here is to equip practitioners with the knowledge to build effective detection and response capabilities specifically for cloud environments.

"When you start talking about entirely new modes of compute, like serverless compute all of the, everything is a service that you see in the cloud. That really does change everything as far as what does a threat look like." - Warwick Webb, VP of MDR Services at SentinelOne

Practical Implementation Steps:

a) Implement monitoring across all cloud environments

  • Implement comprehensive logging across all cloud service providers in use
  • Create service-specific detection rules for cloud-native services
  • Continuously or periodically monitor cloud configuration changes
  • Establish baseline behavior for cloud services so that drift can be detected and responded to
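
A baseline-and-drift check for the configuration monitoring steps above, as an added example that is not code from the original newsletter or from SentinelOne: it learns which (action, region) pairs each principal performed during a learning window of constructed, simplified CloudTrail-style events, then flags security-relevant configuration changes in live events that fall outside that baseline. The event shape, the watched event names and the sample events are assumptions.

```python
from collections import defaultdict

# Constructed, simplified CloudTrail-style events (not real data). The first batch is
# a learning window assumed to reflect normal activity; the second batch is live traffic.
BASELINE_EVENTS = [
    {"principal": "ci-deploy-role", "eventName": "PutBucketPolicy", "region": "us-east-1"},
    {"principal": "ci-deploy-role", "eventName": "UpdateFunctionCode", "region": "us-east-1"},
    {"principal": "ci-deploy-role", "eventName": "UpdateFunctionCode", "region": "us-east-1"},
    {"principal": "ops-admin", "eventName": "ModifySecurityGroupRules", "region": "us-east-1"},
]
LIVE_EVENTS = [
    {"principal": "ci-deploy-role", "eventName": "UpdateFunctionCode", "region": "us-east-1"},
    {"principal": "ci-deploy-role", "eventName": "PutBucketPolicy", "region": "ap-southeast-2"},
    {"principal": "intern-user", "eventName": "ModifySecurityGroupRules", "region": "us-east-1"},
    {"principal": "ops-admin", "eventName": "StopLogging", "region": "us-east-1"},
]

# Assumed set of API actions that change security-relevant configuration.
CONFIG_CHANGE_EVENTS = {
    "PutBucketPolicy", "ModifySecurityGroupRules", "StopLogging", "UpdateFunctionCode",
}


def build_baseline(events):
    """Map each principal to the set of (eventName, region) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["principal"]].add((e["eventName"], e["region"]))
    return baseline


def find_drift(live, baseline):
    """Return config-change events that a principal has not performed before in that region.

    Each finding carries a 'reason' so an analyst can see why it was raised."""
    findings = []
    for e in live:
        if e["eventName"] not in CONFIG_CHANGE_EVENTS:
            continue  # routine read or non-configuration activity is not baselined here
        seen = baseline.get(e["principal"], set())
        if (e["eventName"], e["region"]) not in seen:
            reason = "new principal" if e["principal"] not in baseline \
                else "new action or region for principal"
            findings.append({**e, "reason": reason})
    return findings
```

A baseline learned from a window that already contained misconfiguration will treat it as normal, so review the learning window before trusting the drift output.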

b) Business benefits from implementing monitoring:

  • Better visibility into cloud threats across your entire cloud footprint
  • More effective detection of cloud-specific attacks
  • Reduced response times for cloud incidents
  • Improved collaboration with cloud teams


4. Measuring Success and Continuous Improvement

The goal here is to give practitioners a framework to measure the effectiveness of their security operations and drive continuous improvement.

"Don't assume that security teams spend most of their time doing security. There's a lot of time with administrative overhead of communicating... reporting on the result of your investigation for others." - Adriana Corona, Product Director for AI and ML at SentinelOne

a) Examples of Key Performance Indicators for SOC teams to drive continuous improvement:

  • Track mean time to detect (MTTD) and respond (MTTR) across all your environments
  • Monitor and measure changes in false positive rates to improve tooling or process
  • Measure analyst efficiency and satisfaction in roles to enable longer team tenure and growth
  • Track coverage across all cloud service providers to identify and fill any gaps

b) Business benefits from defining Key Performance Indicators for SOC Teams:

  • Clear metrics for success
  • Data-driven improvement decisions
  • Better resource allocation
  • Improved stakeholder communication


Putting It All Together

The implementation of one or more examples above should result in:

  1. A more engaged and effective security operations team
  2. Faster and more accurate threat detection and response across all your cloud environments
  3. Better coverage of cloud-specific threats for each cloud service provider in your environment
  4. Measurable improvement in security operations detection and remediation rates

Additional benefits for SOC teams and leaders include:

  • Reduced analyst turnover
  • Faster incident resolution times
  • Fewer missed detections
  • Improved stakeholder satisfaction
  • Better team collaboration
  • More efficient use of AI and automation

NOTE: These changes don't need to happen all at once. Start with the areas that will provide the most immediate value to your organization and build from there. The key is to maintain a clear vision of where you want to go while taking practical steps to get there.


🔗 Related Resources

  1. Forrester Research: The Future of Security Operations
  2. SANS Institute: Cloud Security Operations
  3. Cloud Security Alliance: Security Operations Center Guideline


🔗 Related Podcast Episodes

  • Building a SOC Team in 2024 - Automation & AI
  • What is the future of security operations with AI in 2024?
  • How MDR and AI are Shaping Cybersecurity in 2024?

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community💙

Peace!

Shilpi Bhattacharjee

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition? Let's make it happen.

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

Check out our sister podcast, the AI Cybersecurity Podcast.

Kevin Boyer

Staff Technical Recruiter at SentinelOne

1mo

💜

Eva Baaza

Building #AWS cloud infrastructure while ensuring #compliance with #ISO27001. Understanding the #cloud security process on a technical level and presenting it in VR to a non-technical audience

1mo

Useful tips
