WeCyberYou! Unlocked Podcast

Cyber Security Controls Demystified Part 8 - AI-Powered Firewall

Season 1 Episode 8

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 21:24

In this episode, we break down what an AI-Powered Firewall is, how it combines artificial intelligence, machine learning and behavioral analytics with traditional firewall technologies to detect, predict and respond to cyber threats in real time and why it is rapidly becoming one of the most transformative innovations in modern network security.

Duration: 0:21:24

Visit https://www.wecyberyou.com for more cyber security education, resources and awareness content like this. 

Thank you for listening. 
WeCyberYou! Team

Support the show

Like and follow us to be notified when a new episode is released on this channel.

SPEAKER_00

Imagine a digital bouncer, right? Like this guy at the door who doesn't just check your ID card, but uh actually acts as a psychic detective.

SPEAKER_01

Right, a psychic bouncer.

SPEAKER_00

Exactly. Like predicting a cybercrime. Before you even reach for the door handle, welcome to the We Cyber You Unlocked podcast. We are uh absolutely thrilled to have you here with us today.

SPEAKER_01

We really are. It is great to be here.

SPEAKER_00

And for this deep dive, our mission is to explore this massive stack of notes and research we have from a really fascinating article. It's called uh The Evolution of Intelligence: a Deep Dive into AI firewalls.

SPEAKER_01

Aaron Powell, which is such a great title for what is happening right now in the industry.

SPEAKER_00

It really is. Because look, if you are listening to this right now, you probably already know that the cybersecurity landscape is just, you know, shifting, but he's our feet every single day.

SPEAKER_01

Oh, absolutely. Daily, hourly even.

SPEAKER_00

Yeah. But the changes happening in firewall technology specifically right now, they're on a completely different level. We are looking at systems that have evolved from those uh those basic digital bouncers we talked about into these highly autonomous analytical engines.

SPEAKER_01

Aaron Powell That is the core of what we are looking at today. And it's great to synthesize this with you because we are not just talking about like a shiny new gadget here.

SPEAKER_00

Aaron Powell Right, or just another minor software update.

SPEAKER_01

Aaron Ross Powell Exactly. We are examining a fundamental transformation in how organizations protect their networks against incredibly sophisticated threats.

SPEAKER_00

Aaron Powell It's huge.

SPEAKER_01

It is. We are moving away from this whole world of static, rule-based security and stepping into a reality of intelligent adaptive security. I mean, in the modern threat landscape, that transition has gone from being a luxury to an absolute necessity.

SPEAKER_00

Aaron Powell Okay, let's unpack this. Because to really appreciate why artificial intelligence is so necessary right now, I think we first need a you know a quick flyover of what exactly it is replacing.

SPEAKER_01

Aaron Powell Yeah, that makes sense. Context is everything here.

SPEAKER_00

Right. So you and I know the basics, but the source material outlines four distinct generations of firewalls. Let's condense those early days a bit. How do we get from a basic lock door to this psychic detective?

SPEAKER_01

Aaron Powell Well, the first three generations are essentially just variations of that bouncer analogy you brought up. So generation one is packet filtering.

SPEAKER_00

Trevor Burrus So just the absolute basics.

SPEAKER_01

Exactly. It just checks IPs and ports. It asks, does the packet match the rule? If yes, allow it in. If no, block it.

SPEAKER_00

Very straightforward. Right, like checking if your name is on the clipboard.

SPEAKER_01

Yeah, exactly. Then generation two brought a stateful inspection, and that added connection tracking.

SPEAKER_00

So it remembers you.

SPEAKER_01

Right. The system remembers that you already authenticated a few minutes ago. So it's not asking for your ID every single time you walk past the door.

SPEAKER_00

That makes sense. Okay. And generation three.

SPEAKER_01

Generation three is where we got application aware firewalls. This introduced deep packet inspection and user identity.

SPEAKER_00

Oh, so it's actually looking at what you're doing.

