Mike Nichols, Elastic & Sal Picheria, New York Life | RSAC 2026
Mike Nichols, Elastic & Sal Picheria, New York Life
Mike Nichols
GM of Security, Elastic
Sal Picheria
Corporate VP of Security Engineering, New York Life
In this interview from RSAC 2026, Mike Nichols, general manager of security at Elastic, joins Sal Picheria, corporate vice president of security engineering at New York Life Insurance Co., to talk with theCUBE's Dave Vellante about modernizing SIEM architecture with a data-first approach to outpace AI-fueled threats. Picheria explains how legacy SIEM tools consistently fail at petabyte scale — ingesting data is one thing, but running the queries that actually matter is where traditional platforms crumble. With adversarial AI compressing attack windows to as l...
Dave Vellante
>> Welcome back to San Francisco, everybody. We're here at Moscone West. We're winding down day three of our live coverage of RSAC 2026. You're watching theCUBE. I'm Dave Vellante. Super excited to have Mike Nichols here. He's the GM of Security at Elastic. And we love when we get practitioners in. Sal Picheria as the Corporate VP of Security Engineering at New York Life. We get the true story. We take vendor marketing and test it with the buyers. So we're going to talk about modernizing SIEM. Everybody I talk to says, "We got to modernize our SIEM. We're going to find out how Elastic and New York Life are doing that." But Mike, let's start with you.
Mike Nichols
>> Sure.
Dave Vellante
>> From your perspective, what's the drive here for rethinking SIEM architectures right now?
Mike Nichols
>> I think the drive ... Well, now there's a compelling event that is actually important. A couple years back, the drive was acquisitions and mergers of a lot of SIEM technologies caused initial questions. I think that's when we first even started talking to New York Life. But then between then and now, we see as AI became bigger and bigger, the real compelling event and where lean-forward people like New York Life have been is the adversarial usage of AI has caused rampant challenges. The zero days. Microsoft Patch Tuesday, every single Patch Tuesday is record-breaking. We see the cost of exploits going down. And so I think that has really been the compelling event to say, "Am I partnering with somebody who's going to lead forward to the future?"
Dave Vellante
>> So it's probably like a lot of practitioners have a love-hate with your SIEM. And so, you know what I mean? But so what are you running into? What are the fundamental limitations of sort of traditional legacy SIEM? Is it scale? Is it cost? Is it just kind of keeping up with the current demand? Help us understand that from your perspective.
Sal Picheria
>> So been down this road a couple of times now, right? So it's a little bit of all of the above. Scale is certainly one of the biggest challenges that we see. And at New York Life, protecting our customers is the most important thing. When they give us our data, we are expected to maintain that trust. And at the scale that we're operating at, we have a tremendous amount of data, and it's hard to keep that in check. So our tooling needs to constantly be kept in line with that. And this is a really big challenge that we run into with legacy SIEMs is that the speed and scale are not matching the rate at which our data is growing. And that is the most important thing from our perspective that we need to make sure we have the equipment to keep up with the data growth. And as Mike is saying, the adversarial use of AI is only increasing this data, but on our end, as we roll out AI internally, there's a tremendous untapped amount of data that's in that space as well that's only going to continue growing.
Dave Vellante
>> What's driving the data growth? What are the business drivers that are creating this volume of data?
Sal Picheria
>> I mean, the company will continue to grow and security tooling in general. I mean, the data, it's like a natural law almost, right? That the data will continue to grow.
Dave Vellante
>> We never bet against data, I always say.
Mike Nichols
>> Yeah.
Dave Vellante
>> So you've developed this thing called the cyber data lake. What is that? What was the genesis of that? Take us through that. Paint a picture of that for us if you could.
Sal Picheria
>> Absolutely. So the cyber data lake, we actually approached this problem a little bit differently than most. And I know we started out this conversation with SIEM, but we talked a little bit about the scale of data and the importance of having it accessible and everything else. So when we thought about our data journey at New York Life, we actually thought, "How can we find the most capable data platform to house our security data before we started thinking about the SIEM problem?"
