
Presented by Splunk
AI has changed the economics of cyber deception.
An attacker can now generate thousands of convincing phishing lures, fake identities, and custom pretexts before a defender completes a single change control cycle. That’s the new security challenge: deception has become faster and cheaper, while verification has not.
Much of the debate about AI for defense focuses on detection models. Detection is important, but it is not the only obstacle. The most profound limitation is evidence: where the data resides, whether it is available when needed, how quickly it can be correlated, how long it is retained, and whether analysts or agents can trust what they recover.
Defense in the age of AI is a data problem before a detection problem.
The defender’s advantage is the truth.
Attackers can afford to lie on an enterprise scale. They can try infinite combinations of messages, identities, domains, and attack paths, and most can fail at almost no cost.
Defenders don’t have that luxury. Their advantage is the truth: quickly knowing what happened, where, when, what identity was involved, what assets were affected, what changed, and what business process may be at risk.
That truth must be documented, governed, auditable and defensible. Attackers use AI to expand deception, spoofing, social engineering, and speed. Defenders need AI to scale verification.
The goal is not just to act faster than the attacker. It’s about taking measures that people and machines can trust.
Fragmented data breaks modern defense
Consider a suspicious login from a contractor’s account. On its own, it’s just another authentication anomaly. To know if it matters, a security team may need identity history, endpoint activity, cloud access logs, ticketing logs, asset ownership, configuration changes, network telemetry, and business context.
If those records are in different tools, expire at different times, or require multiple teams to retrieve them, defenders are not investigating the incident. They are wrestling with their own data estate.
When signals can be found and correlated quickly, the question is no longer just whether the login looks unusual. It is whether the company has enough evidence, in enough context, to take an action it can defend.
That challenge becomes more urgent with AI assistants and agents. AI can only reason about what it can recover in time for it to matter. If data is partial, outdated, fragmented, unavailable, or lacking context, AI does not create the truth. It accelerates uncertainty.
The system of record must become a defensive control plane
For years, companies treated security platforms, SIEMs, and data lakes as passive repositories: places to store data for later search and analysis. That model is no longer sufficient.
What organizations need now is a defensive control plane: a layer that connects what happened, what it means, and what the company can do about it. Architecturally, it links raw machine data, business context, and policy. It is not limited to storing evidence. It makes evidence usable for decisions and actions that must be explainable and reliable.
In practice, that means doing four things well: preserving evidence, reaching data wherever it lives, adding business context, and governing action. More on each below.
The old system of record answered one question: What is the official record?
A defensive control plane answers the questions that matter operationally: What happened? What does it mean? What evidence supports that conclusion? And what action can we trust?
AI does not reduce the need for authoritative records. It raises the bar for what those records should do.
A defensive control plane must do four things
- Preserve the evidence. Logs, metrics, traces, events, identity logs, configuration changes, tickets, and asset status help establish what happened. Their value often becomes clear only after an incident begins.
- Make data accessible wherever it is located. Security-relevant data is already distributed across object stores, cloud platforms, operational tools, and business systems. Moving every byte to one place is often too slow, too expensive, and too unwieldy. The better model is to bring analysis to the data.
- Add business context. Correlating machine data with business information turns “anomaly on host That’s what allows organizations to prioritize correctly.
- Govern the action. In the age of AI agents, systems will do more than summarize incidents. They will enrich alerts, open cases, activate workflows, isolate assets, update policies, and escalate decisions. Companies need to know what evidence an agent used, what policy governed the action, whether it stayed within scope, and how the decision can be reviewed later.
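As an added illustration (not code from the article, from Splunk, or from Cisco), the following Python sketch works through the third and fourth points for the contractor-login case described earlier: a raw login event is enriched with identity history, asset ownership, and change-ticket context, then a hypothetical policy decides whether an agent may act on its own or must escalate, and the resulting record keeps the evidence hash, policy id, and scope check so the decision can be reviewed later. All data stores, identifiers, and the policy are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample stores standing in for the fragmented sources the text lists
# (identity history, asset ownership, change tickets); every value is invented.
IDENTITY_HISTORY = {"contractor-42": {"usual_countries": ["US"], "mfa_enrolled": True}}
ASSET_OWNERSHIP = {"srv-payroll-01": {"owner": "finance", "criticality": "high"}}
CHANGE_TICKETS = [{"id": "CHG-1001", "user": "contractor-42", "host": "srv-payroll-01",
                   "start": "2025-03-01T00:00:00Z", "end": "2025-03-01T04:00:00Z"}]
# Hypothetical policy: an agent may contain assets up to "medium" criticality on its
# own; anything above that is escalated to a human with the same evidence attached.
POLICY = {"id": "POL-RESP-07", "auto_contain_max": "medium"}
RANK = {"low": 0, "medium": 1, "high": 2}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def enrich(login):
    """Attach identity, asset and change-ticket context to a raw login event."""
    ident = IDENTITY_HISTORY.get(login["user"], {})
    asset = ASSET_OWNERSHIP.get(login["host"], {"owner": "unknown", "criticality": "high"})
    t = _ts(login["time"])
    approved = [c["id"] for c in CHANGE_TICKETS
                if c["user"] == login["user"] and c["host"] == login["host"]
                and _ts(c["start"]) <= t <= _ts(c["end"])]
    return {
        "unusual_geo": login["country"] not in ident.get("usual_countries", []),
        "criticality": asset["criticality"],
        "approved_changes": approved,
    }


def govern(login, ctx, policy=POLICY):
    """Choose an action and record the evidence, policy and scope check behind it."""
    risky = ctx["unusual_geo"] and not ctx["approved_changes"]
    wanted = "contain_host" if risky else "open_case"
    # Containment is only in scope for the agent below the policy's criticality ceiling.
    in_scope = wanted == "open_case" or RANK[ctx["criticality"]] <= RANK[policy["auto_contain_max"]]
    evidence = json.dumps({"event": login, "context": ctx}, sort_keys=True)
    return {
        "action": wanted if in_scope else "escalate_to_human",
        "in_scope": in_scope,
        "policy": policy["id"],
        "evidence_sha256": hashlib.sha256(evidence.encode()).hexdigest(),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
    }
```

Calling `govern(ev, enrich(ev))` on a constructed login from an unusual country, outside any approved change window and against a high-criticality host, yields an `escalate_to_human` record; the same login inside the CHG-1001 window yields `open_case`.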
The real problem of the SOC is not the lack of data
Modern SOCs do not suffer from lack of data. They suffer from a lack of usable context.
According to the Splunk State of Security 2025 report, SOC analysts continue to struggle with too many alerts (59%), too many false positives (55%), and alerts that lack context (46%). The problem is not the volume of data. It is the difficulty of converting fragmented signals into reliable decisions.
Today, analysts are forced to manually stitch together context, pivot between disconnected tools, and make high-stakes decisions without getting the full picture in time. Even when AI improves, results still depend on whether humans are willing to approve changes in fragmented environments.
This creates a daily crisis of context. Teams are forced to make important decisions based on data they can’t easily see, correlate, or trust. The result is latency, inconsistency, missed opportunities, and unnecessary risks.
Reliable action is the lasting advantage
A data fabric architecture offers a way forward by creating a unified, intelligent layer between data sources spanning SecOps, ITOps, and NetOps. The goal is not centralization for its own sake. It’s about breaking down silos and delivering context-rich information at the speed that AI-powered operations require.
This is an operating model before it is a product. AI-powered defense depends on a foundation that can preserve evidence, reach data where it is, add context, and maintain a reviewable link between data, decision, and action. That’s the architectural shift behind Cisco Data Fabric powered by the Splunk platform, which brings together machine data, federation, business context, governance, and provenance to help teams move from signal to trusted action.
Attackers will continue to make deception cheaper, faster, and more personalized. Defenders don’t win that race by making more noise. They win by making the truth faster and by basing every action on evidence that people and machines can trust.
Learn more about the Cisco Data Fabric powered by the Splunk platform.
Seth Brickman is Vice President of Global Product – Splunk Platform, Cisco.
Sponsored articles are content produced by a company that pays to publish or has a business relationship with VentureBeat, and are always clearly marked. For more information, contact sales@venturebeat.com.