Join us as we engage in an insightful conversation with Mike Nichols, Vice President of Product for Security at Elastic, at the RSAC 2025 Conference. This session offers an in-depth exploration of the evolving landscape of cybersecurity and technological advancements shaping the industry's future.
In this video, Nichols, a leader at Elastic, shares valuable perspectives on challenges and breakthroughs in security operations. As a specialist in product security, he discusses critical issues such as the high failure rate of Security Information Management (SIM) implementations and Elastic's innovative solution of automatic migration. The host skillfully guides the discussion, highlighting essential points from Nichols' extensive expertise and research.
Nichols emphasizes the importance of human processes over technological solutions, advocating for improved enterprise-wide training to manage security risks effectively. He also addresses the benefits of Elastic's open source approach and the transformative role of artificial intelligence in security operations. These insights, shared by Nichols, promise to enhance your understanding and implementation of effective security strategies.
Mike Nichols, Elastic
Exploring RSAC 2025 with Mike Nichols of Elastic
Mike Nichols, VP of Product Management at Elasticsearch, talks with theCUBE Research’s Jackie McGuire at the RSAC 2025 Conference about current challenges in security operations. Their discussion focuses on automation, failed security information management implementations and the need for more effective processes across the enterprise.
Nichols outlines how Elastic addresses SIM failure rates through automatic migration and simplified integration. He also highlights how open-source access and AI advancements are changing how teams detect and respond ...
>> Hello CUBE community. Welcome back. This is Jackie McGuire. I'm the principal analyst and practice lead for security at theCUBE, and we are live from RSAC 2025. I am joined today by Mike Nichols. He's from Elastic. Thank you for joining us today, Mike.
Mike Nichols
>> Thanks for having me today.
Jackie McGuire
>> We were just commiserating that we are both a little bit draggy, halfway through day two.
Mike Nichols
>> We are draggy on day two. Yeah.
Jackie McGuire
>> But I think it's almost time for happy hour, so hopefully-
Mike Nichols
>> It's always out of reach, but I'm going to see if I can channel it.
Jackie McGuire
>> Yeah, I already warned everybody that I just cracked open a 30 ounce cold brew-
Mike Nichols
>> There you go...
Jackie McGuire
>> and I'll probably be levitating within a couple minutes. But, yeah. So, tell me about your RSAC experience so far. What sites have you seen? What things surprised you?
Mike Nichols
>> Oh boy. Well, it is good to see... I was saying when we first came over here, that I feel like the attendance is starting to pick back up, after sort of the pre-COVID dip of levels, where it was sort of hybrid. Get a lot more excitement now, a lot more people. I don't think there's a booth out there, that doesn't say Agentic AI on it somewhere.
Jackie McGuire
>> Are they people, or are they machines?
Mike Nichols
>> Yeah, who knows? Who knows? But it is good to see the excitement back in the industry, at least the amount of people that are here.
Jackie McGuire
>> Yeah. I am almost wondering if more companies paid for people to come to RSA, because there's this huge new wave of everything, that security teams are like, "We're only half involved in most of these projects, but we still are responsible for them."
Mike Nichols
>> Yeah, yeah. Well, like cloud security, right? Does it live in IT? Does it live with the CISO? Who knows anymore.
Jackie McGuire
>> Yeah. Yeah. It's one of the interesting things about the cloud is, it made it very easy to spin things up. But when it's very easy to spin things up, it's also easy to do it without security finding out about it, right?
Mike Nichols
>> Yeah. Active development led to a visibility gap, I'll say, in some of these ways.
Jackie McGuire
>> Yeah, absolutely. So, one of the things that we wanted to talk about, which I think is really interesting, is one of the crazy statistics that has been floating around in security for the last few years, is that 40% of SIM stand ups fail, which is an astronomical number. And I don't think it's because the SIMs don't work. I usually think it's either that a customer doesn't properly deploy them, can't get the data onboarded, pick the wrong one for their needs, but you guys are helping clean up the mess after that happens. And you have this new thing called automatic migration, which actually helps you move from the SIM that's falling down, to Elastic, right?