SPEAKER_01

It is. It started asking what application is generating this traffic? Like, is this a normal web browser or is it malicious code that's just disguised as web traffic?

SPEAKER_00

Okay, got it. So generation three is basically a very thorough security guard. They are checking the VIP list, they're remembering faces, and they're actually looking at what the guests are wearing to make sure they belong at that specific party.

SPEAKER_01

To a degree, yes. But uh that bouncer analogy actually breaks down completely when we hit generation four.

SPEAKER_00

Aaron Powell Oh, really? Why is that?

SPEAKER_01

Because the problem with those first three generations is that they all still rely on static rules.

SPEAKER_00

Aaron Powell Right. They need to be told what to look for.

SPEAKER_01

Yes. Predefined policies, known attack signatures. They are fundamentally backward-looking systems.

SPEAKER_00

Aaron Ross Powell So they can only catch things that security researchers already know are bad.

SPEAKER_01

Exactly. Generation four, which is the AI-powered firewall, is a total paradigm shift because it completely abandons that reliance on static rule.

SPEAKER_00

It just throws the rules out the window.

SPEAKER_01

Aaron Ross Powell Well, it introduces machine learning, behavioral analytics, and autonomous response. So the core decision completely changes. Instead of asking, is a rule being broken? The firewall asks, is this behavior normal or is it indicative of an attack?

SPEAKER_00

Wow. That is a massive leap in logic. So instead of looking for, I don't know, a cartoonish villain with a crowbar trying to smash a window.

SPEAKER_01

Right, which would be an obvious known threat.

SPEAKER_00

Yeah, exactly. Instead of that, it is more like credit card fraud detection. It's looking for statistical anomalies.

SPEAKER_01

That's a great way to put it.

SPEAKER_00

Like it doesn't need a specific rule that says no crowbars allowed at 3 a.m. It just needs to know that this specific user has never ever engaged in this specific sequence of actions before, especially not at three in the morning while sweating profusely.

SPEAKER_01

Yeah, that is a much more accurate way to understand it. The generation four firewall evaluates the entirety of the context, dynamically weighing probabilities.

SPEAKER_00

It's doing math in real time.

SPEAKER_01

Tons of it. It evaluates the situation the same way an experienced human fraud investigator would, but it executes that analysis at a scale and speed that no human could ever possibly match.

SPEAKER_00

Aaron Powell Okay, so that leads us to a really crucial question. If this Generation 4 system relies so heavily on knowing what normal looks like, you know, in order to spot those statistical anomalies, how does it actually figure that out?

SPEAKER_01

That's the big question.

SPEAKER_00

Right. Because no human programmer sitting there typing out a normal baseline for thousands of employees manually, that would take years.

SPEAKER_01

What's fascinating here is how the source material breaks down the core trio of technologies that drive this capability. We are talking about artificial intelligence, machine learning, and behavioral analytics.

SPEAKER_00

Aaron Powell The big three. Let's look at the mechanics of that.

SPEAKER_01

Sure. So artificial intelligence enables the system to evaluate context and probability simultaneously. It uses these complex multidimensional vector matrices.

SPEAKER_00

Multi-dimensional vector matrices say that five times faster.

SPEAKER_01

I know it sounds very sci-fi. But practically, rather than following a rigid if-then logic tree, the AI plots user actions as data points on a complex graph.

SPEAKER_00

Just plotting them out to see where they fall.

SPEAKER_01

Right. It does that to determine if an event falls outside the safe cluster.

SPEAKER_00

So it is calculating probabilistic risk based on like a hundred different environmental factors all at once.

SPEAKER_01

Exactly. And then the second pillar, machine learning, is what allows those models to actually improve over time.

SPEAKER_00

Without human help.

SPEAKER_01

Yes. Instead of waiting for a security vendor to, you know, send down a manual update for a new virus signature, the ML algorithms ingest historical data on their own.

SPEAKER_00

So they just eat up all this background info.

