The Role of NDR in the AI-Powered, Next-Gen SOC

As security applications of generative AI become more common, security leaders are considering how AI tools can play a role in next generation security operations centers (SOCs).

AI and machine-learning applications can help lift the burden on understaffed security teams by automating certain aspects of threat detection and response. But these tools are only as good as the data they ingest. Having access to more data is important, but what’s more vital is the completeness and contextualization of this data. That’s where network detection and response (NDR) solutions like RevealX™ can make the difference.

The Vision of a Next Generation, AI-Powered SOC

There are five main ways that AI can help empower SOC teams, three of which are available today and two of which are on the horizon:

1. AI can search through data more efficiently (available today).
2. AI can tie together multiple, related detections to more quickly identify malicious activity (available today).
3. Analysts can use AI to develop scripts or threat detection rules (available today).
4. AI tools based on large language models (LLMs) can explain detections in natural, human language (on the horizon).
5. AI-based SOC co-pilots work under human supervision to automate incident response and threat hunting work by gathering data and evidence, analyzing detections, making recommendations, and executing runbooks following human approval (on the horizon).

The promise of an AI-powered, next generation SOC is the combination of these five use cases: an AI tool that can put detections in the context of an organization’s infrastructure, explain the full story of an attack, and help security teams predict and respond to whatever comes next.

Critical Data Sources for the Next-Gen SOC

Most SOC data comes from endpoint detection and response (EDR) tools. This data is vital to detecting malicious behavior, but organizations can only get it from endpoints running EDR agents, and not every endpoint can run an agent. ExtraHop telemetry shows that as many as 60% of customers’ endpoints are not instrumented with an EDR agent, creating significant visibility and detection gaps.

Network data can fill visibility gaps where organizations lack EDR coverage. It can also augment and enhance EDR data, since there are a wide range of threats and attacker behaviors like Kerberos Golden Ticket attacks, Cobalt Strike beaconing, lateral movement, and file share data encryption that are best detected on the network, rather than on endpoints. After all, the network is where everything happens: devices communicate over the network and users interact with resources, each leaving a trail of their activity. With insight into the network, there’s nowhere for bad actors to hide. EDR tells you who the characters in an attack story are. NDR shows you their relationships and what they’re saying to each other (their dialog). AI helps defenders combine the two into a manuscript.

How RevealX Empowers Better AI

Not all security data is created equally. As with many things, quality is more important than quantity. Both the completeness and the context of data help AI better understand individual detections and data points to then weave them into a coherent and accurate attack story. Contextualized detections tell defenders what kind of device has been impacted and whether that device is critical, like a domain controller. This is especially important for critical devices lacking endpoint agents, and it helps defenders and AI determine the severity of a detection.

RevealX provides this complete context. With roots in network performance management (NPM), RevealX uses packet mirroring technology to silently capture all packets flowing across an organization’s network (north-south and east-west) and automatically discover, classify, and map dependencies among all assets on an organization’s network infrastructure. In addition, RevealX applies strategic decryption to gain visibility into encrypted network traffic. In this manner, RevealX can tell you what every packet is doing anywhere on the network at any given time: where it’s going, where it came from, and what is being said across both sides of the conversation. More sources of high-fidelity data mean more parameters for AI tools, and more parameters lead to better AI function.

Of course, all the data in the world won’t help if you don’t act on it in time. That’s one more way RevealX enables better AI response. Many SOCs rely on SIEMs, which were designed to act as systems of record. SIEMs function well in this regard, but they aren’t built to provide effective real-time analysis. On-premises SIEM deployments lack the scalable computing power to accelerate detections. In contrast, RevealX uses cloud-scale ML and applies over one million predictive models to detect threats in real time that other tools miss.

Setting the Standard for AI Innovation in Cybersecurity and Network Performance

At ExtraHop, we’re not just thinking about how AI can help SOC analysts investigate smarter, stop threats faster, and work more efficiently. We’re leading the way. The new, first-of-its-kind AI Search Assistant capability in RevealX uses an LLM to deliver intuitive, actionable answers to users' natural language queries. This functionality helps organizations close domain and product proficiency gaps by enabling any security analyst to get useful, intelligent results regardless of how much experience they have with RevealX.

AI Search Assistant builds on a long legacy of AI and ML innovation at ExtraHop. ExtraHop holds 70 patents in AI, and RevealX leverages five forms of artificial intelligence, including predictive models, graph algorithms, deep learning, clustering, and clustering link prediction. Together with Smart Investigations and other features like Smart Triage, AI Search Assistant combines to deliver a powerful set of AI tools in the RevealX platform designed to automate SOC workflows and relieve analyst fatigue.

The current security implementation of ML in many security products focuses on discovering individual malicious activities. But an attack is a combination of several malicious activities. AI promises to deliver something better. With the right data and context, defensive AI will be able to think like a hacker, only much faster. The bad guys won’t stand a chance.