Artificial intelligence is quickly becoming a new tool in Security Operations Centers (SOCs). Juraj Belko's lecture showed how large language models can make complex tools easier to use, speed up incident analysis, and carry automated response all the way into day-to-day practice. Alongside the benefits, the talk raised concerns about data handling and regulation, and also offered answers on how to address them.
Who needs a SOC and when it hurts the most
Belko distinguishes several types of organizations: those that have not yet experienced an incident, the proactive ones, the "post-incident" and "post-audit" ones, and those driven by regulation such as the Cybersecurity Act or NIS2. Post-incident organizations make the fastest progress: they are motivated and able to make decisions, whereas post-audit organizations tend to fix only what someone has flagged as a problem. The common reality, however, is that an organization buys expensive tools, takes a first look at the multitude of dashboards, and does not know where to start. That is when improvised questions to GPT and on-the-fly searches for answers come in, which works, but it can be done more systematically.
AI in the SOC: understands the question, prepares a report, and takes action
An example is an assistant deployed in FortiAnalyzer, where the analyst simply says that they see a compromised host in the top category and asks for context. The system automatically fills in the host's IP address, summarizes the situation in a clear report, and, on request, breaks down the processes with the heaviest load or the suspicious communication channels. If the suspicion is confirmed, the analyst can, directly from the same interface, instruct the endpoint security agent (EDR) to terminate the process and, to be safe, quarantine the machine. Similarly, in the automation environment the assistant can generate a comprehensible summary for an alert and prepare a handover template for the next colleague on shift.
The key is that the analyst's question is enriched with internal context and stripped of irrelevant data before it is sent to the LLM (whether OpenAI, Bard, or an in-house model), so that the answer is accurate and the model only sees what the current task needs. Data stay in a private tenant and are not used to train models, which addresses the most common concerns. The assistant already understands Slovak, although the reply may come in English, and it also suggests follow-up questions that steer the analyst in the right direction. The solution is open to integrations with tools from other vendors, so AI can add value even in a heterogeneous environment.
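The enrich-then-strip step described above is the part of the design a practitioner will want to see concretely. The following Python is an added example written for this summary; it is not the lecturer's code nor any FortiAnalyzer or vendor component, and the alert record, field names, task allowlist and the `{src_ip}` placeholder in the analyst's question are all assumptions. It shows a small gateway that keeps only the alert fields a task needs, redacts secrets, replaces internal identifiers with placeholders whose mapping never leaves the tenant, and runs a release check on the outgoing prompt before it would be sent to any model.

```python
"""Prompt gateway for a SOC assistant (added example, not the lecture's or
any vendor's code): enrich the analyst's question with the relevant alert
fields, drop what the model does not need, redact secrets, and replace
internal identifiers with placeholders whose mapping stays in the tenant."""
import re

# Constructed sample alert (not real data); the field names are assumptions.
SAMPLE_ALERT = {
    "id": "INC-0417",
    "category": "compromised host",
    "src_ip": "10.20.30.40",
    "hostname": "ws-finance-07",
    "user": "j.novak",
    "top_processes": ["powershell.exe", "rundll32.exe"],
    "cmdline": 'powershell.exe -c "net use \\\\srv\\share /user:j.novak password=Hunter2"',
    "dst_ips": ["203.0.113.9"],
    "api_token": "Bearer eyJhbGciOiJIUzI1NiJ9.x.y",  # must never reach the model
    "raw_packet_dump": "00 1a 2b 3c ...",             # irrelevant for a summary
}

# Only these fields are sent for a given task; everything else stays behind.
ALLOWLIST = {
    "summarize": ("id", "category", "src_ip", "hostname", "user",
                  "top_processes", "cmdline", "dst_ips"),
    "process_triage": ("id", "hostname", "top_processes", "cmdline"),
}

# Secrets that must be redacted even when they sit inside an allowed field.
SECRET_PATTERNS = [
    re.compile(r"Bearer\s+[A-Za-z0-9._~+/=-]+"),
    re.compile(r"(?i)password=[^\s\"']+"),
]

# Identifiers that are swapped for placeholders before leaving the tenant.
PSEUDONYMIZED_FIELDS = ("hostname", "user")


class PromptGateway:
    """Sits between the analyst UI and the model. The placeholder-to-real
    mapping lives only in this object, i.e. on the tenant side."""

    def __init__(self):
        self._pseudonyms = {}  # real value -> placeholder

    def _register(self, alert):
        for key in PSEUDONYMIZED_FIELDS:
            value = alert.get(key)
            if value and value not in self._pseudonyms:
                self._pseudonyms[value] = f"<{key.upper()}_{len(self._pseudonyms) + 1}>"

    def sanitize(self, text):
        """Redact secrets, then replace real identifiers with placeholders."""
        for pattern in SECRET_PATTERNS:
            text = pattern.sub("<REDACTED>", text)
        for real, placeholder in self._pseudonyms.items():
            text = text.replace(real, placeholder)
        return text

    def build_prompt(self, question, alert, task="summarize"):
        self._register(alert)
        ctx = {k: alert[k] for k in ALLOWLIST[task] if k in alert}
        # Enrichment: the analyst refers to "that host"; the gateway fills in the IP.
        question = question.replace("{src_ip}", str(ctx.get("src_ip", "")))
        context = "\n".join(f"{k}: {v}" for k, v in ctx.items())
        prompt = ("You are a SOC assistant. Answer using only the context below.\n\n"
                  f"Context:\n{context}\n\nQuestion: {question}")
        return self.sanitize(prompt)

    def rehydrate(self, reply):
        """Map placeholders in the model's reply back to real names, locally."""
        for real, placeholder in self._pseudonyms.items():
            reply = reply.replace(placeholder, real)
        return reply

    def outbound_leaks(self, prompt, alert, task="summarize"):
        """Release check: return alert values that must not leave the tenant
        (non-allowlisted fields, pseudonymized identifiers, secrets) but
        still appear verbatim in the outgoing prompt. Empty means clean."""
        forbidden = [v for k, v in alert.items() if k not in ALLOWLIST[task]]
        forbidden += list(self._pseudonyms)
        raw = "\n".join(str(v) for v in alert.values())
        for pattern in SECRET_PATTERNS:
            forbidden += pattern.findall(raw)
        hits = set()
        for value in forbidden:
            for item in (value if isinstance(value, list) else [value]):
                if str(item) in prompt:
                    hits.add(str(item))
        return sorted(hits)


if __name__ == "__main__":
    gw = PromptGateway()
    out = gw.build_prompt("In the top category I see a compromised host {src_ip}, "
                          "give me context.", SAMPLE_ALERT)
    print(out)
    print("leaks:", gw.outbound_leaks(out, SAMPLE_ALERT))
```

The release check is deliberately independent of the sanitizer: it re-derives what must not leave from the raw alert and the pseudonym table, so a new field added to the alert schema but forgotten in the sanitizer is caught before the prompt goes out rather than after.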