I\u2019ve spent 25 years in information security. Long enough to see SIEM rise from the old audit requirements of “aggregated, network based logging”, with the birth of the “correlation” buzzword, and with its fall seen the rise of the “normalisaton” buzzword. I\u2019ve built SOCs, tuned them, fought alert noise, and tried to control the spiralling cost that comes with doing security badly at scale.<\/p>\n\n\n\n
And through all of that, one principle has never changed.<\/p>\n\n\n\n
Know your environment. Know your security strategy. Understand your threat model. Build a picture of normal. Alert on what is truly abnormal\u2014and truly risky.<\/strong><\/p>\n\n\n\n If you follow the above-described approach, something interesting happens. A number of \u201cmust-haves\u201d in modern SOC conversations start to look\u2026 negotiable:<\/p>\n\n\n\n These are not heretical views\u2014they\u2019re just uncomfortable ones. Because they challenge a model where complexity and cost are often mistaken for maturity.<\/p>\n\n\n\n In reality, a well-understood environment with sharply defined risk tolerance will outperform a bloated SOC every time.<\/p>\n\n\n\n Now we have a new layer: AI, and if you read the current wave of content, you\u2019ll notice a pattern. The most confident \u201cAI success stories\u201d tend to avoid talking about SIEM at all!<\/p>\n\n\n\n Instead, we get familiar phrases:<\/p>\n\n\n\n Let\u2019s pause on one of those.<\/p>\n\n\n\n \u201cEnrichment\u201d has quietly joined the long list of SIEM buzzwords. But what does it actually mean? Better data? According to whom? Data quality is not universal. It is entirely dependent on your<\/em> environment, your<\/em> systems, and your<\/em> risks. An event that is critical in one organisation is meaningless in another.<\/p>\n\n\n\n You can train an AI model to process data. But can you teach it what matters<\/em> in a specific, messy, evolving environment? That\u2019s not just a data problem. That\u2019s a context problem.<\/p>\n\n\n\n Another popular claim:<\/p>\n\n\n\n \u201cAI won\u2019t replace analysts, but it will make them more productive.\u201d<\/p>\n<\/blockquote>\n\n\n\n It sounds reasonable. It\u2019s also mostly unproven in the SIEM context. Take \u201cnoise reduction\u201d\u2014a classic SOC problem. Who defines noise?<\/p>\n\n\n\n That decision requires:<\/p>\n\n\n\n That\u2019s not magic. But it does<\/em> require experience and judgement. Can an AI learn this? Possibly, in constrained scenarios. Can it generalise this across real-world environments without introducing blind spots? That\u2019s much harder to believe.<\/p>\n\n\n\n What\u2019s consistently absent from \u201cAI transformed my SOC\u201d narratives is technical depth.<\/p>\n\n\n\n Where are the discussions about?:<\/p>\n\n\n\n Even in fully SaaS environments, you are still dealing with operating systems, identity layers, protocols, and execution paths.<\/p>\n\n\n\n AI can easily flog a dead horse that is a cost-sinkhole SOC (plenty of those around on all continents – it needs a collective noun), but can it get a SOC to rise phoenix-like from the ashes of its dark history? That is as close to a ‘no’ as you’re ever going to get without it actually being a ‘no’. <\/p>\n\n\n\n I remain open minded, but i want to see technically grounded discussions in order to change that position. The SIEM community has long conversations for the long nights of winter e.g. “do i want to use sysmon if i have a CIS benchmark compliant Audit Policy service?”. This is the level that the conversation has to be, at, without perhaps the same volume.<\/p>\n\n\n\n AI can absolutely make those SOCs more efficient at being inefficient<\/em>. can it transform a fundamentally flawed SOC into an effective one? That\u2019s very close to a \u201cno.\u201d Not because AI is weak\u2014but because the problem is structural.<\/p>\n\n\n\n If you don\u2019t understand your environment, your risk, and your attack surface, no amount of automation will fix that.<\/p>\n\n\n\n At its core, effective detection relies on an attack mindset.<\/p>\n\n\n\n That comes from:<\/p>\n\n\n\n We\u2019ve seen early attempts to automate parts of this\u2014especially in areas like network path analysis and automated penetration testing.<\/p>\n\n\n\n But anyone who has participated in real-world red teaming or unrestricted penetration testing knows the truth: This is not a linear process. It involves intuition, creativity, and adapting to incomplete information. Teaching that to an AI agent is not impossible\u2014but it is a very<\/em> hard problem.<\/p>\n\n\n\n I\u2019m not anti-AI. Far from it. But I am sceptical of narratives that skip over the hard parts.<\/p>\n\n\n\n Can AI replace the fundamentals?:<\/p>\n\n\n\n Until AI can operate meaningfully at that level, it remains a tool, of sorts, hopefullly not a very expensive tool. <\/p>\n","protected":false},"excerpt":{"rendered":" AI can easily flog a dead horse that is a cost-sinkhole SOC (plenty of those around on all continents – it needs a collective noun), but can it get a SOC to rise phoenix-like from the ashes of its dark history? Continue reading The Sacred Cows of the SOC<\/h2>\n\n\n\n
\n
Enter AI: The New Buzzword Cycle<\/h2>\n\n\n\n
\n
\u201cEnrichment\u201d of Data<\/h3>\n\n\n\n
The Analyst Productivity Argument<\/h2>\n\n\n\n
\n
\n
The Missing Layer: Technical Depth<\/h2>\n\n\n\n
\n
Can AI Fix a Broken SOC?<\/h2>\n\n\n\n
The Hard Problem: Teaching an Attack Mindset<\/h2>\n\n\n\n
\n
Final Thought<\/h2>\n\n\n\n
\n