The RSA Conference SOC, now in its tenth year, has evolved from a closed box doing packet capture and malware analysis into an automated security platform (Splunk Enterprise Security, Cisco XDR and Cisco AI Defense) that handles routine alerts such as "passwords in the clear" without an analyst touching them, so the team can spend its time on the findings that need people: an expense server and a vendor NAS exposed on the show network, and a foreign ISP's misconfigured proxy re-broadcasting its users' traffic in the clear. The lesson the SOC team draws is that automation does not replace the basics: encrypt sensitive communications (email included), join the conference network rather than going unmonitored, and periodically review what you have actually deployed, because a misconfigured security tool can create more exposure than it removes.
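The "passwords in the clear" automation the interview describes is a short detect, dedupe and notify loop: pull the credential out of a cleartext protocol exchange, collapse repeated sightings of the same user against the same server into one case, and send the user the protocol they used and what to replace it with. The Python below is an added worked example written for this page; it is not Splunk, Cisco or RSAC SOC code. The captured flows, hosts, addresses and credentials are constructed, and the port-to-protocol table and the remediation wording are assumptions chosen for the example.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

# Constructed sample flows standing in for what a packet-capture tool hands
# the SOC. Hosts, addresses and credentials are made up for this example.
_BASIC = base64.b64encode(b"alice@example.com:Tr0ub4dor&3").decode()
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "203.0.113.10", "dport": 80,
     "payload": "GET /receipts HTTP/1.1\r\nHost: expenses.example\r\n"
                f"Authorization: Basic {_BASIC}\r\n\r\n"},
    # Same user, same server, second request: must collapse into one case.
    {"src": "10.20.1.15", "dst": "203.0.113.10", "dport": 80,
     "payload": "GET /receipts?page=2 HTTP/1.1\r\nHost: expenses.example\r\n"
                f"Authorization: Basic {_BASIC}\r\n\r\n"},
    {"src": "10.20.1.40", "dst": "203.0.113.22", "dport": 21,
     "payload": "USER booth-nas\r\nPASS hunter2\r\n"},
    {"src": "10.20.1.77", "dst": "203.0.113.30", "dport": 110,
     "payload": "USER bob@example.org\r\nPASS letmein\r\n"},
    # TLS ClientHello on 443: encrypted, so never inspected for credentials.
    {"src": "10.20.1.90", "dst": "203.0.113.40", "dport": 443,
     "payload": "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},
]

# Assumed port-to-protocol table for the cleartext protocols this example
# parses, with the remediation text that goes into the notification.
PROTOCOLS = {
    80: ("HTTP Basic auth", "serve the site or API over HTTPS so the Authorization header is encrypted"),
    21: ("FTP", "replace FTP with SFTP or FTPS"),
    110: ("POP3", "use POP3S (port 995) or IMAPS instead of plain POP3"),
}

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)
USER_PASS_RE = re.compile(r"^USER\s+(\S+)\r?\n(?:.*\r?\n)*?PASS\s+(\S+)", re.M)


@dataclass(frozen=True)
class Finding:
    protocol: str
    username: str
    password: str
    dst: str
    src: str


def extract_cleartext_creds(flows):
    """Return one Finding per credential seen in the clear across the flows."""
    findings = []
    for flow in flows:
        proto = PROTOCOLS.get(flow["dport"])
        if proto is None:
            continue                      # not a cleartext protocol we parse
        name, payload = proto[0], flow["payload"]
        if flow["dport"] == 80:
            for m in BASIC_RE.finditer(payload):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    continue              # malformed header, not a credential
                if ":" not in decoded:
                    continue
                user, pw = decoded.split(":", 1)
                findings.append(Finding(name, user, pw, flow["dst"], flow["src"]))
        else:
            for m in USER_PASS_RE.finditer(payload):
                findings.append(Finding(name, m.group(1), m.group(2), flow["dst"], flow["src"]))
    return findings


def build_notifications(findings):
    """Collapse repeated sightings into one case per (protocol, user, server)
    and build the message the SOC would send. The cleartext password is never
    copied into the case; a short hash is enough to correlate repeat sightings."""
    cases = {}
    for f in findings:
        cases.setdefault((f.protocol, f.username, f.dst), []).append(f)
    notices = []
    for (proto, user, dst), hits in cases.items():
        fix = next(v[1] for v in PROTOCOLS.values() if v[0] == proto)
        notices.append({
            # A username that is an e-mail address tells us whom to contact;
            # otherwise the case needs a shoulder tap via the conference.
            "to": user if "@" in user else None,
            "protocol": proto,
            "destination": dst,
            "sightings": len(hits),
            "sources": sorted({h.src for h in hits}),
            "password_ref": hashlib.sha256(hits[0].password.encode()).hexdigest()[:12],
            "fix": fix,
        })
    return notices


if __name__ == "__main__":
    for notice in build_notifications(extract_cleartext_creds(SAMPLE_FLOWS)):
        print(notice)
```

Two design points matter in practice. Alice's two requests produce one case, not two, which is the deduplication that stopped these alerts from denying service to the tier-one queue. And the case record carries a truncated hash of the password rather than the password itself: the ticket and the email it generates travel through systems with far more readers than the packet capture, so copying the secret into them would repeat the exposure you are trying to fix.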
2026 ZKast #88 - Inside the RSA 2026 SOC: From AI Defense to "Passwords in the Clear"
Right, welcome to ZKast, everyone. I'm Zeus Kerravala from ZK Research, and I'm here at RSA 2026 in San Francisco. I'm down in the SOC. Actually, it's pre-show, so it's a little bit quiet in here. Uh, and I'm with >> You think it's quiet, right?
>> Yeah. Yeah. Well, just wait till later, right? So, I'm with Jessica Oppenheimer from Splunk, now a Cisco company, and Tony Yakabelli, uh, the man in pink.
Yes. And uh so Jessica, you were on last year. Just a reminder what your role is.
>> So I'm the director of SOC operations.
>> So you get to do these at all the events.
>> You know, it was a passion project for nine years, and for the last 14 months it's been my full-time job. We support nine SOCs in person plus a few remotely.
>> Yeah. And how about you Tony?
>> Yeah. So I run Splunk's advanced response team. So we're the team that is kicking the hackers out of the network, doing all the things that all of the Splunk and Cisco security solutions do.
We just happen to do it for Splunk.
>> All right. So now the SOC is set up here every year. Uh, I notice customers coming through here. Is this a showpiece, or do customers actually come in here and take away some lessons learned on how to run a SOC?
>> That's a really great question. Can you believe this is our 10th year of doing the SOC here at RSA Conference? A decade of securing it.
>> 10 years of SOCs at RSA.
>> This is our 10th year. So we have >> You should give out socks and see.
>> We actually have given out SOC socks in the past.
>> So we have three core missions. The first one is to protect the attendees, to make sure that they leave here safer than when they came. The second one is to educate. So we have tours, conversations like this. We write a report that will come out a few months after it's gone through legal, business and technical review. And then the third one is innovate: continue to progress, to automate, bring in AI and take out friction.
>> And then over the 10 years, what was this like 10 years ago? What would I have seen in here and how different is it now?
>> 10 years ago it was a closed box. You know, we grew out of the Black Hat environment. The same team that built the Black Hat NOC there came here, and so it was dark and brooding, and, you know, we popped the lid off as we've had experiences at Cisco Live and gov and other ones about how to open up. People always wanted to come inside, and it was a closed SOC, and this year we talked to our, feel like, working through >> I know, right? So we're going to actually bring people in for the first year to get a little closer and have that more intimate experience.
>> Yeah. But how about, like, the tooling you run here versus >> Yeah, tooling. It was really small when you first started, like any SOC. There's a maturity process. There was packet capture and the malware analysis, and then later it was like, let's add in DNS security, and then firewall, and then automation, a SIEM and AI. So we matured as a SOC just like an organization does, growing out of a network operations center, and then you have a few people in security, and now we have a full-blown security operations center.
And how about from your perspective?
What do you hope what are your lessons learned here? Because you'll actually take this to customers later, right?
>> Yeah, absolutely. So, you know, a lot of this really speaks to how do you set this up and make it durable, because none of this existed four days ago. And so we show up, we have to plug the thing in.
Yeah, we have a SOC in a box. And so we bring the technology, but then how do you bring the process? And so with that, one of the big takeaways that we have here is we're able to experiment with different structures, different ways of passing work, different ways of integrating tools. And the thing that really makes it to customers at the end of the day is the innovation message that Jessica talked about, where, um, I remember my first SOC when I was here and we didn't have integrations between certain products that we were using or anything. And now those integrations that we kind of just grungy duct-taped together here are now in the product and polished, and customers are benefiting from being able to pivot from tool one to tool two quicker, which is really awesome.
>> Okay, now I see five screens behind me.
Well, one's marketing the SOC in a box.
What are you looking at back here, Jessica?
>> You know, the very first one we have is End that shows all the packets that are being captured. One of those is a SOC dashboard, and this number that's going to flip up here in the corner is how many passwords in the clear we've seen. Okay. And those unique passwords, in the past that was a full incident. Those would be given to a tier one analyst to investigate and write a report, and we got so overwhelmed by those it was basically a denial of service attack on our lower tier.
>> That's how many?
>> Yeah, like when you were at Cisco Live in EMEA, there were 400 on there. And so if all those were an incident... So when we looked at full automation, because we brought in Tony last year and Splunk Enterprise Security, it was like, how can we automate all this? So now those don't even touch our analysts. It opens up a case, Enterprise Security emails the person: "Hi, your security operations center, RSAC Conference, your password's in the clear, here's the protocol, you should fix that, come see us if you need to."
>> And how many will you see here?
>> We're going to probably get into the hundreds again, like we do every year.
>> Yeah, and the beauty of that, too, is since it's a password in the clear, we know the email address of it, too. So it's one of the rare things where it's completely automated, where everything you have in the alert is actually what you need to help that person be more secure when they leave the conference.
>> And then the one right over next, you saw something just like this at the Super Bowl when you went there on the 2nd of February. Avon here, right behind me, actually built those dashboards for the Super Bowl for the National Football League, and here we just continue to evolve those. They were born out of Black Hat, and that's where a lot of our innovation happens. So we have what's the status of the network, as well as how all those different detections are coming into Cisco XDR, what's the triage rate of our team that's looking at the first level, how much is being escalated into Enterprise Security. They just click a button, open, reported, a whole package goes over to Enterprise Security, and then both teams can close the incidents up. And then what type of MITRE attacks they're seeing. And then over this shoulder here we have our Splunk Enterprise Security and XDR, all that tooling with the security team, and as managers we've chosen what tiles are up there to help us see what's happening and to poke on people, like, hey, let's look closer at this.
>> Or if something goes to zero, that's a good indicator that we need to check something, right?
>> And then over here, this is actually AI Defense. We can see all the different models that are on the >> That's the new Cisco AI Defense.
>> It is, absolutely. What models are being used at the conference, what's their risk to you as an organization if you didn't have a proper legal framework in place. Then we've got the firewall, VPNs that are running as well. We encourage people to use a VPN, but when you're at the Super Bowl, we don't allow VPNs there. They need to use the corporate ones. So if we actually see VPNs running in that environment, that's actually an escalation to shutting that down.
>> So, it depends. Context really matters.
>> Yeah. Yeah. So, and uh so let's talk about some of the fun stuff. Okay. So, we're pre-show. Um what uh anything anomalous that you've seen here that uh has, you know, caused a little concern.
Maybe you reached out to the, you know, vendors to help them. Yeah.
>> Want to go ahead?
>> Yeah, sure. So, um one of the first things we always see is someone's always sending something in the clear. And so pre-show, uh, we actually found someone was using their own expense server and they were capturing all kinds of different receipts. We knew what the person had for dinner. Um, awesome.
>> Yeah. I wouldn't have ordered what they ordered, but um, >> was it Did they tip well?
>> They did. They did tip well. Yeah. But with that, um, we kept on seeing things there, and so we were actually able to find, um, uh, the folks who were running that. We work with the conference. RSAC Conference has been a fantastic partner.
Every time we find something, working with us to actually find someone, work on a shoulder tap, stuff like that. Um, and so we were able to alert them that this was occurring. Um, and we've had a couple other flavors of just some stuff sent in the clear, too. But that was one of the more notable >> That case actually got escalated up to the CEO of that production company, because they worked with RSAC Conference, and they were able to fix it that night. And we were able to confirm: a person with their first day on the job in the SOC was able to find and investigate it, pivot into the full packets, the firewall, see all that data, and we have to report and then confirm this morning that was fixed.
>> You also saw a vendor here that had their NAS server, network attached storage, in the clear. We had their password. Your team got into that?
Yeah. And they were able to get into that, and they were able to see that, and, uh, they were able to also make sure that, you know, you probably don't want just an unsecured NAS sitting on an RSA Conference floor.
>> No.
>> Or any conference floor.
>> Any conference floor, but especially a security conference. Um >> That case had all their business records for years, and if he was an attacker, he could have changed files on there, added files, not only downloaded all their confidential information but also put their alert with the payload to infect their system. And they were the production company for one of the major sponsors here.
>> But hopefully they'll learn from that and the next show they go to it'll be secured. Right.
>> Absolutely. And I think one of the really interesting things we had right before lunch, actually, was, um, another one of our analysts found some weird traffic on a high port going out. It turns out that there is a foreign internet service provider that was providing a proxy that was misconfigured. And so these people are doing a good security thing. They're using their proxy. Well, that proxy was just rebroadcasting all of the traffic completely in the clear.
So misconfigured security tools are something that we see, where you think you're doing the right thing, but in reality it's actually opening up more exposure for you. So that's just where it's critical to, you know, trust but verify, even with your own deployments of your own systems.
>> Yeah. Now, uh you mentioned AI defense, that's new and the whole goal behind it is to be able to help companies see what's going on with AI. And so, what are you seeing here from an AI perspective?
>> Well, a lot of things. One, we are able to run our own models on our hardware, and we protect that with AI Defense so there's no prompt injection. But then we're also able to enumerate on the network. For example, we're working with some of the major events that are getting ready for these big events that are occurring, and they want to see what are all the AI models that are running on my enterprise and what's the risk to that, which ones I've licensed or which ones should I license, or the legal review. And we're able to see the same thing here. If there was an AI model that was impacting this conference and that was causing the major problem, we'll work with the conference and we can actually shut that down inside the conference network.
>> But indeed, it's actually showing there's quite a bit of AI being run here. Lots of AI being run here. I think I see OpenAI, Gemini, DeepS, uh >> CL. Yeah. Yeah.
>> Notion.
>> Yeah. We're going to certainly over the next few years see a lot more of that too. So, >> absolutely. And what really stands out to me is, you know, as we mentioned the opening, we're pre-conference.
Everyone's not even here yet. Folks aren't coming down the escalators and we're already seeing >> crazy. Yeah. Absolutely. Absolutely. And so it's it's only going to get bigger.
AI has been here every single time and uh we usually are able to see like what are the big AI apps people are using.
And even with that um it's interesting to see the folks you know who might have a corporate resource but are still using one of the free resources or something else there which AI defense really helps give you visibility into.
>> Now, with AI Defense this year, since it's a new product for Cisco, are you using it for visibility, or are you actually trying to take action as well? >> It's both enumeration and visibility, but we can't take action. So, one, we're protecting our own AI models inside the infrastructure of the SOC so attackers can't inject into that, and then also we are able to see what's happening on the network, and we have the power to block certain models on this network if there's need, and of course we work with the conference on that. Yeah, it's a communication between the legal team, the IT security team, the physical security, the network operations team.
After 10 years, we've all really grown close.
>> Yeah. And what about the clause that uh Jensen talked so much about last week.
Are you able to see those?
>> Yeah.
>> Yeah. Absolutely.
>> Have you seen any of that?
>> We are.
>> Yeah. That's not a surprise, I guess.
>> No.
>> Yeah.
>> If it's new, I mean, you see things even before they get announced.
>> Well, at this show, obviously, you're going to see a lot of it. Actually that'll give you some visibility of what's going to be an outside post too.
>> It is, you know, the arsenals, the... we also have actors and we've, you know, warnings about different actors who want to attack the network and things like that.
So working really closely with the security team on what threats they see out there, and making sure that they don't come inside the network here.
>> Yeah. All right. So uh now you also look for some fun stuff right? Uh uh top social media app.
>> You know, it's Facebook. If you can believe that, still Facebook, then TikTok and Instagram are the top >> LinkedIn there.
>> It's right below. It's actually number four is LinkedIn.
>> Really? LinkedIn is below Facebook and TikTok.
>> People got to check check their socials, you know, and then they then they do business. So it's >> they're going to Instagram that they're here before they're going to LinkedIn that they're here.
>> Yeah, >> makes sense.
>> Maybe they're looking at just cute cat photos just on in like I haven't I've never seen those on LinkedIn, but maybe right.
>> Yeah. Well, that's a missed opportunity for LinkedIn. And then, uh, the other fun thing you always look at is top dating apps. How's... Yeah. A couple years ago, I know you told me Grindr hit number one.
>> Grindr hit number one a few years ago, and it's still number one. It's still going strong, with Hinge trying to come close behind. Tinder's dropped down the rankings.
>> Does that surprise you that Hinge is ahead of Tinder now?
>> You know, I think it's about knowing, like, trusted. You kind of need to know someone to know someone in Hinge. So it's about that trust within your network. And I think, you know, with Tinder it's that zero trust architecture.
>> Maybe have a little more of a... at least with Hinge you have multifactor authentication.
>> Yeah. Yeah.
>> All right. So last question for the security practitioners out there for the lessons you learned here. Um from each you know piece of advice that you give them.
>> Yeah. I think the biggest thing just, you know, comes back to the basics. Um, every year at RSA we hear about new and exciting things. Everyone's here to show off something cool, but at the end of the day, what we're seeing on the network is: make sure your email is encrypted. Make sure that, you know, if you're doing something sensitive, you're not sending it in the clear. Beyond that, you know, just when was the last time you looked at your architecture?
You reviewed everything that you deployed there, because we saw some of those misconfigured security tools. So, you know, I would say everything that is new is great, but at the same time, if you're not nailing the basics, you're kind of building a castle but leaving a door to go right around the moat and right through.
>> It's shocking that there's still so much unencrypted email, isn't there?
>> It it really is like you you'd think that, you know, if there ever was a solved problem in our industry, it would be, but >> it's not.
>> And how about you, Jessica? You got a final word here? >> I would say join the network, because it gives advice like use a VPN, make sure your apps are up to date, and you will leave more secure if you join the network here, because if you're having a problem, we'll help find you and let you know >> versus just using the public networks.
>> Oh, so that's interesting, because a lot of events will almost try and offload you onto the public cellular network, but here you want them to join so you can help them. Yeah. So if you're at RSA, um, make sure you do join them.
>> Yeah, absolutely. Absolutely.
>> All right. Anything else you guys want to add?
>> No, just thank you so much for having us.
>> Yeah. So, no, it's always a pleasure being with you. Hopefully you'll see us at Cisco Live. So, on behalf of Tony, the man in pink, and Jessica Oppenheimer, I'm Zeus Kerravala from ZK Research, and thanks for watching. Uh, give us a like and also hit that subscribe button. See you next time on our next episode of ZKast.