Illumio’s Raghu Nandakumara says that emergency medicine developed out of a pressing need for swift care. He argues that cybersecurity is at a similar inflection point.
Anyone who has spent time in a hospital accident and emergency department knows how quickly pressure mounts for medical personnel. A crowded waiting room, a queue of patients and only minutes to decide who needs urgent care.
When triage goes wrong – a misdiagnosis, a missed symptom or a backlog that leaves patients untreated – the consequences can be devastating. While most cyber incidents aren’t so life-and-death, security operations centre (SOC) personnel are also dealing with a continuous string of incoming crises.
Instead of broken bones or illnesses, analysts contend with ransomware alerts, suspicious logins and subtle signs that may mean a serious attack is brewing. Yet too often, they are forced to make critical decisions with incomplete information, risking wasted effort, analyst burnout and attackers slipping through unnoticed.
The cost of poor triage in SOCs
A&E and SOC teams are both under pressure to make snap decisions that can have serious consequences. In the emergency room, patients are seen by an escalating level of practitioners, bringing more tests and expertise as required.
A SOC follows a similar path. A typical process begins with alert intake: events enter the monitoring system and are handled by level one analysts. Next, level two analysts determine urgency and carry out further investigation, such as reviewing packet captures, for threats that have been escalated. Finally, the investigation may call in specialists in particular fields such as identity or network security.
SOC teams acting too quickly can risk shutting down a business-critical system based on a false positive. Acting too slowly gives attackers more time to move laterally and establish a foothold. Just as a missed symptom can lead to health complications down the line, misjudging or overlooking an alert could contribute to a breach that doesn’t surface until weeks or months later.
But a critical difference is that while emergency healthcare workers are usually equipped to discover the critical information they need, security analysts are often forced to make calls with only fragments of the full picture. A network anomaly here, an identity warning there, but no joined-up view.
The result is uncertainty and hesitation, with SOC teams left chasing noisy alerts that lead nowhere, and reluctant to act on hunches that may lead to a disruptive shutdown with greater impact than any attack.
Why SOCs need context, not just data
Reviewing an incident report, it can be easy to forget that behind every SOC screen is a person making judgment calls under relentless pressure. Teams on average face more than 2,000 alerts per day, the equivalent of one alert every 42 seconds. Most of these will be low value or repetitive.
Sorting signal from noise becomes exhausting, and the constant fear of missing the one alert that really matters takes its toll. When stretched too thin, even the most skilled professionals make mistakes.
The inevitable outcome is analyst burnout, high turnover and a weakened ability to respond effectively when a real crisis strikes. Without better triage systems, SOCs risk exhausting their frontline defenders before a genuine emergency situation even arises.
Fragmented data is one of the most common causes here. Today’s SOCs ingest logs, alerts and telemetry from every corner of the IT estate, but access to more data is not the same as clarity of vision, and without correlation, those signals remain fragments of a story. It’s like an A&E team trying to decide on a complete course of treatment with nothing but a handful of symptoms: no scans, no history, no test results.
How to start building the patient record for SOCs
In medicine, fast and accurate treatment depends on seeing the whole patient. Doctors don’t just rely on symptoms; they also consider a patient’s medical history, vital signs, lab results and scans. Every data point provides context for an informed decision.
Security teams spend an average of 14.1 hours per week chasing false positives, so they need the same clarity to succeed. One of the most effective ways to provide this context is with a graph-based model.
Rather than treating each alert in isolation, a graph maps the relationships between systems, users and data flows. It demonstrates how a compromised service account can provide an attacker with a path to a sensitive database, or how a seemingly unimportant misconfigured workload can expose an entire cloud environment.
This means that analysts don’t have to sift through fragments of information, but can quickly see a connected story. Just as a cardiologist can only diagnose accurately when multiple test results align, SOC analysts gain confidence when they see how individual alerts fit together. A graph model becomes the patient record for the digital enterprise, providing a resource that is layered, context-rich and ready for action.
The critical role of AI in managing raw threat data
Security graphs have been around for a few years, and while powerful, they still have their limits. Those limits are particularly evident in a large organisation, where the graph may contain thousands of nodes and connections, each representing a potential risk, far more than an analyst can reason about by hand. This is where AI makes a difference.
The speed and accuracy of AI mean graphs can be enriched with real-time context. An AI system can flag that a low-level alert at 3am is linked to a seemingly unrelated set of unusual user behaviour, instantly elevating its priority.
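The two ideas above, a graph that maps who can reach what and a scoring step that lifts a low-level alert when it sits on a path to sensitive data alongside other alerts, can be shown in a few dozen lines. The following is an added illustration, not code from this article or from Illumio; the entity names, edges, alerts and scoring weights are all constructed for the example, and the scoring rule (base severity, plus a bonus for a path to a crown jewel, plus a bonus per corroborating alert on that path) is a simple stand-in for whatever a real product would use.

```python
"""Constructed example: triaging alerts by attack-path context rather than
by alert severity alone. Nodes are users, service accounts, hosts and data
stores; a directed edge means the source can authenticate to, run on, or read
the target. Every name, edge and alert below is made up for illustration."""
from collections import defaultdict, deque

# Constructed relationships (who can reach what). Not a real environment.
EDGES = [
    ("svc-backup", "db-customers"),   # service account can read the customer DB
    ("web-01", "svc-backup"),         # a token for svc-backup lives on web-01
    ("alice", "web-01"),              # alice administers web-01
    ("bob", "jumphost"),              # bob can reach a jumphost...
    ("jumphost", "build-agent"),      # ...which only reaches a build agent
    ("build-agent", "artifact-store"),
]

# High-value assets: reaching one of these is the outcome we most want to prevent.
CROWN_JEWELS = {"db-customers"}

# Constructed alerts, roughly as a SIEM might emit them. 'entity' is the graph node each is about.
ALERTS = [
    {"id": 1, "time": "03:02", "entity": "web-01", "severity": "low",
     "summary": "outbound connection to rarely seen external IP"},
    {"id": 2, "time": "03:05", "entity": "alice", "severity": "low",
     "summary": "successful login from a new country"},
    {"id": 3, "time": "03:07", "entity": "svc-backup", "severity": "medium",
     "summary": "service account authenticated from a workstation subnet"},
    {"id": 4, "time": "11:40", "entity": "bob", "severity": "high",
     "summary": "EDR: suspicious PowerShell on bob's laptop"},
]

# Base weights for the SIEM's own severity label (assumed values).
SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 5}


def build_graph(edges):
    """Adjacency map: source node -> set of nodes it can reach directly."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def shortest_path(graph, start, targets):
    """Breadth-first search from start; returns the first path (list of nodes)
    that reaches any node in targets, or None if no such path exists."""
    if start in targets:
        return [start]
    seen = {start}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in graph.get(path[-1], ()):
            if nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt in targets:
                return new_path
            seen.add(nxt)
            queue.append(new_path)
    return None


def triage(alerts, edges, crown_jewels):
    """Score each alert: base severity, +5 if the alerted entity has a path to a
    crown jewel, and +2 for every other alert whose entity lies on that path
    (a corroborating signal). Returns alerts sorted highest score first."""
    graph = build_graph(edges)
    results = []
    for alert in alerts:
        path = shortest_path(graph, alert["entity"], crown_jewels)
        score = SEVERITY_SCORE[alert["severity"]]
        corroborating = []
        if path:
            score += 5
            corroborating = [other["id"] for other in alerts
                             if other["id"] != alert["id"] and other["entity"] in path]
            score += 2 * len(corroborating)
        results.append({"id": alert["id"], "entity": alert["entity"], "score": score,
                        "path": path, "corroborated_by": corroborating})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(ALERTS, EDGES, CROWN_JEWELS):
        print(row["score"], row["entity"], "->", row["path"], "corroborated by", row["corroborated_by"])
```

Run on the constructed data, the "high" EDR alert on bob drops to the bottom of the queue because nothing bob can reach leads to the customer database, while the "low" 3am login on alice rises to the top: alice administers web-01, web-01 holds a token for svc-backup, svc-backup can read db-customers, and two other alerts that night land on exactly that path. That is the shift from ranking by severity label to ranking by where an alert sits in the connected story.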
As enticing as AI has become to the industry, however, it’s essential to recognise that it doesn’t replace human judgment; it supports it. Analyst experience still decides what action to take, but with AI-enriched security graphs, analysts can make faster, more confident decisions, reducing stress and ensuring critical threats are contained before they spiral into crises.
Emergency medicine evolved because it had to, and triage systems have adapted as pressure on resources grew. Cybersecurity is now at the same point. SOCs cannot survive by chasing alerts in isolation. They need context, speed and confidence. AI-powered graph models provide that shift, turning firefighting into proactive defence. The future of defence won’t be built on more alerts, but on better decisions.
Raghu Nandakumara is VP of industry strategy at Illumio, a company that specialises in ransomware and breach containment.