SPEAKER_01

They consume vast amounts of information. Past attacks, normal network traffic, cloud workloads, device communications, you name it.

SPEAKER_00

Okay, and then the third pillar is behavioral analytics, which is the actual art of baselining. This is where we actually define what normal is. Right. It is almost like the system is creating an invisible biometric fingerprint for every single user and every server on the network.

SPEAKER_01

That biometric fingerprint concept is highly relevant here. The sources give some very concrete examples of how granular this actually gets.

SPEAKER_00

Let's hear them.

SPEAKER_01

For instance, the firewall learns that a normal employee typically logs in between 800 AM and 6.00 PM.

SPEAKER_00

Okay. Pretty standard business hours.

SPEAKER_01

Right. And it learns they generally only access the finance databases, and they usually download fewer than 20 files a day.

SPEAKER_00

That's their fingerprint. And it does this for the hardware too, right? It does. Because the text mentioned that a normal server might only communicate with specific database servers. It only transfers backup data overnight and it uses HTTPS encryption exclusively.

SPEAKER_01

Exactly. The servers have fingerprints just like the human users do.

SPEAKER_00

So if we take that normal finance user and suddenly they log in at 2.0 AM.

SPEAKER_01

Which is way outside their eight to six window.

SPEAKER_00

Right. And they try to pull a massive directory from the HR database instead of finance, the firewall just throws a massive red flag.

SPEAKER_01

Yes, instantly, even if their username and password are correct.

SPEAKER_00

Aaron Powell Really? Even with the right password.

SPEAKER_01

Absolutely. The credentials might be perfectly valid, but the behavior deviates so sharply from their established fingerprint that the probabilistic risk percentage just skyrockets.

SPEAKER_00

Aaron Powell Okay, let's take this from theory into practice for you listening. Because if I'm a threat actor trying to breach a network right now, how does this system actually catch me in real time?

SPEAKER_01

Aaron Powell The research lays out a six-step playbook that acts as, well, the anatomy of a catch.

SPEAKER_00

Let's walk through that workflow step by step.

SPEAKER_01

It begins with step one, data collection, and step two, baseline learning. Now the sheer volume of telemetry involved here is staggering.

SPEAKER_00

Because it's watching everything.

SPEAKER_01

Everything. The firewall pulls data from network packet flows, operating systems, cloud containers, user authentication events, global threat intelligence feeds.

SPEAKER_00

Aaron Powell It's a fire hose of data.

SPEAKER_01

It is. The text notes that large enterprises may generate millions or even billions of security events every single day.

SPEAKER_00

Aaron Powell Millions or billions of events a day. I mean, that is just an unfathomable amount of noise.

SPEAKER_01

Aaron Powell You couldn't process it manually if you tried.

SPEAKER_00

No. You could have a room full of a thousand human security analysts just staring at monitors, and they would never be able to parse that volume of data.

SPEAKER_01

Aaron Powell, which is exactly why the AI engine is required to process it all. During the baselining phase, the system takes all those billions of events and builds the behavioral profiles we just discussed.

SPEAKER_00

Right, the fingerprints.

SPEAKER_01

Yes. It takes time to learn that Sarah logs in from Sydney during business hours, or that the payroll software only talks to three specific internal systems.

SPEAKER_00

Well, here's where it gets really interesting. Because once that baseline is fully baked in, we move to step three and step four, which are continuous monitoring and anomaly detection.

SPEAKER_01

That's where the magic happens.

SPEAKER_00

Right. The firewall is constantly cross-referencing every single new event against those historical baseline graphs. So if Sarah opens Microsoft Outlook to check her email, that aligns perfectly with her historical cluster. The system just stays quiet.

SPEAKER_01

It doesn't bother anyone.

SPEAKER_00

But if Sarah suddenly downloads 40 gigabytes of confidential design files, the machine learning flags the deviation immediately.

SPEAKER_01

And the source material highlights some specific anomalies that machine learning is uniquely suited to catch. Things that legacy firewalls just completely miss.

