Around AI in Cybersecurity: Threats, Protection, and Automation. Second Block

Artificial intelligence is rapidly changing approaches to cybersecurity, creating new opportunities for business as well as new risks. These challenges became the topic of a panel discussion at the Kyiv International Cyber Resilience Forum (KICRF) 2026 — one of the key events in the field of cyber resilience in Ukraine.

The discussion was moderated by Serhiy Kulyk, Regional Manager IT Distribution and head of the CyberTech committee of the IT Ukraine Association. Participants included heads of information security divisions of leading Ukrainian companies and state digital services.

After discussing the risks of shadow AI usage, participants moved on to the second block.

Watch the first block here: Around AI in Cybersecurity: Threats, Protection, and Automation. First Block – iIT Distribution Ukraine

SECOND BLOCK

AI in Cybersecurity: Automation as Team Enhancement

Serhiy asked Oleh Polihenko, CISO at Nova Group, to share practical use cases of how such tools are applied in information security operations.

Oleh noted that today most modern cybersecurity solutions already have built-in AI capabilities. These include products from vendors such as Cisco, CrowdStrike, and Splunk.

“My position as a CISO is not to replace people with AI, but to combine human expertise with AI. AI is an enhancement. Wherever a process is predictable and controlled, we use AI. It’s a must-have.”

According to him, these tools are primarily used to automate routine processes. In monitoring systems, they help analyze event context, enrich data, and generate queries for incident detection.

Another area is behavioral analysis. Systems analyze infrastructure metrics and, based on data from malware or attack patterns, can predict potential threats.

These technologies are also used for internal processes. Local models help employees quickly find answers related to policies or procedures, reducing the workload on service desks and speeding up request handling.

They are also applied in analyzing emerging cyber threats. According to Oleh, attackers are actively using AI as well — from phishing to voice spoofing and password attacks.

Therefore, the main role of these tools is to help specialists respond to incidents faster and better understand what is happening within the infrastructure.

Oleh himself uses such tools for daily threat analysis: they collect news, generate summaries, and help quickly assess the current threat landscape.

MHP: AI will not become a universal solution for cybersecurity

Serhiy asked Yuriy Shatylo, CISO of MHP, whether the active implementation of AI could create new points of compromise.

Yuriy noted that any infrastructure element can be a potential point of attack.

“Not only AI can be a point of compromise for a corporate or technological network. It can also be an identification system, corporate mail, a network firewall. Any element, including a protection element for both the production and corporate network, can be a point of compromise.”

According to him, the key task for companies is building systematic cyber resilience. A year ago, MHP also suffered a large-scale cyber attack, after which the company strengthened its defenses and revised its security approaches.

The company uses a hybrid infrastructure that combines production networks, corporate systems, and cloud services. To protect them, a multi-layered security architecture is applied with segment isolation and controlled data transmission between them.

Regarding the role of AI in cybersecurity, Yuriy believes that currently such tools primarily perform an auxiliary function. At the same time, in his opinion, a universal technology that completely solves all cybersecurity issues will not appear. Therefore, companies should combine a systematic approach to security with flexible management methods and build protection in a way that supports business development.

Banking SOC: AI helps process incidents but does not replace people

Serhiy Kulyk asked Ukrsibbank CISO Maksym Yashchenko whether AI helps automate SOC work, where a large number of incidents are processed and which traditionally requires a significant number of specialists.

Maksym noted that for most security monitoring centers, the lack of personnel is one of the main problems, especially in 24/7 operations.

AI is already helping to analyze large volumes of events and quickly generate response recommendations.

According to Maksym, the bank is currently testing an LLM-based solution that will significantly increase the number of analyzed events without substantially expanding the SOC infrastructure or team. One approach is the so-called shift left, where event correlation is moved to an earlier stage of analysis.

However, the implementation of such systems requires time and significant investments. Businesses often expect new technologies to be cheap, but the actual cost of infrastructure and security can be substantial.

Maksym also pointed out that AI is actively used by pentesters. Such tools help create scripts or analyze vulnerabilities, although they are sometimes used to write malicious code.

Controlling access to information in internal systems remains a separate challenge. If all company data is combined in one environment for model operation, implementing the principle of least privilege can become more difficult.

Therefore, according to Yashchenko, using AI in cybersecurity always requires balancing automation, security, and control of access to data.

AI agents: hybrid approach and the role of humans

Serhiy asked Universal Bank CISO Taras Loboda about practical cases of using AI agents and choosing between proprietary models and cloud services.

Taras noted that today every company forms its own approach and uses such technologies only where they are truly needed by the business.

One example of usage is HR processes. The bank is testing tools that help analyze candidates and create brief interview summaries and psychological profiles.

In the field of cybersecurity, such tools currently play an auxiliary role. For instance, the bank uses automation to create cases in SOAR systems and an agent integrated into the incident management system. It analyzes events in parallel with an analyst and suggests possible conclusions, but the final decision is always made by a human.

Another example of usage is client onboarding in KYC processes. A special agent analyzes data from various sources and creates a client profile in about 30 seconds. Previously, this could take about 40 minutes.

Regarding infrastructure, the bank uses a hybrid approach. Some requests are processed through Amazon services, but the platform that manages the agents is proprietary.

According to the expert, the key factor in choosing a solution is the availability of a team. Therefore, there is no universal approach. Companies make decisions based on resources, time, and the business’s readiness to invest in their own expertise.

Diia: how the state protects its own LLM

Serhiy Kulyk asked Diia CISO Yevhenii Kudrevych about the development of a government large language model and approaches to its security.

Yevhenii explained that such a model is already used on the Diia portal and essentially performs the function of the first line of support, answering users’ questions.

“Do we trust the LLM? We are now talking about Trust boundaries. The answer is – No. We use the Zero Trust principle.”

The model is deployed in its own on-prem infrastructure and operates under a RAG (retrieval-augmented generation) architecture. This means that the system generates responses solely based on verified sources and provided context, rather than generating information arbitrarily.

For its operation, a separate infrastructure is created, which essentially acts as a platform for processing requests. Meanwhile, a key issue remains the protection of such an architecture.

According to Kudrevych, the system is protected by multiple layers of control. These include security guardrails at the input and output, verification of the information received by the model, and analysis of the responses it generates.

Technical protection mechanisms are also used, including endpoint agents that react in real time and specialized content filters that work similarly to a WAF but are adapted to models.
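The layered control described above, as an added example (not Diia's code): the model is treated as untrusted, so the question, the retrieved context and the draft answer are each checked outside the model, and the access-label filter reflects the least-privilege concern raised earlier in the panel. The knowledge base, patterns, labels, threshold and function names are all constructed for illustration, and `model` is a stand-in callable.

```python
import re

# Constructed sample knowledge base: (doc_id, access_label, text). Labels are hypothetical.
KB = [
    ("faq-1", "public", "A digital passport can be shared through the application using a QR code."),
    ("faq-2", "public", "Support requests are answered within three working days."),
    ("ops-7", "internal", "Escalate database outages to the on-call engineer."),
]
# Constructed filter patterns; a real deployment would maintain far richer rule sets.
INJECTION = re.compile(r"ignore (all|previous|prior) instructions|system prompt", re.I)
SENSITIVE = re.compile(r"\b\d{10}\b|password|api[_-]?key", re.I)

def words(text):
    """Content words (4+ letters) used for crude retrieval and grounding checks."""
    return set(re.findall(r"[a-z]{4,}", text.lower()))

def input_guardrail(question):
    return len(question) <= 500 and not INJECTION.search(question)

def retrieve(question, clearance):
    # Least privilege: drop documents the caller may not read BEFORE ranking,
    # so restricted text never reaches the model's context window.
    allowed = [d for d in KB if d[1] in clearance]
    scored = [(len(words(question) & words(d[2])), d) for d in allowed]
    return [d for s, d in sorted(scored, key=lambda x: -x[0]) if s > 0][:2]

def output_guardrail(draft, docs, min_overlap=0.6):
    # Reject drafts that leak sensitive-looking data or are not grounded in the sources.
    if SENSITIVE.search(draft):
        return False
    context = set().union(*(words(d[2]) for d in docs)) if docs else set()
    draft_words = words(draft)
    return bool(draft_words) and len(draft_words & context) / len(draft_words) >= min_overlap

def answer(question, model, clearance=("public",)):
    if not input_guardrail(question):
        return "blocked:input"
    docs = retrieve(question, clearance)
    if not docs:
        return "refused:no-source"
    if any(INJECTION.search(d[2]) for d in docs):   # retrieved text is untrusted too
        return "blocked:context"
    draft = model(question, docs)
    return draft if output_guardrail(draft, docs) else "blocked:output"

# Stand-in models: one quotes its source, one invents an answer.
grounded = lambda q, docs: docs[0][2]
inventing = lambda q, docs: "Passports are issued by the ministry within two weeks."
```
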

Since most international solutions do not yet support the Ukrainian language at the required level, the team had to develop a significant portion of the protection independently.

Diia regularly tests the model along with Red Team and DevOps specialists to identify possible vulnerabilities and quickly respond to new threats.

CONCLUSION

AI in cybersecurity: balancing speed and control

The panel discussion revealed that regardless of the industry, companies face the same challenge: technology is advancing much faster than the rules for its safe use are being developed.

AI has already become part of everyday business processes. It is used for automating operations, analyzing incidents, operating contact centers, hiring employees, and even making operational decisions. At the same time, the same technologies are also actively used by cybercriminals.

Participants of the discussion agreed that today’s main strategy is not to restrict technology, but to implement it in a controlled manner. This means developing their own models, clear usage policies, controlling access to data, and combining automation with human expertise.

Another important conclusion of the panel: AI does not yet replace cybersecurity professionals but rather enhances their work. In most companies, such tools serve as assistants that help analyze data faster, detect incidents, and respond to new threats.

However, the race between protection technologies and new attack tools is only gaining momentum. The main question facing businesses and the state today is quite simple: how to leverage the potential of new technologies without creating new security risks.

The answer to this question will shape the approach to cybersecurity in the coming years.

Watch the full recording of the panel discussion on our YouTube channel:
