Thoughts on AI and Cybersecurity

Being an CSSLP gives me access to various emails from (ISC)2. One of these announced me that there is a recording of a webinar about AI and Cybersecurity held by Steve Piper from CyberEdge.

Very nice presentation of 1h, and I found out that there is a sequel to that on November 1st.

So, following Steve’s article, I did some research, read a lot and used ChatGPT to summarize some of my findings.

This article explores the multifaceted ways AI is transforming cybersecurity, from threat detection to incident response and beyond. It also looks into What it means actually to use AI in some of these fields. What is the impact on privacy and confidentiality?

Important to keep in mind that any AI must first learn (trained) in order to be able to understand the system and then potentially predict what is happening.


  1. Threat Detection

One of the primary applications of AI in cybersecurity is threat detection. Traditional rule-based systems are no longer sufficient to identify and combat sophisticated attacks.

AI-driven technologies, such as machine learning and deep learning, can analyze massive datasets to detect anomalies and potential threats.

Here’s how:

a. Anomaly Detection: AI algorithms can establish a baseline of normal behavior in a network or system. Any deviation from this baseline can trigger an alert, indicating a potential security breach.

b. Behavioral Analysis: AI can analyze user and entity behavior to detect patterns that may indicate malicious activity. This is particularly useful for identifying insider threats.

c. Malware Detection: AI can scan files and code for patterns consistent with known malware or recognize behavioral patterns of malicious software.

We’ll talk more in the future on this topic.


  1. Predictive Analysis

AI-driven predictive analysis enhances cybersecurity by identifying potential threats before they become full-blown attacks.

By crunching vast amounts of historical data, AI systems can predict emerging threats, trends, and vulnerabilities. This early warning system allows organizations to preemptively shore up their defenses.

It would have to gather huge amounts of data, crunch them (preprocess, normalize, structure), creating an ML model and then based on the chosen technology train the system.

Here we can think of supervised (pre-categorized data, requiring feature to be defined) and unsupervised learning (non categorized data, basically being restricted to Anomaly detection).

There is a huge warning here, because :

a) such huge amounts of data has to come from somewhere and

b) predictions can be influenced by specially crafted training data, for unsupervised training models.


  1. Automation and Orchestration

AI can automate routine cybersecurity tasks and workflows, reducing the workload on human analysts and minimizing response times. AI-driven systems can:

a. Automatically quarantine infected devices or isolate compromised areas of a network to prevent lateral movement by attackers.

b. Investigate and analyze security incidents, rapidly categorizing and prioritizing alerts.

c. Initiate predefined incident response procedures, such as patching vulnerable systems or resetting compromised user accounts.



Automation involves the use of technology, such as scripts, workflows, or AI-driven systems, to perform routine and repetitive tasks without human intervention. In the context of cybersecurity, automation can significantly improve efficiency and response times by handling various operational and security-related processes automatically. Here’s how it works:

a. Incident Response: When a security incident is detected, automation can trigger predefined actions to contain, investigate, and mitigate the threat. For example, if a system detects a malware infection, an automated response might involve isolating the affected device from the network, blocking the malicious IP address, and initiating a forensic investigation.

b. Vulnerability Patching: Automation can be used to deploy security patches and updates to systems and software as soon as they are released. This reduces the window of vulnerability and helps prevent attacks that target known vulnerabilities.

c. Log Analysis and Alerts: Automation can continuously monitor logs and events from various systems. It can detect and respond to predefined security events, generating alerts or triggering specific actions when unusual or malicious activity is detected.



Orchestration is a broader concept that focuses on integrating and coordinating various security tools, processes, and workflows into a unified and streamlined system. It enables organizations to create end-to-end security workflows by connecting different security solutions and ensuring they work together cohesively. Here’s how it works:

a. Workflow Integration: Orchestration systems allow the creation of predefined security workflows that link multiple tools, such as firewalls, intrusion detection systems, antivirus software, and incident response platforms. For example, when a malware alert is triggered, orchestration can coordinate the response by isolating the affected system, collecting forensic data, and alerting the incident response team.

b. Information Sharing: Orchestration enables the sharing of critical information among security tools. This ensures that all relevant security solutions have access to the latest threat intelligence, allowing for more effective threat detection and mitigation.


  1. Phishing Detection

Phishing attacks remain a prevalent threat. AI can help identify phishing attempts by:

a. Analyzing email content and sender behavior to identify suspicious emails.

b. Scanning URLs for malicious domains or suspicious patterns.

c. Inspecting attachments for known malware signatures.

d. Recognizing social engineering techniques and language used in phishing emails.


  1. Network Security

AI-driven intrusion detection systems (IDS) and intrusion prevention systems (IPS) monitor network traffic for anomalies and threats.