Mike Nichols
>> Yeah, it's actually an interesting point. I think from doing a lot of software, different business for a long time, I always say to people, the first thing is, probably invest in your process first. Not before you go buy a piece of tech. Probably what you have already could work. Maybe it's blasphemous to hear a product person say that, from a software vendor. But yeah, it's a lot of times the processes. I was a former analyst in a former life, and I remember just being able to... Training your team on how to use the products, giving them the time and the space to actually use them properly, it makes a big difference. And what we see in SIM handovers, the turnovers, because the market had a little bit... A few news stories last year, on the SIM market in general changing. And so, these people who have decided to make a switch, I think there's an under-appreciation of the level of time it takes, to move both the content, but then also the learnings and the team's education over. So, we can't do everything through automation, but one thing we found a really great way to help with is the content side. There's a few different layers of it. Bringing data in is always hard. So, a while ago we launched something called "Automatic Import," which maps your data to the data, the schemas you need to actually make it useful. But then, the next problem as you were talking about is, people usually have a pretty entrenched set of either, hunting queries, or rules, and they want to at least get a one-for-one. They want to know that, "What I used to have, I'm covered over here," before this, make net new things. And that used to be a very intensive process, from services, time, and dollars, or maybe just didn't get done at all.
So, this whole feature we launched, called "Automatic Migration," the point is to leverage things like large language models, with the context that we offer in Elastic, by having an underlying vector store, and using retrieval-augmented generation for context, to take what you have, and then, basically give you what it would be equivalent to in Elastic. But the biggest piece of it, Elastic being sort of an open source company, and being very, I think transparent, it was the show-your-work side. It actually explains to you why it does what it does, and helps to give you that confidence, that it's making the right switches.
Jackie McGuire
>> Yeah. Remove the black box effects of AI.
Mike Nichols
>> Yeah, exactly. Exactly. We were joking earlier about UEBA. In the early years of machine learning, and now on AI, anyone who says it's proprietary, or, "I can't tell you the secrets," you can't trust that, you can't understand what's actually happening.
Jackie McGuire
>> Yeah, it's almost astounding to me, the level of professional who would refer to AI as a black box. I saw one of the heads of AI, at one of the big four consulting firms was like, "Well, we really don't know how these things work." And I was like, "You can absolutely build enough logging into an LLM, to see every step along the way." It's going to create a five gig log. But yeah.
Mike Nichols
>> Right. Right. Well, and the benefit, I think, because AI is also ramping up astronomically, in the non-security space, we get the benefits of that. So, when ChatGPT adds very good ability to say, show your work in there, you can actually now, if you go online and ask it a question, "Hey, how did you figure this out?" It gives you all the links. That sort of ethos, now trickles into security as well. So, we get all that underlying citations, as a benefit of the fact that it's being used in other places.
Jackie McGuire
>> Yeah. And I think you really nailed it with the transparency. I was just talking to Mike Arrowsmith from NinjaOne, and talking about how in security, trust is the number one currency you have.
Mike Nichols
>> Exactly.
Jackie McGuire
>> And authenticity and transparency are the straightest line to trust. So, having a product that does what you say it does, and shows you how it's doing it, and you can trust it, I think. Yeah. And for security teams, who are already really leery of anything involving AI... One, I think they're only being involved in a small number of things, before they've actually hit servers.
Mike Nichols
>> Yes. Yeah. They're coming in late, unfortunately, to the party. Yeah.
Jackie McGuire
>> Yeah, I saw 20%, was how many projects have security involved during POC, which is insane.
Mike Nichols
>> Well, and now, I mean, how many products do you use daily, that have started to embed AI, but not tell you? Now it's deep in the release notes. I mean, who knows whether it's your documentation, if you use any online document services, you're using your email. You notice now, there's a little AI logo and everything, has your security team and your risk team actually gone through and approved those? Do they understand what's happening? So, it's just getting thrown into everything we use today.
