As AI continues to evolve, businesses are rapidly integrating it into their operations. But with this growth comes an urgent need to prioritise cybersecurity because ignoring security risks in an AI-driven landscape can leave businesses vulnerable to sophisticated threats.
Cybersecurity isn’t about relying on a single tool but rather building layered defences. A strategic combination of firewalls, encryption, and advanced threat detection systems can significantly reduce cyber risks while ensuring your organisation runs smoothly.
When security is effectively managed, uncertainty is reduced, and your organisation can operate with confidence, allowing you to focus on what truly matters: scaling your business, driving innovation, and staying ahead of the competition.
This article explores key cybersecurity tools and how they work together to build a robust security strategy. Whether you’re looking to enhance your existing defences or implement new solutions, these insights will help you strengthen your organisation’s security posture.
Smarter, faster, and more dangerous
Cybersecurity is no longer just an IT concern, but rather a boardroom priority. AI-driven cyber threats are no longer limited to generic phishing emails or outdated malware: today’s attacks are smarter, more precise, and alarmingly convincing.
In 2023, Darktrace reported a staggering 135% increase in social engineering attacks. These aren’t just your average phishing attempts: they’re highly targeted, AI-generated, and built to exploit human trust. Tools like WormGPT and FraudGPT are being used by attackers to create realistic, personalised, and highly deceptive campaigns that can slip past traditional security filters.
I’ve seen emails that perfectly mimic legitimate correspondence, right down to the sender’s domain and writing style, designed to fool recipients into clicking malicious links. I know many of us have encountered that moment when something about an email just doesn’t feel right.
It’s no longer enough to rely on human intuition or traditional security measures. We need AI-powered defences that evolve as fast as the threats themselves.
Intrusion Detection Systems (IDS) as your early warning system
An Intrusion Detection System (IDS) is a non-negotiable part of modern cybersecurity. Without it, you’re leaving your organisation vulnerable to stealthy threats that can infiltrate and wreak havoc before you even realise it.
Many companies only discover data breaches after significant damage has already been done, which is a costly and entirely preventable situation. An IDS helps to detect suspicious behaviour in real time, allowing teams to respond before threats escalate.
For organisations that don’t self-host and have no on-premises networks or physical servers to monitor, Cloud-Native IDS solutions provided by AWS, Azure, and Google Cloud, or by third-party security vendors, are the alternative. Some examples of Cloud-Native IDS solutions include:
- AWS GuardDuty – Monitors AWS accounts, workloads, and network traffic for threats.
- Microsoft Defender for Cloud – Provides security alerts for Azure-based infrastructure.
- Google Cloud IDS – Detects malicious activity within Google Cloud environments.
- CrowdStrike Falcon & Palo Alto Prisma Cloud – Offer cloud-specific IDS capabilities for SaaS and multi-cloud environments.
For SaaS security and API monitoring, Cloud Access Security Brokers (CASBs) like Microsoft Defender CASB and Netskope play a crucial role in identifying and flagging suspicious activity in fully remote and hybrid environments.
These tools maintain a comprehensive audit trail of user actions across an organisation, enabling IT security teams to investigate and respond to potential breaches.
Additionally, CASBs are particularly effective in hybrid and remote work environments, offering full visibility into user activity, from logins to file transfers and other movements within the network. Example architecture:

OAuth applications have become a prime target for cybercriminals. They exploit users’ trust, tricking them into granting an app access to corporate accounts, often without a second thought. Many organisations rely on OAuth to log into websites using their company Google accounts, for example. Once access is granted, these apps can tap into everything from employee Google Calendars and LinkedIn accounts to project management tools, GitHub repositories, and more.
By leveraging AI and machine learning, CASBs can also monitor which OAuth apps are genuinely authorised within the organisation, giving IT security teams the power to set policies that automatically block risky access attempts.
Beyond just access control, CASBs also add another layer of security to cloud storage which makes them an essential defence mechanism in today’s digital workplace.
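As an added illustration of the OAuth policy a CASB can enforce (example code written for this article, not any vendor’s product), the check below takes consent-grant events from an audit trail and decides whether to allow, block, or queue each app for review; the app IDs, scope names, and events are all constructed.

```python
from dataclasses import dataclass, field

# Hypothetical allowlist of apps the organisation has vetted (client_id -> name).
APPROVED_APPS = {"app-calendar-sync": "Calendar Sync", "app-ci-bot": "CI Bot"}
# Scopes granting broad access to mail, files, code or the directory. Names are
# constructed in the style of provider scopes, not copied from any vendor.
HIGH_RISK_SCOPES = {"mail.readwrite", "drive.full", "repo.write", "directory.readwrite"}

@dataclass
class ConsentGrant:
    """One OAuth consent event as a CASB would see it in the audit trail."""
    user: str
    client_id: str
    app_name: str
    publisher_verified: bool
    scopes: list

@dataclass
class Decision:
    action: str  # "allow", "review" or "block"
    reasons: list = field(default_factory=list)

def evaluate_grant(grant: ConsentGrant) -> Decision:
    """Allowlist-first policy: vetted apps pass; unknown apps are judged on
    the access they ask for and whether their publisher is verified."""
    if grant.client_id in APPROVED_APPS:
        return Decision("allow", ["app on approved list"])
    reasons = ["app not on approved list"]
    risky = sorted(set(grant.scopes) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes requested: " + ", ".join(risky))
    if not grant.publisher_verified:
        reasons.append("publisher not verified")
    # Broad access or an unverified publisher: block (and revoke the token);
    # an unknown app with narrow scopes is queued for the security team.
    if risky or not grant.publisher_verified:
        return Decision("block", reasons)
    return Decision("review", reasons)

# Constructed sample consent events.
GRANTS = [
    ConsentGrant("alice", "app-calendar-sync", "Calendar Sync", True, ["calendar.read"]),
    ConsentGrant("bob", "app-x9", "Free PDF Merge", False, ["drive.full", "mail.readwrite"]),
    ConsentGrant("carol", "app-notes", "Notes Widget", True, ["profile.read"]),
]

if __name__ == "__main__":
    for g in GRANTS:
        d = evaluate_grant(g)
        print(f"{g.user:6} {g.app_name:16} -> {d.action:6} ({'; '.join(d.reasons)})")
```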
Choosing the right IDS approach
A seemingly harmless Flash Player update began spreading across corporate networks in Russia and Ukraine in 2017. Employees thought they were simply installing routine software, unknowingly opening the gates to one of the most disruptive ransomware attacks of the year: BadRabbit. Within a few hours, critical files were encrypted, operations stopped, and businesses faced a difficult choice: pay a ransom of 0.05 Bitcoin (BTC) per infected device (283 USD equivalent at the time), or lose their data.
The attack was devastating because it was highly sophisticated and slipped past traditional security measures. Signature-based detection systems failed to flag it because the malware hadn’t been seen before, so it didn’t match any known threat signatures. By the time security teams realised what was happening, the damage was done.
What if there had been another layer of defence that could have detected the unusual behaviour? Today, traditional IDS falls short because cyber threats are more dynamic than ever. Attackers constantly evolve their tactics, exploiting zero-day vulnerabilities and using AI-driven methods to bypass defences.
Relying solely on signature-based IDS is like trying to catch a criminal using only a database of known suspects: effective for repeat offenders, but useless against a new threat.
Anomaly-based IDS, on the other hand, acts like an intelligent detective, identifying suspicious patterns and behaviour. It can catch new and unknown attacks but requires ongoing fine-tuning to reduce false positives.
Each method has its strengths and limitations, which is why enterprises can no longer afford to rely on just one.
Future-proofing your security with a hybrid approach
A hybrid IDS combines the precision of signature-based detection with the adaptability of anomaly-based analysis, offering a more robust security posture. Here’s how organisations can determine the right balance:
A signature-based IDS is best suited for:
- Organisations with well-documented threats like malware and phishing.
- Security teams that rely on predefined threat intelligence due to limited resources.
- Networks with relatively predictable traffic patterns.
An anomaly-based IDS is more effective when:
- Operating in industries with high-value data, such as finance, healthcare, or government.
- Security teams have the expertise to fine-tune and manage evolving detection rules.
- Managing hybrid or cloud infrastructures with complex and dynamic network activity.
For modern enterprises, security must be both precise and adaptive, and a hybrid IDS ensures that both known and emerging threats are addressed while also improving operational efficiency. Key advantages include:
- Proactive risk management – Real-time detection of both signature-based threats and anomalous activities.
- Adaptive security for hybrid environments – Reduces attack surfaces across multi-cloud and on-premises networks.
- Regulatory compliance – Enhances security visibility to meet standards like GDPR, ISO 27001, and NIST.
- Improved SOC efficiency – Reduces false positives, allowing security teams to focus on real threats.
BadRabbit was a wake-up call, but it won’t be the last. Cybercriminals are constantly refining their techniques, and organisations that fail to adapt will always be playing catch-up. A hybrid IDS isn’t just a smart investment, but an essential step in staying ahead of the next inevitable attack.
Introducing an Intrusion Prevention System (IPS) to complement your IDS as a proactive defence
While an IDS alerts you to potential threats, an IPS takes it a step further by proactively blocking threats before they can infiltrate your network.
Equally, when the two systems complement each other and machine learning is integrated to enhance security observability, organisations are able to detect both known and unknown risks.

One great example of an organisation that uses both IDS and IPS effectively is Omada Health. A provider of digital healthcare solutions, Omada Health initially used a log-based IDS but found it inadequate given the growing complexity of threats and stringent healthcare regulations. To enhance security, they adopted Threat Stack, a host-based IPS that examined running processes and system calls for more actionable insights.
With the combination of Threat Stack’s Cloud Security Platform and managed cybersecurity services, Omada Health gained real-time intrusion detection and proactive threat prevention. The IPS automatically blocked threats as they were detected, while the IDS flagged potential risks. This dual approach allowed Omada Health to respond faster to security incidents, protecting sensitive healthcare data and ensuring compliance.
The integration also improved operational efficiency. The security team no longer had to sift through low-priority alerts, saving two to four hours of analysis time per day. This blend of IDS and IPS provided a comprehensive, AI-powered security solution, enhancing both detection and prevention capabilities while streamlining security operations.
This story illustrates how an organisation achieved a well-rounded security solution while boosting its operational efficiency. Here’s an overview of how IDS and IPS work well together:
- Detection vs. prevention: The IDS, whether signature-based or anomaly-based, monitors network traffic and system behaviour to identify threats. However, it doesn’t take action on its own. The IPS takes immediate action to block or mitigate detected threats, such as stopping malicious traffic or quarantining compromised systems.
- Improved response time: In the event of a detection, an IPS can respond faster than a purely manual security response, which might take time to assess and act. This makes it particularly useful for blocking attacks in real time, enhancing the overall efficiency of the hybrid IDS system.
- Minimising damage: While the IDS provides alerts, the IPS stops attacks from spreading, minimising potential damage. For example, if the IDS detects unusual behaviour, such as a ransomware attack beginning to encrypt files, the IPS can prevent it from executing or spreading further.
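To make the hybrid IDS from the previous section and the IDS/IPS pairing above concrete, here is an added toy implementation (written for this article, not taken from any product): a signature layer matches constructed threat-intel indicators, an anomaly layer learns a per-host baseline of outbound volume, and a simple IPS step turns each verdict into an action. The hosts, domains, and traffic records are all constructed.

```python
import statistics
from collections import defaultdict

# Signature layer: constructed threat-intel indicators, not real IoCs.
BAD_DOMAINS = {"fake-flash-update.example", "c2-beacon.example"}

class Baseline:
    """Anomaly layer: per-host history of outbound bytes per interval."""
    def __init__(self, min_samples=5, k=3.0):
        self.samples = defaultdict(list)
        self.min_samples, self.k = min_samples, k

    def learn(self, host, bytes_out):
        self.samples[host].append(bytes_out)

    def is_anomalous(self, host, bytes_out):
        hist = self.samples[host]
        if len(hist) < self.min_samples:
            return False  # not enough history to judge yet
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        return bytes_out > mean + self.k * max(sd, 1.0)

def detect(record, baseline):
    """IDS: return (alert_type, detail) or None for one traffic record."""
    if record["dst"] in BAD_DOMAINS:
        return ("signature", f"known-bad destination {record['dst']}")
    if baseline.is_anomalous(record["host"], record["bytes_out"]):
        return ("anomaly", f"{record['bytes_out']} bytes out, far above baseline")
    baseline.learn(record["host"], record["bytes_out"])  # only clean traffic trains the baseline
    return None

def ips_action(alert):
    """IPS: act on the IDS verdict instead of only alerting."""
    if alert is None:
        return "allow"
    # Known-bad traffic is dropped outright; an anomaly isolates the host for review.
    return "block" if alert[0] == "signature" else "quarantine"

def run(records):
    baseline = Baseline()
    return [ips_action(detect(r, baseline)) for r in records]

# Constructed traffic: five quiet intervals for ws01, then two suspicious ones.
RECORDS = [{"host": "ws01", "dst": "intranet.example", "bytes_out": b}
           for b in (12000, 9800, 11000, 10500, 12500)]
RECORDS += [{"host": "ws01", "dst": "fake-flash-update.example", "bytes_out": 8000},
            {"host": "ws01", "dst": "files.example", "bytes_out": 900000}]

if __name__ == "__main__":
    for r, a in zip(RECORDS, run(RECORDS)):
        print(f"{r['host']} -> {r['dst']:28} {r['bytes_out']:>7} bytes: {a}")
```

The anomaly threshold (mean plus three standard deviations over a five-sample warm-up) is the knob the text refers to when it says anomaly detection needs ongoing tuning to keep false positives down.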
Leveraging Cloud-Native Endpoint Security for fully-remote or hybrid organisational setups
If each device in your network is a potential entry point for attackers, wouldn’t you want to secure every single one? For fully remote and cloud-based businesses, traditional endpoint security isn’t enough. You need a Cloud-Native approach that scales without adding complexity or friction. Here’s how Cloud-Native Endpoint Security can enhance your network’s security:

AI plays a crucial role in distinguishing modern Endpoint protection from traditional solutions. It enables advanced protection by using models trained on vast amounts of data to predict threats accurately, particularly when enhancing defences against sophisticated attacks like fileless threats.
One standout solution is CrowdStrike Falcon. This tool is a Cloud-Native Endpoint Security platform designed for speed, efficiency, and AI-driven protection. Unlike traditional security tools, Falcon doesn’t require constant signature updates, on-premises management infrastructure, or complex integrations that slow down operations.
Instead, it leverages machine learning to analyse files, network traffic, and user behaviour, detecting and stopping threats before they cause harm.
The WannaCry ransomware attack in May 2017 disrupted businesses globally by exploiting a Windows vulnerability (MS17-010) with the EternalBlue exploit to spread and encrypt files, demanding ransom in Bitcoin.
In response, CrowdStrike Falcon was deployed to identify WannaCry’s unusual behaviour through machine learning, flagging its deviation from normal patterns. Falcon automatically isolated infected endpoints, preventing further spread, and helped organisations apply the MS17-010 patch to mitigate the vulnerability.
Additionally, deep learning algorithms in endpoint security now detect advanced threats, like polymorphic malware, which evades traditional detection methods by constantly changing its signature.
User Behaviour Analytics (UBA)
No matter how well-vetted your employees are, intentional or accidental insider threats remain an ongoing risk. Even a well-meaning employee might download unapproved software that appears harmless but ends up introducing malware into the organisation. A more serious scenario is when a departing employee with access to sensitive intellectual property takes that data to a competitor.
Traditional security measures like firewalls and Endpoint protection aren’t always equipped to detect these behaviours, especially as phishing tactics and scams become increasingly sophisticated, so this is where User Behaviour Analytics (UBA) becomes a critical layer of defence.
The strength of UBA lies in its focus on insider threats. It excels in this area through its quiet, low-profile monitoring of user behaviour within the organisation. It doesn’t only look for obvious red flags; it also establishes a baseline of normal activity, such as which files employees access, how often they log in, where they typically work from, and more.
UBA also detects subtle deviations that might go unnoticed, like accessing sensitive data at odd hours or logging in from unusual locations. It identifies these anomalies before they escalate, offering tailored security based on your organisation’s unique patterns.
Splunk UBA stands out as a promising solution, as it provides a range of detection models that deliver comprehensive security insights and advanced analytics:
- Streaming models: Process events in real time, assessing the impact of each event within a short period (e.g., 24 hours).
- Batch models: Analyse longer time windows (e.g., 30 days) to detect anomalies and trends using historical data.
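The following added example (written for this article; it is not Splunk’s or any vendor’s code) shows the two-model split in miniature: a batch step builds a per-user baseline of hours, login countries, and resources from constructed history, and a streaming step scores each new event against it so that odd-hours access from a new location to sensitive data accumulates into one alert. The users, resources, weights, and 5% hour threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed 30-day history as (user, hour_of_day, country, resource) tuples.
HISTORY = [("alice", h, "GB", "docs/roadmap.docx")
           for h in (9, 10, 11, 14, 15, 16)] * 5
HISTORY += [("alice", 13, "GB", "docs/budget.xlsx")] * 3
SENSITIVE_PREFIXES = ("hr/", "finance/")
ALERT_THRESHOLD = 4

class UserBaseline:
    """Batch model: summarise normal hours, countries and resources per user."""
    def __init__(self, history):
        self.hours = defaultdict(Counter)
        self.countries = defaultdict(Counter)
        self.resources = defaultdict(set)
        for user, hour, country, resource in history:
            self.hours[user][hour] += 1
            self.countries[user][country] += 1
            self.resources[user].add(resource)

def score_event(baseline, user, hour, country, resource):
    """Streaming model: score one new event against the baseline.
    Signals are additive, so several weak ones add up to one alert."""
    total = sum(baseline.hours[user].values())
    if total == 0:
        return 1, ["no baseline for this user"]
    score, reasons = 0, []
    if baseline.hours[user][hour] / total < 0.05:  # under 5% of past activity
        score += 2
        reasons.append(f"unusual hour {hour:02d}:00")
    if country not in baseline.countries[user]:
        score += 3
        reasons.append(f"new login country {country}")
    if resource not in baseline.resources[user]:
        score += 1
        reasons.append("resource never accessed before")
    if resource.startswith(SENSITIVE_PREFIXES):
        score += 2
        reasons.append("sensitive resource")
    return score, reasons

if __name__ == "__main__":
    base = UserBaseline(HISTORY)
    for ev in [("alice", 10, "GB", "docs/roadmap.docx"),
               ("alice", 3, "US", "hr/salaries.xlsx")]:
        s, why = score_event(base, *ev)
        verdict = "ALERT" if s >= ALERT_THRESHOLD else "ok"
        print(f"{ev} -> score {s} ({verdict}): {why}")
```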
A powerful example of AI and UBA together in action is Darktrace, which detected an active cyberattack on an energy grid just hours after its deployment. By monitoring around 5,000 devices, the AI grouped them based on behavioural similarities and quickly identified an anomaly that indicated a potential threat.
UBA’s ability to leverage AI and machine learning for real-time threat detection makes it a crucial tool in identifying insider threats and maintaining the security of an organisation’s IT infrastructure.
Security is about layering, not luck
A unified, multi-layered approach to cybersecurity, combining IDS, IPS, UBA, and Endpoint Security, creates a dynamic, adaptable defence system.
Each tool enhances the other, forming a self-learning security network that shares insights to improve detection and response. AI-powered systems take this a step further, evolving to outsmart attackers, safeguard critical data, and stay ahead of emerging threats.
Implementing AI in cybersecurity requires thoughtful investment in technology, training, and infrastructure, but the long-term benefits are clear: improved threat detection, prevention, and response, securing your organisation’s assets and reputation. To stay ahead of evolving threats, ensure your security systems evolve with technological advancements.
For expert assistance in IT security, machine learning, GenAI, data engineering, MLOps, and more, contact us.