SPEAKER_00

What's a good example of that?

SPEAKER_01

One of the most common is lateral movement. This is when a workstation that normally just handles, say, word processing, suddenly begins scanning hundreds of internal IP addresses.

SPEAKER_00

Oh wow.

SPEAKER_01

Yeah. It's just probing the network for open ports.

SPEAKER_00

That is a massive red flag. The machine shouldn't care about anything other than its own standard connections.

SPEAKER_01

Exactly. It has no business looking around the network like that.

SPEAKER_00

Another one from the text that I really loved is impossible travel. It is such a simple concept, but incredibly hard for legacy rules to catch.

SPEAKER_01

It really is.

SPEAKER_00

So let's say Sarah logs into the network from Sydney, Australia at 900 AM.

SPEAKER_01

Okay.

SPEAKER_00

Then at 9.15 a.m., Sarah's exact same credentials are used to log in from London.

SPEAKER_01

Right.

SPEAKER_00

The AI instantly flags this because it calculates the geographical distance, the speed of light, and the time between authentications. And it realizes it is physically impossible for a human being to travel from Sydney to London in 15 minutes.

SPEAKER_01

That is a perfect example of mathematical probability overriding legitimate credentials. It does not matter if the password was correct.

SPEAKER_00

Or if multi-factor authentication was somehow bypassed.

SPEAKER_01

Exactly. The physics dictate that the account is compromised. Period.

SPEAKER_00

It's just undeniable math.

SPEAKER_01

It is. Another classic anomaly mentioned in the text is beaconing.

SPEAKER_00

Oh, beaconing. That sounds ominous.

SPEAKER_01

It is. This is when an endpoint starts communicating with an unknown external IP address on a rigid mathematical schedule, say exactly every 300 seconds.

SPEAKER_00

Right, because humans do not browse the web on a perfect 300-second interval.

SPEAKER_01

We don't click reload with the stopwatch. Right. The text notes that this specific behavior is a hallmark of command and control, or C2, malware. It is the infected machine basically calling home to the attacker server, just waiting for instructions.

SPEAKER_00

And a normal firewall would miss that.

SPEAKER_01

Often, yes. A legacy firewall might look at the traffic, see that it is just a tiny encrypted packet over standard web ports, and just let it through.

SPEAKER_00

Because no static rule was broken.

SPEAKER_01

Exactly. But the AI firewall sees the rigid frequency and recognizes the underlying pattern of malware.

SPEAKER_00

So what does this all mean for the workflow? The AI has spotted the lateral movement or Sarah's impossible travel or the rigid beaconing. What happens next?

SPEAKER_01

Well, now we are at steps five and six threat scoring and automated response.

SPEAKER_00

Okay, break those down for me.

SPEAKER_01

Step five is where the system calculates that probabilistic risk percentage we mentioned earlier. It doesn't treat every anomaly equally.

SPEAKER_00

Right, context matters.

SPEAKER_01

Exactly. A 2.0 AM login might be unusual, but on its own, it might only get a low risk score of, say, 20 out of 100. Maybe the employee is just working late to finish a project.

SPEAKER_00

But a 2.0 AM login coming from a new IP address combined with a sudden attempt to encrypt files.

SPEAKER_01

That combination of factors pushes the threat score up to a high risk 95. And that instantly triggers step six, which is the automated response. The firewall doesn't just send an email alert to a human analyst and wait for them to finish their coffee and investigate.

SPEAKER_00

Because by then the damage is done.

SPEAKER_01

Exactly. Depending on the organization's predefined playbook, the firewall can actively block the malicious traffic, tear down the active sessions, or even completely isolate the infected device from the rest of the network at the switch level.

SPEAKER_00

Just cut it off completely. Yes. And the most staggering part to me is the speed of execution. The text emphasizes that modern systems perform these containment actions in subsecond time frames.

SPEAKER_01

Subsecond, it's incredible.