Jackie McGuire
>> Yeah. So, I want to go back to something you said about, "Look at your processes first." And I think that I could not emphasize that more, and that I think a lot of enterprises end up spending time researching Band-Aids, and buying Band-Aids, and applying Band-Aids, not really teaching their employees not to run with scissors. I think we could probably do a lot better if we focus on... So, you guys have sent me a study by, I think Mimecast, that said... I'm going to read this statistic. That, "Human error is the leading cause of 95% of security breaches." And I think we like to think that most security breaches are super sophisticated hackers, getting in through zero-day exploits, and traversing our network, through all these. And it's not. It's not. So, what does the 95% look like?
Mike Nichols
>> Well, it's interesting. I mean, you're right about the fact that we all like to focus on the really... Fun's maybe a morbid way to put it, but the really sophisticated nation-state attacks, that do really interesting things. That's where we want to spend our time, and that's what makes the news. But it's the boring stuff. It's the day-to-day stuff. It's credential reuse, and it's misconfigurations of systems that you stand up. We mentioned a little bit earlier, before we started, about cloud. Just having a new way for developers to spin up fast, but forgetting to do underlying compliance controls. It's super boring, and it's that bottom of the pyramid, but there's a reason why they're the top controls in CIS that's recommended. And we don't spend enough time thinking about those, or focused on those things. And I think a lot of human error also gets incurred, when our analysts, who are already underwater, have to solve these problems, by pivoting between 15 different systems. It's the same as it was, and I was an analyst, I don't want to say how many years ago, but many, many years ago. It was the same thing. You're copying and pasting IOCs. There's no easy way to stitch things together. You misclick, or mistype something, and then that leads to a problem in the future, down the road. So, I just think that the automation that I like to see, are ones that remove a lot of that annoyance away, but still let the human in the loop, that decision expert, that knows your business, knows the mission, can make all the smart analytical decisions, and not be bogged down by these sort of mundane tasks of data collection, and duplication, things like that.
Jackie McGuire
>> Yeah. And I love the idea of having kind of an intelligent assistant, to help you with SIM migration, because that is one of the points... I worked at Cribl for a couple years, and we helped with a lot of SIM migration. And not only is it a huge lift at the organization, but it also is the one time that you introduce a lot of risk. Because if you're going from one SIM to another, and you've got two sets of alerts happening, and you're cutting data sources over one by one, there can be a lot of confusion around who's still responsible for what. So, tell me a little bit more about how automatic migration helps assess that. So, it tells you what it's doing, but does it help assess that kind of human error of like, "Uh oh, nobody's covering this data source anymore?"
Mike Nichols
>> That's a great question, and yes. I think that's your key point of, no matter what products we sell in security, ultimately, the whole thing we're doing is reducing risk, to your point. And so, that doesn't come without transparency. I wear a lot of wounds from previous years, and what I remember when I was an IDS analyst years ago, and we switched to a different IDS, obviously it was an executive top-down switch. And similarly, I said, "Well, I need to make sure I have this coverage." And so, "You do. Here's the rules." But all they gave me access to was the rule name. And it was like, "Preventing exploit 1, 2, 3. Well, here's our exploit 1, 2, 3 prevention." I said, "Well, I need to see the code. How do you do this?" If I'm going to tell my boss, and ultimately up the chain, that we've solved this problem, I need to trust that it's happening. And it was one of those, "We can't tell you."
Jackie McGuire
>> Compliance versus security.
Mike Nichols
>> Yes. Exactly.
Jackie McGuire
>> We checked the box, don't worry about it.
Mike Nichols
>> So, the first piece of migration is what you mentioned earlier, the transparency of explaining exactly what's happening in a human language. "Hey, we did this. We moved this. This is why we chose this." There's also a layer of semantic reasoning involved, where if we have a rule that already exists, we're not going to make a new one. We'll say, "Hey, we actually selected this rule that we have for this rule, and here's why. And if you don't agree, you can change it."
