Episode Transcript
Aaron Crow (00:01.299)
Hey, thank you for joining me for another episode of Protect It All podcast. I'm really excited today to dig into everybody's talking about AI and all the different tools have AI. So really quick before we dive into the content and the technology and all that type of stuff, Amy, why don't you introduce yourself, tell us who you are and kind of a little bit about your background in the company, et cetera.
Amy Tom (00:20.6)
Thanks, Aaron. Yeah, I'm Amy. I'm the Community Manager at D3 Security. We are developing an AI for the SOC. And so it's a really exciting time. We've kind of pivoted away from SOAR technology, traditional SOAR technology, as people know it today, and into a more autonomous SOC platform, which is a really cool new development that's coming up for SOC teams. So yeah, excited to be here. Thanks.
Aaron Crow (00:47.645)
Very cool. Yeah. So before I dive in too far, like I have a lot of people that, that, follow and listen to the podcast that maybe they're in school, maybe they're wanting to get into cybersecurity. you know, everything from, you know, high school kids or technology enabled. So can you, do you mind sharing a little bit? Like, how did you get to where you're at a community manager? What does that mean? And like, you know, it's really cool. Like you're doing podcasts and all this type of stuff.
Do you mind talking a little bit about your kind of path and the role that you're in and what you do in your role for a startup and a technology type company?
Amy Tom (01:24.098)
Yeah, no, that's a great question. And yes, we do have our own podcast that I host as well. It's called Let's SOC About It. If anyone's interested in that, it's around SOC and automation kind of topics in cybersecurity. And I got started originally in cybersecurity out of college. I was a salesperson at Absolute Software, which is an endpoint security company. And it's funny, I didn't have a background in IT or cybersecurity at all.
I remember when I joined the company at the beginning, I remember answering the phones and just being like, I don't know what I'm going to say. Like, everything I'm going to say is, I'll get back to you. Let me ask an engineer about that. And that's how it was for a little while until, you know, I picked up things here and there. I asked questions, I learned more. And now I have a more robust understanding of the cybersecurity landscape. And that's kind of where I sit today in the more
businessy side of the house, helping and supporting engineers. So having to talk to them a lot and ask a lot of questions helped me to understand what their problems were and what we are actually trying to solve. And that was my way into cybersecurity.
Aaron Crow (02:35.647)
That's really cool. So I mean, the reason I dig into these things again, like I said, like there's a lot of folks that are, you know, curious about cybersecurity. They're curious about technology. Maybe they're, you know, mid career and they want to make a career change or maybe they're just getting, you know, they're in their degree plan right now, trying to figure out what are those ways in. And I talked to a lot of people and there's just so many ways. So my path is a little different as well. You know, there's just a lot of different ways, whether it's from the sales side, from the technology side. The point is, is you don't have to be a rigid,
programmer or hacker or network security person. There's a lot of things in cybersecurity that we do and need, whether it's from the marketing side, from the sales side, from getting the message out there, right? front end customer facing, back office, there's just a lot of avenues in the space. So when you think about a big company and you look at Palo Alto or any of these big, big, huge companies,
They all have marketing teams. They've got salespeople. They've got front end people. They've got back end. They've got engineers. They've got programmers. They've got, you know, UI UX type people, like they've got people working in AI models. Like there's just all of these different things that you can do. Cybersecurity is this big lens that we put on it, but it works in all businesses and it takes a lot of people and a lot of different skill sets to be successful, especially at a startup and a vendor and a VAR, somebody that's providing a service or a software or a platform.
There's a lot of things that go into making sure that the product is where it's easy to install or run it in your thing. But there's a lot of things in the background that work to make all that stuff happen.
Amy Tom (04:08.642)
For sure, and I think a lot of people who are not in the weeds of the tech and the engineering department often feel this sense of imposter syndrome of like, do I even deserve to be here? Am I even in cybersecurity? But the answer is yes, we are all here and we're all supporting the function in some way or another. And I like to say that what my job is mostly is kind of like nerd translation.
You need somebody to do that, right? Like if you're talking to engineers, sometimes they get so deep into it that normal people, quote unquote, don't understand what they're talking about. They're like, what was that acronym you used? What even are you saying? What does that mean? And so you need somebody who is going to be able to kind of sit in between to understand the technical side of the house, but also to be able to translate that into language that everyone can understand, whether they're a student, whether they're a CISO,
Aaron Crow (04:35.475)
Absolutely.