SPEAKER_00

By the time a human analyst pager even goes off to tell them an attack was attempted, the AI firewall has already identified it, sugored it, blocked it, and quarantined the compromise machine.

SPEAKER_01

It is a level of velocity that fundamentally alters the defensive posture of an organization. It changes the whole game.

SPEAKER_00

It honestly sounds infallible when you lay out the mechanics like that.

SPEAKER_01

Yeah.

SPEAKER_00

But I have to push back here because nothing in technology is perfect.

SPEAKER_01

No, definitely not.

SPEAKER_00

I want to look at the superpowers versus the kryptonite. The superpowers are very clear based on the text. We have user and entity behavior analytics, or UEBA, which is fantastic for catching insider threats or compromised accounts.

SPEAKER_01

Absolutely.

SPEAKER_00

We have predictive detection that spots attacks based on math before a virus signature even exists. And the text even highlights generative AI assistance.

SPEAKER_01

Yes. The generative AI aspect is a massive operational improvement for security operations centers.

SPEAKER_00

How so?

SPEAKER_01

While these large language models integrate directly with the firewall to explain complex security alerts in plain English.

SPEAKER_00

Which has to be a huge relief for the analysts.

SPEAKER_01

Oh, it drastically reduces alert fatigue. Instead of an analyst staring at a wall of cryptic JSON logs and hex codes, the generative AI provides a clear summary.

SPEAKER_00

Like a cheat sheet.

SPEAKER_01

Yeah. It just says, we isolated Sarah's machine because it attempted an impossible travel login from London and subsequently tried to access the HR database.

SPEAKER_00

But that actually leads right into my concern. What's that? If the system is this incredibly autonomous, right? If it learns the baseline itself, calculates the probability, scores the threat, kills the session in milliseconds, and then uses a language model to write up a plain English report about what it did.

SPEAKER_01

I see where you're going with this.

SPEAKER_00

Why do we need human security teams at all? Is this replacing the human element entirely?

SPEAKER_01

If we connect this to the bigger picture, we really have to look closely at the limitations explicitly outlined in our sources. AI firewalls are incredibly powerful tools, but they are absolutely not a silver bullet.

SPEAKER_00

They have blind spots.

SPEAKER_01

They come with severe vulnerabilities. The first major limitation is data qualiter. An AI model is completely dependent on the data it uses during that baseline learning phase.

SPEAKER_00

Garbage in, garbage out.

SPEAKER_01

Exactly. If the training data is of core quality, the resulting detection accuracy will be terrible.

SPEAKER_00

Wait, let me stop you there. So if a company buys one of these incredibly expensive AI firewalls and they plug it into a network that is already compromised by a threat actor, does the firewall just learn that the hacker's behavior is the normal baseline?

SPEAKER_01

That is a very real danger. It's often referred to as data poisoning or baselining a compromised environment. If the attacker is already inside, moving laterally and exfiltrating data slowly while the AI is in step two, learning the network, the algorithm will accept those malicious actions as part of the daily routine.

SPEAKER_00

That is terrifying. It will literally train itself to ignore the attacker.

SPEAKER_01

It will. That is a huge blind spot. Which leads to the second limitation: adversarial AI.

SPEAKER_00

AI fighting AI.

SPEAKER_01

Essentially. The threat actors are well aware of how these defensive models work, and they are not standing still. They are actively using their own offensive artificial intelligence to figure out how to evade detection.

SPEAKER_00

How do they do that?

SPEAKER_01

They use algorithms to deliberately manipulate the machine learning models of the defenders. They introduce these subtle, slow drip anomalies to slowly shift the firewall's understanding of what is normal over time.

SPEAKER_00

So they basically boil the frog.

SPEAKER_01

That's a perfect analogy.

SPEAKER_00

They use their own AI to slowly stretch the defender's baseline until the malicious activity perfectly blends in with the background noise. It is quite literally an arms race.

