The Role of Data Insights in Security

Summary

Data insights play a crucial role in security by turning complex information into clear patterns, allowing organizations to spot threats, prevent breaches, and make informed decisions about protecting sensitive assets. In simple terms, using data helps security teams see risks sooner, respond faster, and build trust in the technology and processes defending their organizations.

  • Bridge skill gaps: Encourage collaboration between data experts and security teams to ensure both sides understand how information is used and protected, closing the gap between technology and real-world threats.
  • Monitor everywhere: Build visibility into all systems, from cloud platforms to local AI deployments, so you can identify vulnerabilities wherever they might appear—not just in the most obvious places.
  • Act on real threats: Use clear, visual tools and up-to-date intelligence to focus on the patterns and alerts that truly matter, making it easier to prioritize action and prevent incidents before they happen.
Summarized by AI based on LinkedIn member posts
  • The most revealing insight in the 2025 Verizon Data Breach Investigations Report isn't what it says about AI security—it's what it doesn't say.

    The report documents that 15% of employees routinely access commercial GenAI platforms, with 72% using non-corporate emails and 17% using corporate emails without proper authentication. It shows synthetic text in malicious emails doubling over two years. It reveals third-party involvement in breaches exploding from 15% to 30%. But scan all 104 pages for insights on security incidents involving locally-deployed AI systems, and you'll find... nothing. It's all about cloud AI.

    This is our current AI security reality: visibility into cloud AI risks but a complete blind spot for local AI deployments. Not because these systems are inherently more secure, but because we haven't built the monitoring capabilities and expertise to detect and report on these incidents.

    The DBIR shows exploitation of vulnerabilities as an initial access vector grew 34% to reach 20% of breaches. Without proper monitoring of local AI systems:

    💥 How will you detect similar exploitation patterns in your internal AI deployments?
    💥 What visibility do you have into the 46% of non-managed devices with corporate logins that the report identified as particularly vulnerable?
    💥 How will you assess whether your local AI systems face the same authentication weaknesses documented in cloud platforms?

    Perhaps most critically, the monitoring gap reveals a skills gap. The security leaders who will thrive in the coming years are already building teams that can:

    💥 Develop detection and monitoring capabilities for AI systems regardless of deployment model
    💥 Apply the DBIR's lessons on credential security (credential theft present in 54% of ransomware victims) to all AI deployments
    💥 Translate cloud AI security learnings to local environments and vice versa

    Forward-thinking Australian security leaders can address this monitoring asymmetry by:

    💥 Developing consistent visibility across all AI deployments
    💥 Creating security architectures that apply AI security lessons and BPs across deployment models
    💥 Building teams with cross-domain expertise in AI security
    💥 Sharing intelligence to create industry-wide visibility into the current blind spot

    The DBIR's silence on local AI security isn't a reason for complacency—it's a call to action. Local AI deployments have tremendous value, not to mention no vendor lock-in and building your team's capabilities and talent. You might not think you need an AI security strategy today, but by the time next year rolls around, you'll need to have a compelling narrative about why you don't.

    #AISecurityStrategy #DBIR2025 #SecurityIntelligence #TalentDevelopment

  • Your security team is looking at the wrong picture. Graphs reveal what matters.

    I spent years working with security and incident response teams. I saw how spreadsheets and tables hide the patterns attackers exploit. We needed graphs to connect the dots.

    Here's how graphs transform how your security team works:

    🎯 Threat Intelligence
      • Map attack infrastructure in real-time
      • Connect seemingly random events
      • Spot coordinated campaigns instantly

    💻 Vulnerability Management
      • See exposed critical systems at a glance
      • Prioritize patches by actual risk
      • Track exposure across your infrastructure

    🔍 Insider Threat
      • Catch unusual access before data leaves
      • Map sensitive data exposure
      • Spot risky privilege combinations

    🛡️ SIEM Enhancement
      • Add context to every alert
      • Automate impact analysis
      • Focus on real threats, not noise

    👥 Identity & Access
      • Find dangerous privilege paths
      • Stop credential abuse
      • Block lateral movement

    ⚡ Incident Response
      • Map every compromised asset
      • Contain threats precisely
      • Recover with full visibility

    This is why at data² we built the reView platform on a foundation of graphs. The difference between winning and losing? Seeing the full picture.

    ♻️ Know someone who needs to connect the dots in security data? Share this post.
    🔔 Follow me Daniel Bukowski for daily insights about graphs + AI.

  • Sarah Levy

    Co-Founder & CEO of Euno: Automated Context for AI

    Security Teams + Data Teams: The Perfect Match For years, we’ve treated security and data governance as separate domains. Security teams defend the perimeter. Data teams organize, curate, and enable analytics. Rarely do you picture them working hand in hand. But this partnership may be the most untapped opportunity in the modern data stack. Once you see it, you can’t unsee it. Unused data assets are a liability. Forgotten dashboards, abandoned reports, and stale data products aren’t just clutter. They’re potential security breaches waiting to happen. If no one owns them, no one is deprecating them. And too often, they remain connected to sensitive warehouse tables long after their business value has expired. That’s where metadata intelligence changes the game. By leveraging the metadata you already have (column-level lineage, usage, semantics, ownership, and code) you can identify which assets are truly driving value and which are forgotten but still wired into sensitive systems. That visibility makes critical decluttering simple and effective. And metadata intelligence goes beyond cleaning house. It can create sensitivity signals that bridge data and security concerns. Think alerts when a sensitive report stops being used. Or push notifications when unused assets remain connected to critical data. All to ensure a fast response. This isn’t about perfecting your data. Business logic will always evolve, that’s what keeps organizations moving forward. The point is to give business teams the freedom to innovate in their favorite tools, while ensuring that security and data leaders can always see what’s being created and intervene the moment sensitive data is at risk. *** How closely do your data and security teams collaborate on governance today? Tell me if this resonates?
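
The check this post describes (unused assets that are still wired to sensitive warehouse tables), as an added example that is not part of the original post or any vendor's code. The asset names, metadata fields, reference date and 90-day idle threshold are all assumptions made up for illustration.

```python
from datetime import date

# Constructed metadata. Lineage edges point from an asset to what it reads from.
LINEAGE = {
    "dash_exec_revenue": ["model_revenue"],
    "dash_old_churn": ["model_churn"],
    "report_hr_comp": ["model_hr"],
    "model_revenue": ["wh.orders"],
    "model_churn": ["wh.customers_pii", "wh.orders"],
    "model_hr": ["wh.salaries"],
}
SENSITIVE_TABLES = {"wh.customers_pii", "wh.salaries"}
ASSETS = {
    "dash_exec_revenue": {"owner": "finance", "last_used": date(2025, 6, 20)},
    "dash_old_churn": {"owner": None, "last_used": date(2024, 11, 2)},
    "report_hr_comp": {"owner": "people-ops", "last_used": date(2025, 1, 15)},
}
TODAY = date(2025, 7, 1)  # fixed reference date so the result is reproducible


def upstream_tables(asset, lineage):
    """Return every source with no further upstream, reachable from `asset`."""
    seen, stack, leaves = set(), [asset], set()
    while stack:
        node = stack.pop()
        if node in seen:  # guards against cycles in hand-maintained lineage
            continue
        seen.add(node)
        parents = lineage.get(node)
        if parents:
            stack.extend(parents)
        else:
            leaves.add(node)
    return leaves


def stale_sensitive_assets(assets, lineage, sensitive, today, max_idle_days=90):
    """Flag assets idle longer than the threshold that still reach sensitive data."""
    findings = []
    for name, meta in assets.items():
        idle = (today - meta["last_used"]).days
        exposed = upstream_tables(name, lineage) & sensitive
        if idle > max_idle_days and exposed:
            findings.append({
                "asset": name,
                "idle_days": idle,
                "sensitive_sources": sorted(exposed),
                "orphaned": meta["owner"] is None,
            })
    # Ownerless assets first (nobody will deprecate them), then longest idle.
    findings.sort(key=lambda f: (not f["orphaned"], -f["idle_days"]))
    return findings
```

Column-level lineage would replace the table-level edges here with finer-grained ones; the traversal and the idle/ownership test stay the same.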

  • Cory Siskind

    CEO of Base Operations

    A break-in happened near an executive's home. For most security teams, that's when the scramble begins. For Expedia's Risk Intelligence team, it became proof their approach works. Ken White and his team at Expedia were supporting security design for a new executive residence when a nearby high-net-worth burglary hit close to home. Instead of reacting, they pulled threat data from Base Operations. Within 30 minutes, they identified a cluster of residential burglaries within a half mile of the property. Intelligence that would have taken 5 hours to compile manually. That data went straight to the security integrators. It directly informed:  • Glass break sensors on upper floors (missed in the original design)  • Enhanced perimeter gate access control  • Reinforced window glass The result was no incidents and zero post-installation redesigns because security measures were validated by actual crime data. Ken put it best: "Nearby residential burglaries could have been a wake-up call too late. Instead, it became an opportunity to demonstrate the value of data-driven security planning." This is what proactive security looks like. Not waiting for incidents to dictate your response, but using threat intelligence to inform decisions before something goes wrong. Read the full case study: https://lnkd.in/eJAFqxPH

  • Ozan Unlu

    Observability for the AI Era

    As digital footprints expand and cyber threats become more sophisticated, organizations must adopt robust security data pipelines to ensure they are well-equipped to identify, understand, and mitigate risks effectively. A strong data foundation is not just beneficial for cybersecurity at scale; it's essential to ensure these downstream security platforms have the performant underlying queries to give the visibility required. The goal is to create a seamless flow of information that is both actionable and comprehensive, enabling security teams to react swiftly and decisively. 👉 Comprehensive Visibility: At its core, cybersecurity is about visibility. Without a complete view of what's happening across all systems and networks, security teams are blind to the actions of potential threat actors. A strong data foundation built through well-designed security data pipelines ensures that all relevant data is captured, normalized, and made readily available for analysis. This visibility is crucial for detecting correlated signs of compromise that could otherwise go unnoticed until it’s too late. 👉 Scalability: Cybersecurity threats evolve rapidly, and so too must the defenses. Security data pipelines facilitate scalability by automating data ingestion and analysis. As data volumes grow, these pipelines ensure data gets where it needs to go, in the format it needs to be, processing vast quantities of information efficiently. This scalability ensures that security measures can keep pace with expanding network perimeters and increasingly sophisticated attacks. 👉 Speed and Precision in Threat Detection and Response: In cybersecurity, speed is of the essence. The faster a potential threat can be identified and mitigated, the less damage it can do. Security data pipelines accelerate the detection process by leveraging advanced analytics, machine learning, and artificial intelligence to sift through mountains of data in real-time. 
They enable precise threat detection by correlating disparate data points, highlighting anomalies, and suggesting actionable insights. 👉 Regulatory Compliance and Risk Management: With increasing regulatory demands around data privacy and security, organizations must ensure they have robust mechanisms in place to protect sensitive information. A strong data foundation allows for the enforcement of compliance policies automatically. Being able to securely and efficiently get all your data to S3 or equivalent object storage, then rehydrate that data into SIEMs as needed, is extremely valuable. #otel #ocsf #securitypipelines #telemetrypipelines #siem Edge Delta #cybersecurity #security #splunk #crowdstrike #sentinel

  • Mandy Andress

    CISO | Investor | Board Member | Advancing the Future of Innovation in Cybersecurity

    AI and data are changing how we protect our organizations, and there are some smart ways CISOs can make the most of these tools. First, machine learning helps spot unusual behavior by analyzing tons of data in real time—things like odd login times or unexpected scripts running. Yet, models need to keep learning, so regularly updating them with new info and analyst feedback is key. Bringing data scientists into security teams can really sharpen threat detection by tailoring insights to your specific setup. Plus, custom AI models can help hunt threats, spot vulnerabilities, and even flag AI-generated attacks. Transparency is important too. Explainable AI helps everyone understand why a system flags something, building trust and better decisions. At the end of the day, close teamwork between security pros and data experts makes all the difference. #AI #MachineLearning #Cybersecurity #CISO

  • Richard Stiennon

    Need data on the cybersecurity industry? Talk to me.

    If nothing else the last three months have shown that the pace of change is accelerating. 417 AI Security vendors, with new ones launching every day. The industry is shifting fast. Threat actors are adapting AI. New vulnerabilities can now be discovered and exploited in hours by machines. The only way to keep up is to dive into the numbers. Analyzing industry data reveals trends nobody else sees. It shows where the attacks are headed, what new tools are gaining ground, and which threats are fading. For example, data from recent breaches shows a sharp rise in supply chain attacks. Not a surprise if you look at the pattern. Or how ransomware tactics have evolved over months, not years. If you want to make smarter decisions, you need to look at the data behind the headlines. Because gut feeling isn't enough anymore. It's data that tells you what the industry will look like tomorrow. Are you using data analysis to spot shifts early? Or just reacting to crises? Start digging deeper. The trends are hiding in plain sight. Stop guessing. Start knowing. Your next move depends on it.

  • Happy 4th to all, and a few thoughts before the holiday 🎉

    Most security teams don’t struggle to detect threats - they struggle to understand them fast enough to act. That’s where data enrichment becomes essential.

    In a typical SOC, analysts are inundated with logs, alerts, and event notifications. But raw data alone rarely tells the full story. Without context - who triggered the alert, what system was affected, whether it’s tied to a known threat - every alert becomes a manual investigation. Enrichment bridges that gap by layering critical context onto raw signals, helping teams move from noise to insight in seconds instead of hours.

    Data enrichment enhances raw security signals - logs, alerts, and incident reports - with context from internal and external sources. This includes threat intelligence, geolocation, asset inventories, vulnerability data, and user profiles. By enriching alerts, analysts gain a clearer picture of the “who, what, where, and how” behind an event, accelerating triage and response. For example, an IDS (Intrusion Detection System) alert showing traffic from an unfamiliar IP isn’t actionable without knowing if it’s a known threat, a customer, or part of a botnet.

    HOW DOES ENRICHMENT ACCELERATE RESPONSE?

    ⬛ Prioritization: Enriched data highlights critical assets, known threat actors, and unusual access patterns - helping analysts focus on what matters most.
    ⬛ Faster, Confident Decisions: Analysts can view full incident context in one place instead of jumping between tools, streamlining investigation and reducing uncertainty.
    ⬛ Supports Automation: Enriched alerts power SOAR playbooks, enabling automatic actions like isolating endpoints when a threat is confirmed.

    REDUCING ALERT FATIGUE

    Alert fatigue is a major operational issue. Analysts spend an average of 2.7 hours per day manually triaging alerts - with 27% spending more than 4 hours daily. This manual load slows detection and burns out teams. Enrichment helps by eliminating repetitive lookups and surfacing actionable insights early in the process.

    WHERE DOES ENRICHMENT COME FROM?

    Effective enrichment draws from:

    - Threat Intelligence Feeds (malicious IPs, domains, hashes)
    - Geolocation Data (IP origin, risk regions)
    - Asset Inventories (importance, ownership, patch level)
    - Vulnerability Databases (CVEs, exploitability)
    - User and Entity Behavior (roles, baseline activity)

    This context turns isolated alerts into actionable intelligence.

    FINAL THOUGHTS

    Speed matters in security. In a modern SOC, enrichment isn’t just a best practice - it’s an essential part of a modern cybersecurity strategy.

    👉 I’d love to hear - how much has enrichment reduced triage and investigation time for your team?
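
The enrichment step described in this post, as an added example that is not part of the original post: raw IDS-style alerts get source classification (known threat, customer, unknown) and asset context layered on, then a triage priority. The feed entries, hosts, scoring weights and priority cut-offs are constructed assumptions; addresses come from the documentation ranges.

```python
import ipaddress

# Constructed context sources standing in for a threat feed, a customer list
# and an asset inventory.
THREAT_INTEL = {ipaddress.ip_network("203.0.113.0/28"): "botnet-c2 (constructed)"}
KNOWN_CUSTOMERS = [ipaddress.ip_network("198.51.100.0/24")]
ASSETS = {
    "10.0.5.20": {"host": "pay-db-01", "criticality": "high",
                  "owner": "payments", "unpatched_cves": 2},
    "10.0.9.7": {"host": "kiosk-14", "criticality": "low",
                 "owner": "facilities", "unpatched_cves": 0},
}
RAW_ALERTS = [  # constructed sample alerts
    {"id": 1, "sig": "Inbound from unfamiliar IP", "src_ip": "198.51.100.23", "dst_ip": "10.0.9.7"},
    {"id": 2, "sig": "Inbound from unfamiliar IP", "src_ip": "203.0.113.9", "dst_ip": "10.0.5.20"},
    {"id": 3, "sig": "Inbound from unfamiliar IP", "src_ip": "192.0.2.77", "dst_ip": "10.0.7.1"},
]


def classify_source(ip):
    """Answer 'known threat, customer, or unknown?' for a source address."""
    addr = ipaddress.ip_address(ip)
    for net, label in THREAT_INTEL.items():
        if addr in net:
            return "known_threat", label
    if any(addr in net for net in KNOWN_CUSTOMERS):
        return "customer", None
    return "unknown", None


def enrich(alert):
    """Return a copy of the alert with context and a triage priority attached."""
    src_class, intel = classify_source(alert["src_ip"])
    asset = ASSETS.get(alert["dst_ip"])  # None when the inventory has a gap
    score = {"known_threat": 50, "unknown": 20, "customer": 0}[src_class]
    if asset:
        score += {"high": 40, "medium": 20, "low": 5}[asset["criticality"]]
        score += min(asset["unpatched_cves"], 2) * 5
    else:
        score += 20  # an uninventoried target is a risk signal, not a safe default
    priority = "P1" if score >= 80 else "P2" if score >= 40 else "P3"
    return {**alert, "src_class": src_class, "intel": intel,
            "asset": asset, "score": score, "priority": priority}


def triage(alerts):
    """Enrich every alert and order the queue by descending score."""
    return sorted((enrich(a) for a in alerts), key=lambda a: -a["score"])
```

All three raw alerts carry the same signature; only the added context separates the one that needs attention first from the one that can wait.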

  • Matthew Chiodi

    CSO at Cerby | former Chief Security Officer, PANW

    Ever wonder why your data security strategy isn’t working? Here’s why and five ways you can eliminate your data visibility risk. Cloud and AI have shattered the illusion of control. Data is copied, shared, and moved across environments at a speed legacy tools simply can’t track. Visibility gaps aren’t just an inconvenience but a massive security liability. Here’s the hard truth: ✅ You can’t protect what you can’t see. ✅ Data classification by outdated RegEx rules? It’s not enough. ✅ Tracking access without understanding entitlement chains? That’s a blind spot. ✅ Traditional security tools without context? That’s security theater. Organizations need a no-gap data visibility approach—one that: 🔹 Finds ALL your data across clouds, SaaS, and on-prem environments. 🔹 Understands your data in real business context (not just surface-level labels). 🔹 Tracks data movement to detect unauthorized copies or leaks. 🔹 Maps data flows and access to pinpoint weak points before attackers do. 🔹 Uses AI-driven insights to prioritize risks and accelerate response. Security teams are already stretched thin—why make their job harder with blind spots? The future of data security isn’t about more tools; it’s about better visibility. How is your organization addressing its data visibility gaps? #DataSecurity #CloudSecurity #AI #RiskManagement #CyberSecurity #DataVisibility