So, that's sort of the first tier level is, you as an analyst, whoever's making this migration decision can say, "I agree with this." Trust, and there's a little dashboard, green stuff that's done, yellow stuff that needs some work. To your second point, there's sort of two layers of that, that are not what we call in the attack migration, automatic migration feature set, but part of what we deliver. One we have is called "data quality," where we are automatically running analysis of the data coming in. Because the other big problem if you're an analyst is, it's only as good as the data you get. And if you're relying on a system to send you information, as you were mentioning earlier, like some kind of forwarding system, or ETL processor, and the data drops for some reason, you don't know about it. Or, if the vendor you got the data from, changes their fields in some new update, and now you don't have what you need. So, we do that identification as well, of, "Hey, all of a sudden these things you required are missing."
And the last piece you mentioned, it's a really interesting one. We are dabbling, and haven't gotten all the way there yet, which is, looking at all your data and saying, "Hey, you should be doing these other things, because you could, from what's available in your information." Especially as people create these massive new data lake, data ocean, data swamp, whatever you want to call it, they're creating a big place of data.
Jackie McGuire
>> I just call it the data swamp.
Mike Nichols
>> Yeah. And, so what can I do with it? What's available? And is it able to one-to-one map you into that? So, we try to help with all those different layers, because ultimately if the data isn't any good, then nothing works after that. Or, you get that false negative, or false sense of security, where you feel like everything's working well, because you don't have alerts. Well, there's no alerts, because the data has dropped three days ago, and nobody noticed.
Jackie McGuire
>> Yeah. And I think a lot of security teams are really overwhelmed, and they want to be able to use AI. But to your point, you can only be as intelligent as your data is. And identification, classification, it's always been a problem. And it's something that, when the first talk I wrote, I think at Cribl, was called "Security is a data problem," because we've got all this data. But to your point, a lot of it's in swamps. A lot of it is raw logs, that we haven't processed in any way. And so, being able to get a hold of your data, get it in one place, figure out what's in it, I don't really think we can even start having a conversation about AI capabilities, until you've kind of, one gotten into a SIM that is effective. We all know that there's a lot of legacy software hanging around, and address the data issues. So, do you foresee that, as we build better quality data, and get more buy-in, that security teams will be less skeptical, and embrace AI more, to help them do the jobs?
Mike Nichols
>> Well, less skeptical, probably not. I think we're a skeptical bunch by design.
Jackie McGuire
>> We're built that way.
Mike Nichols
>> But I do think... I hope we get to improve, and I think a couple ways. One, a big one that we're trying to help people with is, a lot of companies are making architectural decisions, or have made them, based on prior knowledge. And so, they think of SIMs as a monolithic, duplication of data. And right now there could be massive sovereignty issues. Maybe I don't want my data to reside in a certain country, or privacy regulations. So, they make decisions on how their SOC teams are organized, and even how their data's going to be organized, based on those. We're at a place now, where we can do federated or distributed searching, far easier. So, you can actually keep data locally in different locations, different cloud providers, not pay those tremendous export costs, that come from coming from analog systems.
Jackie McGuire
>> We love those.
Mike Nichols
>> So, that's sort of... Step one is, actually stitching together a distributed view of your data, without having to duplicate it all to one place. And I think that already provides people a sense of relief of, "Oh wait, I can actually answer the question?" That's great. That's sort of step one of this reduction of the skepticism, that is an analyst. But the second one I think is, when you talk about what AI really is under the hood. And in Elastic, we've chosen to really rely on... I mentioned earlier, about RAG, or retrieval-augmented generation, because there's different ways to go about it. You'll see some vendors here, that are tuning models and delivering them to you, and they brand them a certain way. Or the challenge always is, "Is it out of date? Does it have my information?"
Jackie McGuire
>> So, RAG allows you to retrieve more current, updated information-
Mike Nichols
>> Exactly...
