Harnessing the power of AI-driven XDR

Issue 4 2022 Information Security

Many security professionals believe they’re going to start seeing an uptick in AI-assisted attacks at some point in the near future. According to AIMultiple, 90% of infosec personnel in the U.S. and Japan said they’re anticipating an increase in these automated attack campaigns, due in no small part to the public availability of AI research, which attackers are exploiting for their malicious purposes.


Yossi Naar.

How attackers are abusing AI

The findings from AIMultiple’s survey raise an important question: how might digital attackers use AI for their nefarious ends? Let’s look at two applications. First, attackers can use AI to increase the effectiveness of their operations. Time and again there are examples of AI helping threat actors to create more convincing video and emails, leading to more clicks by targets.

Attackers can also use AI to help evade detection and bypass traditional security solutions. AIMultiple specifically noted that the use of deepfakes in attacks can allow threat actors to evade biometric security solutions, fly under the radar of social network protections, and ultimately gain access to a target’s corporate data.

Second, malicious actors can use AI to identify potential opportunities for attack in the reconnaissance phase. Because of the amount of data intelligent systems can collect and analyse autonomously, AI-powered tools provide attackers with a means for identifying vulnerabilities in a target’s networks, devices and applications at scale, sometimes before security pros know about them.

In the absence of real-time monitoring solutions, they might then be able to move laterally across the network, exfiltrate sensitive information, and increase the overall damage from the attack beyond what they could do without AI capabilities. AI can allow attackers to automate these processes in target selection and in customising the attack sequence based on the specifics of a target’s network makeup by determining items like operating systems in use, detecting sandboxing and other defensive tactics, and in determining the right payload to deliver.

Fighting AI with AI

In response to these nefarious use cases for attackers, organisations can fight AI abuse with AI-driven solutions to protect their systems and data from automated attacks, but traditional security solutions that rely on manual triage and investigation simply won’t cut it.

Take Security Information and Event Management (SIEM) as an example. These tools can help organisations to centralise threat information across their environments. However, SIEMs tend to generate large volumes of alerts and false positives that waste security professionals’ time and contribute to alert fatigue.

It’s one thing if SIEMs could help those personnel to address all those alerts, but they don’t. They simply point out potential threats that will require human investigation to find correlations between the alerts generated to determine if there is an actual threat, and then mount a manual response.

Consequently, security teams need to rely on manual processes to figure out what’s going on across their environments, where attackers are moving at machine speed by leveraging automation in the early stages of the attack – all of which puts defenders at a great disadvantage.

Endpoint Detection and Response (EDR) solutions are essential to defending endpoints that make up a significant portion of an organisation’s attack surface, but they similarly suffer from shortcomings. While EDR is significantly better at picking up on advanced threats than traditional antivirus and antimalware solutions, many attackers have evolved their campaigns beyond just targeting the endpoint, or have designed their operations to minimise endpoint activity, rendering EDR ineffective. EDR also lacks the ability to correlate endpoint detections with telemetry from non-endpoint assets like application suites, user personas and cloud workloads.

AI-powered XDR

Fortunately, organisations don’t need to settle for incomplete solutions like SIEMs and EDR. They can choose to go with an AI-driven Extended Detection and Response (XDR) solution. AI-driven XDR extends continuous threat detection and monitoring, along with automated response beyond endpoints, to provide deeply contextual correlations with telemetry from applications, identity and access tools, containerised cloud workloads, and more.

AI-driven XDR also ingests threat intelligence streams to allow organisations to defend against known attacks and uses AI and machine learning (ML) to automatically correlate telemetry from across these different assets to deliver the complete attack story in real-time. This functionality frees security analysts from needing to triage every generated alert, enabling them to address actual threats faster.

Many organisations are turning to tools powered by AI and machine learning (ML) to allow their teams to automate triage, investigation, and remediation efforts at scale. Over half (52%) of executives at U.S. companies told PwC that they had accelerated their AI/ML adoption plans, and even more (86%) said that AI/ML would be a “mainstream technology” in their environments by the end of 2021.

What’s more, AI/ML can enable security teams to cut through the noise produced by a constant flood of threat alerts, allowing security professionals to spend less time sifting through alerts and chasing false positives and more time working to improve the organisation's overall security posture.

AI/ML technologies excel at analysing large-scale data sets with a high degree of accuracy to identify suspicious events at a speed and volume that manual human analysis can never match. The advantage here is in automating the detection of events that previously required human analysis and in relieving security teams of the tedious task of sorting the signal from the noise.

AI-driven XDR also leverages behavioural analytics and Indicators of Behaviour (IOBs) to provide a more in-depth perspective on how attackers actually conduct their campaigns. This operation-centric approach is far superior at detecting attacks earlier, especially highly targeted attacks that employ never before seen tools and tactics that evade traditional endpoint security software.

Finding one component of an attack via chains of potentially malicious behaviour allows defenders to see the entire operation from root cause across every impacted user, device and application. This is where AI-driven XDR is essential to automatically correlating data at a rate of millions of events per second versus analysts manually querying data to validate individual alerts over the course of several hours or even days.

Such visibility enables security teams to respond to an event before it becomes a major security issue and introduce measures designed to increase the burden on attackers going forward.

The application of AI is not a silver bullet, and for the foreseeable future there will undoubtedly need to be a blend of humans and AI-driven solutions working together. Nonetheless, AI will enhance the efficiency of every member of the security team and amplify the efficacy of the entire security stack.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...
Are AI agents a game-changer?
Information Security
While AI-powered chatbots have been around for a while, AI agents go beyond simple assistants, functioning as self-learning digital operatives that plan, execute, and adapt in real time. These advancements do not just enhance cybercriminal tactics, they may fundamentally change the battlefield.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.