State of the SOC 2025: Key Findings and Threat Landscape Shifts
This episode unpacks N-able's State of the SOC report covering December 2024 through February 2025, revealing critical trends in the threat landscape. During this three-month window, the SOC processed nearly 500,000 alerts, escalating 83,000 as security issues requiring action. Of these, 2,684 were ransomware cases, and the team conducted nearly 1,000 incident response bridges. The data reveals a significant shift in attack vectors: cloud-based attacks now represent 44% of all threats, up from 30% the previous year, while endpoint attacks account for 56%. This shift reflects the industry's rapid cloud adoption and the challenges of protecting distributed, remote workforces. The report also documents an alarming 8-minute fastest breakout time—the speed at which an attacker moved laterally from one compromised endpoint to another—underscoring the critical need for rapid detection and response capabilities.
AI-Augmented SOC Operations and the Human-Machine Balance
The hosts explore how artificial intelligence is fundamentally reshaping security operations, with N-able achieving a 70% automation rate where AI handles initial triage and investigation, leaving 30% for human analysts to address complex cases. Will Ledesma shares a compelling case study from two years ago where a senior analyst spent 60 minutes manually identifying 10 indicators of compromise during an active incident. When the same data was processed by their AI system, it returned the same 10 IOCs plus three additional ones—two of which proved malicious—in just 10 seconds. This 360x speed improvement demonstrates AI's role in augmenting analyst capabilities rather than replacing them. The discussion emphasizes that AI drives conviction faster by identifying anomalies and patterns, but human judgment remains essential for final determination and complex threat hunting. The team reports increasing threat hunts 153-fold since implementing AI augmentation, allowing analysts to focus on sophisticated investigations while automation handles routine escalations.
The Human Factor: Fear-Based Attacks and Organizational Resistance
Beyond technical threats, the episode examines psychological and organizational challenges in cybersecurity. The hosts discuss a recent "art of fear" attack where threat actors used open-source intelligence to create convincing fake screenshots suggesting they had breached an organization, triggering panic without actually compromising any systems. This social engineering tactic exploits emotional responses and organizational fear to create disruption. The conversation also addresses "Layer 8" problems—human resistance to security measures that cause operational disruption. Will and Hilda emphasize that effective security requires organizational acceptance of temporary disruptions for proactive threat containment, comparing it to taking a car in for tire repair. They note that hybrid environments present particular challenges, such as identity synchronization issues where disabling a compromised account in Azure has no effect if the on-premises Active Directory remains the source of truth and simply re-enables it during the next sync cycle.
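The hybrid identity problem described above has a concrete containment sequence: disable the account where it is authoritative (on-prem AD), push the change to the cloud rather than waiting for the next scheduled cycle, confirm the cloud object actually flipped, and revoke existing tokens because a disabled account does not invalidate sessions already issued. The following is an added PowerShell example, not code from the episode or from N-able; it assumes the ActiveDirectory, ADSync and Microsoft.Graph modules are installed, that it runs on the Entra Connect sync server, and the account name and UPN suffix are placeholders.

```powershell
# Added example (not from the episode or N-able): contain a compromised user in a
# hybrid tenant where on-prem AD is the source of truth. Disabling only in the
# cloud is undone on the next sync, so the disable must originate in AD.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,    # placeholder, e.g. 'jdoe'
    [string] $Upn = "$SamAccountName@contoso.example"  # placeholder UPN suffix
)

Import-Module ActiveDirectory
Import-Module ADSync                      # present on the Entra Connect server
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# 1. Disable at the source of truth and reset the password so cached or
#    replayed on-prem credentials stop working as well.
Disable-ADAccount -Identity $SamAccountName
$chars  = [char[]](33..126)
$newPwd = (-join ((1..32) | ForEach-Object { $chars | Get-Random })) |
          ConvertTo-SecureString -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -NewPassword $newPwd -Reset

# 2. Push the change to Entra ID now instead of waiting for the scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta

# 3. Verify the cloud object flipped; a delta cycle can take a minute or two.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 15
    $cloudUser = Get-MgUser -UserId $Upn -Property AccountEnabled,OnPremisesSyncEnabled
} while ($cloudUser.AccountEnabled -and (Get-Date) -lt $deadline)

if ($cloudUser.AccountEnabled) {
    throw "Cloud account $Upn still enabled after delta sync; check the ADSync connector"
}

# 4. Disabling does not kill tokens already issued; revoke sessions so refresh
#    tokens are invalidated and the attacker cannot ride an existing login.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Contained $Upn: AD disabled, password reset, synced, sessions revoked."
```

If the account is cloud-only (`OnPremisesSyncEnabled` is null or false), the AD steps do not apply and the disable should be done directly with `Update-MgUser -AccountEnabled:$false` instead.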