In that journey, we evaluated a lot of tools. We eventually landed on Elastic mainly because it just wound up being a rock solid, generic data engine for use in security. And as we went down that road further, we wound up uncovering that Elastic actually has a great SIEM functionality as well. It made a lot of sense to approach it in that way. So I like to describe this concept internally as we build the pyramid from the bottom up. So we start with the data and we think about the right place to house it and analyze it. And from there, we can build the SIEM as a specialized discipline of analytics in my opinion. It's not necessarily a concept in and of itself. So when we look at it that way, we build the data from the bottom up and we arrive at the SIEM at the top.
Dave Vellante
>> Okay. So how important was open to you? Because open's a two-edged sword, right? I mean, you got to get down and dirty with open at the same time as there are benefits. So how should we think about that?
Mike Nichols
>> We're not as down and dirty nowadays, but a little bit easier, but I hear you. Yeah.
Dave Vellante
>> Yeah. And that's fair. I mean, I think if you go back to the early days of the ELK Stack, the big criticism was then along comes Elastic and makes things simpler. But nonetheless, there's still the old term, free like a puppy. But so how did you evaluate those two sides? And because you had to make a bet and say, "Okay, the open source innovation is going to accelerate and allow us to stay ahead." Take us inside your sort of thinking on that.
Sal Picheria
>> I value open source in general very highly, right? I believe strongly in this concept. Open source, I mean, in this space, I think it's a great thing. Anybody can see it. Anybody can contribute to it. It helps everybody when it operates that way.
Dave Vellante
>> So anything you'd add to this perspective, Mike, in terms of the cyber lake?
Mike Nichols
>> Yeah. I'd just say he's being a bit humble about thinking about things a little bit differently. I think what was unique when we talked to the team at New York Life is that they knew they had, like I said, a crown jewel of a brand and a crown jewel of their customer information. And they wanted to protect it and they didn't just want to ... Out of the box capability doesn't solve their specific needs. They had a bespoke use case that needed to be tailored, but they also didn't want to invest a massive amount of engineering efforts. They needed an easily customizable solution. It's where Elastic came in. As you said, we are a data company first, right? We're a data company that has security DNA built it on top. And I think when Sal's team saw that, what they saw was they could take their use case, they could fundamentally solve their risk problems and have all those out of the box kind of classical SIEM capabilities they need and modify it to fit their needs without having a, like I said, a giant engineering team behind the scenes.
Dave Vellante
>> Yeah. I mean, you're a specialized data platform, really. And so when you think about the cyber data lake, what were the initial objectives? What were you trying to accomplish?
Sal Picheria
>> Touching back on kind of how I started earlier, the main objective was how can we unlock insights generically, right? Not just this generic SIEM concept of running rules and the old way of looking at things, but we wanted a tool that was suitable for analyzing data in kind of almost a data science kind of way specific to cybersecurity. And again, we really valued ... We wanted a platform that gave us the flexibility to either use out of the box components where appropriate, but had the necessary facilities for us to build the more advanced things that we needed at our scale.
Dave Vellante
>> We throw around this term real time a lot. What's the real timeness on the scale of real time? Rigid, can't do anything for days, weeks, months, versus close to real time as possible. Where are you?
Sal Picheria
>> Lower than seconds, right? We're talking milliseconds from the time the data is ingested to the time that it's available for our analytics.
Dave Vellante
>> Now, how did this lead into the modernization discussion? So you started with a data lake concept. Was that sort of a mainspring for broader modernization?
Sal Picheria
>> Well, yeah. I mean, continuing along that route, a lot of what we have seen with the speed is very much applicable to SIEM. So SIEM is the central tool in most SOCs, right? And SOCs are entirely built around speed, right? Minimizing the time that adversaries are in our environment is the most important thing to containing the damage that they can do. And with that flexibility and speed drives those numbers down for us, right? And that is really the risk reducer, is having the access to the volume of data that we have at the speed that we have it allows us to have the complete picture when we need it.
