Presented by Splunk
The advent of AI has significantly altered the landscape of cyber deception. Attackers are now able to produce countless realistic phishing schemes, fake identities, and custom pretexts in the time it takes defenders to execute a single change-control cycle. This shift presents a new security dilemma: while deception has become quicker and less costly, the process of verification remains unchanged.
Discussions on AI in defense often focus on detection models. While detection is important, it is not the sole obstacle. The greater challenge lies in handling evidence: determining where data resides, its availability, the speed of correlation, duration of retention, and the reliability of data retrieved by analysts or agents.
In the era of AI, defense is fundamentally a data issue before it is a detection issue.
The defender’s advantage is truth
Attackers can experiment with various messages, identities, domains, and attack vectors, with most attempts failing at minimal cost. In contrast, defenders rely on truth: swiftly identifying what transpired, where and when it happened, the identities and assets involved, changes made, and potential business risks.
This truth must be thoroughly documented, governed, auditable, and defensible. As attackers leverage AI to enhance deception and speed, defenders must use AI to enhance verification. The aim is not merely to outpace attackers but to ensure actions are trustworthy for both humans and machines.
Fragmented data undermines modern defense
Consider a suspicious login from a contractor account. Alone, it’s just an authentication anomaly. To assess its significance, security teams might need details like identity history, endpoint activity, cloud access logs, ticketing records, asset ownership, configuration changes, network telemetry, and business context.
If these records are scattered across various tools, expire at different intervals, or require multiple teams to access, defenders end up negotiating with their own data rather than investigating. When signals are accessible and correlated promptly, the question shifts from the anomaly’s appearance to whether there is sufficient evidence and context for defensible action.
This issue becomes more urgent with AI assistants and agents, which can only analyze data that is timely and complete. Fragmented, outdated, or context-lacking data leads AI to accelerate uncertainty rather than establish truth.
The system of record must evolve into a defensive control plane
Traditionally, enterprises viewed security platforms, SIEMs, and data lakes as passive data repositories for future analysis. This approach is no longer sufficient. Organizations need a defensive control plane that links events to their implications and permissible actions. Architecturally, this integrates raw data, business context, and policy, making evidence actionable and reliable.
Implementing this involves four key actions: preserving evidence, making data accessible, adding business context, and governing actions. The old system addressed the official record. A defensive control plane addresses operational questions: What occurred? What does it signify? What evidence supports the conclusion? What actions are trustworthy?
AI increases the demand for authoritative records and raises the standard for what those records must be able to do.
A defensive control plane must do four things
- Preserve evidence. Logs, metrics, traces, events, identity records, configuration changes, tickets, and asset states help establish events. Their value often becomes apparent after an incident begins.
- Make data accessible wherever it lives. Security-relevant data is spread across object stores, cloud platforms, operational tools, and business systems. Centralizing all data is often slow, costly, and difficult to govern. Bringing analytics to the data is more effective.
- Add business context. Linking machine data with business information translates “anomaly on host X” into “the system supporting top account payment services is being probed,” allowing for proper prioritization.
- Govern action. In the agentic era, systems will do more than summarize incidents. They will enrich alerts, open cases, trigger workflows, isolate assets, update policies, and escalate decisions. Enterprises need to know what evidence was used, what policy governed the action, whether it stayed within scope, and how the decision can be reviewed afterward.
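As an added example (not code from Splunk, Cisco, or this article) of the four functions listed above and of the contractor-login scenario described earlier, here is a small Python control-plane step: it joins a constructed login anomaly with constructed identity and asset-ownership records, picks an action under an ordered policy whose scope keeps automatic isolation away from tier-1 assets, and returns a reviewable record of the evidence and rule behind the decision. All record ids, hostnames, usernames and policy thresholds are invented for the example.

```python
# Constructed identity records keyed by username (stand-in for an IdM export).
IDENTITY = {
    "ctr-jdoe": {"id": "idm-77", "usual_countries": ["US"], "contract_active": True},
}
# Constructed asset-ownership records keyed by hostname; tier 1 is the most critical.
ASSETS = {
    "pay-api-03": {"id": "cmdb-512", "tier": 1, "service": "top-account payment services"},
    "build-07": {"id": "cmdb-901", "tier": 3, "service": "CI build runner"},
}
# Ordered policy (rule id, action, guard): the first rule whose guard passes wins.
# Automatic isolation is out of scope for tier-1 assets; those are escalated to a human
# with the same evidence attached, which is the "govern action" step of the list above.
POLICY = [
    ("P1", "isolate_host", lambda e: len(e["findings"]) >= 2 and e["tier"] >= 2),
    ("P2", "escalate_to_human", lambda e: len(e["findings"]) >= 2 and e["tier"] == 1),
    ("P3", "open_case", lambda e: len(e["findings"]) >= 1),
    ("P4", "enrich_only", lambda e: True),
]

def enrich(alert: dict) -> dict:
    """Join the raw anomaly with identity and asset context, tracking every record used."""
    evidence = [alert["id"]]          # every record consulted is listed for later review
    findings = []
    ident = IDENTITY.get(alert["user"])
    if ident:
        evidence.append(ident["id"])
        if alert["src_country"] not in ident["usual_countries"]:
            findings.append("login from unusual country")
        if not ident["contract_active"]:
            findings.append("contract no longer active")
    if not alert["mfa"]:
        findings.append("no MFA on login")
    asset = ASSETS.get(alert["host"], {"id": None, "tier": 4, "service": "unknown service"})
    if asset["id"]:
        evidence.append(asset["id"])
    return {"findings": findings, "evidence": evidence,
            "tier": asset["tier"], "service": asset["service"]}

def govern(alert: dict, policy=POLICY) -> dict:
    """Decide an action and emit the reviewable record: evidence, rule, and business meaning."""
    e = enrich(alert)
    rule_id, action = next((rid, act) for rid, act, guard in policy if guard(e))
    summary = f"the system supporting {e['service']} ({alert['host']}) is being probed"
    if e["findings"]:
        summary += ": " + "; ".join(e["findings"])
    return {"action": action, "policy_rule": rule_id,
            "evidence_used": e["evidence"], "summary": summary}

if __name__ == "__main__":
    print(govern({"id": "evt-1001", "user": "ctr-jdoe", "host": "pay-api-03",
                  "src_country": "RO", "mfa": False}))
```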
The real SOC problem is not too little data
Modern Security Operations Centers (SOCs) face not a shortage of data but a lack of usable context. The Splunk State of Security 2025 report highlights that SOC analysts struggle with too many alerts (59%), numerous false positives (55%), and alerts lacking context (46%). The challenge lies in transforming fragmented signals into reliable decisions.
Analysts currently stitch context together manually, moving across disconnected tools and making critical decisions without a complete view in time. Even as AI advances, outcomes depend on human approval across fragmented systems, resulting in delays, inconsistencies, missed opportunities, and increased risk.
Trusted action is the enduring advantage
A data fabric architecture provides a path forward by creating a unified, intelligent layer across data sources in SecOps, ITOps, and NetOps. The goal is not centralization for its own sake but to dismantle silos and deliver context-rich insights at the pace AI-driven operations require.
This model, more than a product, is a foundation for AI-driven defense that preserves evidence, reaches data where it lives, adds context, and maintains a reviewable link between data, decisions, and actions. This architectural shift is embodied in the Cisco Data Fabric powered by the Splunk Platform, integrating machine data, federation, business context, governance, and provenance to help teams transition from signal to trusted action.
As attackers continue to make deception more affordable, faster, and tailored, defenders can succeed by accelerating truth and grounding every action in evidence that is reliable for both people and machines.
Learn more about the Cisco Data Fabric powered by the Splunk Platform.
Seth Brickman is VP, Global Product – Splunk Platform, Cisco.
Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact sales@venturebeat.com.