Amy Tom (05:01.792)
or everybody in between, right?
Aaron Crow (05:03.559)
Yeah, absolutely. So along with that, the fact that you guys are doing this AI and automating a SOC thing, like there's probably a lot of that translation that's needed. Cause obviously this is emerging technology. This is new, kind of bleeding edge of, you know, people haven't done this. Like the traditional way is I have a SOC analyst that's manually looking through logs. Yeah, I've got some tools that can help me, you know, filter and go through those things, but it's all a person, a butt in a seat, excuse my language.
But there's a person that's sitting in a seat and looking at those logs and making an action. And you guys are kind of flipping that on its head by actually automating some or all of that, depending on the customer. I know that you can do certain pieces. You can do more or less depending on what you're comfortable with and all that kind of stuff. So how are those conversations? How are you pitching this to people that are maybe they're just dipping their toe into AI or they're wanting to get comfortable with this, but maybe they're anxious about it or they're not sure. Like, how do those conversations happen?
Amy Tom (06:02.72)
Yeah. I mean, I will say that it starts, it has to start somewhere, right? And you, this is an emerging technology as you're saying. So this really is starting with me saying to the engineers, what is this? What does this mean? What is AI? I don't understand. And it starts with a conversation of product marketers with marketers, with community people and the engineers who are building this technology or who understand more deeply what the technology does and how it's going to support people.
Aaron Crow (06:19.026)
Right.
Amy Tom (06:32.566)
And being able to talk to those engineers and saying like, okay, here's the problem that we're solving. Right. And, and they're saying, here's the solution that you have and building those two together to say a problem and solution. All right. Now, how are we going to communicate this value to people and how are we going to communicate it in a way that they can understand it? And that part is very difficult, especially in today's day and age of AI and marketing and talking to people about it, because everybody is saying the same thing.
When you walk around a cybersecurity conference, like we're coming up on RSA, I'm sure that when we walk around RSA and you look at all of the booths, it doesn't matter if they're a detection company, it doesn't matter if they're a SOC company, it doesn't matter if they're SIEM, if they're XDR, whatever they're doing, they're all going to say like, streamlining your workflows, you know, whatever the AI terminology is, everybody is saying the same thing. And so it is kind of...
Aaron Crow (07:25.213)
Mm-hmm.
Amy Tom (07:32.064)
up to the customer as well to take that information and decode the marketing speak a little bit, ask the right questions and say, okay, what really is behind the streamlining your workflow speak and what actually is this AI doing and how is it to be benefiting my company? And that's in part the job of the community team to go out and deliver that message in the right way so that people do understand that value.
of what you're actually bringing to the table rather than just like high level, I'm, I'm saving you time and resources. What does that actually mean? because yeah, everybody's saying the same thing. So.
Aaron Crow (08:10.971)
Yeah, you know, engineering was my background and I took engineering classes and math classes and probability and statistics. And it's amazing what you can take and make numbers look however you want. Meaning I can say, we saved this much money or this much process or this much time or whatever, but you have to really understand the metrics that they're using because they could cut out a lot of things and say, Hey, we'll save you 25%.
Yeah, on this one task that only takes me five seconds and the rest of the tasks don't help me, right? So that's the biggest question I see as a previous asset owner, as an end user of products like this is what's the real truth and what am I going to save? What's the value proposition, like you mentioned a second ago, of enabling AI in these things? And one of the things I love about y'all's product and just products like what we're talking about here, not to dive too far in the weeds, but
A lot of the products, to your point, we've got RSA, we've got Black Hat, we go to any of these places, every product's gonna say, we've got AI, we've got AI, okay, great, perfect. But each of those things are in their fenced area, right? What I like about other products at a bigger level is I have to have multiple tools. If I'm doing an enterprise environment, I'm gonna have tools from multiple vendors, doing different functions from active directory and you name it, right? And we really need the ability to...
bring data into all of these places and plug in, right? So, and that's what you guys do, right? Is you are able to plug into, you know, the different tools that are in there to grab data out and kind of automate some of those things. So how are you pitching that and explaining that value proposition? Again, because this is so new. So people are, to your point, a little leery of, okay, yeah, sure. Everybody says that. How are you guys different, right?
