There’s a growing belief in many quarters that AI will outright kill off the Security Operations Center (SOC), making human analysts redundant as AI agents analyse logs, fire off alerts and trigger incident response actions, although the maturity of such agents is still mixed.
The reality is far more nuanced, says Elastic’s Mike Nichols, who’s been integrally involved in making sure that the company’s security platform is “AI-agnostic” – and that customers can integrate large or small models of choice with it; in the cloud, on-premises, or even off-grid “in a Hummer.”
Sitting down to chat with The Stack at the ElasticON event in London, Nichols is clear that the company’s SIEM and XDR software is integrating AI, in part because the technology is, he says, mature enough to remove a lot of the manual toil any analyst ends up doing in a SOC: triaging alerts and assessing their impact.
AI isn't a silver bullet
But first he wants to plant a flag as a practitioner. Nichols cut his teeth in the US Army and later at the Department of Homeland Security, where he worked in a hugely well-equipped SOC with “three of everything”, and he agrees that the security tooling landscape is changing dramatically.
But like most security professionals, he’s sceptical of silver bullets. And, he notes, “we run the risk of burning out security leaders by just saying ‘AI, AI, AI’ instead of meaningfully saying ‘here's where it actually can apply to your job.’”
Elastic absolutely has incorporated a range of AI workflows into its software.
The threat landscape is being transformed by generative AI, which is dramatically speeding up and democratising exploit development and helping even lower-skilled attackers launch supply chain attacks. Defenders need to arm themselves to work at machine speed too, he says.
But “when Elastic decided to go down the path of AI, [we knew] it had to be with openness and transparency, in a realm of ‘choose your own adventure,’” he explains, adding that Elastic took this approach for several reasons, ranging from data sovereignty to cost efficiency.
Model agnostic, cloud agnostic
“[We’re keen to emphasise that] ‘here's a huge amount of capabilities and innovation that are NOT using AI that you can take advantage of today, because you might have a cost barrier or a risk barrier,” he tells The Stack.
Another reason is to give customers flexibility over which model they run, and where.
“Many [SIEM and other cybersecurity providers say] ‘here's the model that works and it's good because we’re tuning it and tailoring it for the use case.’”
“But the problem is you now have to trust only that model. And if you live in a place where you can't send data to a country where that's hosted, that's a problem. [We made sure that Elastic Security] can work on any model, even down to a disconnected model, running on-prem with no internet connection, that still could be operationalised,” he explains – pointing to some of the company’s national security customers as examples, as well as its commitment to offering on-premises, self-managed as well as cloud-native SaaS solutions.
“We're one of the only companies around that cares about a disconnected, fully functioning, self managed solution, and is innovating into it,” he says.
“A lot of companies rushed to cloud and almost treated cloud as the only thing they ever want to do and forget everybody else. That investment allowed us to stay in a lot of places like hedge funds, or other very risk-averse environments, like defense across the world that need even the endpoint itself disconnected, put it in a Faraday cage, and it would still operate…”
That environment-agnosticism is powerful for another reason: as data volumes explode, the legacy model of moving all global data to a single central "brain" is becoming technically and financially untenable. Nichols says Elastic takes a "data mesh" or federated approach instead, particularly for multi-cloud users.
The company’s strong background in search, and its suite of controls around who can search for and find particular data sets, underpin this.
"We keep your data where it's generated, and we federate out to those things [environments] when we have to ask a question," he explains. This approach allows for compliance with strict local privacy regulations while ensuring that "only the answers come back," drastically reducing costs and latency.
The approach, in short, is “any edge, any signal, unified into full context.”
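The federated model Nichols describes, shown as an added illustration that is not Elastic’s own code and does not claim to show how Elastic Security implements it: each region runs the question over its own raw events and returns only an aggregate, the coordinator merges the aggregates, and a region refuses any “question” whose answer would be raw records. The region names, the sample login events and the ResidencyViolation guard are all constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass, field


class ResidencyViolation(Exception):
    """Raised when a query would move raw records out of their home region."""


def _is_aggregate(value):
    # Only scalars or {label: number} maps may leave a region; raw records may not.
    if isinstance(value, (int, float)):
        return True
    if isinstance(value, dict):  # Counter is a dict subclass
        return all(isinstance(k, str) and isinstance(v, (int, float))
                   for k, v in value.items())
    return False


@dataclass
class RegionStore:
    """One regional data store. Raw events never leave it; only answers do."""
    name: str
    events: list = field(default_factory=list)
    bytes_egressed: int = 0  # how much data has left this region so far

    def answer(self, question):
        """Run the question locally and release only the aggregate result."""
        result = question(self.events)
        if not _is_aggregate(result):
            raise ResidencyViolation(f"{self.name}: query would export raw records")
        self.bytes_egressed += len(repr(result).encode())
        return result


class Coordinator:
    """Fans a question out to every region and merges the partial answers."""

    def __init__(self, regions):
        self.regions = regions

    def federated_query(self, question, merge):
        partials = {r.name: r.answer(question) for r in self.regions}
        return merge(partials)


def failed_logins_per_user(events):
    """The 'question' each region evaluates against its own data."""
    return Counter(e["user"] for e in events if e["event"] == "login_failed")


def merge_counters(partials):
    """Merge per-region counts into a global view without seeing raw events."""
    total = Counter()
    for counts in partials.values():
        total.update(counts)
    return total


def build_regions():
    # Constructed sample events for two regions; not real telemetry.
    eu = RegionStore("eu-west", [
        {"user": "alice", "event": "login_failed", "src": "10.1.0.5"},
        {"user": "alice", "event": "login_failed", "src": "10.1.0.5"},
        {"user": "bob", "event": "login_ok", "src": "10.1.0.9"},
    ])
    us = RegionStore("us-east", [
        {"user": "alice", "event": "login_failed", "src": "10.2.0.7"},
        {"user": "carol", "event": "login_failed", "src": "10.2.0.8"},
        {"user": "carol", "event": "login_failed", "src": "10.2.0.8"},
    ])
    return [eu, us]


def run_example():
    """Return (merged counts, bytes held in regions, bytes that actually left)."""
    regions = build_regions()
    coord = Coordinator(regions)
    totals = coord.federated_query(failed_logins_per_user, merge_counters)
    raw_bytes = sum(len(repr(r.events).encode()) for r in regions)
    egressed = sum(r.bytes_egressed for r in regions)
    return dict(totals), raw_bytes, egressed


def leak_is_blocked():
    """A question that returns the raw events is refused at the region boundary."""
    coord = Coordinator(build_regions())
    try:
        coord.federated_query(lambda events: events, merge_counters)
    except ResidencyViolation:
        return True
    return False


if __name__ == "__main__":
    totals, raw_bytes, egressed = run_example()
    print(f"failed logins per user: {totals}")
    print(f"raw bytes held in regions: {raw_bytes}, bytes egressed: {egressed}")
    print(f"raw export blocked: {leak_is_blocked()}")
```

The aggregate-only check at the region boundary is the part worth copying: the residency guarantee has to be enforced where the data lives, not trusted to the coordinator that asks the question.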
Meet the customers – and data – where they are
Nichols highlights Elastic Security capabilities such as Attack Discovery, which acts like a virtual SOC analyst: it correlates alerts, attack paths and enterprise knowledge with RAG-based context (for example, data on user behaviour or firewall configuration), and the Elastic AI Assistant pulls that context together to summarise findings and recommend next steps.
Its approach to data ingestion is as agnostic as its approach to LLMs: it offers 400+ out-of-the-box integrations for popular data sources via syslog, APIs, files, cloud object storage such as S3 and Azure Blob, custom Elastic Agent or Logstash configurations, and even integrations with third-party EDR vendors.
Nichols concludes by saying with palpable conviction that “we've always been a company that meets our customers where they are. We have community Slack channels, we have direct relationships – we try to avoid the ‘you have to go to support, you have to go to your account team’ approach,” he says.
“People have my phone number. I get text messages from our customers. They have direct Slack lines to us if we can speak to our customers as much as possible. And even in GitHub, we have our detection logic, our models and so on and we're getting comments there as well, getting direct access to our customers, getting their direct feedback and not having it be varnished or changed or modified by anybody else. I think that is what makes us special.”
Delivered in partnership with Elastic Security