DXC Technology is among the global providers of managed security services and relies on security operations centers (SOCs) around the world. The presentation showed how SOCs are moving from simple log collection to automation and AI and what that means for customers as well as analysts. Here is a summary of the key points and a brief example of a response.
DXC Technology in numbers and on the map
The company has approximately 130 000 employees, and around 3 200 security professionals who serve hundreds of customers and dozens of partnerships. It operates 13 security centers functioning in six languages, with some working bilingually (for example, Italian and English or French and English). Coverage spans from North America through Europe (Poland, Denmark, the United Kingdom, Italy, Spain) and North Africa (Morocco) to Asia (India, the Philippines, Malaysia, including support for Japanese). Australia and New Zealand are served by the SOC in Sydney; Spanish is in demand primarily for Latin America.
From logs to decision-making: five levels of SOC maturity
Before every onboarding, DXC assesses the maturity of the environment, because without order in the data, device lifecycle management, and quality patching, “blind spots” arise and responses fail. The foundation used to be simple ingestion from endpoints (e.g., EDR), which proved insufficient. This was followed by MXDR with the addition of network data, which brought many more events and the need to suppress noise and better understand context. Enrichment with internal information was key: an employee’s role, department, project, or travel changes the assessment of risk and priorities. Next comes SOAR—automation and playbooks shorten the time from detection to response—and the final direction is the AI SOC, where language models accelerate and refine both investigation and decision-making.
AI in practice and what it means for people
In practice, a SOC can receive alerts or already correlated incidents from various sources, and AI takes care of categorization, enrichment, and triage. In an incident of the “High Risk Okta user” type, the SIEM reports a connection from a suspicious IP address, and within a few minutes AI summarizes the situation: the IP’s origin, its reputation, and context. It verifies information in sources such as EDR, threat intelligence, or reputation databases, and decides on the next step. The result may be an automatic API call to Okta and temporary deactivation of the account, with notification to the user and their manager.
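The triage flow just described (SIEM alert, enrichment with IP reputation and the internal context mentioned in the maturity section, a decision, then an Okta action plus notifications) as an added Python sketch; this is not DXC's code, and the lookup tables, weights, thresholds and action names are constructed assumptions.

```python
"""Triage of a 'High Risk Okta user' alert: enrich, verify, decide.
All lookup tables below are constructed sample data standing in for the
reputation database, HR directory and EDR that a real playbook would query."""
from dataclasses import dataclass, field

IP_REPUTATION = {  # threat intel / reputation database (constructed)
    "203.0.113.45": {"country": "RO", "malicious": True, "source": "ti-feed"},
    "198.51.100.7": {"country": "FR", "malicious": False, "source": "ti-feed"},
}
HR_DIRECTORY = {  # internal context: role, department, home country, travel (constructed)
    "jdoe": {"role": "finance-admin", "department": "Finance", "home": "PL", "travel": []},
    "asmith": {"role": "sales", "department": "Sales", "home": "PL", "travel": ["FR"]},
}
EDR_FINDINGS = {"jdoe": [], "asmith": []}  # recent EDR alerts per user (constructed)
PRIVILEGED_ROLES = {"finance-admin", "it-admin"}  # assumed list of sensitive roles

@dataclass
class Triage:
    user: str
    severity: str = "low"
    reasons: list = field(default_factory=list)   # evidence an analyst can audit
    actions: list = field(default_factory=list)   # what the playbook would execute

def triage_high_risk_okta_user(alert):
    """Takes the SIEM alert {'user', 'src_ip'} and returns the triage decision."""
    user, ip = alert["user"], alert["src_ip"]
    rep = IP_REPUTATION.get(ip, {"country": None, "malicious": None, "source": "none"})
    person = HR_DIRECTORY.get(user, {"role": None, "home": None, "travel": []})
    expected = {person["home"], *person["travel"]}  # countries a login is plausible from
    checks = [  # (condition, weight, reason) - weights are assumptions
        (rep["malicious"] is True, 3, f"{ip} flagged malicious by {rep['source']}"),
        (rep["malicious"] is None, 1, f"{ip} has no reputation data"),
        (rep["country"] is not None and rep["country"] not in expected, 1,
         f"login from {rep['country']} outside home/travel countries"),
        (person["role"] in PRIVILEGED_ROLES, 2, f"privileged role {person['role']}"),
        (bool(EDR_FINDINGS.get(user)), 2, "EDR has recent findings for this user"),
    ]
    t, score = Triage(user=user), 0
    for hit, weight, reason in checks:
        if hit:
            score += weight
            t.reasons.append(reason)
    if score >= 4:  # automated containment plus notifications
        t.severity = "high"
        t.actions += ["okta:suspend_user", f"notify:{user}", f"notify:manager_of:{user}"]
    elif score >= 2:  # enough doubt to route to a human
        t.severity = "medium"
        t.actions.append("analyst:review")
    return t
```

The same malicious IP that yields "high" for a privileged finance admin with no travel yields only "medium" or "low" for a salesperson whose HR record lists that country, which is the role-and-travel effect on priority the talk describes; in a real SOAR, "okta:suspend_user" would be mapped to the Okta user lifecycle API call.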
The speaker does not consider fears that AI will replace analysts to be justified. AI is a tool that takes over routine and time-consuming tasks so that people can focus on what matters and manage the automation itself. The aim is to shift the specialist’s role from manual response to creating and supervising “digital assistants”—and thereby speed up and improve defense.