A (12:37)

Ford BlueCruise Hands Free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise enabled vehicles like the F150 Express, Explorer and Mustang Mach E available feature on equipped vehicles terms apply. Does not replace safe driving. See Ford.com BlueCruise for more details.

B (13:11)

Duron Davidson is General Manager and Managing Director of Security Operations at Cyberproof Israel. On today's sponsored Industry Voices segment we discuss agentic socks and agentic transformation of.

C (13:25)

An MT Dr. Security operations centers for four years have had the very similar even say same pain points over years, starting from slow detections and response to analyst burnout, repetitive tasks in the alert fatigue. At some point of time we kind of came up with this idea or notion of security orchestration, automation and response systems that came out five, six, ten years ago and we started automating all of those predefined processes and tasks and we thought, and so did I, that that is going to solve all of my pain points, my difficulty in scaling security operations, operation SecOps operations and so on also would solve a lot of the inconsistencies in executions across teams and across personnel. Both of the on the L1 and L2 and L3 positions. And the last it did not. It did not because there were still complexities, it was still hard. Regardless of how much we were able to automate, even end to end automation, we still ended up having a lot of these alerts that were that needed manual investigation by analysts to make a decision. And this is where the Gentiq kind of came out and helped us solve a lot of those issues. So about a year ago we started investing a lot in building those those agents and when they say we it's not we as as as in cyber proof we see that across the board, all security operations centers, all MDR vendors and mainly the hyperscalers, the Microsoft of the world, the Google, Palo Alto, et cetera, they started providing the infrastructure that allowed us to really make this change towards energentic soc.

B (15:32)

Well, for folks who aren't familiar with the whole notion of an Agentix SoC, how do you describe it?

C (15:38)

So Agentic SoC, if I look towards 2027, that would be fully autonomous security operations center that will take care end to the security life cycle of an alert driven by AI. It will have an agent to agent autonomy that will seamlessly detect, investigate, triage, respond, and as new attacks would be coming out, it will automatically be able to detect when there are gaps and start closing the loop of those gaps in the MITRE framework, for example, automatically by just having a human verifying the actual new rule that is going to be implemented and that fully autonomous SOC will be able to provide services. But that's in the future. Today I think most organizations are around the semi autonomous SOCs, but in high level this is how I would envision it working.

B (16:46)

And what kinds of agentic behaviors do you think are going to be the most impactful?

C (16:51)

The holy grail is to get to that fully autonomous. Which means that we need to build the agents for our MDR that would replace our SoC, L1, L2, maybe even to some extent L3. Although I do believe that we always would need those experts being part of our security operations center. And therefore I don't really believe that we'll ever be able to remove the full manual SoC. There will always be a human in the loop. But to your question about which of the of the functions would would benefit most from becoming agentic? It's definitely the, the, the repetitive tasks of L1s and L2s as well as around threat intelligence. Everything to do with gathering threat intelligence, mapping those threat intelligence to specific TTPs, then understanding how those TTPs are being mapped to MITRE to understand is my organization really protected? Those are the things that would be impactful the most first and it would provide the highest value once, once they are fully agentized.

B (18:12)

How do you suppose this is going to change the role of the analyst? Do you imagine that they'll trust the agentic outputs right away or might there be a learning curve to develop that confidence?

C (18:26)

We already see the effect of agents being deployed in production and how analysts interact with those engines. The short answer? I believe that our analysts will become much more consultants to our customers rather than having to do a lot of the analytics work that they do today. And instead of doing that, they will become the trusted advisor that will help customers understand the output of the agentic analysis. So that's, that's one area. Another area, they will be the ones that will be developing New agents, they are the SMEs, they are the subject matter experts on threat intelligence, they are the subject matter experts on detection engineering, subject matter experts on a vulnerability management. And therefore they are the ones that can turn their knowledge into agents that can then help our customers. So they will eventually become the developers of these new agents. And then managing those agents or orchestrating those agents will become part of what the security operations center is responsible of being that the L3s or L2s. That's still to be seen.

B (19:50)

What sort of safeguards are essential to prevent these agentic systems from overstepping their bounds or making unsafe assumptions, things like that.

C (20:00)

I would divide it into two of these areas. One around the unsafe assumptions and the second the boundaries around what data they're allowed to see use utilize in order to make their decisions. So on the first one, if we. This is kind of what these are kind of the best practices that we have put in place today. Any agent that we are deploying has or inherits the least privileged access of either the analyst that is executing it, or the environment that it is executed on, or the specific applications that it is allowed to use. This way we're making sure that we do not, or we never basically confuse or misuse data from different customers or even different analysts, or even different subject matter experts from, from different teams within the same. Within the same agent or within the same execution of an agent, each of them is kind of working separately and processing that the data separately. We also have human in the loop that is verifying the output of those agents depending on how critical it is and how real time it is. We made the decision of whether this human in the loop will be in between passing the information between agents. So during the runtime or the execution time, or some of it is just oversight. After the agent had completed its work and we are verifying in hindsight whether there are any issues.

