C (12:33)

They know cybersecurity can be tough.

B (12:35)

And you can't protect everything, but with Thales, you can secure what matters most. With Thales's industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Thales T H A L E S learn more@thalesgroup.com cyber.

C (13:19)

Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple?

B (13:25)

Meet Meter, the company reimagining enterprise networking.

C (13:29)

From the ground up.

B (13:30)

Meter builds full stack zero trust networks.

C (13:33)

Including hardware, firmware and software, all designed to work seamlessly together.

B (13:39)

The result?

C (13:40)

Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and vpn, every layer is integrated and continuously protected in one unified plat. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your.

B (14:17)

Business and customers thrive.

C (14:19)

Learn more and book your demo@meter.com cyberwire that's M E T E R.com cyberwire.

B (14:37)

Cliff Crossland is CEO and co founder@scanner.dev and in today's sponsored Industry Voices conversation we discuss why security data lakes are ideal for AI in the society.

A (14:50)

The most common way that people construct data lakes is to store significant amounts of messy ish data in object storage buckets. So this might be like AWS S3 or Azure Blob storage or Google Cloud storage buckets. It's just basically storage locations that can scale forever and they tend to interact with this data with various kinds of SQL based engines that's the most common way to query this data. But yes, data lakes, the most common way that the people build their data lakes is to build them on top of object storage.

B (15:26)

And so when we're talking about AI and its ability to improve the lives of people in the SoC, how do these two things cross paths?

A (15:34)

Yes, it's super interesting. So we found that more than half of our customers are building agentic AI workflows on top of their data lakes and on top of many other tools for all of their SecOps responsibilities just to speed things along. No one is fully removing people from the workflows, but they are finding a tremendous amount of value in speeding up things like investigations. When an alert is triggered by having a data lake that's easy to access with a huge amount of data, just way easier to get lots of data into a data lake than into a traditional siem, then the agents can go and pull in rich context from many different sources. So AI together with data lakes we think is really the future of doing SecOps investigations and diving into log data. There's just a lot of power in having access to more and more log sources and more and more historical data too. Going back not just a few weeks, but months or years to do like a deep dive threat hunt. It's super cool.

B (16:40)

Well, can we dig into some of the details here? I mean when somebody has this sort of thing up and running, how does it work?

A (16:47)

Yes. So what folks tend to do is their first cut at building a data lake. It tends to be using a SQL based tool like maybe it's Apache Presto or Amazon Athena is very common in our world. We're like very AWS focused. But what they will do is they will then use different kinds of SDKs that interact with MCP servers. So model context protocol, it's very cool. And then they will use that to go and interact with their data lake and interact with different security tools that they have. So like a very concrete example might be something like an alert lands from something like Amazon GuardDuty and then the agent will then go and pick up the ticket that got created in jira and then we'll go do an investigation in the data lake. It might ping some other tools, it might write up a little summary in Slack and write some comments in the JIRA ticket. And then it might also do something cool like open a pull request in the team's GitHub repository to tweak like some code or maybe a detection rule that they have in there. And then humans can kind of review everything that it just did the code review the change that it's making against the code. They'll go and review the comments that are being added to the ticket. So it can be very cool if your data lake is working well for you and you've done the work to make it fast, it can be a very cool source of additional rich context for agents to use when they're doing investigations.

B (18:14)

Now, my understanding is that query speed in particular is really critical for enabling these AI agents. Can you unpack that for us? Why does that matter?

A (18:25)

Yes, it is really interesting. So this is a common theme that we run into and why people come and talk to us is when they are trying to use Amazon, Athena or Presto to go and query a data lake, sometimes the query will run for hours and then the agentic workflow just doesn't work. It's just sitting there constantly pinging over and over again waiting for a query to return. And so what you really want, if you want an agent to do a good job at doing an investigation quickly, on an alert that comes in, you want your data lake to be really fast to go and query. We really are obsessed with what the future of data lakes looks like. We think data lakes are just going to get faster and faster. And this common complaint about data lakes being slow, that's going to go away over time. It's getting easier to do data engineering on traditional data lakes to make them faster to query with Apache, iceberg and parquet formats and so on. But there are also other cool things going on, like being able to support full text search just even on the messiest of log data and getting results back rapidly. That's something that we are super excited about. As data lakes get faster, it'll just be easier and easier for agents to rapidly investigate incidents like do detection engineering on your behalf and speed up everyone's job. In the SoC.