Dave Vellante
>> So I presume you're hearing this a lot across the customer base, different industries. And what can you add to this? I mean, I'm interested in how your sort of principles as to how you approach modernizing this infrastructure, just how you approach SIEM.
Mike Nichols
>> Well, I think what made this kind of a perfect partnership is, again, we first started a conversation and we did start with the SIEM idea, but it wasn't just, "Hey, we do this. How do you one for one do the next thing?" They came in with the mindset of how do we transform our organization's processes as well to combat the modern adversarial threat? And then you first have to look at what is that threat. And you mentioned speed. I think that you've seen all the stats out there now that I think the e-crime execution is in 27 seconds and average time now is between 11 minutes and 17 minutes of attack. And so he knew, the team knew they had to get faster, they had to get more capable, and that's the speed that we brought with the product. But in that conversation, I think we started to ... It was fun. Every time we sat together, there was a new idea unlocked and, "Hey, we could also try to do this." And very quickly broke out of the confines of what SIEM is. I think probably to me that our core ethos is that even in this agentic world as we move forward, it's still people based. You still need your expertise. The idea of this autonomous SOC or people of SOC, I think is a negative and almost detrimental thing that some vendors are saying because AI isn't working in isolation. It isn't only defenders that are utilizing it, adversaries are too, so we have to keep pace. And I think the team at New York Life kind of jumped onto that. Their team was so actively excited to try new technologies and to expand what they were doing on their older platform. And that sort of just led to a lot of new discoveries, and I think there's plenty more to come, I think, for us.
Dave Vellante
>> What are the challenges of doing that at petabyte scale, essentially, different data types, bringing them into sort of a single unified view, being able to actually access that data in a single query can ... I've seen systems just completely bogged down. What's your experience been? I'll start there with the customer and then how do you enable it as sort of architecturally I'm interested in, but please.
Sal Picheria
>> So our journey was fueled by our experience, right? And we have seen the same thing happen with many other tools of the past, right? While the tools themselves may be capable of bringing in the volume of data that we as an organization can generate, they crumble when we throw the queries that we need to throw at them. And again, that's why we approached this problem the way that we did. Let's find the system that helps us wrangle and manage the volume of data that we have and let's build security on top of that instead of thinking the other way around, which the other way around is essentially, how can we get as much data in as we possibly can? And then we'll figure out what we do with it when it's in there.
Dave Vellante
>> Yeah. It reminds me of the Hadoop days.
Mike Nichols
>> Yeah, exactly.
Sal Picheria
>> Exactly, yes.
Dave Vellante
>> No schema on write. Okay, now what?
Mike Nichols
>> Well, it's just a challenge. People are now doing things like implementing data lakes where data goes to die just to have it somewhere, but they're still operating on a small portion saying, "I hope I see the problem in the 30% of data that I'm looking at across my organization."
Dave Vellante
>> So okay, so the question to the last thing is how? What's the architectural secret sauce there?
Mike Nichols
>> I mean, the unique piece for me is that I get to stand on top of Elasticsearch, right? So the fact that we are a data company first and that we've been solving the data and search problem for over 15 years now and then build security on top of that. And so what that allows us to do is take advantage of all the speed and scale we've been doing. We've been doing search applications, logging, all these things for so many years, we sort of solved the high speed, high query data problem. And then I think the other key piece is, as great as AI is, not everything is solved with LLMs. So the fact that we have a powerful capability of hybrid search, both regular search along with vectorized search, allows us to pick the right kind of tool for the trade here, and we are able to maximize the usage of either an LLM or a small language model because we aren't just sending everything constantly up to these environments. We're able to kind of tune it, tailor it, fit the context window, get the right bespoke answer for your organization and hopefully accelerate your team.
Dave Vellante
>> When did this journey start? Oh, please.
Sal Picheria
>> I was going to say, that goes exactly into what I was saying earlier, right? I mean, we have to choose the right tool for the job. And there are times when AI is appropriate for search use cases and there are times when we just need really fast classic search.
Mike Nichols
>> Search, yep.
