
4 steps organizations can take to get started with AI-powered SecOps

By Sashank Purighalla

September 19, 2024

Cybersecurity is under siege. While 74% of security leaders recognize the growing threat of AI-powered cyberattacks, only 40% feel confident in their ability to defend against them.

The latest AI tools are making highly personalized phishing attacks and the ability to change the signatures and hashes associated with malware files easier than before. Not to mention, methods to identify exactly when and where AI is being applied are scarce. This leaves CISOs racing against the clock to stay ahead of the latest cyber threats.

Security leaders migrate to the cloud to benefit from scalable infrastructure, enhanced security posture, potentially built-in disaster recovery capabilities, and adherence to industry-standard certifications, such as ISO 27001 and SOC 2. But security concerns remain. SecOps teams need a complete solution for building, migrating and managing cloud applications and environments. 

This is where AI-powered SecOps solutions can prove valuable. Here are four key steps to get you started.

Identify specific use cases

Does your SecOps team have a high MTTR (mean time to repair), but find that proactively identifying threats tends to be a little trickier? Threat detection AI helps to identify anomalous network behavior, detect advanced threats, and prioritize alerts.

Or perhaps your team has a fast MTTD (mean time to detection), witnessing multiple potential threats, but doesn’t have the bandwidth to act on them in real time? Automating incident triage, investigation and response processes could be a better fit in this case.

In either scenario, it’s essential that tools and processes match up to your current threat landscape and level of expertise. Resource-strained and overworked security professionals are set up to fail if they don’t have the right tools, strategies and support.

Select the right AI tools

According to IBM research, the global average cost of a data breach in 2024 was $4.88 million — a 10% increase over last year and the highest total ever. However, organizations that used security AI and automation extensively in prevention saved roughly half of these costs ($2.22 million) versus those that didn’t.

Once you’ve identified your critical use cases, research and evaluate the AI platforms available. AI-powered SecOps tool providers must work with you initially to identify the cloud architecture that best fits your needs. But don’t forget to ensure they will keep working with you as your needs evolve and help enhance the platform while making it available via your console. As your company grows, needs change, and so do regulations, so you must have access to a team of experts who have been there.

How does their offering fit your existing tech stack and security infrastructure? Can you run new environments and stay on top of your cloud health and security from one screen? Does your prospective provider automatically gather the evidence required for SOC2/ISO/HIPAA compliance? These are the kinds of questions you want to ask when reviewing product demos. 

Prepare your data

Companies are swimming in data pools, from network traffic logs and user activities to system configurations and threat intelligence feeds. This leaves SecOps teams with the heavy task of analyzing all of it to identify patterns, anomalies and security threats. So you can imagine feeling pretty relieved when finding out that AI can analyze up to 10 terabytes of security data per day, compared to a human analyst's capacity of 1 gigabyte.

SecOps teams can deploy AI for threat detection, incident response and vulnerability management tasks. But AI still needs pointing in the right direction. SecOps teams must first have the correct data, data management strategy, and storage solution in place to handle large volumes of data efficiently.

Is your solution scalable? Will you be storing structured data such as security logs or unstructured data like network traffic and video files? What formats are these datasets in? What are the latency requirements for accessing this data?

Well-thought-out data collection processes that gather data in a semi-structured format will help streamline integration. You can use AI here to help you assess the data quality and consistency, but it’s your job to integrate the right sources and validate the findings.

The next steps are to clean the data, remove duplicates, fill in missing values, and convert it into a standard format with proper timestamps. Adding context to data, such as device types and locations, can help enrich your datasets and encourage AI to draw more accurate conclusions. Still, anonymizing sensitive data with strict access controls is critical and will not affect algorithm accuracy.
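The cleaning steps above, sketched as an added example (not code from the article or any vendor): it normalizes timestamps to UTC, fills missing values, enriches from an asset inventory, pseudonymizes usernames with a keyed hash, and removes duplicates. The field names, sample events, inventory and key are constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

PSEUDONYM_KEY = b"constructed-demo-key"  # assumption: real key comes from a secrets store

# Constructed sample input: mixed timestamp formats, a duplicate, a missing user.
RAW_EVENTS = [
    {"ts": 1726740000, "user": "alice", "src_ip": "10.0.0.5", "action": "LOGIN"},
    {"ts": "2024-09-19T12:00:00+02:00", "user": "alice", "src_ip": "10.0.0.5", "action": "login"},
    {"ts": "2024-09-19T10:05:00", "user": None, "src_ip": "10.0.0.9", "action": "file_read"},
]
ASSET_INVENTORY = {"10.0.0.5": {"device_type": "laptop", "location": "HQ"}}  # constructed

def to_utc_iso(ts):
    """Accept epoch seconds or an ISO 8601 string and return UTC ISO 8601."""
    if isinstance(ts, (int, float)):
        dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    else:
        dt = datetime.fromisoformat(ts)
        if dt.tzinfo is None:  # assumption: naive timestamps are already UTC
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds")

def pseudonymize(value):
    """Keyed hash: one user always maps to one token, but the name is not stored."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def prepare(raw_events, inventory):
    seen, cleaned = set(), []
    for ev in raw_events:
        src_ip = ev.get("src_ip") or "unknown"              # fill missing values
        asset = inventory.get(src_ip, {})
        rec = {
            "ts": to_utc_iso(ev["ts"]),                     # one timestamp format
            "user": pseudonymize(ev.get("user") or "unknown"),
            "src_ip": src_ip,
            "action": (ev.get("action") or "unknown").lower(),
            "device_type": asset.get("device_type", "unknown"),  # enrichment
            "location": asset.get("location", "unknown"),
        }
        key = (rec["ts"], rec["user"], rec["src_ip"], rec["action"])
        if key not in seen:                                 # drop duplicates after normalizing
            seen.add(key)
            cleaned.append(rec)
    return sorted(cleaned, key=lambda r: r["ts"])

if __name__ == "__main__":
    for record in prepare(RAW_EVENTS, ASSET_INVENTORY):
        print(record)
```

Deduplication runs after normalization on purpose: the first two sample events only become identical once their timestamps and action casing are standardized.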

Train and deploy the AI model

Once your relevant data is clean and consistent, you can begin to train your AI. 

Divide the data into training, validation, and testing sets to evaluate the model performance. You can do this by random splitting, apportioning 60% for training, 20% for validation, and 20% for testing. Or, for time-dependent data, such as security event logs or sensor data where you're analyzing correlated attacks or compromised systems, time-series splitting will ensure that the order of data points is preserved.
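The two splitting strategies side by side, as an added example that is not from the article: a 60/20/20 random split and a 60/20/20 time-ordered split, plus a check for training data that is newer than the held-out data. The event list and helper names are constructed for illustration.

```python
import random

# Constructed sample: 20 events; "ts" is minutes since the start of the log.
EVENTS = [{"ts": t, "label": int(t % 5 == 0)} for t in range(20)]

def _cut(items, train, val):
    """Slice an already-ordered list into train / validation / test parts."""
    a = round(len(items) * train)
    b = a + round(len(items) * val)
    return items[:a], items[a:b], items[b:]

def random_split(events, train=0.6, val=0.2, seed=0):
    """Shuffle, then cut: fine for independent samples, not for ordered logs."""
    shuffled = list(events)
    random.Random(seed).shuffle(shuffled)
    return _cut(shuffled, train, val)

def time_series_split(events, train=0.6, val=0.2):
    """Sort by time, then cut: the model is always evaluated on later events."""
    return _cut(sorted(events, key=lambda e: e["ts"]), train, val)

def leaks_future(train_set, held_out):
    """True if any training event is newer than the earliest held-out event."""
    if not train_set or not held_out:
        return False
    return max(e["ts"] for e in train_set) > min(e["ts"] for e in held_out)

if __name__ == "__main__":
    tr, va, te = time_series_split(EVENTS)
    print("time-ordered sizes:", len(tr), len(va), len(te))
    print("time-ordered leak into test:", leaks_future(tr, te))
    rtr, rva, rte = random_split(EVENTS)
    print("random split leak into test:", leaks_future(rtr, rte))
```

When `leaks_future` is true, validation and test scores come from a model that has already seen events from after the period it is being tested on, so they overstate how it will perform on tomorrow's logs.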

Use the validation set to evaluate the model and identify any over- or underfitting. If overfitting occurs — where you have high training accuracy but low validation accuracy — you may need to increase the training data size. More diverse data can help the model generalize better. However, you may also want to consider removing uninformative features and engineering new ones that capture relevant relationships in the data.

Once it is ready, you can integrate it with your existing security infrastructure, continuously monitoring and refining it to maximize performance as it adapts to changing threat landscapes. Keep an eye on critical metrics such as false positive and false negative threat detection rates, MTTD and MTTR, vulnerability discovery rates and patch compliance rates.
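One way to compute the detection metrics named above from reviewed alert records, as an added example that is not from the article. The record fields and sample data are constructed, times are in minutes, and MTTR is assumed here to run from detection to resolution.

```python
from statistics import mean

# Constructed sample: analyst-reviewed events, times in minutes since log start.
RECORDS = [
    {"malicious": True,  "alerted": True,  "occurred": 0,   "detected": 30,  "resolved": 150},
    {"malicious": True,  "alerted": True,  "occurred": 100, "detected": 110, "resolved": None},
    {"malicious": True,  "alerted": False, "occurred": 200, "detected": None, "resolved": None},
    {"malicious": False, "alerted": True},
    {"malicious": False, "alerted": False},
    {"malicious": False, "alerted": False},
    {"malicious": False, "alerted": False},
]

def _rate(numerator, denominator):
    """Return None instead of dividing by zero when a class has no samples."""
    return numerator / denominator if denominator else None

def secops_metrics(records):
    tp = [r for r in records if r["malicious"] and r["alerted"]]
    fp = sum(1 for r in records if not r["malicious"] and r["alerted"])
    fn = sum(1 for r in records if r["malicious"] and not r["alerted"])
    tn = sum(1 for r in records if not r["malicious"] and not r["alerted"])
    # Missed incidents have no detection time; they count as false negatives only.
    detect = [r["detected"] - r["occurred"] for r in tp]
    # Open incidents (resolved is None) are left out of MTTR until they close.
    repair = [r["resolved"] - r["detected"] for r in tp if r.get("resolved") is not None]
    return {
        "false_positive_rate": _rate(fp, fp + tn),
        "false_negative_rate": _rate(fn, fn + len(tp)),
        "mttd_minutes": mean(detect) if detect else None,
        "mttr_minutes": mean(repair) if repair else None,
    }

if __name__ == "__main__":
    print(secops_metrics(RECORDS))
```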

By determining specific areas where AI can provide the most value, such as threat detection, incident response, or vulnerability management, and choosing AI tools that align with these — and your tech stack — you can boost your security posture and save your SecOps teams a lot of time and stress. Make sure to prepare the data and train the model carefully before integrating it with your existing security workflows; the more you do upfront, the easier it will be later on.

KEYWORDS: artificial intelligence (AI) best practices business resilience cloud organizational resilience

Sashank Purighalla is Founder/CEO at BOS Framework.