Amy Tom (10:01.568)
Yeah, you know, the funny thing is in the SOC automation space in SOAR and platforms, it's not like the things that we're saying today aren't things that have been already said. So we are saying we're going to save you a lot of time. We're going to save you a lot of resources. You're going to be able to cut down on the amount of SOC analysts that you have because those SOC analysts are saving so much time that you don't need 25 SOC analysts. You're going to need 20.
And so this kind of message is something that's been said a million times before, right? And so what is different about the AI technology that does make this more true today than it was before is that a lot of the heavy lifting that traditional SOAR platforms, it wore them down, right? And it made the process laborious.
difficult, time consuming to set up that automation, to have somebody who's like a master Python coder in there to like do everything. And then that guy leaves and then what are you going to do? So it takes a lot of time and resources to set up this automation, right? And where AI comes into play is a lot of that manual effort to create the playbooks, to do the manual triage, just to gather the information at the start is already done for you.
And instead of, you know, having to build out an attack timeline of all of the things that an analyst needs in order to analyze a particular incident, they need to be able to go into their CrowdStrike platform. They need to go into their Fortinet. They need to go into their Microsoft tenant and all of the different security platforms and tools that they have so that they can get that information. Right. And that's taking them hours per incident or, you know, just
hours in their day that they're analyzing particular incidents, especially at a level one level where they're trying to go through as many as possible. Your team doesn't have enough time to manually pull in all of the information. And so the AI agents and AI platforms now are being able to pull all that information for you so that the analysts can still do their job of analyzing the alert, but it's just that the manual effort of
Amy Tom (12:25.166)
putting together all of the things that they need to put together is done for them. And that is the revolutionary part of where we're actually going to be saving time and money. And instead of having all of the engineers invest all of that time and effort into building the automation, maintaining the automation, all of that building and maintaining is done for you, which is amazing.
Aaron Crow (12:47.741)
Well, and it's something similar. And again, to your point, like this is not new. Like we've been doing this type of thing for a long time and a lot of different processes and, coming from, you know, ERP systems, you know, name, name like Maximo. And I was with a company and we were actually transitioning from a mainframe system to, you know, Maximo and an ERP system for workflow work management, that kind of thing. And we were really intentional when we did it because we wanted to make sure it was kind of off the shelf and not custom.
because we've done it before in another business where it was completely custom. And to your point, it worked really well. But the people that designed all of those custom automations were no longer there anymore, which means you couldn't change anything. So every time anything changed, you have to update that automation to match, you know, and otherwise you break it, right? It's just like anything. If I had a new device or I changed my configuration, then all those previous automations that were working so great, they just fall on their face until you fix them, which is what I love about these,
the AI that really brings to things if it's used well, that's where you can do so many savings. You add a new tool, you can point the AI at it. So you're not having to custom code all of that type of stuff. Obviously there's gonna be some things that you have to bring in, I'm sure, but you're able to do a lot of those things a lot faster and quicker. And that's where I really see the huge lift that AI has the opportunity to provide if used in the right way to really speed up and enhance your level one people.
Amy Tom (13:59.373)
Yeah.
Aaron Crow (14:16.733)
where you don't need a level three engineer, you can have a level one person be able to make those connections and get a lot further down the road by themselves.
Amy Tom (14:24.364)
Yeah, I mean, to your point about the customization of the workflows, I think that is where we have the problem. And in that when people are using legacy SOAR platforms, they were sold this idea of like being able to have this automation out of the box and that it's great and that it's going to work for you. But the reality is that people have different tech stacks. They have like a widely different mix. So one person's out of the box automation.
Aaron Crow (14:28.711)
Yeah. Sure.
Amy Tom (14:51.496)
is not going to work for another person. And so those custom workflows were required. And so you needed to have those people. Then we build into this other area where we now have low code automation platforms, right? Where we don't need that heavy lifting from the Python coding. We have these low code automation platforms that are going to do all that for you without the actual coding part.
but it still requires you to piece together all of the bits and information and all of the steps that are required in order to build that workflow. And it also requires you to have a person who deeply understands all of the API calls within a particular platform and how that is gonna interact with whatever SOAR platform or a SOC platform that you're using. And you know,
Even within CrowdStrike alone, there's like 300 API calls. So there's like thousands of calls that you can make. And so an AI agent or an AI platform is going to be able to see like, actually, I know all of these calls already. And what you're describing to me of what you're looking for, this is the best API call to do that. And the engineer might be like, wow, didn't know that was a thing, you know? So it's like being able to have that knowledge to support your team of
Aaron Crow (15:42.098)
Right.
