The impact of AI on security

Issue 6 2025 Information Security, AI & Data Analytics

Today’s threat actors have moved away from signature-based attacks that legacy antivirus software can detect. They leverage ‘living-off-the-land’ techniques, using legitimate system tools such as PowerShell, WMI, and built-in Windows utilities to move laterally through networks. Attackers are now capable of spending days or longer in a network before detection. This is where AI has a critical role to play.


Peter Chan.

Artificial Intelligence (AI) in security systems is defined as the use of technologies such as machine learning, deep learning, and natural language processing to enhance the detection, analysis, and mitigation of security threats. It is also credited with enabling predictive threat detection and adaptive responses. Such solutions offer early detection of cyber threats on endpoint devices, including laptops, desktops, smartphones, and everything else that fits into the ‘Internet of Everything’ world.

AI is capable of identifying patterns and anomalies that indicate potential threats faster and more accurately than traditional methods. Moreover, it enables behavioural analysis of devices and users to detect anomalies that may indicate a cyber-breach that can be blocked immediately by isolating affected devices. Further benefits of AI technologies include the ability to predict and pre-empt potential future threats, as well as the capacity for continuous learning from new data, which in turn improves accuracy and effectiveness.

Efficient identification and resolution

The future is being shaped by the evolution of Endpoint Detection and Response (EDR) into Extended Detection and Response (XDR) platforms, which automate processes and enable security teams to identify and resolve cyberattacks more efficiently through AI and machine learning. These capabilities do not rely only on known signatures; they analyse behaviour across endpoints, networks, and identities to detect anomalies and stop attackers before they can fully establish themselves. AI-driven models are increasingly crucial to spotting subtle deviations that humans or traditional tools would miss.

The concept of a bad actor spending days or longer in your network may make your flesh crawl, but it is the reality behind the sophistication of cybercrime today. This is called dwell time, and it allows them to establish persistence, escalate privileges, and exfiltrate data using techniques that traditional endpoint protection simply was not designed to address.

Endpoints have become the launchpad for identity-based attacks, yet many organisations still rely on perimeter-focused security models that assume the endpoint itself is trusted. Throwing tools at the situation is an obvious choice for many businesses, but it can actually make matters worse: ‘tool proliferation’ has become a significant challenge in its own right.

The answer lies with better integration. Companies using integrated security platforms detect threats faster and reduce false positives compared to those relying on disparate point solutions.

Security is a business issue, not a technical one

Effective measurement requires focusing on business-relevant outcomes rather than tool outputs. You need to measure Mean Time to Detection (MTTD) and Mean Time to Response (MTTR) – calculating the number of days it takes to identify and contain a breach. You must also examine what percentage of your endpoints provide real-time behavioural analytics. This is crucial. What you are seeking is reduced downtime from incidents and faster recovery times.

The most mature organisations also measure security friction through employee productivity metrics. If your endpoint security is generating help desk tickets or pushing users towards shadow IT, then your strategy is counterproductive, regardless of how many threats are blocked. Your security teams must be capable of testing your endpoint strategy against real-world attack scenarios, providing practical assurance that defences actually work under pressure.

Zero Trust principles offer a framework, but implementation must be pragmatic. Cost is always a major consideration, and many organisations apply uniform policies that either over-protect low-risk endpoints (driving up costs) or under-protect critical assets. Cost optimisation comes from recognising that not all endpoints require the same level of protection.

A smarter approach is to implement adaptive authentication and conditional access policies that consider user behaviour, device posture, location, and data sensitivity. This can reduce friction, while improving protection for high-risk scenarios. The real challenge is instrumenting your environment so you understand the impact of controls on business workflows, then optimising them around actual risk.
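The adaptive policy described above, as an added worked example that is not from the article or any named vendor product: a small conditional access evaluator that scores device posture, location, data sensitivity and a behavioural anomaly signal, then returns allow, step-up MFA or block. The risk weights and thresholds are illustrative assumptions, not an industry standard.

```python
from dataclasses import dataclass

@dataclass
class AccessContext:
    device_managed: bool      # endpoint enrolled in EDR/MDM
    device_compliant: bool    # posture check passed (patched, disk encrypted, sensor running)
    location_trusted: bool    # request comes from a known corporate egress
    data_sensitivity: str     # "low", "internal" or "confidential"
    behaviour_anomaly: float  # 0.0 (normal) .. 1.0 (highly unusual), from behavioural analytics

SENSITIVITY_WEIGHT = {"low": 0, "internal": 1, "confidential": 2}

def risk_score(ctx: AccessContext) -> int:
    """Illustrative additive risk score; weights are assumptions for this example."""
    score = 0
    if not ctx.device_managed:
        score += 3            # unknown device: biggest single contributor
    elif not ctx.device_compliant:
        score += 2            # known device, but posture check failed
    if not ctx.location_trusted:
        score += 1
    score += SENSITIVITY_WEIGHT[ctx.data_sensitivity]
    score += round(ctx.behaviour_anomaly * 3)   # anomaly signal contributes 0..3
    return score

def decide(ctx: AccessContext) -> str:
    """Map context to one of: allow, step_up_mfa, block."""
    # Hard rule: confidential data is never served to an unmanaged endpoint,
    # regardless of how benign the rest of the context looks.
    if ctx.data_sensitivity == "confidential" and not ctx.device_managed:
        return "block"
    score = risk_score(ctx)
    if score <= 2:
        return "allow"        # low-risk endpoint, no extra friction
    if score <= 5:
        return "step_up_mfa"  # moderate risk: prompt for a stronger factor
    return "block"

if __name__ == "__main__":
    # Constructed sample contexts, not real telemetry
    samples = {
        "office laptop, low data": AccessContext(True, True, True, "low", 0.0),
        "office laptop, confidential, off-site": AccessContext(True, True, False, "confidential", 0.0),
        "unmanaged device, internal data": AccessContext(False, False, False, "internal", 0.2),
    }
    for name, ctx in samples.items():
        print(f"{name}: score={risk_score(ctx)} -> {decide(ctx)}")
```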

In a nutshell, if companies want to win with endpoint security, they need to stop treating it as a technical barrier and instead view it as a business capability that engenders trust, resilience, and growth.

Find out more at www.bitm.co.za


© Technews Publishing (Pty) Ltd. | All Rights Reserved.