Curious about how artificial intelligence is revolutionising our Information Security? Natascha Becker, Information Security Officer, provides insights into the world of threat detection, vulnerability analysis and automated responses. We spoke to her about why AI is both a protection and a challenge and how it supports us in cybersecurity. She explains the most important questions in our format "REWE Group Short - Experience AI".
one: How long have we been using AI in cybersecurity?
Natascha Becker: AI is actually nothing new in Information Security, but it has gained considerable presence and attention in recent years. Large amounts of data have been analysed in real time in cybersecurity since the 1980s in order to identify patterns and potential threats as quickly as possible. Today, AI is integrated into almost all threat detection systems, such as endpoint protection, security and event management systems (SIEM) or intrusion detection systems (IDS).
Endpoint protection monitors our devices and protects them against viruses, malware and other threats. A SIEM system collects and analyses information and events from various data sources in our IT infrastructure in order to detect threats at an early stage. IDS monitors data traffic in the network, among other things, and reports suspicious activities or intrusion attempts so that security experts can react quickly.
one: The German Federal Office for Information Security, BSI, writes that AI - especially LLMs, i.e. language models that have been trained with large amounts of text, such as ChatGPT - lowers the barriers to entry for cyber criminals. This leads to more capable attackers and better quality attacks. Now you say that AI protects us from precisely this threat. How does that work together?
Natascha Becker: Unfortunately, AI cannot protect us from all these threats. Especially in areas where humans are the attack vector, we are also heavily reliant on our colleagues who do their work conscientiously, are always alert to unusual incidents and also report them via the known channels. However, AI can help us to detect threats in our company network by analysing the events or activities of all systems, be they servers, firewalls, applications or similar, and recognising patterns.
An example: There are the "normal" patterns. I log in to M365 in the morning, then to Confluence and maybe to a Miro board. Now, however, my user suddenly tries to randomly log in to systems that I don't normally use in my day-to-day work. Thanks to AI, this is quickly recognised as an anomaly and reported to our experts. They then go in search of the cause. This is a very simplified example, but it illustrates what is analysed on a large scale day and night, 365 days a year in our IT infrastructure. What are normal patterns and what deviates from this pattern and can potentially be a threat?
While AI lowers the barrier to entry for cybercriminals and therefore poses a serious threat, it is also a technology that helps us in Information Security to defend against such attacks.
New technologies can change the rules of the game in the attacker vs. defender dynamic and you have to learn to use the new technologies to your advantage in order to be able to defend yourself against new attack techniques.
one: What would be typical examples of threat detection? And why would an AI system be superior to a traditional system?
Natascha Becker: As AI systems are able to identify patterns independently, new or less familiar attack patterns in particular can be recognised more reliably with AI. This distinguishes them from traditional and often older threat detection systems, which to a certain extent have to be told what to look for.
one: What exactly would an automated response look like? And would that be a desirable scenario?
Natascha Becker: One possibility, for example, is to automatically isolate systems when corresponding threat scenarios are recognised. Of course, humans must first check whether this isolation has an impact on business operations. If this is the case, an assessment must be made as to whether these effects are acceptable in order to avoid a potentially greater risk.
one: Let's move on to the next area of application: vulnerability analysis. We keep hearing about gateways that remain undetected for a long time, even in widely used applications such as Microsoft. Could this be prevented in future with AI?
Natascha Becker: Speed is crucial in IT security. AI-supported vulnerability analyses can speed up the process of identifying vulnerabilities by using them to analyse code in real time, for example. Incidentally, when used correctly, the number of false warnings or all-clears can also be reduced, thereby improving accuracy.
one: But that also brings us to the challenges of AI in the context of IT security.
Natascha Becker: Yes, AI makes it easier for attackers to create credible phishing emails, for example, or can help cyber criminals to write simple malicious code. But it also helps us to expose these tricks more quickly. In this respect, it is basically a weapon and a defence tool in one.
However, AI also brings its own challenges - especially when it comes to ensuring Information Security for the company when using AI. A key problem is that AI systems often function like a "black box": it is difficult to understand how exactly they process information. For experts responsible for data security, it is therefore much more difficult to assess how secure our information is once it has been processed by an AI - compared to conventional software, whose workings are generally easier to understand.
In my view, however, the easier access to information is a major advantage. Sure, AI chatbots make mistakes and sometimes generate incorrect information, which is a challenge. But they also enable us to acquire knowledge. Similar to the internet in the 90s, AI, if used correctly, offers a good first step to getting the right information more quickly and finding your way around the large collection of knowledge on the internet or the REWE Group.