Amy Tom (16:06.784)
like, you know, a level four analyst, but they have all of that support and knowledge to pass on to your level one analysts is a huge time saver and a leg up for a lot of SOC teams.
Aaron Crow (16:18.481)
Well, and you hit something that triggered a thought with me as well is like, you know, a lot of times I don't know what I want, right? I know I have CrowdStrike. I know I have, you know, X, Y, and Z tools, you know, hardware firewalls, you know, NAC, you know, all these different products, and I don't exactly know what I need from where. So having the ability, you know, to that I had this guru in the sky that knew all of the answers, or at least
I had a better understanding than I did as, you know, a level one or whatever I am and saying, Hey, I'm wanting to be able to track logins and see physical access. And, you know, you can kind of say, Hey, these are the types of things I'm looking for. What am I missing? And be able to pull that stuff together and know where to go. Cause again, to your point, there's 300 something, you know, API calls just for CrowdStrike and that's one tool.
Amy Tom (17:04.877)
Mm-hmm.
Aaron Crow (17:14.183)
not to mention all the amount of data that's in a tool like that. And then you start layering on top of that. Your network switches and your Fortinet firewalls and, you know, all that type of stuff. You've got literally millions of potential things that you can layer on top of each other. And it can be really overwhelming. And you may miss things because you don't exactly, again, you don't know what you're looking for. You don't know where to pull it from. Who has the right source of information like that? That's a huge amount of how much time and
Amy Tom (17:14.477)
Yeah.
Aaron Crow (17:43.205)
And beyond just time, even if I'm a guru and I know how to do it, am I going to be able to pull everything together just because of lack of testing and all the different things? Like how difficult is it going to be for me to pull all the potential opportunities manually by me doing it by myself, right?
Amy Tom (18:00.438)
Yeah, that's the thing. It takes time. And, you know, to your point earlier of how people learn, I think the AI agents and the AI tools are going to be a huge asset to junior analysts because junior analysts are always going to exist. They're not going to go away just because we have AI agents. People have to start somewhere. And so being able to understand the workflow that's being built and say, okay,
Aaron Crow (18:17.095)
No, yeah.
Amy Tom (18:25.602)
the AI agent decided to pull in this API call, it said this, it went through these stages, this first, this first, this first, then you understand, okay, this is how I build a workflow, right? And you get that better training and education as if you were learning from a level four agent, but you've got that at your fingertips and you can query it however you want to.
Aaron Crow (18:48.307)
Wow, that's interesting. So what about like use cases? So obviously it's one thing to learn and say, I've got X, Y, and Z, but are you able to pull in some kind of best practice use cases and say, hey, usually people when they've got a firewall, they've got Palo or Fortinet or whatever, they've got Splunk or whatever the things are, the tool sets are in their ecosystem. Do you guys have the opportunity or ability to pull in like a...
Like I said, like a use case that says, hey, these are some things that you haven't done yet that you may want to look at and test out because these are the value props that we have by running these use cases.
Amy Tom (19:24.302)
Yeah, D3, we're leveraging the MITRE ATT&CK framework. So everything that is in the ATT&CK framework on the best practices that are required in order to respond and detect incidents, that's where that information is coming from. So Morpheus, our AI platform, is being trained on the ATT&CK matrix.
Aaron Crow (19:46.867)
Very cool. Yeah, that's awesome. So that's easy to say, to see, to standardize. It's easy to go across platforms. It's easier to go across business entities. Again, even, you know, a lot of the work that I do, people have heard of IT and OT, right? You know, I may have an OT SOC that's different than my IT SOC, man. Maybe it's physically in the same general location, but I may do different processes. I may have different run books. I may have different SOPs and things like that.