Sal Picheria
>> We have what we need to do, whatever we need, whether it's out of the box or we build it or we want to build AI agents and things on top of it.
Dave Vellante
>> I actually love that. When did the journey start?
Sal Picheria
>> About two years ago. Yeah. Well, no, over two years ago. I mean, I would say our data journey, it's always a continuous thing, right? Across all aspects of security, it's the only way to do it. But we began a journey, I would say more like three years ago to actually inventory all the data that we have and start getting the pieces together for what we knew we wanted to build. And this was, in my opinion, one of the key accelerators, because there's really two ways of approaching threat detection. And this goes on to what we were talking about earlier, right? Which is either we put the data in there and we figure out what to detect on it, or we come up with the detections that we want to enable, and then we look at the data that we have and we figure out what components of it that we want to bring in. Obviously, with the data lake, the counterpart that you hear all the time is the data swamp, right? So we avoid the data swamp by being thoughtful about the data that we do bring in, and that was an exercise that we've been doing for many years now.
Dave Vellante
>> Okay. But in earnest, the more recent modern journey started, coinciding with the sort of AI moment that the AI heard around the world. You could have been really distracted by that, but you're saying in many ways you weren't. So you're not doing AI for AI's sake, I get that. Can AI though help clean the data swamp and help cleanse and harmonize that data as opposed to trying to do that manually?
Sal Picheria
>> There is great humongous potential, not even potential, actual use for AI in this space especially. I mean, some of the things that it is phenomenal at is exactly this problem. Transforming data or helping us write code to facilitate that are some of the things that it's the best at. It's a tremendous accelerator on the engineering front. It's a tremendous accelerator on the analyst front as well.
Dave Vellante
>> Right. What can you tell us about some of the outcomes that you've seen, any metrics you can share, either anecdotal information? I mean, you're getting ROI out of this initiative?
Sal Picheria
>> Absolutely. Yeah.
Mike Nichols
>> I sure hope so.
Sal Picheria
>> I think one of the most important numbers that we can showcase, right? With the volume of data that we have in Elastic versus the prior tool set that we had, we've seen humongous growth internally. And this is just because now we have the machinery to be able to ingest this. So we're at nearly double the data that we were working with before and the cost number has not doubled, which is the most important metric for us. It's not even come close.
Dave Vellante
>> Okay. And so I'll give you the last word and then Mike, maybe you can bring us home just in terms of where do you want to take this? What would make you really happy a year from now?
Sal Picheria
>> I mean, what would make me really happy a year from now is to continue the journey that we've been on with Elastic and to continue working together to innovate with what is available in the toolset or continue working with Elastic where things are not available to build those things out for us. I very much view, to your point, with AI in particular, we're kind of in the exploratory and cautious phase here with how we employ it for search and the SOC, but that is going to be one of the most important domains that we work on in this coming year.
Dave Vellante
>> Great. Excited to hear more about that. I'll give you the last word.
Mike Nichols
>> I say, again, what I've been really appreciative of with the team is they take a very clinical approach to what they're doing. I think just to harken back on what Sal was saying of double the data at the same price point, that's why I think we're so differentiated as a data company because security doesn't work without visibility. And if we are predatory in how we make you choose what data to keep and what data to drop, as things like the logs form, the prompt and output of these AI models, those start to be part of the security purview. When that data increases, if you can't afford what you have today and you can't search what you have today, there's no way you can focus on tomorrow. So the first step of being AI ready is, first, getting visibility and control over the data that you have.
Sal Picheria
>> Exactly. You can't detect what you can't see.
Mike Nichols
>> Exactly.
Dave Vellante
>> Love it guys. Thanks so much. Great conversation. I really appreciate you guys coming on and sharing your story. And love to have you back, love to have you in the New York Stock Exchange and come on in and tell us more.
Sal Picheria
>> Absolutely.
Dave Vellante
>> We'll go deeper. All right. Keep it right there everybody. This is Dave Vellante. We're wrapping up day three, Wednesday at RSAC 2026, right back right after this short break.