Cliff Crossland
You're listening to the Cyberwire network, powered by N2K.
Dave Bittner
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Chaos and security concerns continue in Washington. Spanish authorities arrest a man suspected of hacking NATO, the UN and the US Army. A major US hiring platform exposes millions of resumes. Another British engineering firm suffers a cyber attack. Cisco patches multiple vulnerabilities. Criminals exploit SVG files in phishing attacks. SparkCat SDK targets cryptocurrency via Android and iOS apps. CISA directs federal agencies to patch a high severity Linux kernel flaw. Thailand leaves scamming syndicates in the dark. Positive trends in the fight against ransomware. Our guest is Cliff Crossland, CEO and co-founder at Scanner.dev, discussing the evolution of security data lakes and the bring your own model for security tools. And don't F with the FCC. It's Thursday, February 6th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here once again. Always great to have you with us.
Elon Musk's Department of Government Efficiency (DOGE) has gained access to restricted US government records on millions of federal employees, including Treasury and State Department officials in sensitive security roles, The Washington Post reports, citing anonymous sources. DOGE's involvement raises concerns about potential misuse of personnel data amid threats of retaliation against federal workers by Trump administration officials. The Office of Personnel Management holds sensitive employee data, including addresses, salaries and disciplinary records. DOGE agents, some in their early 20s with ties to Musk's private companies, were granted administrative access to OPM systems shortly after Trump's inauguration. This access allows them to install software, alter records and potentially transfer data externally. There is no evidence they have done so, but officials are alarmed at the risk. DOGE's arrival has disrupted OPM, with mass staff reductions planned, including the removal of key IT and financial executives. Tensions have risen between DOGE agents and career officials, contributing to low morale. The halt of IT upgrades and DOGE's access to government networks increase security vulnerabilities, reminiscent of past cyber breaches such as China's 2014 theft of US security clearance records. Security experts warn that foreign adversaries could exploit the chaos as DOGE's access extends to Treasury's payment systems, which contain classified expenditure details. The Senate Intelligence Committee has demanded transparency on DOGE's vetting process and system access. Meanwhile, a lawsuit challenges OPM's privacy policies, arguing that unencrypted government-wide email deployments create security risks. Experts fear that foreign intelligence services could infiltrate DOGE due to its rapid and opaque hiring process.
Spanish authorities have arrested an 18-year-old suspected hacker for cyber attacks on over 40 organizations, including NATO, the UN and the US Army. The suspect allegedly leaked stolen data and managed over 50 cryptocurrency accounts. Investigators believe he used multiple online aliases, including NATOHub, who claimed breaches on BreachForums. Between June 2024 and January of this year, NATOHub posted 18 times about data breaches, sometimes selling or freely sharing stolen information. Authorities seized electronic devices during the arrest. Fo&Bo, a US hiring platform used by major brands like KFC, Taco Bell and Nordstrom, exposed millions of job applicants' resumes due to an unsecured AWS bucket. The leaked data included full names, contact details, birth information, employment history, education and social media links. Cybersecurity researchers warn that the breach increases the risk of identity theft, allowing criminals to create fraudulent accounts or launch targeted phishing scams. Attackers could impersonate past employers to trick victims into revealing financial details or installing malware. Scammers might also exploit financially vulnerable individuals with deceptive job offers. The exposed data set contained 5.4 million files, but after multiple warnings, the company secured the database. British engineering firm IMI has disclosed a cybersecurity incident shortly after rival Smith's Group reported a similar attack. IMI, which designs industrial automation and transport products, confirmed unauthorized access to its systems in a London Stock Exchange filing. The company has engaged cybersecurity experts to investigate and contain the breach. IMI declined to comment on potential data exfiltration. Meanwhile, Smith's Group is also working to recover from an attack, with neither company providing a recovery timeline. Cisco has released patches for multiple vulnerabilities, including two critical flaws in its Identity Services Engine.
These bugs could allow authenticated attackers to execute arbitrary commands and tamper with device configurations. Patches are available, and Cisco says there are no workarounds. Additionally, Cisco warned of high severity SNMP vulnerabilities in IOS, IOS XE and IOS XR, which could cause denial of service attacks. Patches are expected by March. Medium severity flaws affecting various Cisco products were also addressed. No active exploits have been reported. Researchers at Sophos say cybercriminals are exploiting Scalable Vector Graphics files in phishing attacks to bypass email security filters. SVG files, unlike typical image formats, can contain embedded links and scripts that direct victims to phishing sites. Attackers disguise these files as legal documents, voicemails or invoices using familiar brands like DocuSign and Microsoft SharePoint. Once opened, the file redirects users to fraudulent login pages that steal credentials. Some attacks also deliver malware or leverage CAPTCHA gates to evade detection. Researchers identified evolving tactics, including localized phishing pages and embedded keystroke loggers. Security experts recommend setting SVG files to open in Notepad instead of a browser and carefully checking URLs for legitimacy. Sophos suggests organizations should update email security solutions to detect malicious SVG attachments and prevent credential theft. A malicious software development kit called SparkCat has been discovered in Android and iOS apps, stealing cryptocurrency wallet recovery phrases using optical character recognition. The malware, hidden in SDKs named Spark, GZIP, Google App SDK and Stat, extracts sensitive text from images on devices, enabling attackers to access crypto wallets. On Google Play alone, the infected apps were downloaded over 242,000 times, with some still available on both Google Play and the App Store.
Kaspersky identified 18 Android and 10 iOS infected apps, with attackers using a Rust-based module for communication with the command and control servers. Users are advised to uninstall affected apps immediately, scan devices with antivirus software and avoid storing recovery phrases in screenshots. Instead, use offline encrypted storage for security. Google and Apple have yet to respond. CISA has ordered U.S. federal agencies to patch a high severity Linux kernel flaw within three weeks due to active exploitation. The vulnerability, found in the USB Video Class driver, enables privilege escalation on unpatched devices. Google patched it for Android users, warning of limited targeted attacks. Security experts believe forensic tools may be exploiting this flaw. CISA also flagged critical vulnerabilities in Microsoft .NET and Apache OFBiz, urging manufacturers to enhance network forensic visibility to aid cyber defense. On Wednesday, Thailand took a decisive step against online scamming syndicates by cutting off electricity, fuel and Internet to key scam hubs in Myanmar. These enclaves, run by organized crime groups, have become centers for cyber fraud targeting victims worldwide. The move follows pressure from China's Assistant Minister of Public Security, Liu Zhongyi, who urged Thailand to intensify its crackdown. Liu revealed that 36 Chinese-run scam operations in Myanmar employ over 100,000 workers, many trafficked and forced into fraud. The high profile rescue of Chinese actor Wang Xing from one of these compounds heightened scrutiny. Thailand's Prime Minister Paetongtarn Shinawatra defended the action, citing the scams' $2 million daily impact on Thailand's economy. The crackdown aligns with her visit to China, where both nations pledged stronger law enforcement cooperation to combat cross border cybercrime. At the start of 2024, ransomware groups seemed as powerful as ever, pulling in hundreds of millions of dollars in extortion payments.
But as the year progressed, something shifted. Law enforcement agencies, cybersecurity firms and victims themselves began pushing back harder than ever before. By year's end, ransomware payments had dropped 35% from the previous year, marking the first significant decline in years, according to research from Chainalysis. It wasn't just government action that slowed ransomware operators. Victims became more resilient, with more organizations refusing to pay and instead relying on backups to recover their data. Ransomware gangs adapted, working faster than ever, sometimes beginning negotiations within hours of an attack. But even with these tactics, the market fractured. The collapse of LockBit and BlackCat, two of the biggest ransomware groups, left a void that no single group was able to fill. New players emerged. Groups like Akira and Fog stepped into the spotlight, specializing in exploiting VPN vulnerabilities to infiltrate corporate networks. Meanwhile, Iranian-linked ransomware strains rebranded and resurfaced, proving that attackers were not giving up. They're just adapting. Financially, ransomware groups faced another hurdle: moving their money. In the past, they relied on cryptocurrency mixers to launder their earnings. But after sanctions and takedowns of services like Tornado Cash, they turned to cross-chain bridges and centralized exchanges instead. However, even this became riskier as governments cracked down on crypto platforms with loose know your customer policies. Perhaps the most telling sign of ransomware's changing landscape was LockBit's desperate attempt to stay relevant after being hit by Operation Cronos. The once dominant group resorted to reposting old victims, inflating their numbers in a bid to maintain their reputation. Despite the decline in payments, ransomware is far from defeated. The criminals behind these attacks are still out there, learning, adapting and searching for new ways to evade security measures.
But for the first time in years, defenders seem to have the upper hand, and that's worth celebrating. Coming up after the break, our guest Cliff Crossland, CEO and co-founder at Scanner.dev, discusses the evolution of security data lakes. And don't F with the FCC. Stick around.
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Cliff Crossland is CEO and co-founder at Scanner.dev. In today's sponsored Industry Voices segment, we discuss the evolution of security data lakes and the bring your own model for security tools.
Cliff Crossland
So a data lake is an evolution beyond a data warehouse, and there are all of these funny terms for big data storage areas, but a data lake is a strategy for taking data of many different formats. A data warehouse was the first step in this direction where the idea was to have tons and tons of data that matched a really strict structure. But data lakes, the idea there is just to have a storage repository of lots and lots of messy data of many different formats and many different structures. And the idea is that you could just pour tons of data into this lake and then make sense of it afterward and then analyze it afterward. So it just makes it very easy to get lots of data in. And then the challenge becomes trying to get value back out again and query it and get a sense for what's going on. And so data lakes are starting to become more and more popular, especially in security, because there's just so many different kinds of data to collect in security. And it's much, much easier, more scalable, and just very cheap compared to other tools to store data in a data lake. And just to get really specific about data lakes, people tend to just store lots and lots of data in cloud storage, whether that's like Amazon S3 or Azure Blob Storage or GCP Storage. There are a couple of different places where people store it, but it tends to be just really big cloud storage lakes of data. And it's very helpful once your data reaches massive scale to afford and to scale up with all of the massive amounts of data volume that come in now.
So we think, anyways, I get into more details there, but we think that because there's so much data now, and if you're operating a cloud service, there's so many different data sources that really, data lakes are becoming a more and more important part of a security team's detection and response strategy, just because it really allows you to get coverage on mass amounts of data volume that becomes too expensive in the traditional way that logs and data are stored. So that's just like a whirlwind tour of data lakes. But yeah, it's a rough idea.
Dave Bittner
So I hear folks talking about this. Bring your own model. Can you describe that for us? What does that entail?
Cliff Crossland
Yeah, I think it's a really powerful way that software is being deployed now. And I really think that this is the future of how more and more tools are going to work. So back in the good old days, the operational approach was to send all of your data off to a vendor. If this is like if you're using a SIEM tool, Security Information and Event Management tool, oftentimes what that looks like is shipping lots of logs over to a third party. And it can be expensive to transfer, et cetera. But now the way that things are moving is that you will store all of your own data in your own storage buckets, in your own cloud storage, and then you will plug in many different vendor tools into that data, give them permission to analyze it in different ways, and use tools for what they're strong at. It's really cool to bring your own storage, even bring your own cloud compute. You can basically say to a vendor, please deploy your software into my environment. There are lots of cool tools doing this, whether it's security or database related. There are many different companies using this approach, but you kind of get the power of SaaS products where they can get deployed frequently and updated all the time. And it's a really good user experience. But you're letting the vendor run everything in your own cloud environment, which means you keep full data custody. You can get perfect visibility into what's going on and how much compute you're using, how much storage you're using. You can drive costs down. It's a pretty powerful new approach for security teams and data analysis in general. And I think as AI applications and use cases start to explode, you're starting to see that happen too. So it's pretty exciting. There's just a lot of new tools that are deploying into your cloud, into your storage, and instead of getting locked into a vendor, you get to maintain full custody of that data. It's a cool new pattern.
Dave Bittner
Can we talk about the scalability here? The possibilities for, you know, growing beyond your expectations if need be? Yes.
Cliff Crossland
So I think some of the interesting things, the interesting trends with security log data, is as people are operating more and more services in the cloud, and they're operating more and more SaaS tools, the traditional log and traditional data management tools get to be extremely expensive. So the beauty of data lakes is that cloud storage is very cheap and can scale forever, and as long as you can apply tools and smart ways to organize the data and make it fast to access, it can really drive down costs and make it possible for you to have a lot of visibility into historical data. So, yeah, a lot of tools that people tended to use up until a couple years ago, you really can only retain a couple of weeks or maybe a couple of months of logs maximum. And then you would just kind of dump the rest of your logs into cloud storage just for compliance purposes. You have no way to get value out of them. But because there's this new model of being able to store your logs at scale into massively scalable cloud storage at low cost, and there are new really cool data lake tools to analyze that data and get you answers quickly, yeah, you can really get value out of this historical data. So instead of spending millions of dollars on a SIEM tool, you might spend ten times less now by taking a data lake approach. So, yeah, it's really cool what is like the scalability that data lakes can achieve, which I think is a big reason why big companies, Snowflake, Databricks, et cetera, lots of companies, whether in security or in data analysis, are really excited about data lakes and all of the applications they have.
Dave Bittner
I would imagine it cuts down on redundancy quite a bit as well, right? Because as you say, you can have different, I'll just call them plugins, looking at this big lake full of data. You don't have to duplicate that data to be analyzed, you know, from platform A or program B. You know, it's all there and you can send things to analyze it as need be.
Cliff Crossland
Yes, absolutely. And I think so, one thing we've seen too is in the past, you'd have different teams at the company using multiple tools, shipping the same data off to those multiple tools, duplicating the data, as you were saying. But also, if you have different divisions, different departments across the company, they would themselves also ship data off to many different tools, which was a huge problem. It would just be duplicating the same massive data flows from all of these different log sources to tons and tons of different tools. So, like, you'd have the security team looking at one set of the data in one set of tools. You'd have the application developers who are trying to debug things and get health metrics on the application. They're using a totally different set of tools and shipping the same data off there. But the really cool thing about the data lake is, yes, there's a centralized place, and then you can plug in many different tools to go and analyze that data for different use cases. And then it's fun to see teams become, once they start to build their own data lake, they become a resource across the entire company. And then everyone starts to pile in and say, this is really cool. It kind of breaks down the silos and wow, the security team has this kind of data for, like, the web application firewall. That's actually really helpful for debugging this other problem for our infrastructure team. And because there is the centralized place in the data lake, everyone can jump in and analyze that. And they're not replicating this cost by shipping the data off to, you know, 10 different vendors. There's just one location and they can just use different vendor tools to analyze that same data. Yeah. So it's really cool to see. Oftentimes what I've seen is one team, like the security team, or maybe some business intelligence teams, start to use a data lake.
And then lots of other teams get excited and everyone starts to break down silos and start to develop really cool use cases for the same data sets and share them across the company. So that's another really powerful thing about data lakes.
Dave Bittner
Yeah. Interesting. Well, help me understand how data lakes handle different types of data. My understanding of this has evolved over time.
Cliff Crossland
Yes. So it's really interesting. The beauty of data lakes is that you can store lots of different kinds of data in one place. The challenge becomes trying to get value out of really messy data of different kinds. And different tools have arisen to tackle the messiness of data lake data. So you might have web application firewall logs coming in that the security team really cares about, and network flow logs, and they have very different formats. And trying to build data lake tools to make that useful, there has been a lot of progress there and a nice evolution. So when the data lakes were originally introduced, it was pretty strict and there was a lot of upfront work. You had to do a lot of work every time you added a new data source to transform the data to fit an appropriate schema, and otherwise the data would be really slow to access. But over time, you start to see cool new innovations. Apache Iceberg is a big one. Amazon has introduced a new product there with S3 Tables to really natively support Apache Iceberg. And the cool thing there is that it's much more easy to evolve the schemas and the data structures over time and edit them. So I think where things are heading, in our opinion, is the tools will get smarter and smarter and better about just handling the messiness and the structure for you. It's getting easier. We still feel like it's a little too challenging. I think there are cool things that we really care about to make things easier and more schema-less, et cetera. But yeah, it's really fun to watch as new tools appear on the scene to make data lakes easier to use. We see the messiness of data getting handled more and more intelligently, making it easier and easier for people to adopt. So, yeah, that's definitely the way things are heading and we hope eventually. I think it's really cool just to see what people are doing with LLMs as well.
With generative AI, it can do a really good job at helping you figure out what the schema should be and just kind of taking on the annoying transformation work every time you add a new data source. Yeah, it's really neat to see how easy these data lake tools are getting. And we think the future will be, you'll just point a tool at your messy data and it will just totally make perfect sense of it all for you. Right? That's where things will eventually get to. But yeah, it's heading that way slowly.
Dave Bittner
Yeah. You touched on this idea that the bring your own model reduces vendor lock-in. Can we dig into that a little bit? What's the advantage here?
Cliff Crossland
Yeah, so the beauty here is, with other logging platforms in the past, in particular with SIEM tools, the idea would be to ship your logs off to a tool that you maybe were running internally, or maybe you were shipping them off to a third party. And then that data is just locked into that specific tool in that specific format that is very tightly coupled to that vendor. And so that could be nice if there's a strong vendor ecosystem. If basically all of the features that you want are handled by that vendor, that's fine. But then what that also means is that the vendor can increase their prices and you're stuck there. The beauty of data lakes is that you bring the data, you can bring the compute as well. And the idea is that the vendor will supply tools you can use to analyze that. And you're not locked into any of those vendors. You could drop one, you could pick up another. There are a lot of really cool open formats that people are using for data lake files and the catalogs that people use to track what data is in the data lake. So, yeah, we really think the direction that things should go in is that you should have a lot of flexibility and be able to select from many different vendors that can all analyze the same data set without getting stuck in one forever. And you might love your vendor at first, and then over the years, they kind of stop innovating, but then it's very hard to move off. You may have built a lot of dashboards and queries and detection rules there, but with the data lake approach, there's just way more flexibility and this really cool notion of having full data custody that gives you freedom to pick and choose as you want.
Dave Bittner
So what are your recommendations then, for folks who want to look into this, who want to explore the possibility for their own organization? What's a good place to start?
Cliff Crossland
Yeah, definitely. So I think there are a couple of tools that you should definitely look at as you get started. If you're in AWS, that would be Amazon's Athena. In Google, that would be BigQuery. And for Azure, there is the Azure Data Lake suite of tools. That's probably the best place to start playing with things. Then if you want to really get deep into security, there are lots of cool security data lake related tools to help you pull data into your data lake or to structure it well or to search it well. Just a whole suite of things that are centered around the data lake technologies that exist out there. So I think I would really recommend that people take a look at Apache Iceberg. This is probably one of the cool innovations that's happening now. We still think Iceberg can be a little bit too difficult to use because it still is a little too strict, but it's definitely a step in the right direction of making the data lake really flexible. The place to start would be with the different cloud providers' data-lake-specific tools. If you want to get started with getting security data into those tools, there are plenty of different services and startups and companies that will help you load logs from different locations into your data lake. But you could start with just a few log sources, maybe log sources that are really easy to get into your own cloud provider's data lake, like the cloud audit logs or maybe your identity provider logs, and then just play with the different data lake tools that exist out there to see what suits your use case as well, like who has the best detections or whose structure works best for you. Who's easiest to use? There are lots of cool things out there.
Dave Bittner
That's Cliff Crossland, CEO and co-founder at Scanner.dev. If you'd like additional details, we have a link to their blog on security data lakes in our show notes.
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
And finally, our FCC around and find out desk tells us the FCC has proposed a $4.5 million fine against voice over IP provider Telnyx for allegedly letting scammers impersonate a fictitious FCC fraud prevention team, which, spoiler alert, does not exist. The MarioCop Robocallers, yes, that's what they called themselves, made just under 1,800 fake FCC calls in two days, even targeting FCC staff and their families. Their calls threatened victims with jail time unless they coughed up $1,000 in Google gift cards. Because nothing says government fine like digital Monopoly money. The FCC blames Telnyx for lax customer verification, claiming they failed to do proper know your customer checks. Telnyx, however, fired back, calling the FCC's accusations factually mistaken and insisting they went above and beyond compliance rules.
While the fine looms, one thing is clear. Scammers will scam, the FCC will fine, and nobody should ever pay government fees in gift cards. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
CyberWire Daily: "FCC around and find out." – Episode Summary
Release Date: February 6, 2025
Host: Dave Bittner
Guest: Cliff Crossland, CEO and Co-Founder of Scanner.dev
Elon Musk's Department of Government Efficiency (DOGE) has reportedly gained unauthorized access to sensitive U.S. government records. This breach includes data on millions of federal employees across departments such as the Treasury and State Department.
Dave Bittner [04:30]: "DOGE's involvement raises concerns about potential misuse of personnel data amid threats of retaliation against federal workers by Trump administration officials."
Officials are alarmed by the potential for misuse, given DOGE agents' administrative access, which allows them to install software, alter records, and transfer data externally. The Office of Personnel Management (OPM) is particularly vulnerable, as DOGE's presence has led to mass staff reductions and halted IT upgrades, reminiscent of past breaches like China's 2014 theft of U.S. security clearance records.
The Senate Intelligence Committee has demanded transparency regarding DOGE's vetting processes and system access. Concurrently, a lawsuit challenges OPM’s privacy policies, highlighting risks associated with unencrypted government-wide email deployments.
Spanish authorities have apprehended an 18-year-old suspect accused of orchestrating cyber attacks against over 40 organizations, including NATO, the United Nations, and the U.S. Army.
Dave Bittner [07:15]: "The suspect allegedly leaked stolen data and managed over 50 cryptocurrency accounts, using multiple online aliases like NATOHub."
Between June 2024 and January 2025, the hacker publicly announced data breaches on various forums, sometimes selling or sharing the stolen information. Authorities seized multiple electronic devices during the arrest, aiming to dismantle his operations.
A significant data exposure has occurred at Foh&Boh, a U.S.-based hiring platform used by major brands such as KFC, Taco Bell, and Nordstrom. An unsecured, publicly readable AWS S3 bucket exposed millions of job applicants' resumes.
Dave Bittner [09:45]: "The leaked data included full names, contact details, birth information, employment history, education, and social media links, heightening the risk of identity theft and targeted phishing scams."
Cybersecurity experts warn that the breach could facilitate the creation of fraudulent accounts and enable attackers to impersonate past employers, thereby tricking victims into divulging financial information or installing malware.
British engineering giant IMI has disclosed a cybersecurity incident shortly after a similar attack on its rival, Smiths Group. IMI, known for designing industrial automation and transport products, confirmed unauthorized access to its systems through a London Stock Exchange filing.
Dave Bittner [11:20]: "IMI has engaged cybersecurity experts to investigate and contain the breach, though they have not disclosed details regarding data exfiltration."
Both companies are currently assessing the extent of the attacks, with no recovery timelines provided at this stage.
Cisco has released patches for several vulnerabilities, including two critical flaws in its Identity Services Engine. These vulnerabilities could allow authenticated attackers to execute arbitrary commands and manipulate device configurations.
Dave Bittner [13:00]: "Cisco advises that there are no workarounds for these critical vulnerabilities and urges immediate patching."
Additionally, Cisco has identified high-severity SNMP vulnerabilities in IOS, IOS XE, and IOS XR software that could facilitate denial-of-service attacks. Patch releases for these vulnerabilities are anticipated by March.
Sophos researchers have discovered that cybercriminals are increasingly exploiting Scalable Vector Graphics (SVG) files in phishing attacks to bypass email security filters.
Dave Bittner [14:35]: "Attackers disguise SVG files as legitimate documents, redirecting users to fraudulent login pages that steal credentials or deliver malware."
Recommendations to combat these attacks include setting SVG files to open in text editors like Notepad and updating email security solutions to detect malicious SVG attachments.
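A heuristic check of the kind an email gateway or triage script could run over SVG attachments, added here as an illustration and not code from Sophos or the podcast. It flags the constructs the campaigns above depend on: embedded script, event-handler attributes, links to external, javascript: or data:text/html URLs, and foreignObject (which lets an SVG carry arbitrary HTML). The two SVG documents are constructed samples and login-example.invalid is a placeholder host; an empty result is not proof that a file is benign.

```python
"""Heuristic scan of SVG attachments for phishing indicators. Added example, not
code from Sophos or the podcast. It flags the constructs the campaigns above rely
on: embedded <script>, event-handler attributes, links to external / javascript:
/ data:text/html URLs, and <foreignObject> (which lets an SVG carry arbitrary
HTML). Heuristic only: no findings does not prove an attachment is benign."""
import re
import xml.etree.ElementTree as ET  # for production, parse untrusted XML with defusedxml (assumption: not installed here)

# Script fragments typical of redirect/obfuscation stagers.
SCRIPT_PATTERNS = re.compile(
    r"window\.location|location\.(?:href|replace)|top\.location|atob\(|document\.write", re.I)
LINK_PREFIXES = ("javascript:", "data:text/html", "http://", "https://")

# Constructed samples; login-example.invalid is a placeholder host.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
PHISH_SVG = b'''<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <text x="10" y="20">Invoice_2025.pdf - click to open</text>
  <a xlink:href="https://login-example.invalid/office365"><rect width="100" height="30"/></a>
  <script type="text/javascript">window.location = atob("aHR0cHM6Ly9sb2dpbi1leGFtcGxlLmludmFsaWQv");</script>
</svg>'''


def _local(name):
    """Drop the namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data):
    """Return a list of (indicator, detail) pairs; empty means nothing flagged."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed "SVG" is itself a signal: a gateway that can't parse it won't inspect it either.
        return [("parse_error", str(exc))]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):  # comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag == "script":
            body = (el.text or "").strip()
            m = SCRIPT_PATTERNS.search(body)
            findings.append(("script", m.group(0) if m else body[:40]))
        elif tag == "foreignobject":
            findings.append(("foreignObject", "embedded HTML content"))
        elif tag == "iframe":
            findings.append(("iframe", el.get("src", "")))
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(("event_handler", f"{name}={value[:40]}"))
            elif name == "href" and value.strip().lower().startswith(LINK_PREFIXES):
                findings.append(("external_link", value.strip()))
    return findings


def is_suspicious(data):
    """Convenience wrapper for a quarantine decision."""
    return bool(scan_svg(data))


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("phish", PHISH_SVG)):
        print(label, scan_svg(doc))
```

Treat a parse error as a finding rather than a pass: an attachment that a parser rejects is one the gateway cannot inspect, and browsers are more forgiving than XML parsers. Legitimate SVGs with external links (credits, image references) will also be flagged, so route findings to review rather than hard-blocking on the link indicator alone.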
A malicious Software Development Kit (SDK) named Sparkcat has been found embedded in Android and iOS apps, aimed at stealing cryptocurrency wallet recovery phrases through optical character recognition.
Dave Bittner [16:00]: "The malware, hidden in SDKs such as Spark, GZIP, Google App SDK, and stat, has been downloaded over 242,000 times, with some infected apps still available on Google Play and the App Store."
Users are advised to uninstall affected apps immediately, scan devices with antivirus software, and avoid storing recovery phrases in screenshots.
The Cybersecurity and Infrastructure Security Agency (CISA) has directed U.S. federal agencies to patch a high-severity flaw in the Linux kernel’s USB video class driver within three weeks due to active exploitation.
Dave Bittner [17:50]: "This vulnerability allows privilege escalation on unpatched devices, and forensic tools may currently be exploiting it."
CISA also added vulnerabilities in Microsoft .NET and Apache OFBiz to its Known Exploited Vulnerabilities catalog, and separately urged network device manufacturers to build in better forensic visibility.
Thailand has taken decisive action against online scamming hubs in Myanmar by cutting off electricity, fuel, and internet access to these operations.
Dave Bittner [19:30]: "These enclaves, run by organized crime groups, have become centers for cyber fraud targeting victims worldwide, with an estimated daily impact of $2 million on Thailand's economy."
This move follows pressure from China's Assistant Minister of Public Security, Liu Zhongyi, and aligns with stronger law enforcement cooperation between Thailand and China to combat cross-border cybercrime.
The landscape of ransomware attacks has seen a notable decline in 2024, with payments dropping by 35% compared to the previous year according to Chainalysis.
Dave Bittner [20:50]: "For the first time in years, ransomware payments have significantly decreased, marking a positive trend in cybersecurity defenses."
This decline is attributed to increased resilience among victims, reduced reliance on cryptocurrency mixers due to sanctions, and the downfall of major ransomware groups like LockBit and BlackCat. However, new groups such as Akira and Fog have emerged, specializing in exploiting VPN vulnerabilities, indicating that ransomware remains a persistent threat.
Guest: Cliff Crossland, CEO and Co-Founder of Scanner.dev
Cliff Crossland elaborates on the concept of data lakes as an evolution beyond traditional data warehouses. Unlike data warehouses that require strict data structuring, data lakes accommodate diverse and unstructured data formats, making them highly scalable and cost-effective for security operations.
Cliff Crossland [17:14]: "Data lakes are starting to become more and more popular, especially in security, because there's just so many different kinds of data to collect."
Data lakes allow organizations to ingest vast amounts of data from various sources into cloud storage solutions like Amazon S3, Azure Blob Storage, or GCP Storage. The primary challenge lies in extracting meaningful insights from this "messy" data, a task that modern tools are increasingly equipped to handle.
The "Bring Your Own Model" (BYOM) approach changes how security tools are deployed: the organization keeps full custody of its data in its own storage and points multiple vendors' tools at that one copy, rather than shipping the data into each vendor's platform.
Cliff Crossland [19:50]: "You keep full data custody. You can get perfect visibility into what's going on and how much compute you're using, how much storage you're using."
This method reduces vendor lock-in by enabling the use of various tools to analyze the same centralized data lake without the need to duplicate data across different platforms. It fosters flexibility, allowing organizations to switch vendors without being tied to a single ecosystem.
Because data lakes sit on cheap, elastic object storage, retaining historical data for long periods becomes feasible without exorbitant costs.
Cliff Crossland [22:19]: "The beauty of data lakes is that cloud storage is very cheap and can scale forever... you can really drive down costs and make it possible for you to have a lot of visibility into historical data."
With traditional tools limiting log retention to weeks or months, data lakes enable long-term storage and analysis, providing deeper insights and supporting compliance requirements cost-effectively.
Cliff emphasized the advancements in data lake technologies, such as Apache Iceberg and Amazon’s S3 tables, which facilitate easier schema evolution and data management.
Cliff Crossland [27:10]: "Generative AI can do a really good job at helping you figure out what the schema should be and just taking on the annoying transformation work every time you add a new data source."
He envisions a future where data lake tools seamlessly handle diverse data formats, leveraging AI to automate data structuring and enhance usability.
Cliff advises organizations interested in adopting data lakes to start with their chosen cloud provider’s data lake tools, such as Amazon Athena, Google BigQuery, or Azure Data Lake. He also recommends exploring Apache Iceberg and experimenting with various data sources to determine the best fit for specific use cases.
Cliff Crossland [32:18]: "Start with the different cloud providers' data lake specific tools... play with the different data lake tools that exist out there to see what suits your use case as well."
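To make the ingest, retention, and schema-evolution points above concrete, here is a minimal security data lake on local disk, added as an illustration and not Scanner.dev's code. A temporary directory stands in for S3, Blob Storage or GCS (an assumption), and JSON Lines stands in for Parquet or Iceberg. Two constructed event sources with different shapes (CloudTrail-like and Okta-like) land under Hive-style source=/dt= partition paths, which Athena, Spark, DuckDB and similar engines can all read; a query prunes partitions by date before opening any file, and a column that only the later source carries simply reads as None for older rows, with no rewrite of existing data.

```python
"""A minimal security data lake on local disk: open file format, Hive-style time
partitions, schema-on-read. Added example, not Scanner.dev's code; a local
directory stands in for S3/Blob/GCS (assumption) and JSON Lines stands in for
Parquet/Iceberg. Two constructed sources with different shapes (CloudTrail-like
and Okta-like) land under source=/dt= paths; a query prunes partitions by date
before reading anything, and a column only the later source carries reads as
None for older rows, which is the schema-evolution point from the interview."""
import json
import tempfile
from datetime import date, datetime
from pathlib import Path

# Constructed sample events (not real logs).
CLOUDTRAIL = [
    {"eventTime": "2025-02-04T09:00:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "alice"}},
    {"eventTime": "2025-02-05T10:15:00Z", "eventName": "CreateAccessKey",
     "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "alice"}},
]
OKTA = [
    {"published": "2025-02-05T10:05:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice"},
     "client": {"ipAddress": "198.51.100.9", "geographicalContext": {"country": "Germany"}}},
]


def normalize(source, raw):
    """Schema-on-read envelope: a few shared columns plus the untouched raw record,
    so any tool can query actor/action across sources and still reach the original fields."""
    if source == "cloudtrail":
        row = {"ts": raw["eventTime"], "actor": raw["userIdentity"]["userName"],
               "action": raw["eventName"], "src_ip": raw["sourceIPAddress"]}
    elif source == "okta":
        row = {"ts": raw["published"], "actor": raw["actor"]["alternateId"],
               "action": raw["eventType"], "src_ip": raw["client"]["ipAddress"],
               # column introduced with this source; older CloudTrail rows never had it
               "country": raw["client"]["geographicalContext"]["country"]}
    else:
        raise ValueError(f"unknown source {source}")
    row.update(source=source, raw=raw)
    return row


def partition_path(root, source, ts):
    """Hive-style layout (source=.../dt=.../) that Athena, Spark, DuckDB and friends all understand."""
    return root / f"source={source}" / f"dt={ts.date().isoformat()}" / "events.jsonl"


def ingest(root, source, records):
    """Append normalized rows to their partition file; returns the number written."""
    for raw in records:
        row = normalize(source, raw)
        ts = datetime.fromisoformat(row["ts"].replace("Z", "+00:00"))
        path = partition_path(root, source, ts)
        path.parent.mkdir(parents=True, exist_ok=True)
        with path.open("a", encoding="utf-8") as f:
            f.write(json.dumps(row) + "\n")
    return len(records)


def query(root, start, end, **where):
    """Scan only dt= partitions inside [start, end]; filter rows on equality predicates."""
    hits = []
    for dt_dir in root.glob("source=*/dt=*"):
        if not start <= date.fromisoformat(dt_dir.name[3:]) <= end:
            continue  # partition pruning: never open files outside the window
        for line in (dt_dir / "events.jsonl").read_text(encoding="utf-8").splitlines():
            row = json.loads(line)
            if all(row.get(k) == v for k, v in where.items()):
                hits.append(row)
    return hits


def demo():
    """Build the lake in a temp dir and return results a caller can check."""
    root = Path(tempfile.mkdtemp(prefix="seclake-"))
    ingest(root, "cloudtrail", CLOUDTRAIL)
    ingest(root, "okta", OKTA)
    feb5 = query(root, date(2025, 2, 5), date(2025, 2, 5), actor="alice")
    return {
        "partitions": sorted(p.parent.relative_to(root).as_posix() for p in root.rglob("events.jsonl")),
        "feb5_actions": sorted(r["action"] for r in feb5),
        "feb5_countries": sorted(str(r.get("country")) for r in feb5),
        "total_rows": len(query(root, date(2025, 1, 1), date(2025, 12, 31))),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The layout, not the code, is the point: with data kept in an open format under predictable partition paths, a second vendor's tool (or a plain Athena query) can be pointed at the same files without copying them, and the date-range pruning is what keeps years of retention affordable to query. Keeping the raw record alongside the normalized columns is what lets a schema be revised later without re-ingesting.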
The episode concludes with a segment on the Federal Communications Commission (FCC) proposing a $4.5 million fine against Voice over IP provider Telnyx. Telnyx allegedly allowed scammers to impersonate a fictitious FCC fraud prevention team, conducting nearly 1,800 fake calls within two days.
Dave Bittner [34:00]: "Scammers will scam, the FCC will fine, and nobody should ever pay government fees in gift cards."
The FCC accuses Telnyx of inadequate customer verification processes, while Telnyx rebuts, claiming compliance with all regulations. The incident serves as a reminder to the public to remain vigilant against scams demanding payments in unconventional forms like Google gift cards.
This episode of CyberWire Daily provided a comprehensive overview of significant cybersecurity incidents, regulatory challenges, and emerging trends in data management and ransomware defense. The in-depth interview with Cliff Crossland offered valuable insights into the future of security data lakes and the benefits of the "Bring Your Own Model" approach, emphasizing scalability, cost-efficiency, and flexibility in modern cybersecurity strategies.
For more detailed information on security data lakes, refer to Scanner.dev's blog linked in the show notes.
Produced by Alice Carruth with contributions from Liz Stokes, mixed by Trey Hester, and featuring original music by Elliot Peltzman. Executive produced by Jennifer Eiben. Publisher: Peter Kilpe.