So the ability to differentiate those two things again, but tying it all back to a framework, they can say, yes, I'm doing it differently over here, but I'm still checking the box for doing these things on both sides of that equation. That's super awesome for standardization, for repeatability, for metrics and tracking and all that kind of stuff. And obviously we keep going back to how much time and effort can this save us.
the more of those types of environments or setups that you have, you just exponentially save yourself time and resource problems.
Amy Tom (20:47.468)
Yeah, for sure. And you know, these things are always adapting and changing depending on what kind of emerging threats are happening in the market. So also being able to keep up with that and to leverage new threat intel and information while you're still building out your playbooks is amazing. And I think a lot of SOC teams maybe fall into this trap of they build one phishing playbook one time and they seldom maintain that or update it.
Whereas with the AI, you know, everything is going to be updated for you. You can spin up a new playbook on the fly. You could spin up a new playbook for every single alert that you have. You don't even have to use the same one. The possibilities are endless.
Aaron Crow (21:34.343)
So walk through a stereotypical off the shelf, completely anonymized, I'm a new customer, I'm brought in. What does that look like as far as, obviously I have some run books now, am I importing those, am I starting from scratch? What do you guys recommend on that type
Amy Tom (21:53.12)
Yeah, we have a lot of customers who are coming in from, you know, legacy SOAR platforms that are just not doing the job anymore. So a big majority of our customers from last year actually came from legacy SOAR platforms because there's a huge wave of people just saying enough is enough with that. And so we have an onboarding program for our,
Aaron Crow (21:58.419)
Mm-hmm.
Amy Tom (22:16.876)
our SOC teams where they can easily migrate from one platform to another and being able to have those workflows either ported over or redoing them with the Morpheus AI instance and with the help of our engineers is how they do that. But it's a seamless process and it's really easy for them to port over into the next portal. And then when it comes to building new instances out or new
playbooks and adding in new customers, maybe if you're an MSSP, that process is also super easy. As soon as you start ingesting alerts into the D3 platform, they're going to be able to be triaged autonomously. And you're going to get that list of incidents that are filtered down by all of the false positives that you're getting through our filtering system. So you're getting fewer false positives and more actionable
incidents that you need to work on. And then Morpheus is also going to be able to take those incidents and do all of those things that I talked about, generating the case summary, getting the chronological attack timeline, you know, all of the manual triaging efforts that a level one analyst would typically need to do. All of those things are done for you so that when you start working on an incident, you're just like, okay, here's everything that I need to know.
Aaron Crow (23:44.029)
So how long does it take? And I know again, this is relative, so I'm not looking for it. It's gonna take exactly five hours. No, but like if I onboard, I'm a mid-size company and we transition over, like how quickly is it able to start learning and really understand enough to build out those run books? I assume it's pretty quick, obviously it also obviously depends on the number of tools and the amount of data. I get all that, but just.
You know, what is it? What is a rough order of magnitude of learning period versus, you know, I'm production and running, running and ready to go.
Amy Tom (24:18.444)
Yeah, you can get it set up as soon, like very, very quickly. I would say that the majority of the setup process comes in from setting up the integrations itself. And then, but the actual creating of the playbooks using Morpheus, all of these things, as soon as the integration is set up, Morpheus can run all of these things in seconds. The playbook creation process is seconds.
Aaron Crow (24:28.211)
Okay. Yep.
Aaron Crow (24:43.931)
Right, so it's really just the integrations, as in that obviously that'll depend on how many I have and how complex they are and, you know, all that type of stuff. So yeah, that makes sense. Sure.
Amy Tom (24:49.421)
Mm-hmm.
and how many engineers you've got available to set up those integrations and what kind of hours you're, willing to put into the setup process. But yeah, it is mostly the integration setup piece. That is the more laborious part, I would say at this point, whereas, you know, in traditional SOC platforms, you, would go through that process of setting up your integrations and then you would also have to spend all of your time building and maintaining your playbooks.
Aaron Crow (25:17.457)
Right. So how much of this is, so you talk about automatically building those run books. Can you walk through a little bit about what that means? Cause some people may not have an understanding around, you know, what a playbook is, but when you talk about that, you can automatically create those. You talked about all the way down to a specific alert. I can create a new run book. What does that look like?
