Machine Learning in the SOC—Part 3: Best Practices for Success

If you do your homework, apply a layered approach, and empower your SOC team, machine learning can significantly transform your SecOps.

Machine learning has the power to transform your security operations, but as with any powerful technology, it needs to be approached strategically. Through our first-hand experience with helping organizations across the world implement and operationalize machine learning in their SOCs, we have identified four best practices that are critical for achieving success.

1. Don’t fall into a buzzword trap.

Terms like artificial intelligence (AI) and machine learning are popular in our industry, but there’s a lot of snake oil with vendors claiming to use these technologies. Do your homework to understand what type of machine learning a vendor uses and whether or not that type of machine learning meets your security team’s needs.

Knowing just a little bit about how machine learning works can help you ask better questions when evaluating a vendor, like “What threats are not covered with existing tools and techniques?” or “Which data feeds contain valuable information but are currently underutilized?”

2. Don’t treat machine learning—or any technology—like a cure-all.

Your best defense comes from covering multiple bases and using complementary technologies together. Machine learning alone won’t catch and stop the bad guy, so make sure you’re enabling a holistic threat detection solution.

For example, pairing Interset user and entity behavioral analytics (UEBA) with a next-gen security information and event management (SIEM) platform like Micro Focus ArcSight gives you a layered approach to security analytics that enables more visibility, better detection, and easier, quicker avenues for responding to known and unknown threats. ArcSight’s real-time correlation quickly and effectively finds the known threats, while UEBA detects the subtle, unknown threats that would otherwise escape detection via static thresholds and rules. The truth is that real-world threat scenarios often require a mix of both of these approaches.
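The complementary behaviour described above can be made concrete with a small detector that runs two layers over the same data: a static correlation rule with an absolute threshold (the "known threat" layer) and a per-entity baseline that flags deviation from each account's own history (the "unknown threat" layer). This is an added example, not code from the original post or from Interset or ArcSight; the failed-login counts, the baseline history, the thresholds and the z-score model are constructed assumptions chosen to show why each layer catches something the other misses.

```python
"""Layered detection: a static correlation rule beside a per-entity baseline.

Added example (not code from the original post or from any vendor product).
All events, thresholds and the z-score model are constructed assumptions.
"""
from statistics import mean, pstdev

# Constructed history: failed logins per user for each of the last 10 hours.
# 'bob' is a chronically noisy service account; the others are normally quiet.
HISTORY = {
    "svc_backup": [0, 0, 1, 0, 0, 0, 0, 1, 0, 0],
    "alice":      [0, 1, 0, 0, 1, 0, 0, 0, 1, 0],
    "bob":        [28, 31, 30, 33, 27, 29, 32, 30, 31, 29],
}

# Constructed current-hour counts: user -> failed logins this hour.
CURRENT_HOUR = {"svc_backup": 80, "alice": 12, "bob": 34}

STATIC_THRESHOLD = 50   # correlation rule: an obvious brute-force burst
Z_THRESHOLD = 3.0       # baseline rule: standard deviations above the entity's own norm
MIN_COUNT = 5           # ignore tiny absolute counts even when the z-score is large


def static_rule(counts, threshold=STATIC_THRESHOLD):
    """Correlation-style rule: fire when an absolute threshold is crossed."""
    return {user for user, n in counts.items() if n >= threshold}


def zscore(value, history):
    """Deviation of `value` from the entity's own baseline, in standard deviations."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        # A perfectly flat history: any increase is infinitely unusual, a decrease is not.
        return float("inf") if value > mu else 0.0
    return (value - mu) / sigma


def behavioral_rule(counts, history, z_threshold=Z_THRESHOLD, min_count=MIN_COUNT):
    """Baseline rule: fire when an entity deviates from its own history.

    Returns {user: z} for flagged users. Users with no history are skipped
    because there is nothing to baseline against.
    """
    flagged = {}
    for user, n in counts.items():
        if user not in history or n < min_count:
            continue
        z = zscore(n, history[user])
        if z >= z_threshold:
            flagged[user] = z
    return flagged


def layered_detect(counts, history):
    """Run both layers and label each lead with the layer(s) that produced it."""
    known = static_rule(counts)
    subtle = behavioral_rule(counts, history)
    leads = {}
    for user in sorted(known | set(subtle)):
        layers = []
        if user in known:
            layers.append("static-rule")
        if user in subtle:
            layers.append(f"baseline(z={subtle[user]:.1f})")
        leads[user] = layers
    return leads


if __name__ == "__main__":
    for user, layers in layered_detect(CURRENT_HOUR, HISTORY).items():
        print(f"{user}: {', '.join(layers)}")
```

On the constructed data the static rule alone sees only the 80-failure burst from `svc_backup`; `alice` at 12 failures is far below the threshold yet sits tens of standard deviations above her own baseline, so the behavioral layer raises her as a lead. `bob` at 34 failures is above `alice` in absolute terms but within his normal range, so neither layer fires; lowering the static threshold to catch `alice` would instead page the analyst on `bob` every hour.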

And remember, technology doesn’t solve the problem on its own.

3. Your SOC team members are more valuable than ever.

Technology may give your SOC the competitive edge it needs, but it can’t (and shouldn’t) replace the humans in your SOC. SOC teams are forced to deal with ever-growing feeds of data and constantly evolving threats, which can be better managed by machine learning. The best security posture comes from a strong human-machine team that leverages the strengths of each: faster-than-human analysis by machines to identify leads for investigation and the contextual understanding of SOC analysts and threat hunters.

If you do your homework, apply a layered approach, and empower your SOC team, machine learning can significantly transform your security operations efforts and coverage into a powerful threat defense.

Ready to take a proactive stance on security? Learn how you can better protect your business with machine learning by visiting

Read the previous entry in this blog series: Machine Learning in the SOC—Part 2: Identify Your Use Cases.