B (21:51)

What's your advice for organizations who are just getting started here? They're considering their own agentic transformation journey. How should they begin?

C (22:00)

I would start with making sure that you recruited the right team that knows how to architect, develop and secure the work of these, of the agents that you're planning. And I'm not talking only about security agents or agents that's supposed to be part of your security operations or IT management, but also for your own business operations. Some of the things that we had to build basically for sake of our customers that wanted our help in building these kind of agents, is an environment that would allow us to test different models for different business applications and for different, for different needs. And this is kind of the second recommendation. Make sure that you're able to, that you build a complex environment that would allow you the flexibility of testing different models. One, it will save a lot of money down the road because different models have different costing schemas and secondly, because they really provide different results and for different tasks. We see that we need different types of AI models. So that really helps us. Another option is just find someone that have already built these kind of agents and consult. When we started, we actually consulted quite a lot with organizations that have already built a complex, complex systems because we wanted to try and succeed already on the first run, by the way, we didn't. It took time until we build agents that can, that can have the right agent to agent communication. And that's before building mcp, that's before having our own databases that our agents can use and so on. So it was a very complex, lengthy process. So get a team that have already done that before.

B (24:07)

Can you give us some examples of the types of agents that you're seeing success with the things that are functioning within the soc?

C (24:16)

Yes, of course. So we need to understand that within the Security Operations center we have both agents that are dedicated only to the SOC operations as well as agents that were built as part of our MVR MSSP across different functions that are then being taken advantage of by our orchestrator or our MDR agent. Whether it's the threat profiler that is part of our CTI threat intelligence family of agent that builds threat profiles using threat intelligence data sources, prioritizes relevant campaigns, actors and techniques and that itself can then be used by the gap guard who is mapping basically to Miter all of these ttps, trying to understand whether there are any gaps in detection. It can also be used by the threat hunting that can aggregate all of this data and build automatically or even gather from open source different rules that can be then deployed back into the siem. The use case management or detection engineering that can automatically find gaps within MITRE and already suggest new rules and so on. All of these agents that were built separately but with clear vision of how agentic SOC should be working down the line are being orchestrated by an MDR agent. And from what I see in the market, this is kind of the approach that many in the market believe in. That MDR source or agentic socks down the line would allow different customers to deploy different use cases and start controlling their budget based on the specific use cases that are relevant for their security controls. For their crown jewels rather than always having the same MDR service. Kind of fits all. And it's not a cookie cutter. Every business needs their own type of mdr. In the past we had to build cookie cutters because that was the only way to sell. Today we can offer customers, and customers are expecting to have a much more flexible agentic service.

B (26:41)

That's Duron Davidson from Cyberproof Israel.

A (26:56)

So good, so good, so good. Score holiday gifts Everyone wants for way less at your Nordstrom Rack store. Save on Ugg, Nike, Rag and Bone, Vince Frame, Kurt Geiger, London and more.

B (27:09)

Because there's always something new.

C (27:10)

I'm giving all the gifts this year with that extra 5% off when I.

A (27:14)

Use my Nordstrom credit card. Santa hood join the NordicLub at Nordstrom Rack to unlock our best deals. It's easy. Big gifts, big perks. That's why you rack this message may be shocking to many millennials. If you are one, you might want to sit down. Right now, loads of people are searching the following on low rise jeans, halter top, velour tracksuit, puka shell necklace, disc belt. You likely place these in the dark of your closet in 2004, never to be seen again. But if you can find it in yourself to dust them off, there are a lot of people who will give you money for them. Sell on Depop, where taste recognizes taste.

B (28:03)

And finally, for a hopeful moment, it seemed possible that the AI boom might be solved with a wrench, some fresh paint, and and a reassuring pat on the server rack. After all, data centers have been around for decades. Surely they could just be upgraded. Experts, unfortunately, have met this optimism with laughter of the professional, deeply tired variety. The issue is not software, it's gravity. AI racks now tip the scales at up to 5,000 pounds, roughly equivalent to parking a compact car where a filing cabinet used to be. Floors crack, elevators groan and doorways revolt. These racks are crammed with GPUs, memory, liquid cooling systems, and power delivery hardware that legacy data centers were never designed to tolerate. As AI gulps down compute, big tech keeps building bigger facilities, while older data centers quietly carry on storing ordinary non AI data. The future is shiny and heavy. The past still needs a place to sit, And that's the Cyber Wire. For links to all the of today's stories, check out our daily briefing at TheCyberWire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show. Please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K senior producer is Alice Co Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.