Amy Tom (25:40.426)
Yeah. So the playbook itself is just a collection of stages that are using different API calls to say, okay, now I want you to go gather this information from CrowdStrike. Now go gather this information from Fortinet or all of your different platforms. So it can be either information gathering or action taking. Right. And so for a phishing attempt, for example, you get an alert that says there's a phishing attempt.
the AI platform is going to be searching across all of your tech stack to say like, okay, where does this phishing attack show up? Did they go across my network? Did they infiltrate a lot of different users? Is it just this one user? Like where is this attack being spread? So first of all, it can do that. Secondly, it can also do actions that...
you want to take. You know, okay, this is a phishing attack and it's a real phishing attack. I want to be able to isolate my device on the network. I want to be able to change the password. I want to, you know, do some more querying into what's actually going on with this device. And you can do all of that through the SOAR platform and through the ASOC platform. So instead of needing to, you know, manually go through and say like, okay,
Gather all this information, first of all, from all your different platforms. And second of all, be like, okay, now that I'm ready to isolate my device on the network, I've got to go through all of these different steps through all these different platforms in order to make that happen in the right way. And instead of having to do that and code switch a lot of the time, you're able to do that through API calls. And so you're running one playbook that just, and I mean, at this point with Morpheus, you just say, okay, here's the alert, the incident that I have.
Aaron Crow (27:18.962)
Mm-hmm.
Amy Tom (27:29.92)
And I want to spin up a remediation playbook on this particular incident. It's going to go through your tech stack and your integrations and connect with whatever it deems is the right, you know, response pattern for that particular incident based off of your tech stack information, based off the MITRE attack framework and best practices and whatever else you've already set up as, you know, rules and whatnot.
Aaron Crow (27:51.389)
Mm-hmm.
Amy Tom (27:57.398)
And then it's going to go out and build that playbook for you. And you can just say, okay, yeah, run that playbook. And it'll do that for you. Now, the cool part about this automation is that it can be fully autonomous or it can be partially autonomous. So if it's fully autonomous, all that's going to run by itself, right? Like you don't need to do anything. It's like audit, it's shutting down your network for certain devices. Like if it's isolating the device from your network by itself is what I mean.
So it can do that for you if you've decided to let it run in a full autonomous mode and have it do all of the detection all the way down to the remediation for you. However, there are partial automation rules in there to say, run your workflow all the way up to this point, and then you're going to need me to say yes or no. And then run it all the way to this point. And then if I say no, then you're stopped. Or if I say yes, you keep going, right?
So you can have as much or as little human interjection into this process as you want to. But we are seeing, which is cool, some SOC teams who are now completely automating level one. So they've gotten rid of their level one team entirely and either moving them up to level two or getting rid of them. And now they're running all of that triage fully automated without
the intervention of level one analysts. It's just, if it gets escalated, it's automatically going to level two.
Aaron Crow (29:23.133)
Right, right.
Aaron Crow (29:27.943)
Right. And then I assume because of that, being able to put, you know, a person in a process or in a step, I could also, if I'm a level one person and I'm only authorized to do a certain thing, if I had to get approval from somebody else, I can add that approval level in there too. Like I don't have the authority to kick out the CEO's device. I have to go to the, you know, level two or level three person to get that approval. And then it would get routed to them and come back, I assume. Right.
Amy Tom (29:55.5)
Yeah, exactly. Yeah, you've got different permission sets to have those controls at different levels for sure. That's essential. And, you know, it doesn't matter if you are an MSSP or maybe a big enterprise, both work in the same way.
Aaron Crow (30:10.545)
Right. Yeah, that's awesome. So depending on your comfort level, you can start out by doing it all manual where before it takes any action, I want to approve every single step. And then as I start getting more and more comfortable, maybe I'm able to transition and say, yeah, I want to take out that human approval. I want to let it go to step three or 10 or 15 or whatever that is. And as you start getting more comfortable, you can start opening the gates of the things that you're comfortable with allowing it to do and still keeping a person
in a role wherever you see those transitions. And again, that's also really cool because again in OT, I'm gonna do things differently than I would in IT. OT, I'm probably not gonna automate any actual response or mitigations. I would be fine with automating the investigation side of things, but when it comes to kicking out a device, I'm probably not gonna do that automatically. At least not today. Maybe if I have a lot better understanding of the process in the future,
But that gives you a lot of flexibility and with people not understanding and a lot of the times the resistance that I see in rolling out any technology is usually just because of I don't understand or I'm scared that it's going to break. It's going to do something I don't want it to do. And then how do we get control back? How do we respond or get it back to the place that it was recover?