Jackie McGuire
>> and ensures that you're handling that side of it, and the customer doesn't have to?
Mike Nichols
>> Yeah. So, to the skepticism part, what sometimes happens in these buddy-in-a-box systems, you'll say, "Hey, how do I fix this?" And you get this amazing knowledge, that comes from this giant hyperscaler's LLM, that is right. But it doesn't have your information of like, "By the way, this is a really big deal. Call Joe over here first, before you do anything else."
Being able to add that context simply, by putting it into a knowledge base, and being able to, "Hey, always check here first." Then, when the assistant tells you, "Hey, here's the greatest answer. Also, by the way, know these things," I think that starts to alleviate some of that skepticism as well. They don't have to also check their wiki, or whatever other systems they have, to validate what the model gave them is accurate. It actually has the information from their own systems in the answer, citations to where they can find information. Again, the "show your work" part. Explain to me how you got this answer, and why it's relevant to my needs.
Jackie McGuire
>> Yeah. So, I imagine a lot of people at RSA will want to come see you showing your work, so they can find you on the show floor.
Mike Nichols
>> We are. We're in the north hall. It's towards the back. If you go where the food is, or the restrooms, either one, we're right there.
Jackie McGuire
>> I mean, that's perfect.
Mike Nichols
>> Look for me, I'll be there now. Big Elastic signs. You can't miss us. But definitely, they can come and see the migration at work, or even just in general. I think, talk more about the ethos. We're really trying to push, for many years now, in security in general, the idea of open sourcing more things. We put all of our detections, all of our models, everything out in the open. The whole idea of, "More eyes on this is better." Get rid of the closed source, black box, ethos, that was security. That doesn't help any of us, except for the vendors.
Jackie McGuire
>> Well, I always say, "art of war," right? If you have to think like your adversaries, I have yet to see a licensed malware product. They're open sourcing. They're sharing information. They're creating pools of knowledge for bad, but we should also be doing that for good. We're not going to beat a giant, volunteer army, with very specialized century soldiers.
Mike Nichols
>> the financial incentives to be targeting us.
Jackie McGuire
>> Yeah. Yeah. Exactly.
Mike Nichols
>> I mean, how many people wrote the same log rules the day after that... It is the idea of, "The rising tide lifts all boats." The more we can democratize this, the more we can share information, I think the better we all are. And I hope we are a voice of good in that idea of, pushing the open source ethos that is there.
Jackie McGuire
>> Awesome. Well, Mike, thank you so much for joining us. I am looking forward to coming by the booth, and I want to see your migrations and progress.
Mike Nichols
>> Happy to show it to you. Yeah, yeah.
Jackie McGuire
>> I want to see you doing the work. Really appreciate having you on. Any after hours, or special events, people should be aware of?
Mike Nichols
>> We have an event tomorrow. I think you got to come to the booth, and get the actual information, so you can see where it is. But we are doing an event tomorrow night. Like everybody else, there'll be alcohol, or non-alcohol, depending on what you're into, plus some music and some dancing maybe. I don't know.
Jackie McGuire
>> I am always into dancing. All right, so stop by the Elastic booth for food, a bathroom break, and an invitation for some dancing.
Mike Nichols
>> And we got some of these cool Lego things you can build, like the minifigs you can make, if you want those too. So, got all kinds of fun stuff.
Jackie McGuire
>> Nice. Your booth number is N5778, in case anybody was wondering.
Mike Nichols
>> Wow, I would not remember that.
Jackie McGuire
>> Luckily, my team in my ear is on it.
Mike Nichols
>> Thank you.
Jackie McGuire
>> Awesome. Well, thanks for joining us, Mike. Really appreciate it.
Mike Nichols
>> Thank you. Appreciate it.
Jackie McGuire
>> For theCUBE live at RSAC 2025, I'm Jackie McGuire. We'll be back shortly with more high-frequency insights and information. Thanks everybody.