
How AI-driven SOC technology alleviated alert fatigue: Case study

Cybersecurity expert Jonathan Fischbein had a problem that his colleagues are probably familiar with: too many security alerts and too few analysts in the security operations center.

“We’re on a tight budget,” said Fischbein, CISO at cybersecurity software provider Check Point. “I would say we were between 30 and 40 percent short of staff in the SOC.”

Without enough staff to respond to the constant barrage of security alerts coming from the company’s SIEM platform, the situation was dire. “If you have an alert that you don’t address, that alert can turn into an incident,” Fischbein said. “And that’s something I don’t want as a CISO.”

AI replaces outdated SOAR

With the goal of reducing his team’s alert fatigue and improving Check Point’s security posture, Fischbein began exploring automation platforms. Feedback from other CISOs and CIOs led him to bypass legacy security orchestration, automation and response (SOAR) products in favor of a hyperautomation platform from startup Torq.

“We really liked the graphical user interface and the numerous templates for workflow automation,” said Fischbein, adding that the platform was designed with the SOC analyst experience at the forefront to make their jobs easier.


Check Point initiated a proof of concept. Within days of starting the test, Fischbein said, Torq had deployed more than two dozen AI-driven playbooks that automated responses to some of the company’s most common security alerts.

Importantly, Torq’s technology integrated seamlessly into Check Point’s existing infrastructure and security stack, ingesting and analyzing data from a variety of systems and tools. “It was a perfect fit,” Fischbein said.

He was sold.


AI is used in the SOC

Today, Torq’s technology – now known as HyperSOC – investigates, prioritizes and remediates many of Check Point’s internal security alerts without human intervention. If an alert meets certain parameters based on organizational security policies, the platform autonomously takes relevant predefined steps, such as initiating an MFA challenge or banning a suspicious user.

“We can automatically respond to problems before they become security incidents,” Fischbein said.

When events are potentially critical or complex, HyperSOC flags them for monitoring or intervention by analysts and offers suggestions for next steps.

According to Torq, companies can also train the generative AI-driven SOC platform to take contextual factors into account when making decisions – for example, by requiring confirmation from a human operator before locking the CEO’s account.
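The three paragraphs above describe a policy-gated response loop: alerts that match predefined parameters are remediated automatically, critical or complex ones are escalated to analysts, and sensitive targets such as the CEO’s account require a human sign-off. The following is an added illustration of that decision logic, not Torq’s or Check Point’s code. The alert fields, playbook thresholds, protected account names and per-rule action budget are all assumptions constructed for the example; the sample alerts are likewise constructed.

```python
"""Policy-gated auto-response routing for SOC alerts.

Added illustration only (not HyperSOC code). Every alert field, playbook
threshold and account name below is a constructed assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Alert:
    """Normalised alert as it might arrive from a SIEM (assumed schema)."""
    id: str
    rule: str          # name of the detection rule that fired
    user: str          # principal the alert concerns
    severity: int      # 1 (informational) .. 10 (critical)
    confidence: float  # 0.0 .. 1.0, detection confidence
    tags: set = field(default_factory=set)


@dataclass
class Decision:
    alert_id: str
    action: str  # predefined response, or "none"
    mode: str    # "auto" | "needs_approval" | "escalate"
    reason: str


# Assumed playbook catalogue: the predefined step for a rule and the limits
# under which it may run without a human in the loop.
PLAYBOOKS = {
    "impossible_travel": {
        "action": "mfa_challenge", "min_confidence": 0.7, "max_severity_auto": 6},
    "credential_stuffing_success": {
        "action": "disable_user", "min_confidence": 0.9, "max_severity_auto": 8},
}

# Principals that must never be locked out automatically (assumed list);
# this is the "ask a human before locking the CEO's account" guardrail.
PROTECTED_USERS = {"ceo@example.com", "breakglass@example.com"}
DISRUPTIVE_ACTIONS = {"disable_user"}


def route(alert: Alert, budget: dict, max_auto_per_rule: int = 5) -> Decision:
    """Decide whether to auto-run the playbook, ask a human, or escalate.

    `budget` counts automatic actions already taken per rule, so a noisy
    rule or an attacker flooding alerts cannot disable the whole company.
    """
    pb = PLAYBOOKS.get(alert.rule)
    if pb is None:
        return Decision(alert.id, "none", "escalate", "no playbook for rule")
    if alert.severity > pb["max_severity_auto"]:
        return Decision(alert.id, pb["action"], "escalate", "severity above auto threshold")
    if alert.confidence < pb["min_confidence"]:
        return Decision(alert.id, pb["action"], "needs_approval", "low confidence")
    if alert.user in PROTECTED_USERS and pb["action"] in DISRUPTIVE_ACTIONS:
        return Decision(alert.id, pb["action"], "needs_approval", "protected principal")
    if budget.get(alert.rule, 0) >= max_auto_per_rule:
        return Decision(alert.id, pb["action"], "needs_approval", "auto budget exhausted")
    budget[alert.rule] = budget.get(alert.rule, 0) + 1
    return Decision(alert.id, pb["action"], "auto", "policy match")


def triage(alerts: list) -> tuple:
    """Route a batch of alerts; returns (decisions, count per mode)."""
    budget: dict = {}
    decisions = [route(a, budget) for a in alerts]
    counts = {"auto": 0, "needs_approval": 0, "escalate": 0}
    for d in decisions:
        counts[d.mode] += 1
    return decisions, counts


# Constructed sample batch: a normal match, a protected user, a critical hit,
# an unknown rule, a low-confidence alert, then a burst that exhausts the budget.
SAMPLE_ALERTS = [
    Alert("a1", "impossible_travel", "alice@example.com", 5, 0.80),
    Alert("a2", "credential_stuffing_success", "ceo@example.com", 7, 0.95),
    Alert("a3", "credential_stuffing_success", "bob@example.com", 9, 0.95),
    Alert("a4", "lateral_movement", "bob@example.com", 6, 0.90),
    Alert("a5", "impossible_travel", "carol@example.com", 4, 0.50),
] + [
    Alert(f"a{n}", "impossible_travel", f"user{n}@example.com", 3, 0.90)
    for n in range(6, 11)
]

if __name__ == "__main__":
    decisions, counts = triage(SAMPLE_ALERTS)
    for d in decisions:
        print(f"{d.alert_id}: {d.mode:15} {d.action:14} ({d.reason})")
    print(counts)
```

The ordering of the checks matters: severity is tested before confidence so that a high-severity alert is never silently parked in an approval queue, and the protected-user check sits before the budget so that a flood of alerts can never push the CEO’s lockout through as "policy match". The per-rule budget is the cheap protection against the failure mode Fischbein is implicitly worried about, an automated response that itself becomes the incident.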

Figure: Results of the survey on generative AI for cybersecurity. A 2024 survey by the Cloud Security Alliance indicated tremendous interest in generative AI for cybersecurity, with 94% of organizations actively planning or testing it for specific use cases.

Natural language processing speaks up

Fischbein compared Torq’s HyperSOC to a Swiss Army knife as it helps manage different security events of varying severity.

This flexibility is due in part to the technology’s extensive language modeling capabilities, which enable natural language material to be ingested – from proprietary internal playbooks to documentation from industry frameworks such as MITRE ATT&CK – and cross-referenced in incident triage, investigation and response efforts.

In cases that require human intervention, the platform also uses natural language to summarize its own workflows, present relevant data, and provide recommendations for next steps. This helps human analysts make more efficient and informed decisions and minimizes the time and effort they must spend on tedious and manual investigative tasks during active incidents.

AI is a SecOps tool, not a panacea

Fischbein says Torq’s AI-driven SOC platform has successfully increased the efficiency of Check Point’s security analysts and reduced alert fatigue, but that doesn’t mean he sees his staffing problems solved.

“In our organization, we’re talking about almost 7,000 users in about 80 different locations around the world. The problems are endless,” he said. “Even if I increased my SOC staff by 40%, I would still have problems.”

In other words, the never-ending battle between SecOps teams and attackers continues – but with AI-driven SOC technology potentially giving the good guys the edge.

“It’s a game of cat and mouse,” said Fischbein. “And with Torq, we can catch the mouse more easily.”

Alissa Irei is senior site editor at TechTarget Security.