B (19:51)

Years ago, when AI was just starting to become the hot thing along with machine learning, of course, I remember reading an article and it was about the state of a computer's ability to play chess against humans. And they were talking to a chess grandmaster and they were saying that, you know, humans can play against the machine, the machine can play against another machine, but really the human combined with the AI was the best chess player in the world and that combination was hard to beat. Is my understanding correct that human, you all have done some testing on this internally and you're finding similar sorts of results?

A (20:30)

Yes, we definitely think that, I mean we could be wrong as like artificial general Intelligence or artificial superintelligence lands on the scene in a decade, if we're lucky. I don't know if that's really going to happen, but maybe at that point, the AI can just take over the job. But it was really interesting. There was some research done at Stanford that showed that doctors actually, by using AI, that the AI does better on its own, rather than doctor plus AI at doing diagnosis for a certain kind of symptom, evaluation, testing that they were doing, which was surprising. And so in our minds, we thought, wouldn't it be really cool to see if AI can do the job of a SOC analyst better than humans can by themselves, or even humans plus AI? The interesting thing that we found there is that human plus AI together does far better. There are a couple of different interesting findings. One is that it just seems to be that there is a lot more medical data out there for foundation models to train on, like, millions of research papers. And so it makes sense that they're good at diagnosing medical problems. But in cybersecurity, the false negative rate, that's the scary thing. If a true positive alert, if a real threat is present in your log data and you're under attack and the agent doesn't find it and thinks everything is peachy, that is scary. And that was very common with AI running entirely by itself. But what we found to be really effective was AI and humans working together, where a human can kind of just use their judgment to nudge the AI along and iterate together on an investigation report, like in an artifact, that they can continue to develop together. So, like, the AI will do a first stab at an investigation. A human can say, you totally, like, missed something over here. You mentioned it, but you didn't really, deep dive. Go dive deeply into this weird data exfiltration. Like, what is happening there? Why are there so many downloads from an S3 bucket in the logs? And then the AI will often say, like, wow, you're right, this is actually really bad. Let me go dive more deeply into this. But the cool thing is, instead of a human taking hours to write queries, to dig through logs, you can really just start to use your intuition, your judgment as a person and as a security practitioner to just come up with great ideas for the AI to go and explore. And then there's this really fast translation between the messy data, the deep, hard to understand, obscure data sources, and then insights from it. So we think together, humans and AI are awesome. And in our own testing, the false positive rate got a lot better when humans were involved but also the false negative rate was a lot better. Humans were like, we're better at being maybe a little paranoid and nudging the AI along in the right direction.

B (23:38)

How do you go about dialing in the degree to which the humans are having oversight over the AI?

A (23:45)

Yes, this is really tricky. I think what you want is you want an AI agent and a bunch of agentic workflows to make your life easier. You don't want to have to micromanage them. And so it could be a challenge if you have hundreds or maybe even thousands of alerts being triggered per day. So you don't want to have to go and do a deep dive review on every single response that your agent is making to these alerts. But what is really effective is to keep humans in the loop, but then to do things like let the AI give you a batch understanding, like a global understanding of the patterns of those hundreds of alerts and then surface the highest priority things for you to go review. We don't think it's time to let agents go and make a final call on really important investigations and do things like immediately change your code and change your detections. We think instead, if it can open up a pull request for humans to review, if it can add comments for humans to review, and then humans can just click accept or approve or dive deeply into the details if they want to, it can really speed people along. So, yes, it is a challenge. I think if you can get your detections to be tuned to reduce your alerts to something that is reviewable, like maybe dozens of alerts a day, that that can be wonderful. And we actually find that AI agents are really helpful in helping you tune your detections to remove the noise and giving you ideas for how to reduce the false positive rate. So, yeah, I think you kind of need to get your alerts under control and then only have a volume at which humans can afford to go and review what the agents are doing, what their investigation conclusions are.

