If you believe all the vendor ads out there, AI tools built to boost your company’s security operations center (SOC) today are going to solve all your ornery IT security problems, do everything you ask of them without any hassles, bring world peace, and end global hunger.
At least that’s the rosy picture being painted by technology vendors. Enterprises are allegedly adopting, deploying, and instantly getting to work solving a wide range of SOC challenges while using the marvels of agentic AI to help manage their cybersecurity risks.
If only it were that easy.
Instead, many enterprises are learning every day that bringing agentic AI into their SOCs is not really a simple drop-in install. IT leaders are finding that many AI tools built for the SOC look impressive under controlled conditions, but those conditions are quite different in the real world.
Chief information security officers know from experience that most enterprise security environments are a complex tangle of disconnected data, tools, and security teams spread over isolated pockets in the cloud, on-premises, or across hybrid infrastructures.
That complexity is a huge part of the problem of making AI work effectively in the SOC. When security tools collect data from networks, endpoints, and applications, but that data is wrong, outdated, or siloed in disconnected storage systems and locations, any insights built on top of it are also flawed.
This is the core reason AI continues to underperform in production IT security environments: the models are only as good as the data they can see and access across a company’s infrastructure. The problem is that today, most organizations are asking AI to work half-blind within their infrastructures, which adds to AI security concerns rather than reducing them.
So, what is needed?
The answer isn’t to deploy yet another new security tool. Instead, it is to provide critical “data unification”: bringing an enterprise’s security data together and giving it structure, so that AI can work across all of it and receive that data in an organized, accurate, and fully informed way.
Darren LaCasse, director of information security at Elastic, the Search AI Company, tells The New Stack about this misconception.
“One of the things we often hear when I talk with customers is they want to go from zero to AI immediately, and it doesn’t work that way,” LaCasse says. “There’s a lot of work that must happen at the foundational layer of bringing data together so it’s connected and available to your AI system of choice. And then you still need processes and practices that you want to use. I think about this as you need to ‘crawl, walk, run.’”
For enterprises, small to large, this is where the “promises” of easy-to-use AI fall apart. This is where AI is being stalled by the huge disconnect from a company’s data.
“You can’t direct your agents to do what you want for your company without explicitly defining what they should be doing,” explains LaCasse. “If you don’t outline the processes ahead of time or define where the data is for different things, then you’re not indicating to the model what’s important. Without this information, you’re setting yourself up for failure because you’ll either see nothing of value or get complete nonsense back and not trust the system. Then where are you?”
How Elastic helps in the SOC
To address these progress-sapping disconnections, Elastic enables enterprises to control and manage their entire ecosystem, from ingesting data to presenting it to the AI layer. Using Elastic, enterprise security teams can now help their companies provide real data unification that finally enables and delivers the promise of AI.
“If you use Elastic Agent Builder or one of our ingestion mechanisms, the data is normalized in a way that out-of-the-box AI agents already understand,” said LaCasse. “Data unification means making all your data accessible through a single interface—regardless of where it lives or which platform it comes from, including Azure, Google Cloud, or AWS.”
In addition, because Elastic’s agents are built to work with the platform’s detection engine, data, and schemas, users get integrated, powerful AI-driven security monitoring, enterprise SOC security analytics, and holistic management.
“The agents already know about all the documentation behind every field, every detection rule that’s associated with those log sources, whether you have them on or off, and that context is instantly available,” he said. “The thing that’s still missing is the organizational context, which Elastic helps to bring in. This ensures that the data you use for security monitoring, alerting, and triage is consistent. The agents that we provide out of the box already know how to use that Elastic data documentation, then you provide it with other needed documentation.”
How AI makes enterprise SOCs safer
As AI use continues to grow among both enterprises and cybercriminals, agentic AI strategies and deployments in SOCs are no longer optional for businesses that want to stay ahead of AI-driven cybersecurity risks and IT security chaos.
“The biggest benefit is that humans are busy and distractible, while AI agents are disciplined and consistent in the data,” said LaCasse. “They bring to the table the steps they take every time in the format that they present back to the system, and ultimately to the humans. This results in Elastic being able to define and derive better insights about what’s happening in our environment and driving control changes that will ultimately make enterprise SOCs safer.”
For enterprises, this means first building a solid foundation, then training their AI agents to fully understand their businesses and operations. Next, they can deliver that quality, unified security data to the agent, along with the required processes and the expectations they have for the task. By tying it all together step by step, the agent can deliver the expected results without generic, unusable answers.
For teams looking to improve their cybersecurity posture in the age of AI, Elastic’s approach to data unification is key to maximizing AI’s value and bridging the gap between what they’re seeing and what’s possible in a live environment.