
SentinelOne Puts More Features Behind the Autonomous SOC Vision


SentinelOne executives, at their recent user conference, rolled out new AI and automation features for the firm's Singularity platform that further their vision of an autonomous security operations center (SOC), a trend in the cybersecurity field that is gaining a lot of traction.

For several years, vendors have talked about SOCs that are increasingly made autonomous through AI and machine learning techniques, which can more quickly detect and respond to cyberthreats and alleviate some of the burdens of SOC professionals. The emergence of generative AI is accelerating that push.

SentinelOne is among a growing number of cybersecurity firms – including Palo Alto Networks, Intezer, and Optiv Security, among others – offering autonomous SOC capabilities. At the event, the company introduced four new features to its four-year-old Singularity platform, including hyperautomation with more than 100 integrations and dozens of workflows addressing such tasks as ransomware mitigation, asset compliance monitoring, and insider threat response.

Organizations can use no-code and drag-and-drop capabilities to build custom workflows, automate tasks, and access APIs for data from multiple sources.

Singularity AI security information and event management (SIEM) is a cloud-native feature that uses AI and the company’s Singularity Data Lake for real-time detection on streaming data, accelerating the investigation and response processes. It can ingest structured and unstructured data from both SentinelOne and third-party security offerings.

The vendor also unveiled its Ultraviolet family of security-focused large language models (LLMs), which includes support for agentic AI workflows, along with new capabilities for its Purple AI security analyst tool, which automatically triages alerts, pulls in information from them, compiles investigative steps, and comes up with a recommendation.

In announcing the new Singularity features, Ric Smith, SentinelOne’s president of product, technology, and operations, said in a statement, “Today, we’re making the promise of the autonomous SOC a reality by unleashing the full power of AI and data, to give customers the speed, intelligence, and scale needed to fend off tomorrow’s threats.”

Moving Forward, but Not There Yet

The current sentiment in cybersecurity is that while the development of fully autonomous SOCs is pushing ahead, there’s still a way to go before they are fully realized. Craig Jones, vice president of security operations at Ontinue, told MSSP Alert that “autonomous SOCs are still in the ‘building toward’ phase.”

“SentinelOne's recent release, along with efforts from other vendors, represents significant progress,” Jones said. “However, we're not at full autonomy yet. Achieving a truly autonomous SOC requires advances not only in AI for decision-making and anomaly detection but also in contextual understanding of incidents. Current systems are becoming more capable of automating specific tasks, but comprehensive, adaptive, and reliable autonomy is still some way off.”

Netenrich CISO Chris Morales agreed, telling MSSP Alert that the “problem is not just a technology issue and the path to autonomic will not be solved with existing toolsets simply adding chatbots and language models. There needs to be a rethinking of the entire process, which requires a fundamental examination of how security operations work today. I think we will see a ton of task automation claiming to be autonomic.”

Challenges Abound

Not everyone is sold on the idea of AI-based autonomous SOCs. Allie Mellen, principal analyst with Forrester Research, two years ago wrote a column about the “pipe dream” that is autonomous SOC and, earlier this year, reiterated her argument, saying it’s still true despite the emergence of generative AI.

Mellen and Forrester senior analyst Rowan Curran wrote that handling the mountains of enterprise data and integrating disparate security tools are challenges.

“There’s a deeper issue at play here that is as fundamental to security as time itself: Enterprise data consolidation and access is an absolute bear of a problem that is unsolved,” they wrote. “Put more simply, security tools can’t ingest, store, and interpret all enterprise data. And more than that, security tools don’t play nice together, anyway.”

Chad Graham, cyber incident response team manager at Critical Start, called autonomous SOCs an emerging concept but noted other hurdles that need to be cleared, including addressing the complex and dynamic nature of cyberthreats.

“Current technologies can handle routine tasks and respond to known threats, but human analysts are still crucial for handling sophisticated attacks, making contextual judgments, and adapting to new threat landscapes,” Graham told MSSP Alert. “Therefore, autonomous SOCs are more of a future goal than a present reality, with the industry making incremental steps toward increased automation.”

Pluses and Minuses

According to Rob Enderle, principal analyst with The Enderle Group, if and when fully autonomous SOCs become a reality, they’ll come with their share of pros and cons.

“An autonomous security operations center should be able to identify and mitigate threats far more quickly than a human,” Enderle told MSSP Alert. “However, if it becomes corrupted or has had a bad training set, it could also do incredible damage before it could be stopped, given the speed in which it operates. Assuring the quality of the actions the security operations center makes becomes the number-one priority.”

Of course, AI systems don’t earn salaries, need benefits, or get time off and can work faster than humans. That said, “machines don’t know people, and interactions between the two can become problematic to assure and manage,” Enderle said. “In addition, AIs have been compromised in the past or malformed, resulting in significant numbers of high-speed mistakes, at scale.”