So this allows that ability to put that person or that process and stop a process before it's approved, escalate things, all that kind of stuff. That's really interesting. And it really opens the door for scaling this exponentially as you get more and more comfortable and have more capabilities.
Amy Tom (31:52.672)
Yeah. No, you're exactly right. It's the more and more comfortable bit, I think, that is the key here, because exactly what you're saying, we aren't seeing people in today's market, not really, who are just being like, yeah, let's fully automate all the way from detection to remediation. Like, let's go all in. I don't need to test it. We're good. We're not seeing that today. And quite frankly, that would be alarming maybe if somebody was going to come in and just
Aaron Crow (32:08.477)
Right. Yep.
Amy Tom (32:19.758)
fully automate from the get-go, no testing, no process, because this is such a new thing, right? So people need time to have their automation be built up little by little. They need time to incorporate AI little by little. And one day you're having AI do a particular task in your SOC, the next day, maybe you're fully automated.
Who knows? You don't know. We don't know what the future is like, but where we're at today is, yeah, we are seeing a lot of level one SOC analyst type roles being automated and kind of taken over by AI, or a lot of their tasks at least are being taken by AI. And, you know, that just helps to reduce the human risk as well when it comes to triage and escalation, and kind of helping to save people, you know, that time from investigating alerts that are not real incidents.
And then also, yeah, just having that AI piece being built little by little until you reach a more fully autonomous state, I think, is probably going to be the key here because of what I was saying before: a lot of companies, they don't trust SOC platforms and tooling because we've been saying the same thing for years. And so the...
trust that they have in these companies who are saying, yes, we have AI. And because so many companies are saying, yes, we have AI, the AI fatigue is a real thing. And so being able to just say like, okay, great, you've got an AI, let's incorporate that, like just this little part today. Let's incorporate a little bit more tomorrow. And then we'll just see where we're at six months from now.
Aaron Crow (34:07.207)
Yeah. I can even see this. It's not the primary use case, but I can see this as a great training tool because I can almost see it as, like, your choose your own adventure. I put a new junior, you know, analyst in a seat, put them in a lab, and I have, you know, attacks or whatever, something coming across, and I'm prompting them. Here's your options. You could do A, B or C. What would you do? And then let it take that action.
And then respond back, okay, well, this was the outcome of that. You know, so it's a great way that you can, whether it's in a training perspective or even if I'm not automatically, autonomously, you know, doing this, just having the AI be able to say, hey, this is where we're at. I think we should do this based on the runbook or the previous stuff that we've done. I think you should, you know, kick that device off the network, and you know, whatever those steps are.
Just having it help you do that. Because again, everybody's going to be at a different competency level and different levels of network architecture or whatever the thing is that's coming across. And having that AI knowledge and that, again, narrowing down my options. Because if I'm just looking at a phishing attack, what is my next step? Like if nobody's ever told me or I've never done one before, I don't necessarily know what the next step is, unless I'm really advanced. But if I'm a junior person, I may not know.
Amy Tom (35:27.779)
Mm-hmm.
Aaron Crow (35:30.941)
So having that thing say, hey, we think you should do this, or here's your three options. You know, you can make better decisions based upon those instead of just like, I don't know, just go get coffee, I guess. I don't, I'm not sure.
Amy Tom (35:43.97)
Yeah. Yeah. I mean, even in the live environment, the AI is also recommending remediation actions for you to take. And you can say like, okay, yeah, build that workflow. But even in the production environment, if a junior analyst were to come in and say, not even for the active investigations and alerts, like, let's look at our historical data and say, okay, this is a playbook that Morpheus created or the AI created, right?
And you can go in there and still query that and say like, what happened? You can look at the case summary, which is going to be inevitably more robust than a human would make it. And you can also query the data to ask the questions, you know, and to understand that process to be able to say, okay, if this is what it did in this instance, then this is what I'm going to do next time.
Aaron Crow (36:21.907)
Sure. Yeah.
