AI in cyber security is both an everyday tool and the subject of hype. For years, cyber security teams have worked with tools from the AI toolkit – for example in anomaly detection of user and network behavior, in behavior-based endpoint solutions and in email security. What is genuinely new is the visibility of large language models, which simplify documentation, scripting and integration tasks.
However, the central message from practice remains sober: the bottleneck is rarely insufficient AI, but often inadequate architecture, unclear processes and lack of risk transparency. AI accelerates, prioritizes and makes visible – but it replaces neither clean design nor traceable governance and accountability.
Where AI Creates Value
AI most effectively delivers value where it learns patterns and detects deviations from normal conditions. In Security Information and Event Management (SIEM) and Managed Detection and Response (MDR) environments, User and Entity Behavior Analytics (UEBA) uncover irregularities in log and network traffic that would remain invisible with signature-based approaches – for instance, when an administrator suddenly logs in from an unfamiliar source and new accounts are created in parallel.
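The scenario above, an administrator logging in from a source never seen before and creating accounts shortly afterwards, is the kind of correlation a UEBA engine performs. The following is an added example, not code from the article or from any vendor product: it learns a per-user baseline of login sources from constructed log lines, flags an unfamiliar admin login, and escalates when account creation follows within a configurable window. The log format, the account names and the addresses are all constructed for illustration.

```python
# Added example: minimal UEBA-style correlation over constructed log lines. Learns which
# sources each user normally logs in from, then flags admin logins from unfamiliar sources
# and escalates when the same account creates new users within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE = """\
2024-05-01T08:02:11 LOGIN user=admin src=10.0.1.15 ok
2024-05-01T09:15:42 LOGIN user=admin src=10.0.1.15 ok
2024-05-02T08:05:03 LOGIN user=admin src=10.0.1.16 ok
2024-05-02T10:30:00 LOGIN user=alice src=10.0.2.40 ok"""
EVENTS = """\
2024-05-09T02:14:09 LOGIN user=admin src=203.0.113.77 ok
2024-05-09T02:16:30 USER_CREATE user=admin target=svc-backup2
2024-05-09T02:17:05 USER_CREATE user=admin target=helpdesk9
2024-05-09T09:00:00 LOGIN user=alice src=10.0.2.40 ok"""

def parse(text):
    """Parse constructed 'timestamp ACTION key=value ...' lines into dicts."""
    out = []
    for line in text.splitlines():
        ts, action, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "action": action}
        rec.update(f.split("=", 1) for f in fields if "=" in f)
        out.append(rec)
    return out

def build_baseline(records):
    """Learn the set of source addresses each user normally logs in from."""
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "LOGIN":
            seen[r["user"]].add(r["src"])
    return seen

def correlate(records, baseline, admins=("admin",), window=timedelta(minutes=15)):
    """Flag unfamiliar admin logins; escalate if account creation follows within the window."""
    alerts = []
    for i, r in enumerate(records):
        if r["action"] != "LOGIN" or r["user"] not in admins:
            continue
        if r["src"] in baseline[r["user"]]:
            continue  # known source for this user: normal behaviour
        created = [x["target"] for x in records[i + 1:]
                   if x["action"] == "USER_CREATE" and x["user"] == r["user"]
                   and x["ts"] - r["ts"] <= window]
        alerts.append({"user": r["user"], "src": r["src"], "created": created,
                       "severity": "high" if created else "medium"})
    return alerts

if __name__ == "__main__":
    for a in correlate(parse(EVENTS), build_baseline(parse(BASELINE))):
        print(a)
```

A real engine would use a much longer baseline period and additional features such as time of day, but the escalation logic, an unfamiliar source alone versus an unfamiliar source followed by account creation, is the same idea.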
On endpoints, behavior-based detection has become established in the EDR (Endpoint Detection and Response) space. In email security, generative and detection-oriented AI systems face each other directly: attackers create more convincing phishing emails, defenders respond with finer, language- and context-sensitive detection models.
Challenges in the SOC
The various vendor ecosystems are largely isolated from one another with respect to AI and lack interoperability. Fortinet harmonizes with Fortinet, Palo Alto with Palo Alto. This increasingly presents IT managers with challenges. End-to-end correlation across tool boundaries requires integration into a Security Operations Center (SOC), clean data models and playbooks for Security Orchestration, Automation and Response (SOAR) – work that is neither automated away nor completely standardized by the market. SOAR tools are typically deployed in a SOC and attempt to connect to the interfaces of as many potential information sources as possible. The goal is to gather information and automate its processing so that analysts obtain a holistic view.
Best-of-Breed versus Platform
Many organizations are considering consolidation on a few vendors and their platforms to reduce complexity as well as contractual and data protection overhead. In practice, best-of-breed remains relevant because hardly any vendor excels in every discipline. The result is a tension: choosing a platform benefits from tighter integration but risks technical compromises and lock-in effects. Choosing best-of-breed retains best-in-class solutions but carries integration overhead – from APIs and data pipelines to SOAR playbooks.
Costs are an often underestimated factor. Cloud SIEMs, for example, appear attractive and usually offer good performance, but can become expensive due to required log retention, ingest fees – charges on the volume of imported data – and data exports. Alternatives such as dedicated UEBA/anomaly engines or hybrid systems can sometimes better balance Total Cost of Ownership (TCO) and compliance requirements – depending on data flow, required retention periods and regulatory obligations. Regardless of approach, the rule is: manage expectations realistically, factor in switching costs, and identify visibility gaps outside the respective ecosystem.
AI Is No Panacea
Artificial intelligence makes anomalies visible but does not cure a poor starting position. In practice, security managers often encounter poorly segmented networks, incompletely implemented security solutions, a lack of knowledge about business-critical applications, and undefined responsibilities and processes. One example: the desire for a 24/7 SOC without accessible decision-makers on weekends. Without accompanying risk and business understanding, an automated response that, for instance, locks accounts or blocks traffic can cause greater damage than the original alert would have.
Another classic is the Swiss cheese ruleset in firewalls: over the years, more and more exceptions accumulate. Machine learning can help with cleanup, identify unused or misplaced rules, and assign rules to applications. But only humans can decide who is responsible for the application and how critical it is for the company. This requires processes, documentation and responsible parties.
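Two of the checks mentioned above, unused rules and misplaced rules, can be computed mechanically; the decision about what to do with the findings cannot. The following is an added example, not code from the article or from any firewall vendor: over a constructed top-down ruleset with constructed hit counters, it reports rules that were never hit in the review period and rules that are unreachable because an earlier rule already matches everything they would match. Rule contents, addresses and hit counts are constructed for illustration.

```python
# Added example: ruleset hygiene checks over a constructed firewall ruleset.
# Rules are evaluated top-down, first match wins. A rule is "shadowed" when an earlier
# rule covers its entire source, destination and port, so it can never be reached.
from ipaddress import ip_network

RULES = [  # constructed ruleset and constructed hit counters for the review period
    {"id": 1, "src": "10.0.0.0/8",    "dst": "192.168.10.5/32", "port": "443", "action": "allow", "hits": 5210},
    {"id": 2, "src": "10.20.0.0/16",  "dst": "192.168.10.5/32", "port": "443", "action": "allow", "hits": 0},
    {"id": 3, "src": "10.30.0.0/16",  "dst": "192.168.10.9/32", "port": "22",  "action": "allow", "hits": 0},
    {"id": 4, "src": "0.0.0.0/0",     "dst": "192.168.10.9/32", "port": "22",  "action": "deny",  "hits": 17},
    {"id": 5, "src": "172.16.0.0/12", "dst": "192.168.10.9/32", "port": "22",  "action": "allow", "hits": 0},
]

def covers(upper, lower):
    """True if every packet matching `lower` would already have matched `upper`."""
    return (ip_network(lower["src"]).subnet_of(ip_network(upper["src"]))
            and ip_network(lower["dst"]).subnet_of(ip_network(upper["dst"]))
            and upper["port"] in (lower["port"], "any"))

def find_shadowed(rules):
    """Return (shadowed_id, shadowing_id) pairs for rules that can never be reached."""
    found = []
    for i, low in enumerate(rules):
        for up in rules[:i]:
            if covers(up, low):
                found.append((low["id"], up["id"]))
                break  # report the first rule that shadows it
    return found

def find_unused(rules, min_hits=1):
    """Rules whose hit counter stayed below the threshold in the review period."""
    return [r["id"] for r in rules if r["hits"] < min_hits]

if __name__ == "__main__":
    # Rule 2 is redundant with rule 1; rule 5 sits below a broader deny and is misplaced.
    print("shadowed:", find_shadowed(RULES))
    # Rule 3 is unused but not shadowed: whether it can go is a question for its owner.
    print("unused:", find_unused(RULES))
```

Rule 3 illustrates the point in the paragraph above: the tooling can show that a rule has not been hit, but only the application owner can say whether that is because it is obsolete or because the access is rare and still required.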
Conclusion: Value Emerges Through Clarity
AI delivers genuine value in cyber security when architecture, processes and responsibilities are clarified. Training and awareness of employees remain among the most important points. In many organizations, it is pragmatic not to take this path alone but to selectively engage an independent, experienced service provider. This reduces the risk of hasty tool decisions, accelerates prioritization and ensures that automation occurs within clearly defined cornerstones. The focus is not on increasing AI use, but on better interoperability. An external perspective helps identify perception gaps and leverage existing strengths – so that AI acts as an accelerator, not a risk amplifier.
About the author: Eike Trapp is Senior Security Consultant at Axians IT Security.
The authors are solely responsible for the content and accuracy of their contributions. The views presented reflect the authors’ perspectives.
ComputerWeekly.de
