How Security Operations (SOC) will evolve with Cloud & AI
Security Operations is likely to be one of the first areas of cybersecurity to be disrupted by AI, on top of the growing cloud footprint that most organizations already have.
Hello from the Cloud-verse!
This week’s Cloud Security Newsletter Topic is Security Operations (SOC) with Cloud & AI (continue reading)
In case this is your first Cloud Security Newsletter: you are in good company!
You are reading this issue alongside friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more, who subscribe to this newsletter and, like you, want to learn what's new in Cloud Security each week from their industry peers, as do the many others who listen to Cloud Security Podcast & AI CyberSecurity Podcast every week.
Cloud Security Topic of the Week
Security Operations (SOC) with Cloud & AI
Welcome to this week's edition of the Cloud Security Newsletter!
In this week's edition, we dive deep into how Security Operations Centers (SOCs) are evolving in the age of cloud and AI. With insights from industry veterans and practitioners, we'll explore the changing landscape of detection and response, the real-world applications of AI in security operations, and practical guidance for organizations building or transforming their security operations capabilities.
Featured Experts this week 🎤
Allie Mellen - Principal Analyst at Forrester Research, covering Security Operations, Detection Engineering, and AI in Security
Ely Kahn - VP of Cloud Security and AI at SentinelOne, former AWS Security Hub founder
Warwick Webb - VP of Managed Detection and Response Services at SentinelOne
Adriana Corona - Product Director for AI and ML at SentinelOne
📚 Definitions and Core Concepts
Before we dive deeper, let's clarify some key terms that will appear throughout this newsletter:
MDR (Managed Detection and Response)
A focused security service specifically designed for detecting and responding to breaches. Unlike traditional MSSPs, MDR services typically:
Use their own technology stack
Provide 24x7 detection and response capabilities
Take direct response actions rather than just alerting
EDR (Endpoint Detection and Response)
Security technology focused on monitoring and responding to threats at the endpoint level (laptops, servers, etc.)
XDR (Extended Detection and Response)
The next evolution of EDR, which:
Incorporates endpoint data with other security telemetry (network, cloud, identity)
Provides correlated incident views across multiple security domains
Enables more comprehensive threat detection and response
SOC (Security Operations Center)
A team responsible for:
Monitoring and analyzing an organization's security posture
Detecting and responding to cybersecurity incidents
Implementing and maintaining security controls
Our Insights from these Practitioners 🎯
From listening to the Cloud Security Podcast episodes with Allie, Ely, Warwick & Adriana, here are the lessons I noted as a practitioner:
How to modernize your SOC structure beyond traditional tiering
Where AI can effectively augment your security operations today
Practical steps to implement cloud-native detection & response
How to measure and improve your security operations effectively
Let’s dive into these a bit more to learn about transforming your security operations, whether you're leading a SOC team, building a detection engineering practice, or evaluating AI and cloud security tools.
1. Transforming Traditional SOC Structures for the Cloud Era
Enable practitioners to move beyond outdated SOC models and build more effective, engaging security teams that can handle modern threats.
"We need to tear down the L1, L2, L3 structure in every organization... The way that we talk about this is through detection engineering and through making sure that analysts are able to explore detection engineering more and take it on as part of their role."
Implementation Framework Example:
a) Restructure Your Existing SOC Team to be ready for Cloud & AI
Eliminate strict tier-based segregation of duties
Implement case ownership model where analysts handle incidents end-to-end
Create mentorship pairs between experienced and junior analysts
Allocate 20-30% of analyst time for detection engineering activities
b) Business benefits from restructuring your existing SOC team:
Increased analyst retention and job satisfaction
Faster incident response times
Better coverage of complex threats
More efficient use of team resources
2. Leveraging AI Effectively in Security Operations
Help practitioners understand where AI can provide immediate value in security operations while avoiding common pitfalls and oversold promises.
"A lot of the alerts that customers see are similar to each other... why is every customer triaging and investigating each of these alerts themselves? What some of the things that we think we can do this year is actually show you, Hey, this alert is actually quite similar to these 100 other alerts that have already been triaged."
Strategic Implementation Example:
a) Alert Triage Optimization
Implement AI-assisted alert correlation
Use similarity analysis to identify patterns in alerts across your environment
Create automated response playbooks for common scenarios
Maintain human oversight for critical decisions
b) Business benefits from Alert Triage Optimization:
Reduced alert fatigue
More consistent alert triage
Faster initial response times
Better use of analyst expertise
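The similarity idea in the quote above (an alert that looks like a hundred already-triaged alerts should inherit their verdict, while a human keeps the final say) is small enough to show end to end. The following is an added example, not code from the newsletter or from any vendor named in it: alerts are assumed to be flat dicts with the fields shown, the triaged history is constructed data, and the thresholds are assumptions a real SOC would tune. The human-oversight guardrails are the interesting part: critical alerts, alerts with too few similar neighbours, and neighbours whose prior verdicts disagree are all escalated rather than auto-suggested.

```python
"""Similarity-based alert triage suggestions (added example, not from the page).

Assumptions: alerts are flat dicts with the fields used below, and the
'verdict' on a historical alert is a decision a human analyst already made.
All alert data here is constructed for the example.
"""
from collections import Counter

# Constructed history of already-triaged alerts (hypothetical data).
TRIAGED = [
    {"id": "a1", "rule": "suspicious_powershell", "user": "jdoe",
     "process": "powershell.exe", "parent": "outlook.exe",
     "cmdline": "-enc -nop -w hidden", "severity": "high",
     "verdict": "true_positive"},
    {"id": "a2", "rule": "suspicious_powershell", "user": "asmith",
     "process": "powershell.exe", "parent": "outlook.exe",
     "cmdline": "-enc -nop -w hidden", "severity": "high",
     "verdict": "true_positive"},
    {"id": "a3", "rule": "suspicious_powershell", "user": "svc_backup",
     "process": "powershell.exe", "parent": "taskeng.exe",
     "cmdline": "-file backup.ps1 -ExecutionPolicy Bypass",
     "severity": "medium", "verdict": "false_positive"},
    {"id": "a4", "rule": "suspicious_powershell", "user": "svc_backup",
     "process": "powershell.exe", "parent": "taskeng.exe",
     "cmdline": "-file backup.ps1 -ExecutionPolicy Bypass",
     "severity": "medium", "verdict": "false_positive"},
]


def features(alert):
    """Reduce an alert to a set of field=value tokens.

    The command line is tokenised so that alerts sharing the same
    arguments overlap even when they come from different users or hosts.
    """
    feats = {
        f"rule={alert['rule']}",
        f"process={alert['process']}",
        f"parent={alert['parent']}",
        f"user={alert['user']}",
    }
    feats |= {f"arg={tok.lower()}" for tok in alert["cmdline"].split()}
    return feats


def jaccard(a, b):
    """Jaccard similarity of two feature sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def suggest(alert, history=TRIAGED, threshold=0.6, min_neighbours=2):
    """Return (suggestion, confidence, neighbour_ids).

    The suggestion is a verdict copied from similar, already-triaged alerts,
    or "escalate" when a human must look. Human oversight is preserved by
    escalating when:
      * the alert is critical (never auto-suggest closing those),
      * fewer than min_neighbours sufficiently similar alerts exist,
      * the similar alerts disagree on their verdict.
    """
    f = features(alert)
    scored = [(jaccard(f, features(h)), h) for h in history]
    neighbours = [(s, h) for s, h in scored if s >= threshold]
    ids = [h["id"] for _, h in neighbours]
    if alert.get("severity") == "critical" or len(neighbours) < min_neighbours:
        return ("escalate", 0.0, ids)
    verdicts = Counter(h["verdict"] for _, h in neighbours)
    verdict, count = verdicts.most_common(1)[0]
    if count != len(neighbours):  # conflicting prior decisions
        return ("escalate", round(count / len(neighbours), 2), ids)
    confidence = round(sum(s for s, _ in neighbours) / len(neighbours), 2)
    return (verdict, confidence, ids)


if __name__ == "__main__":
    new_alert = {"rule": "suspicious_powershell", "user": "svc_backup",
                 "process": "powershell.exe", "parent": "taskeng.exe",
                 "cmdline": "-file backup.ps1 -ExecutionPolicy Bypass",
                 "severity": "medium"}
    print(suggest(new_alert))  # ('false_positive', 1.0, ['a3', 'a4'])
```

Jaccard over field=value tokens is deliberately simple; a production system would weight fields (parent process counts for more than user) or use a learned embedding, but the guardrails around the suggestion would stay the same. Note that the suggestion is exactly that: the playbook that acts on it should still require an analyst to confirm before an alert is closed.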
3. Building Cloud-Native Detection & Response Capabilities
Equip practitioners with the knowledge to build effective detection and response capabilities specifically for cloud environments.
"When you start talking about entirely new modes of compute, like serverless compute all of the, everything is a service that you see in the cloud. That really does change everything as far as what does a threat look like."
Practical Implementation Steps:
a) Implement monitoring across all cloud environment(s)
Implement comprehensive logging across all cloud service providers in use
Create service-specific detection rules for cloud-native services
Continuously or periodically monitor cloud configuration changes
Establish a behavioural baseline for cloud services so that drift can be detected and responded to
b) Business benefits from implementing monitoring:
Better visibility into cloud threats across your entire cloud footprint
More effective detection of cloud-specific attacks
Reduced response times for cloud incidents
Improved collaboration with cloud teams
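The steps above combine two different kinds of detection: service-specific rules that fire on a known-bad API call, and a behavioural baseline that flags a principal doing something it has never done before. The following is an added example, not code from the newsletter or from any vendor named in it. It uses the CloudTrail record field names (eventSource, eventName, awsRegion, userIdentity.arn, requestParameters) because that is the log a SOC would actually receive from AWS, but every event is constructed for the example, and the nested requestParameters shape for AuthorizeSecurityGroupIngress is reproduced from memory and should be checked against your own logs before reuse.

```python
"""Service-specific rules plus baseline drift over CloudTrail-style events
(added example, not from the page).

Event shape follows CloudTrail's record fields (eventSource, eventName,
awsRegion, userIdentity.arn, requestParameters). Every event below is
constructed for the example, not a real log line.
"""

CI = "arn:aws:iam::111122223333:user/ci-deploy"      # hypothetical principals
OPS = "arn:aws:iam::111122223333:role/OpsAdmin"


def ev(arn, source, name, region, params=None):
    """Build a minimal CloudTrail-style record (constructed data)."""
    return {"userIdentity": {"arn": arn}, "eventSource": source,
            "eventName": name, "awsRegion": region,
            "requestParameters": params or {}}


def ingress_params(cidr, port):
    """requestParameters for AuthorizeSecurityGroupIngress (shape assumed)."""
    return {"ipPermissions": {"items": [
        {"fromPort": port, "toPort": port, "ipProtocol": "tcp",
         "ipRanges": {"items": [{"cidrIp": cidr}]}}]}}


# A "known good" week of activity, used to build the behavioural baseline.
BASELINE_EVENTS = [
    ev(CI, "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "us-east-1"),
    ev(CI, "ec2.amazonaws.com", "DescribeInstances", "us-east-1"),
    ev(OPS, "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "us-east-1",
       ingress_params("10.0.0.0/8", 443)),
]

# New activity to evaluate against the rules and the baseline.
NEW_EVENTS = [
    ev(CI, "lambda.amazonaws.com", "UpdateFunctionCode20150331v2", "us-east-1"),
    ev(CI, "iam.amazonaws.com", "CreateAccessKey", "us-east-1"),
    ev(CI, "ec2.amazonaws.com", "DescribeInstances", "ap-southeast-1"),
    ev(OPS, "ec2.amazonaws.com", "AuthorizeSecurityGroupIngress", "us-east-1",
       ingress_params("0.0.0.0/0", 22)),
    ev(OPS, "cloudtrail.amazonaws.com", "StopLogging", "us-east-1"),
]


def behaviour_key(evt):
    """Who did what, where: the tuple the baseline is built on."""
    return (evt["userIdentity"]["arn"], evt["eventSource"],
            evt["eventName"], evt["awsRegion"])


def build_baseline(events):
    """Set of (principal, service, API, region) combinations seen in history."""
    return {behaviour_key(e) for e in events}


# --- service-specific rules: each returns (severity, detail) or None ------

def rule_cloudtrail_tamper(evt):
    """Logging being switched off or altered is the loudest pre-attack signal."""
    if (evt["eventSource"] == "cloudtrail.amazonaws.com"
            and evt["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"}):
        return ("high", f"trail modified via {evt['eventName']}")
    return None


def rule_open_ingress(evt):
    """A security-group rule that admits the whole internet."""
    if evt["eventName"] != "AuthorizeSecurityGroupIngress":
        return None
    perms = evt["requestParameters"].get("ipPermissions", {}).get("items", [])
    for perm in perms:
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return ("high", f"0.0.0.0/0 allowed on port "
                                f"{perm.get('fromPort')}-{perm.get('toPort')}")
    return None


RULES = [rule_cloudtrail_tamper, rule_open_ingress]


def detect(events, baseline):
    """Run every rule over every event, then flag drift from the baseline.

    Drift is medium severity on its own: a new principal/API/region
    combination is often legitimate, but paired with a rule hit it is
    exactly the context an analyst wants in the same incident.
    """
    findings = []
    for evt in events:
        key = behaviour_key(evt)
        for rule in RULES:
            hit = rule(evt)
            if hit:
                findings.append({"rule": rule.__name__, "severity": hit[0],
                                 "detail": hit[1], "key": key})
        if key not in baseline:
            findings.append({"rule": "baseline_drift", "severity": "medium",
                             "detail": "principal/API/region not seen in baseline",
                             "key": key})
    return findings


if __name__ == "__main__":
    for f in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f["severity"], f["rule"], f["key"][2], "-", f["detail"])
```

Run against the constructed events this yields five findings: the CI user creating an access key and calling EC2 from a new region (drift only), the open SSH ingress (rule hit, no drift because OpsAdmin editing security groups in us-east-1 is baseline behaviour), and StopLogging (rule hit plus drift). The baseline should be rebuilt on a schedule from a window you trust, and anything that trips a high-severity rule must never be folded back into it automatically.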
4. Measuring Success and Continuous Improvement
Provide practitioners with a framework to measure the effectiveness of their security operations and drive continuous improvement.
"Don't assume that security teams spend most of their time doing security. There's a lot of time with administrative overhead of communicating... reporting on the result of your investigation for others."
a) Examples of Key Performance Indicators for SOC Teams to drive continuous improvement
Track mean time to detect (MTTD) and respond (MTTR) across all your environments
Monitor and measure changes in false positive rates to improve tooling or process
Measure analyst efficiency and job satisfaction, so that longer tenure and growth within the team can be supported
Track coverage across all cloud service providers to identify and fill any gaps
b) Business benefits from defining Key Performance Indicators for SOC Teams:
Clear metrics for success
Data-driven improvement decisions
Better resource allocation
Improved stakeholder communication
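The KPIs listed above are only useful if they are computed consistently from incident records, so here is an added example (not from the newsletter) that does that over constructed data. The record fields (provider, rule, first_activity, detected, resolved, verdict) are assumptions; a real ticketing system will name them differently. Two caveats a practitioner would want are built in: MTTD and MTTR are computed on true positives only, because a false positive has no real "first attacker activity" to measure from, and both mean and median are reported, because one long-running incident drags the mean far from what the team typically achieves.

```python
"""SOC KPIs from incident records (added example, constructed data).

Field names are assumptions for this example: first_activity is the
earliest attacker activity established during investigation, detected is
when the alert fired, resolved is when the case was closed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

INCIDENTS = [  # constructed records; timestamps are ISO-8601, UTC
    {"id": "inc-1", "provider": "aws", "rule": "cloudtrail_stop_logging",
     "first_activity": "2024-03-01T10:00:00+00:00",
     "detected": "2024-03-01T10:05:00+00:00",
     "resolved": "2024-03-01T12:05:00+00:00", "verdict": "true_positive"},
    {"id": "inc-2", "provider": "aws", "rule": "open_ingress",
     "first_activity": "2024-03-02T08:00:00+00:00",
     "detected": "2024-03-02T08:15:00+00:00",
     "resolved": "2024-03-02T09:15:00+00:00", "verdict": "true_positive"},
    {"id": "inc-3", "provider": "aws", "rule": "new_region_api",
     "first_activity": None, "detected": "2024-03-03T11:00:00+00:00",
     "resolved": "2024-03-03T11:20:00+00:00", "verdict": "false_positive"},
    {"id": "inc-4", "provider": "aws", "rule": "open_ingress",
     "first_activity": "2024-03-04T00:00:00+00:00",     # found 10 h late
     "detected": "2024-03-04T10:00:00+00:00",
     "resolved": "2024-03-04T10:30:00+00:00", "verdict": "true_positive"},
    {"id": "inc-5", "provider": "azure", "rule": "new_region_api",
     "first_activity": "2024-03-05T14:00:00+00:00",
     "detected": "2024-03-05T14:30:00+00:00",
     "resolved": "2024-03-05T16:00:00+00:00", "verdict": "true_positive"},
    {"id": "inc-6", "provider": "azure", "rule": "open_ingress",
     "first_activity": None, "detected": "2024-03-06T09:00:00+00:00",
     "resolved": "2024-03-06T09:10:00+00:00", "verdict": "false_positive"},
]

# Providers the organisation actually runs on (constructed inventory).
INVENTORY = {"aws", "azure", "gcp"}


def minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def time_kpis(incidents):
    """Per-provider MTTD/MTTR in minutes, true positives only.

    Both mean and median are returned: a single slow detection (inc-4)
    moves the mean by hours while the median stays representative.
    """
    by_provider = defaultdict(lambda: {"ttd": [], "ttr": []})
    for inc in incidents:
        if inc["verdict"] != "true_positive":
            continue  # no attacker timeline to measure against
        bucket = by_provider[inc["provider"]]
        bucket["ttd"].append(minutes(inc["first_activity"], inc["detected"]))
        bucket["ttr"].append(minutes(inc["detected"], inc["resolved"]))
    return {p: {"mttd_mean": round(mean(v["ttd"]), 1),
                "mttd_median": median(v["ttd"]),
                "mttr_mean": round(mean(v["ttr"]), 1),
                "mttr_median": median(v["ttr"])}
            for p, v in by_provider.items()}


def false_positive_rate(incidents):
    """Fraction of fired alerts per rule that analysts closed as false positive."""
    counts = defaultdict(lambda: [0, 0])  # rule -> [false positives, total]
    for inc in incidents:
        counts[inc["rule"]][1] += 1
        if inc["verdict"] == "false_positive":
            counts[inc["rule"]][0] += 1
    return {rule: round(fp / total, 2) for rule, (fp, total) in counts.items()}


def coverage_gaps(incidents, inventory):
    """Providers in the inventory that have produced no incidents at all.

    Silence from a provider you run on is a visibility gap to investigate,
    not evidence that nothing is happening there.
    """
    return sorted(inventory - {inc["provider"] for inc in incidents})


if __name__ == "__main__":
    print(time_kpis(INCIDENTS))
    print(false_positive_rate(INCIDENTS))
    print(coverage_gaps(INCIDENTS, INVENTORY))  # ['gcp']
```

On the constructed data, AWS shows a mean time to detect of about 207 minutes against a median of 15, which is the kind of gap that should prompt a look at the one outlier rather than a headline about slow detection. The open_ingress rule has a 33% false-positive rate across both providers, which is the signal to tune or enrich it; and gcp appearing as a coverage gap means either nothing is deployed there or nothing is logged there, and the SOC should know which.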
Putting It All Together
Implementing one or more of the examples above should result in:
A more engaged and effective security operations team
Faster and more accurate threat detection and response across all your cloud environments
Better coverage of cloud-specific threats for each cloud service provider in your environment
Measurable improvement in security operations detection and remediation rates
Additional benefits for SOC teams and leaders include:
Reduced analyst turnover
Faster incident resolution times
Fewer missed detections
Improved stakeholder satisfaction
Better team collaboration
More efficient use of AI and automation
NOTE: These changes don't need to happen all at once. Start with the areas that will provide the most immediate value to your organization and build from there. The key is to maintain a clear vision of where you want to go while taking practical steps to get there.
We would love to hear from you 📢 with a feature or topic request, or if you would like to sponsor an edition of the Cloud Security Newsletter.
Thank you for continuing to subscribe, and welcome to the new members of this newsletter community 💙
Peace!
Was this forwarded to you? You can sign up here to join our growing readership.
Want to sponsor the next newsletter edition? Let's make it happen.
Have you joined our FREE monthly Cloud Security Bootcamp yet?
Check out our sister podcast, AI Cybersecurity Podcast