B (25:40)

Yeah, it strikes me that approaching it this way, maybe it's an opportunity for your humans in the loop to stay sharper because they don't have that, that grunt work of like, as you said, you know, going through so much data manually, they're able to apply their intuition where it really matters.

A (26:01)

Yes. There was a fun interview with Ali Mellon who talked about how in the future the SOC analyst, like the low level SOC analyst role is going to evolve and it will become more about detection engineering together with an AI. And we definitely see that it's really fun to Watch with our users. They will build workflows where if an alert is really noisy, an AI will do an initial attempt at writing code to change the detection rule to make it less noisy to reduce the false positive rate. Humans can review and then it's just so much more fun than going and manually triaging dozens or hundreds of alerts per day. You can just use your high level judgment, your creative ideas to look at instead of getting into the weeds and into the details on every single alert that happens. You can guide and shape almost like managing agents to write code for you and get a lot of great work done and clean up your detections. Tune them better. Yeah, we see a lot of people instead of just trusting the out of the box detections from their SIEM or their security data lake tool, they will customize and tune hundreds of detections from their vendor to be more appropriate to their business context. And they can only do that because AI is helping them speed that along. They're not doing it all by hand, they're just doing code reviews and maybe giving the agent feedback and maybe tuning the code a little bit more. But yeah, I completely agree that it helps people be sharper, see and focus on better, more high leverage projects. It's exciting.

B (27:50)

What are some of the things that you and your colleagues have learned along the way in terms of having your own unique approach to this? The things that you believe differentiates you from other folks who are out there doing this?

A (28:02)

Yes, I think what's going to happen is all of the efforts that a lot of organizations are going to to try to do data engineering to get all of their data in their data lake to conform to a common schema. That's not going to be important anymore in the future. Instead of like every single one of your 50 log sources, you have to get to conform to a schema like OCSF instead. Tools are going to be very good at handling messiness and that's something that our tool at scanner we really care about is. Logs can be very messy. And because of the way that we're approaching running queries and analyzing data in data lakes is about embracing the messy and text based nature, deeply nested JSON schema, less nature of logs in security. It just makes it much easier to gather many different log sources together. You don't need to do as much engineering work to get them to conform to a common schema, but it's really critical that that data be fast to search through so that the agent can actually make progress. So yeah, we're excited about adopting many of the same ideas that you see in tools like Lucene or elasticsearch, building an inverted index, but making that inverted index extremely, extremely friendly to data lakes and data lake scale and object storage that allows you to go and execute very, very fast searches over massive data sets without doing a significant amount of data engineering to get your data to conform to a particular schema. Just let the logs come in as they may and be messy and then what the future looks like is gathering more and more log sources cheaply in data lakes and in object storage and then letting agents do the really cool fuzzy sorts of correlations and searching across them to do deep dives and powerful investigations. So yeah, we're excited about that. We think that that is the direction things will go in with object storage and data lakes in the future is more and more friendliness to unstructured and semi structured structured data and faster and faster search across that data.

B (30:25)

That's Cliff Crossland, CEO and co founder at Scanner.dev.

C (30:49)

What's your 2am Security worry? Is it do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out any endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber.

B (31:52)

And finally, Nordex's wind turbines were built to power communities, though one technical manager apparently believed they should also bankroll his crypto ambitions. While the company was still recovering from a Conti ransomware attack, he slipped three mining rigs into a substation and hid two helium nodes inside the turbines themselves, treating critical infrastructure like a very large, very noisy piggy bank. From August through November 2022, his setup quietly siphoned energy until Nordex discovered that its clean power was moonlighting as a blockchain side hustle, a court later noted he showed no concern about interfering with equipment that keeps thousands of homes running. The judge rewarded this creative misuse of renewable energy with 120 hours of community service and more than €8,000 in damages. It is, if nothing else, a gentle reminder that insider threats are alive and well and that even in the age of green tech, not every watt is yours to monetize. And that's the Cyberwire. For link to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

C (34:17)

Sat.