Strengthening Network Security with AI Powered Threat Detection
October 3rd, 2025
14 min read
This session explores how artificial intelligence enhances network security through advanced threat detection. It begins by defining traditional threat detection, outlining its reliance on data collection, rule-based analysis, alerting, and correlation. Common tools such as antivirus software, intrusion detection/prevention systems, endpoint detection and response (EDR), and security information and event management (SIEM) are reviewed, with attention to their complexity and limitations. The discussion then shifts to how AI brings order by establishing personalized baselines, correlating interrelated policies, and integrating inputs from multiple sources. Key advantages include anomaly detection, improved accuracy with fewer false positives, automated response, and triage. Practical AI use cases highlight capabilities such as detecting fileless malware, identifying lateral movement, and prioritizing alerts.
Table of Contents
- Defining Standard Threat Detection
- Key Elements of Standard Threat Detection
- Common Threat Detection Tools (Antivirus, IDS/IPS, EDR, SIEM)
- How AI Brings Order: Baselines, Correlation, Multi-Source Input
- Strengthening Network Security with AI: Anomalies, Accuracy, Automated Response
Transcript
Welcome and Introductions
Hello and welcome to Strengthening Network Security with AI Powered Threat Detection. This is another one of the seminars we have been offering this week at ERP Suites as part of our AI Week. Welcome to all.
I'll go ahead and start by introducing myself. My name is Shawn me. I'm the information security officer for ERP Suites.
I have a strong security background that spans a little more time than I want to elaborate on. I also like throwing this in because I think it's important for people to be aware of its existence: I'm part of a group known as InfraGard. It is a collaboration between the FBI and the private sector. If you want more information on that, you can go out to infragard.org.
That is infragard.org.
Some interesting stuff out there, and you can learn a little bit about that collaboration.
So again, this is how we're going to be looking into AI powered threat detection.
And there we go.
Defining Standard Threat Detection
First, let's define what standard threat detection is.
So in cyber security anyway, it's the process of identifying unauthorized access, security threats or undesired activity. Now I do want to point out that undesired activity can be malicious or it could be otherwise. It could be a user that's been given too much access and they're not even realizing what they're doing in a particular system. They could be modifying something that they shouldn't be and it's not necessarily because they are intentionally trying to do that. So we want to watch out for that for non-malicious activity as well as malicious activity. So threat detection always has a negative connotation as in bad actors but I think it's important for us to make note of that.
This does require continuous monitoring and analysis of the entire IT environment.
Key Elements of Standard Threat Detection
That being said, what are some of the key elements for at least the standard threat detection? Well, we've got to be collecting data. We've got to be collecting so much data. As the little graphic up there shows, it seems like we're just getting data points all over the map because we're gathering logs and telemetry points from the entire IT environment, not just one or two systems, but the entirety.
Then we need to have analysis of that data using rule-based systems and analytics to identify suspicious activity. These are rules and policies that we put into place ourselves in these different systems.
Alerting. Another key element is to notify appropriate individuals and groups when potential threats are detected. Without this, you have to have someone sitting 24/7 looking at nothing but a screen of spanning data.
Correlation. Well, this one's very important. We're linking multiple data points to evaluate the bigger picture. And we're going to get more into this and especially how AI helps us to be able to pull that specific piece into play.
The other pieces are all part of AI empowerment. But I want us to realize these key elements of even the standard are still part of all of this.
Common Threat Detection Tools (Antivirus, IDS/IPS, EDR, SIEM)
So, as we look at the standards, what are some of the common cybersecurity threat detection tools that exist overall? We're not going to dive into the AI first. We must recognize where our issues are with the tools that we have before we really get into what advantage AI has for us. So, common cybersecurity threat tools: antivirus software. I think all of us are probably familiar with this to some degree. This is software designed to prevent, detect, and remove malicious software from computers and networks. It's signature-based most of the time. It can do some behavioral, depending, but it's a common piece of threat detection that is used pretty much across the board.
Another tool that may be in our toolbox, depending on where we're at, is either an intrusion detection system and/or an intrusion prevention system. So the reason I'm mentioning these, again, is we want to show why AI is worth our time in this arena. So as it stands right now, a detection system is a network form, if you will, of our antivirus. It is looking for malicious activity, policy violations. It's going to react to those things. An intrusion prevention system, as you can see in the graphic, is meant to actually catch it before it really gets into the network, but it's still the same general idea. We're still talking about things that have signatures and rules and policies that are defined in order for it to give us the appropriate alerts or, in the case of the prevention system, to wind up stopping that traffic. It's going to be something that may be mildly behavioral-based, but mostly it's going to be based on policies and rules and signatures.
Another common threat detection tool is endpoint detection and response. Now, this is a little more advanced because we're adding response into this. It is a technology that continuously monitors devices, specifically endpoints (laptops, mobile phones, servers, it doesn't matter) to detect and respond to malicious threats. So if we look at these key EDR functions, we see that it does some behavioral analytics. The leaders will definitely have some of this. It's meant to find actionable threat intelligence. So it should be able to automate certain security tasks, specifically isolating an endpoint if necessary. We should be able to centrally manage the threat hunting, remediation and rapid response, real-time visibility, alerting and triage. All of these things are part of a common endpoint detection and response system. Again, we are still dealing mostly with signatures and rules and policies with some behavior. We're going to find that to be a common thread in these common tools.
Now, we come to one of my all-time favorites, to tell you the truth. The tool that, if you're using this, you probably love it depending on the day; you either love it or you love to hate it. And basically my definition of this one, I just decided to go short instead of going with some big long official definition, in memory of one of my daughter's favorite things growing up. There was a catchphrase, "got to catch them all." Well, that's what the SIEM, security information and event management system, is meant to do. Now, if you look at this, it really is meant to correlate, or at least capture, all of these different areas. All of these different things have something to do with our security system, access information. The one on the left anyway, application, sources, threats. A SIEM system captures all of this and gives us a view into what should be a larger picture.
It is something that lets us know all of the things going on in our environment. So we will have firewalls feeding into this. We will have network switches feeding into this. We will have endpoints feeding into this. All of our different other tools that have been mentioned should be feeding logs and alerts into this system. This is meant to be the aggregation point, the main database of all of our information that's being generated, all of our logging, all of these different things reporting back to us what they're doing, what's going on, what's happening now, not necessarily whether this is a good thing or a bad thing. So again, it pulls it all in. It's our central aggregation point. But this tool, as much as I love what it can do, at times when we're trying to find that needle, it really is in a big haystack in many cases. There's a decent amount of complexity to this if you've had to deal with it. Again, I have seen many reviews of many SIEM products. Everyone always has the same problem or types of problems with a SIEM product. And there are many of them out there. Splunk is one of the larger ones. You have SolarWinds Security Event Management. There is Wazuh in the open source community. There are all kinds of different SIEMs to wind up collecting data. But this is very complex in the end. We're getting all this data. So what do we do with it? Well, again, in most common SIEM systems, we are having to apply rules and signatures and policies. So, when we receive things that we've seen in the past or that we know about, it may be pulling in from a vulnerability exploit database, it may be pulling in from some other threat database, all of these things. And it will try to correlate those. So we usually have to set up the rules manually in all of these cases.
So therein lies the biggest problem with our most comprehensive tool: in its point of aggregating all of this, it also becomes a very, very complex thing.
The Data Deluge and SIEM Complexity
And to kind of exemplify that, now that we've got SIEM as one of these great tools and it pulls in from all the other tools and everything, this is the big problem. We have so much data. We have so many policies, all these different rules that we have to worry about, and so many reference points all over the place. And in many cases, it's pulling in, and we're just barely pulling in different screens. But we do have these other tools and they have their own screens and dashboards and things of that nature.
So in the end, when we create these rules and everything, all of these policies, these alerts, I'll guarantee you one of our largest problems is going to be that we have to ask what is real and what is just noise. Where are our real alerts that are going to mean something to us? Or what's something that's just Fred getting into the system for the first time, and it set off some kind of alert because he did something too many times, or maybe a password failure, something of that nature. But we know that it's the first time that Fred's getting in here. But if he does it again in a month or so, we're still going to get all the same alerts because the SIEM is simply going to repeat based on the rules and the policies that we have. If there are five failed login attempts by a particular user in one minute, then please fire off an alert letting me know that. Okay? But that may happen, and no offense to anyone, but that may happen a lot with some users compared to others.
So where do we look on this? How do we pull this all together? All of this complexity. And by the way, another thing that we want to point out is that there is constant tweaking of this. In order to get rid of a lot of these false positives that are created by a system like this, we have to tweak it on a fairly regular basis and try and adjust it. So now we have our tool that's collecting everything. It's giving us alerts as we've asked it to, but now we're spending time trying to get it to tell us what we really need instead of just everything that it's seeing, which comes back to the complexity.
How AI Brings Order: Baselines, Correlation, Multi-Source Input
So what can AI bring to all this? Well, we are hoping that what we will show is that there's a little bit of order that AI can bring out of a great deal of this chaos. That SIEM picture that we saw earlier, all of that stuff coming in, that's just a form of chaos. We're trying to bring order to that chaos. How can AI help us to do that better than a SIEM tool?
Well, here are some of the advantages of AI.
It can create baselines, and any good AI based threat detection system should be doing this for us. Excuse me. It should be doing this so that we can know what is going on. And I want to really stress that there may be some out-of-the-box behavior monitoring, but what we're really after is a personalized baseline.
A personalized baseline. So what I mean by that is, most companies, again, we can look at it and we can say we want this password rule to be part of our alert system. We want this particular rule of this type of traffic being part of our alert system. But what about our personal business? What about our business specifically? Not comparing it to everyone else, but what about ours? What are the activities? So, as I said before, we may have Fred, and he gets into this one system, this particular system, system A. He gets into that all the time. All the time. And Suzanne, she winds up getting into system B all the time.
Our baseline should wind up showing that that happens on a regular basis with these two users for these two systems. That's what a personalized AI baseline should include.
So, interrelated policies. This is in contrast to some of our other tools, even including the SIEM, which, as I stated, I do love them and I also love to hate them. But AI should have the ability to engage policies that are influencing each other. So for example, if you have an AI system that's actually incorporating email as well as network security, we should see a correlation. They should influence each other. Hey, I see this traffic. I also saw an email that this user got before this traffic started.
So these things should influence each other in a good AI powered threat detection. Now we wouldn't have that without the AI or machine learning. It would just be policies and different systems, and the SIEM would then report it to us. So the power of AI in threat detection comes down to, well, one of the big points is interrelated policies that influence each other.
Object and traffic identification. So AI enabled threat detection should be able to correlate IP addresses, usernames, system names. This is sort of what I was mentioning earlier. This user goes to this IP address or this system on a regular basis. I've created a baseline and I know the traffic that goes between them; excuse me, even with the traffic, I know that they're downloading and uploading files consistently on this system. I recognize that type of traffic and I'm correlating it. I'm putting it together with the user and the IP addresses, system names.
Input from multiple sources. So, an AI threat detection solution needs to have some of the same capabilities of a SIEM system. As a matter of fact, some of the better AI threat detection systems that you can get out on the market actually do have the ability to receive input from a SIEM system, pulling that in as well as different devices that may not be going into our system for whatever reason. But it can also go down to a packet sniffer level and actually have sniffers out on the network to make sure that we're seeing all of that traffic. So these are some of the advantages that we get from AI, specifically if we are using it properly. It should be telling us more and connecting more of these things.
Strengthening Network Security with AI: Anomalies, Accuracy, Automated Response
Now, let's get into the big one as far as AI powered threat detection. How can we strengthen our network with this? Well, here's the big one. AI threat detection should be able to learn from the baseline. It should be able to look at the traffic, as I was mentioning earlier. It should be able to look at the traffic, including what types of traffic, and it should identify that between systems, between a user and a system, between sites, and it should create a baseline with that. So that, as we see on Einstein's graph there, we can recognize something that went off the flatline, something that is an anomaly. But until we can have something that can learn a baseline, so going back to that example of the SIEM, we get all this information in and we can create policies and stuff, but it's not going to automatically filter because, well, I know that this person is downloading a lot of files, but hey, they do that all the time between these systems.
So that's one of the largest, that is the largest advantage that we have with AI in threat detection: it learns a baseline, and from that we gain other great advantages.
AI threat detection should be able to find anomalies compared to the baseline. This is what I was speaking a little bit on earlier. AI learning from the baseline allows for flagging of deviations and detection of zero-day attacks and previously unknown attacks or tactics. How? Because with a previously unknown tactic, if we don't have a signature for that yet, some of those other common tools, non-AI tools, non-AI-enhanced tools, are not going to realize that this is just simply different. I don't have a signature, and the behavior is close enough to other behavior; our bad actor has made it to where it can slip in under the threshold. And, here's a nice oxymoron, good bad actors know how to do this. They know how to try and stay just under the threshold that will set off an alert. The best way? I used this example earlier in another seminar. I was taught when I was a bank teller way back in college. We were told by the security department, well, the fraud department, we have to watch out for counterfeit bills.
And they showed us a lot of different ways that you can have counterfeit bills. One, for example, is people will take a $1 bill and four $10 bills and they'll cut off one corner of each one of the $10 bills and paste them onto the $1 bill. And if someone's looking at only the number, then they think it was a 10. Okay. Well, now I know about that trick. But what if you come up and you use a trick about which I'm not aware? One of the greatest lessons that they taught in that training was the best way to know a counterfeit of anything is to know the original, or know what is real. Where is the fraud? Well, I can recognize fraud by knowing what should be instead of what is not. That is this idea of a baseline. Same thing when we're looking at the AI advantages. It should be able to learn from that baseline, and then when there's an anomaly, whatever it is, that's where the detection of zero-day attacks and previously unknown tactics really kicks in.
Another advantage, still related, and the reason I kept the title the same on all these slides even though I'm talking about different points is they all relate to that learning of a baseline that is the AI powered threat detection top one.
So it should improve accuracy and have fewer false alarms. Why? Because it's continuously refining its detection models. It may give us some alarms on a few things, but either it learns quickly enough because of other things, other parts of its model structure, or because we input an accelerated learning protocol. So, for example: hey, you gave me this alert, but look, Suzanne's going to be accessing system C a whole lot more than she used to in the past, and I don't have time for you to really learn that. So, I'm going to basically tell you, learn this now. I'm going to force a speed learning, if you will. Good AI threat detection systems will allow us to manipulate some of the learning and speed it up and basically say, I just want you to consider this to be part of the behavioral analysis.
AI advantages again: threat detection should include automated response and triage. AI learning from the baseline, again, should have us to where we can initiate automated incident response, such as, for example, isolating a device or blocking an IP. And notice how I intentionally, and yes, I did have AI create the graphic, made the graphic to where there's an automated response by the robot, but we have people doing the triage. So there are certain things that we can tell it to do automatically, where we will come to trust it, and it will learn enough to where we can come to trust a good AI system for automated response. But what about those things that it really hasn't learned yet and where we need to come in as humans and triage this? As I said, Suzanne has now started using system C a great deal.
How can I wind up triaging that? That's going to require a person. Otherwise, we're going to have to wait for it to learn. This is part of a good system; a good AI threat detection system is our ability to accelerate that triage, especially for limited staff. And when I say that, it's also, as I put on here, using the anomaly. So part of that triage is, all right, the AI system is going to tell us, here is why I believe this might be an issue. So instead of delving through lots of logs and things of that nature, it will automatically tell us this is why I chose that.
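The Fred and Suzanne scenario from the talk, worked through in code (an added example written for this page, not the speaker's or ERP Suites' code): the static SIEM rule of five failed logins inside a minute fires on Fred every single day, while a per-user baseline over constructed login events flags only Suzanne's day-11 spike, hands the triager a reason, and can be force-taught her new normal. All events are constructed, and the thresholds (k = 3 standard deviations, five days of minimum history) are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

DAY = 86400

def make_history():
    """Constructed login events (ts, user, result) over 11 days, not real logs.
    Fred fumbles his password 5 times every morning: that is his normal. Suzanne
    almost never fails. On day 11 both rack up 6 failures inside a minute."""
    events = []
    for day in range(1, 12):
        t0 = day * DAY + 8 * 3600
        fred_fails = 6 if day == 11 else 5
        suz_fails = 6 if day == 11 else (1 if day % 3 == 0 else 0)
        events += [(t0 + i * 5, "fred", "fail") for i in range(fred_fails)]
        events += [(t0 + 600 + i * 5, "suzanne", "fail") for i in range(suz_fails)]
        events += [(t0 + 60, "fred", "success"), (t0 + 700, "suzanne", "success")]
    return sorted(events)

def static_rule(events, threshold=5, window=60):
    """The SIEM rule from the talk: `threshold` failures by one user inside `window`
    seconds. No memory of who normally does this, so it fires on Fred every day."""
    alerts, recent = set(), defaultdict(list)
    for ts, user, result in events:
        if result != "fail":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # slide the per-user window
            q.pop(0)
        if len(q) >= threshold:
            alerts.add((ts // DAY, user))  # one alert per (day, user)
    return sorted(alerts)

class UserBaseline:
    """Personalized baseline: each user's own history of daily failure counts. A day
    is an anomaly only when it sits k standard deviations above that user's usual."""
    def __init__(self, k=3.0, min_days=5):
        self.history, self.k, self.min_days = defaultdict(list), k, min_days

    def learn_day(self, user, count):
        self.history[user].append(count)
    def learn_now(self, user, count, days=5):
        """Accelerated learning: an analyst declares a new normal for a user instead
        of waiting for the model to pick it up over the coming days."""
        self.history[user].extend([count] * days)
    def check(self, user, count):
        """Returns (verdict, reason); the reason is what a human triager is shown."""
        h = self.history[user]
        if len(h) < self.min_days:
            return "untrained", f"{user}: only {len(h)} days of history, needs human triage"
        mu = mean(h)
        limit = mu + self.k * max(pstdev(h), 1.0)  # floor: a flat history must not alert on +1
        if count > limit:
            return "anomaly", f"{user}: {count} failures vs usual {mu:.1f} (limit {limit:.1f})"
        return "normal", f"{user}: {count} failures is within this user's baseline"

def run():
    """Replay the 11 days through both detectors, learning each day after checking it."""
    events = make_history()
    counts = Counter((ts // DAY, u) for ts, u, r in events if r == "fail")
    baseline, anomalies = UserBaseline(), []
    for day in range(1, 12):
        for user in ("fred", "suzanne"):
            verdict, reason = baseline.check(user, counts[(day, user)])
            if verdict == "anomaly":
                anomalies.append((day, user, reason))
            baseline.learn_day(user, counts[(day, user)])
    return static_rule(events), anomalies, baseline
```

Running `run()` yields twelve static alerts (Fred on all eleven days plus Suzanne on day 11) against a single baseline anomaly for Suzanne; `learn_now("suzanne", 6)` afterwards is the "learn this now" step that stops her new volume from alerting again.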
AI Use Case and Q&A
So with those particular points being stated, I wanted to give us a few AI use cases or case examples. If you have an EDR tool, it may use AI to detect fileless malware. So now, instead of looking for just a signature, it can, by simple behavior and without the file being on there, start doing its job better. An NDR solution can identify lateral movement or beaconing activity. It would not have been able to do that before without AI showing us that baseline. And we're back to our wonderful SIEM tool.
Those platforms can start prioritizing alerts using AI based correlation rules. That comes back to that influencing each other, the policies influencing each other.
So hopefully this has given us a little bit of a picture of what common tools are out there and how we can actually strengthen the common tools and bring them together to get better network security through AI based, empowered threat detection.
So at this time I'll open it up for any questions, Q&A, if you want to put any questions into the chat session. We'll give a couple of minutes for everyone to do that if you wish.
It can be over any of that which has been covered.
And while we're waiting on that, I'll also go ahead and let you know that we have a presence. We always have people at Blueprint 4D, at user groups, and on the video podcast by ERP Suites. So, these are different ways that you can keep up with us, or just simply call if you already have an account manager, or if you want to just call ERP, just communicate with us. We'll be glad to elaborate further or comment more.