{"id":3440,"date":"2025-06-04T08:00:00","date_gmt":"2025-06-04T08:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3440"},"modified":"2025-06-04T08:00:00","modified_gmt":"2025-06-04T08:00:00","slug":"6-ways-cisos-can-leverage-data-and-ai-to-better-secure-the-enterprise","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3440","title":{"rendered":"6 ways CISOs can leverage data and AI to better secure the enterprise"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Data analytics platforms and the information they contain are among the most important corporate resources CISOs are charged with protecting, but data analytics can also be an effective tool for helping security teams identify and mitigate risks.<\/p>\n<p>With artificial intelligence (AI), machine learning (ML), and data science constantly advancing in their capabilities, cybersecurity chiefs can pinpoint the signs of attacks like never before. And that can help their teams initiate mitigation more quickly.<\/p>\n<p>\u201cSecurity today is as much about smart data use as it is about traditional defenses,\u201d says Timothy Bates, a professor of AI, cybersecurity, and other technologies at the University of Michigan College of Innovation and Technology, and former CISO at General Motors. 
\u201cData science and machine learning gave us the context and timing to act before incidents escalated.\u201d<\/p>\n<p>When Bates worked for General Motors, one of the auto manufacturer\u2019s most impactful initiatives was architecting a global <a href=\"https:\/\/www.csoonline.com\/article\/3840447\/security-operations-centers-are-fundamental-to-cybersecurity-heres-how-to-build-one.html\">security operations center (SOC)<\/a> to shift from a reactive to a <a href=\"https:\/\/www.csoonline.com\/article\/3511388\/want-to-get-ahead-four-activities-that-can-enable-a-more-proactive-security-regime.html\">proactive cybersecurity posture<\/a>. The company used <a href=\"https:\/\/www.csoonline.com\/article\/569085\/12-top-idsips-tools.html\">intrusion detection tools<\/a> and a <a href=\"https:\/\/www.csoonline.com\/article\/524286\/what-is-siem-security-information-and-event-management-explained.html\">security information and event management (SIEM)<\/a> platform to aggregate and analyze logs across a complex, distributed infrastructure.<\/p>\n<p>\u201cThrough data analytics, we processed billions of log events daily, creating behavioral baselines that allowed us to detect anomalies in real-time,\u201d Bates says. \u201cOne notable case involved identifying unusual login and command-line activity patterns within our manufacturing networks. That insight allowed us to stop a credential-stuffing attack before it reached critical systems, preventing what could have been a multimillion-dollar incident.\u201d<\/p>\n<p>AI, ML, data science \u201care an enormous help with large data sets, which cybersecurity is packed full of,\u201d says Nick Kathmann, CISO and CIO at governance, risk, and compliance provider LogicGate. 
\u201cWhile core benefits are still under development, the immediate uses are already bearing fruit when combining those huge security datasets [with] risk management.\u201d<\/p>\n<p>Just having security data pouring in and deploying AI and analytical tools doesn\u2019t guarantee success, however. Enterprises and their security teams need to adhere to best practices.<\/p>\n<p>Here are some tips for getting the best results from leveraging data for cybersecurity.<\/p>\n<h2 class=\"wp-block-heading\">Deploy machine learning for deep pattern recognition analysis<\/h2>\n<p>One good practice is to pair a <a href=\"https:\/\/www.csoonline.com\/article\/566677\/12-top-siem-tools-rated-and-compared.html\">SIEM platform<\/a> with ML models to analyze patterns across billions of daily log entries, Bates says. \u201cBuild behavioral baselines across business units, then flag deviations in real-time,\u201d he says. \u201cLogs alone don\u2019t tell you what\u2019s wrong. Patterns do. Machine learning gave our SOC superpowers \u2014 turning noisy data into action-ready insight.\u201d<\/p>\n<p>That deeper analysis proved vital to thwarting the credential-stuffing attack at GM, Bates notes. \u201cThe activity mimicked internal [administration] behavior \u2014 but just off enough for our system to flag it,\u201d he says.<\/p>\n<p>At BairesDev, ML data analysis offers the opportunity to spot threats and unusual activity more quickly.<\/p>\n<p>\u201cIt uses your network traffic, user behavior, and device activity to learn about you and define what\u2019s normal,\u201d says Pablo Riboldi, CISO at the nearshore software development company. \u201cThen, it flags any suspicious activity in real-time. 
This early detection helps security teams get ahead of insider threats, compromised accounts, or attackers moving within the network before they can do real harm.\u201d<\/p>\n<p>ML tools can help identify phishing attempts, even sophisticated ones that might slip past regular filters, Riboldi says. \u201cOver time, these systems get better,\u201d he says. \u201cThis leads to fewer false alarms and more focus on actual threats. As not all security weaknesses are the same, machine learning can help prioritize those vulnerabilities that are a threat for the business.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Emphasize the \u2018learning\u2019 part of ML<\/h2>\n<p>To be truly effective, models need to be retrained with new data to keep up with changing threat vectors and shifting cyber criminal behavior.<\/p>\n<p>\u201cMachine learning models get smarter with your help,\u201d Riboldi says. \u201cMake sure to have feedback loops. Letting analysts label events and adjust settings constantly improves their accuracy. Also, the data you give them is key. It needs to be good, secure, and come from different sources, like your computers, the cloud, login systems, etc.\u201d<\/p>\n<p>Building a well-integrated <a href=\"https:\/\/www.computerworld.com\/article\/1640801\/data-lakes-a-better-way-to-analyze-customer-data-2.html\">data lake<\/a> or SIEM platform ensures that the ML models have context-rich data to work with, Riboldi says.<\/p>\n<p>\u201cDon\u2019t just monitor known bads \u2014 train your models to recognize when something\u2019s \u2018not quite right,\u2019 even if it\u2019s never been flagged before,\u201d Bates says. \u201cThe most dangerous attacks don\u2019t trip the typical wires. 
It\u2019s the subtle shifts \u2014 logins at odd hours, a dev script being run from an unexpected host \u2014 that often point to breach activity.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Fuse data science into your security team<\/h2>\n<p>At many enterprises, data science\/analytics and cybersecurity teams are separate entities. But it\u2019s a good idea to blend the SOC team with data scientists who understand the corporate infrastructure and can tune models based on overall context rather than just generic patterns, Bates says.<\/p>\n<p>\u201cCybersecurity is no longer just about firewalls and antivirus,\u201d Bates says. \u201cIt\u2019s a data game now. Marrying cyber expertise with data modeling gave us the precision we needed at GM to act in real-time \u2014 not post-mortem.\u201d<\/p>\n<p>Organizations with data science teams that work alongside security teams \u201cwill be leaps and bounds ahead of organizations dependent on vendors to incorporate the tooling,\u201d LogicGate\u2019s Kathmann says.<\/p>\n<p>\u201cEspecially in the interconnected and vendor-agnostic world we live in now, collaboration between accountable teams is key,\u201d Kathmann says. Having a data science team understand the end goals of the organization, and then collaborate with a security team to facilitate the collection and storage of data in a data warehouse or data lake, is the best approach, he says.<\/p>\n<h2 class=\"wp-block-heading\">Ensure top-quality data governance and integration<\/h2>\n<p>\u201cTo get the most cybersecurity value out of data and AI capabilities, organizations should focus on ensuring data quality and integrating across data sources,\u201d says Anay Nawathe, director at global technology research and advisory firm ISG.<\/p>\n<p>\u201cOrganizations should consistently cleanse, normalize, and validate data as appropriate, to increase accuracy of the findings and minimize model drift,\u201d Nawathe says.<\/p>\n<p>Data integration across 
diverse data sources enables cybersecurity teams to receive more context around any given trend or anomaly, which leads to richer insights into complex threats, Nawathe says.<\/p>\n<p>Along the same lines, organizations need to integrate <a href=\"https:\/\/www.csoonline.com\/article\/3847510\/rising-attack-exposure-threat-sophistication-spur-interest-in-detection-engineering.html\">threat detection<\/a> across the business \u2014 not just the perimeter.<\/p>\n<p>\u201cEnsure your SOC integrates deeply into operational environments like operational technology networks and cloud systems,\u201d Bates says. \u201cThreat actors know the gaps; don\u2019t let your factory floor or [development] pipeline be one of them.\u201d<\/p>\n<p>This is important because cyberattacks often hide in overlooked places, such as legacy systems, remote plants, or software development operations, Bates says. \u201cReal-time visibility across these zones helped us shut down threats before they became disasters,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Supplement security with custom-trained LLMs<\/h2>\n<p>A large language model (LLM) that has been customized to meet the specific needs of an organization can help enhance cybersecurity.<\/p>\n<p>\u201cSome organizations with sophisticated cyber teams, unique security requirements, or complex environments are increasingly using customized solutions for their security analytics, though they will likely remain in a hybrid custom vs. 
commercial-off-the-shelf model,\u201d Nawathe says.<\/p>\n<p>Some of these custom use cases are \u201cdata\/risk visualization\u201d or <a href=\"https:\/\/www.csoonline.com\/article\/1298267\/assessing-and-quantifying-ai-risk-a-challenge-for-enterprises.html\">risk quantification<\/a> initiatives that are highly specific to the organization, Nawathe says.<\/p>\n<p>By custom-training an LLM and using it to process and correlate raw sensor and log data, a much cleaner and more concise data feed can be sent to mainstream security tools, says Christopher Walcutt, CSO at security services provider DirectDefense.<\/p>\n<p>\u201cIn addition, SOC staff can experiment in real-time, using the AI to teach them how to write better queries while providing the AI additional contextual learning,\u201d Walcutt says. \u201cThe resulting metadata can be transformational [and] allow for more advanced automation of defensive actions.\u201d<\/p>\n<p>Custom-trained LLMs can power AI for a number of discrete functions, one of the best being the preprocessing of event and log data, Walcutt says. AI will be able to identify groupings of behaviors that a heuristic, rules-based, or other machine learning solution would be unable to detect, he says, \u201cand in doing so, make the fidelity of data feeding the other tools much higher.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Make full use of documentation by mining it with AI<\/h2>\n<p>Analysis of unstructured data can also reap significant rewards for cybersecurity teams. 
For example, AI can have a big impact on mining company documentation, including the records used to manage and secure the organization\u2019s systems. This includes policies, procedures, and other documents that guide the organization\u2019s cybersecurity practices.<\/p>\n<p>Documentation is also a vital component of the regulatory compliance function at enterprises, providing a framework for security controls.<\/p>\n<p>\u201cReading, summarizing, and creating documentation [has] never been easier,\u201d LogicGate\u2019s Kathmann says. For example, security professionals can leverage AI models to read and summarize the key differences in risk frameworks and risk analysis reports, he says.<\/p>\n<p>\u201cLeaders can also create a model to search through all of an organization\u2019s SOPs [standard operating procedures] and look for specific known or suspected bad practices, identify processes that do not follow standards, or read through vendor security documents and reports,\u201d Kathmann says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Data analytics platforms and the information they contain are among the most important corporate resources CISOs are charged with protecting, but data analytics can also be an effective tool for helping security teams identify and mitigate risks. 
With artificial intelligence (AI), machine learning (ML), and data science constantly advancing in their capabilities, cybersecurity chiefs can [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3430,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3440","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3440"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3440"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3440\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3430"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
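The article's first three tips describe one pipeline in words: normalize events from different sources, build behavioral baselines (a user's usual login hours, the hosts a dev script normally runs from), flag deviations such as an odd-hour login, a script on an unexpected host, or a credential-stuffing burst, and then let analyst labels feed back into the baseline so the model "learns". The following is an added, self-contained illustration of that pipeline in plain Python; it is not code from the article, from General Motors, BairesDev or LogicGate, and none of them use these exact rules. Every log line, user name, host, IP address and threshold below is constructed for the example, and the two log formats (an `auth` source and an `edr` source) are assumptions standing in for whatever a real SIEM ingests.

```python
"""Toy behavioral-baseline detector with an analyst feedback loop.

Added example, not from the article. All logs, names, hosts and IPs are
constructed; the two line formats ("auth" and "edr") are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed training window: what "normal" looked like for a few days.
TRAINING_LOGS = [
    "2025-05-01T09:12:03Z auth user=alice src=10.0.0.5 result=success",
    "2025-05-01T10:40:11Z auth user=alice src=10.0.0.5 result=success",
    "2025-05-02T09:05:44Z auth user=alice src=10.0.0.5 result=success",
    "2025-05-02T14:22:09Z auth user=alice src=10.0.0.5 result=success",
    "2025-05-01T08:58:20Z auth user=bob src=10.0.0.9 result=success",
    "2025-05-02T17:30:02Z auth user=bob src=10.0.0.9 result=success",
    "2025-05-02T17:41:15Z auth user=bob src=10.0.0.9 result=success",
    "2025-05-01T09:20:00Z edr host=build-01 user=alice proc=deploy.sh",
    "2025-05-02T09:10:00Z edr host=build-01 user=alice proc=deploy.sh",
    "2025-05-02T15:00:00Z edr host=build-02 user=alice proc=deploy.sh",
]

# Constructed detection window: a 3 a.m. login, a deploy script on an HR
# laptop, one normal login, one normal script run, then six failed logins
# against six different accounts from a single external source.
NEW_LOGS = [
    "2025-05-10T03:14:27Z auth user=alice src=10.0.0.5 result=success",
    "2025-05-10T09:30:00Z edr host=hr-laptop-07 user=alice proc=deploy.sh",
    "2025-05-10T17:05:00Z auth user=bob src=10.0.0.9 result=success",
    "2025-05-10T11:01:00Z edr host=build-01 user=alice proc=deploy.sh",
    "2025-05-10T12:00:00Z auth user=alice src=203.0.113.7 result=failure",
    "2025-05-10T12:00:01Z auth user=bob src=203.0.113.7 result=failure",
    "2025-05-10T12:00:02Z auth user=carol src=203.0.113.7 result=failure",
    "2025-05-10T12:00:03Z auth user=dave src=203.0.113.7 result=failure",
    "2025-05-10T12:00:04Z auth user=erin src=203.0.113.7 result=failure",
    "2025-05-10T12:00:05Z auth user=svc_backup src=203.0.113.7 result=failure",
]

MIN_OBS = 3          # do not judge a user the baseline has barely seen
STUFFING_USERS = 5   # distinct accounts failing from one source = stuffing


def parse(line):
    """Normalize one raw line from either source into a common record."""
    ts_text, source, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value.lower()  # case-normalize so Alice and alice match
    return rec


def build_baseline(lines):
    """Learn per-user login hours and per-script host sets from successes only."""
    base = {"login_hours": defaultdict(set), "login_count": Counter(),
            "script_hosts": defaultdict(set)}
    for rec in map(parse, lines):
        if rec["source"] == "auth" and rec["result"] == "success":
            base["login_hours"][rec["user"]].add(rec["ts"].hour)
            base["login_count"][rec["user"]] += 1
        elif rec["source"] == "edr":
            base["script_hosts"][rec["proc"]].add(rec["host"])
    return base


def detect(base, lines):
    """Return (rule, key, detail) alerts for deviations from the baseline."""
    alerts = []
    failures = defaultdict(set)  # src -> distinct users with failed logins
    for rec in map(parse, lines):
        if rec["source"] == "auth":
            user, hour = rec["user"], rec["ts"].hour
            if rec["result"] == "failure":
                failures[rec["src"]].add(user)
            elif (base["login_count"][user] >= MIN_OBS
                  and hour not in base["login_hours"][user]):
                alerts.append(("odd_hour_login", f"{user}@{hour}", rec["ts"].isoformat()))
        elif rec["source"] == "edr":
            proc, host = rec["proc"], rec["host"]
            if proc in base["script_hosts"] and host not in base["script_hosts"][proc]:
                alerts.append(("script_unexpected_host", f"{proc}@{host}", rec["ts"].isoformat()))
    for src, users in failures.items():
        if len(users) >= STUFFING_USERS:
            alerts.append(("credential_stuffing", src, f"{len(users)} accounts"))
    return alerts


def apply_feedback(base, alert, label):
    """Analyst feedback loop: a 'benign' label is folded back into the
    baseline so the same pattern stops firing on the next run."""
    rule, key, _ = alert
    if label != "benign":
        return False
    if rule == "odd_hour_login":
        user, hour = key.split("@")
        base["login_hours"][user].add(int(hour))
    elif rule == "script_unexpected_host":
        proc, host = key.split("@")
        base["script_hosts"][proc].add(host)
    return True


def run_demo():
    """First pass, analyst labels the HR-laptop script run benign, second pass."""
    base = build_baseline(TRAINING_LOGS)
    first = detect(base, NEW_LOGS)
    for alert in first:
        if alert[0] == "script_unexpected_host":
            apply_feedback(base, alert, "benign")
    second = detect(base, NEW_LOGS)
    return first, second


if __name__ == "__main__":
    first, second = run_demo()
    for a in first:
        print("first run:     ", a)
    for a in second:
        print("after feedback:", a)
```

Two design points matter more than the toy rules themselves. Baselines are learned only from successful events, so the attacker's own failures never teach the model that their source is normal; and the feedback step retrains the baseline rather than silencing an alert ID, which is the difference between a model that learns and a suppression list that quietly grows.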