SPEAKER_01

An incredibly resource-intensive arms race, which brings us to the third limitation. The cost. The processing cost, yes. Running these multidimensional vector matrices and processing billions of events in real time demands substantial computing power, massive data storage, and highly specialized engineering expertise to maintain.

SPEAKER_00

It's a heavy lift for any IT department.

SPEAKER_01

Very heavy. And I imagine that brings us back to the human element, which answers your earlier question about replacing analysts. Right.

SPEAKER_00

So we still need people.

SPEAKER_01

Exactly. The source text is unambiguous about this. Human oversight remains essential. AI augments human capabilities. It does not replace them.

SPEAKER_00

Because someone has to watch the watcher.

SPEAKER_01

Yes. We still desperately need experienced security professionals to validate those generative AI alerts, to recognize when a baseline has been poisoned, to conduct deep forensic investigations into the incidents.

SPEAKER_00

And to step in when the AI gets confused.

SPEAKER_01

Right. And most importantly, to make the high-impact strategic decisions that an algorithm just lacks the context to make.

SPEAKER_00

So to go back to the earlier analogy, the AI acts as the tireless hyperanalytical detective doing the massive data legwork in milliseconds.

SPEAKER_01

Yes.

SPEAKER_00

But the human is still the police chief who has to look at the findings, understand the broader business context, and decide how to actually handle the fallout of the case.

SPEAKER_01

Aaron Powell That dynamic is exactly how the system is designed to function.

SPEAKER_00

Aaron Powell Okay. So bringing this all together for you listening, where is this technology heading next? Like, what does the future outlook for network defense actually look like, according to the research?

SPEAKER_01

Aaron Powell The research indicates that the next generation of these firewalls will become even more deeply integrated into the broader security ecosystem.

SPEAKER_00

Aaron Powell So they won't just be standalone boxes anymore.

SPEAKER_01

No, not at all. We are going to see seamless native integration with zero trust architectures, XDR, which stands for extended detection and response, and SR platforms.

SPEAKER_00

Aaron Powell And for those who might not work with SR Daily, that stands for Security Orchestration, Automation and Response. It is essentially the platform that executes the automated playbooks across the entire company, right?

SPEAKER_01

Correct. The SR platform actively talks to the AI firewall. So the AI detects the anomaly, calculates the risk, and then triggers the SR platform to not just block a port, but to simultaneously revoke the user's cloud access, quarantine their physical laptop, and wipe their mobile device authentication tokens.

SPEAKER_00

Wow. All in one orchestrated move.

SPEAKER_01

Yes. The ultimate goal is for the AI to proactively map out potential attack paths and neutralize them across dozens of different tools with minimal human intervention.

SPEAKER_00

It really is a complete fundamental shift from the static rules of the past.

SPEAKER_01

It changes everything.

SPEAKER_00

And honestly, it leaves me with one incredibly provocative thought based on what you mentioned earlier about adversarial AI.

SPEAKER_01

What's that?

SPEAKER_00

Well, if these defensive AI firewalls are constantly learning, analyzing, and redefining what normal human behavior looks like in order to protect the network. Right. And the offensive AI attackers are constantly learning and calculating how to perfectly mimic that normal human behavior to bypass the firewalls.

SPEAKER_01

Yeah, you see the collision course there.

SPEAKER_00

Exactly. Will the future of cyber warfare eventually just be two incredibly complex algorithms endlessly arguing with each other in the dark over what a human would actually do?

SPEAKER_01

That is wow. That raises an important question about the limits of machine logic. It is definitely a thought that will keep security engineers awake at night.

SPEAKER_00

It really will. We want to thank you so much for joining us on this deep dive. To make sure you never miss an exploration into the rapidly shifting landscape of technology and security, please make sure you follow the channel.

SPEAKER_01

We truly appreciate you spending your time and exploring these concepts with us today.

SPEAKER_00

And for more content, resources, and deep dives just like this one, you have to go visit weCyberU.com. We have so much more to share with you there. Until next time, stay safe and stay curious.