They can identify and block malicious traffic in real-time, protecting the network from various attacks, including DDoS attacks and data exfiltration.


  1. Threat Intelligence

AI can be used to aggregate and analyze threat intelligence from various sources, including open-source feeds, dark web monitoring, and industry-specific data.

This aggregated intelligence can help security teams stay informed about emerging threats and vulnerabilities.


  1. Endpoint Security

AI-driven endpoint security solutions provide real-time protection for individual devices.

They can identify and mitigate threats at the device level, even when the device is not connected to the corporate network. This is especially crucial for remote workers and mobile devices.

This raises another red flag for me: complete monitoring of user’s actions on the device. What happens to the data gathered, is the model trained locally on in the cloud? And many other such concerns.

I will write a dedicated post about AI and Privacy very soon.

The post Thoughts on AI and Cybersecurity first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #2/2: TISAX certification

This is the 2nd post about Automotive Cybersecurity.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.


First post was about CSMS and ISO 21434 and this one is about TISAX.



Tell me about challenges in TISAX certification 



“TISAX (Trusted Information Security Assessment Exchange) is a security assessment and certification process for automotive suppliers. The certification is used to evaluate and ensure the information security capabilities of companies in the automotive sector.

There are several challenges associated with TISAX certification:

  • Complex requirements: TISAX has extensive and complex security requirements that can be difficult to understand and implement. Companies may struggle to meet these requirements and may need help from experts to achieve certification.
  • Resource constraints: Implementing the security measures required for TISAX certification can be resource-intensive and time-consuming. This can be especially challenging for small or medium-sized businesses.
  • Technical difficulties: Companies may face technical challenges in implementing the necessary security controls, particularly if their existing systems are not well-suited to the TISAX requirements.
  • Cost: The cost of TISAX certification can be significant, and this may be a challenge for companies with limited budgets.
  • Maintenance: TISAX certification must be maintained, and companies must continually evaluate and improve their security controls to stay certified. This can be a challenge, as the threat landscape is constantly evolving and new risks emerge.

Overall, TISAX certification requires a substantial investment of time, resources, and expertise, but it is considered an important aspect of information security for companies operating in the automotive sector.”


So, I have to say that this impressed me a bit …

I have always difficulties explaining to my customers why is it so hard to pass the TISAX audit.

It is all true, and actually it is quite a challenge to get companies to commit to a long term cooperation with a consulting company, which can help them understand the requirements and teach them how to apply them.



I will get back to ChatGPT from time to time and try to get such short descriptions for various things I need.

The post ChatGPT and automotive cybersecurity #2/2: TISAX certification first appeared on Sorin Mustaca on Cybersecurity.

ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434

As promised, I played more with ChatGPT and this time I started to dig a bit into cybersecurity for automotive.

Since I am working these days on CSMS (based on ISO ECE 21434 and TISAX), part of my companies consulting offer for automotive I thought maybe I check what ChatGPT things about them.

Unfortunately, nothing dramatically new, a form of what a google search gives you. However, the model answered something interesting about TISAX, which usually I, as a human would probably answer.  ( No, this post is not written by ChatGPT: 🙂   )


Here it is:



Tell me about CSMS from ISO 21434



CSMS (Cybersecurity Management System) is a framework for managing cybersecurity within an organization, as defined in ISO 21434. ISO 21434 is an international standard for automotive cybersecurity that provides guidelines for the development and implementation of cybersecurity measures in the automotive sector.
CSMS is designed to help organizations manage cybersecurity risks and protect against cyber threats.

It is based on the same principles as other management systems, such as quality management or environmental management, and provides a structured approach to managing cybersecurity.

The framework covers a range of cybersecurity-related activities, including:

  • Threat identification and assessment
  • Risk management
  • Security controls and measures
  • Incident management
  • Continuous improvement

CSMS is designed to be flexible and adaptable, allowing organizations to tailor the framework to meet their specific needs and requirements.

The standard also provides a basis for certification, enabling organizations to demonstrate their commitment to cybersecurity and their ability to effectively manage cybersecurity risks.

In summary, CSMS from ISO 21434 provides a comprehensive framework for managing cybersecurity and is an important aspect of information security for organizations operating in the automotive sector.”


This text is not returned by a google search. If I search the exact same terms, google returns me a bunch of links and ads (4 Ads, 9 links, 1 ad) and some Youtube videos.

So, is this text relevant?

Yes, it is a very good summary. I will actually use it in the offerings of my company.



Part #2 is about “TISAX certification”.


The post ChatGPT and automotive cybersecurity #1/2: About CSMS from ISO 21434 first appeared on Sorin Mustaca on Cybersecurity.