Aaron Crow (36:36.125)
Right. Well, so you hit on something there too that I don't think we've really touched on or talked much about, and that is the documentation and evidence side of things. So as it's doing all of this, it's creating copious notes and keeping track of everything. And there's evidence and all the reports; it's automatically creating all of those things. So beyond just the technical ability to, you know, change a firewall rule or, you know, disable a port or, you know, whatever those actions may be, it's also
documenting the heck out of it. And I know, again, I've been doing this a long time. In the heat of battle, it's really easy to forget. Oh yeah, I also did this other thing over there. I disabled RDP or I turned on SSH or whatever the things that I did. I can forget those very easily. Now obviously if I'm logging all my things I can look, I can search through those things, but I don't always. If I'm going to write up the report I may forget a step or two along the way. Whereas an AI, even if it's prompting you along the way,
Amy Tom (37:15.918)
Mm-hmm.
Aaron Crow (37:34.855)
you're making the decision of what it's doing. It's still documenting that entire thing. So at the end of this, you're going to have this really verbose set of steps that it took, what it saw, why it kicked it off, what steps it took, what actions it took, where it logged in, what its API calls are, the data that it got. Like everything is going to be wrapped and created into this report, right?
Amy Tom (37:52.644)
Exactly.
Exactly. And yeah, you don't need that manual human piece where the person has to remember to put those notes in the ticket. That's gone. And what I think is cool about this too is like, let's say you have an incident and then you have to go back a few months later and say like, okay, what happened in this incident? Let's pull this part. You don't necessarily have to go through log item by log item in that instance to make sure that everything is up to snuff.
You've got the AI summary, you've got the chronological attack timeline, you have the list of what everybody has done and at what times they've done it. So compliance reporting is just like so much easier.
Aaron Crow (38:33.107)
Yeah, I can see this helping people with compliance, to your point. I could also see it helping with cyber insurance and things like that. Because you know if you get hit with ransomware, well, you said you had multifactor. You said you had all of this, you said you did all these things. Where's your proof? And this is the evidence right there. It really takes that out. It lowers your risk on a lot of those things because you're automatically creating those reports and those timestamps and those notes that an auditor is going to look for.
Amy Tom (38:41.39)
Mm-hmm.
Amy Tom (38:52.974)
Exactly.
Aaron Crow (39:01.147)
Again, whether it's a cyber insurance or a federal or required regulatory type auditor, for whatever that means. So yeah, that's huge. And that's another savings right there, right? A potential audit loss, whether it's a fine or just any of that type of stuff, or a cyber insurance claim being denied because you couldn't prove that you did what you said you did in the timeframe, right?
Amy Tom (39:17.07)
Mm-hmm.
Amy Tom (39:28.842)
Yeah, yeah. You know, inevitably, like I said, these AI case summaries are going to be way more robust than what the human is going to write, because the human is trying to deal with a million different incidents at once. And so the summary that they make surely is going to be like a one-liner. Let's just do this for compliance reasons just to get it done. No one's ever going to look at it again. And then when you do have to look at it again, you're like, what does this even mean?
Because it really depends on your internal policies of what you've got your analysts writing out, right? But the more that they have to do these manual tasks, like writing the case summary, the more that they're going to try and cut corners on it and just do the bare minimum just to get it done so that they can move on to more important things. And so why not have an AI agent in there who can actually pull that information and write it in a useful, helpful way
without having to take up a lot of your analyst time.
Aaron Crow (40:30.557)
Yeah, well, you know, I just saw a reel or whatever the other day where a dad was getting his son to write instructions on how to make a peanut butter and jelly sandwich, which is a super simple thing to do. And the dad was just going to follow whatever instructions that the son wrote. And, you know, I think it started out, it was like open peanut butter and, you know, put knife in jar. And he just kind of threw the knife in and the kid was like, wait, no, that's not right. He goes, well, you didn't say anything else, like.
My point is that it's really easy because I know how to make a peanut butter and jelly sandwich. But teaching and explaining it to somebody else that wasn't there and has never done it before, and being able to have that verbose of instructions that anybody could follow after the fact, again, months or years down the road, tools may have changed, situations may have changed, attack vectors, a lot of those things could have changed, but being able to have that evidence and that report stand up again.
No matter what, you're gonna have C-suite executives reading the report and you're gonna have junior analysts sometimes writing the report. So those are two different skill sets. Some are technical, some are business-like. And that's where this sometimes gets missed. It's not that they're inaccurate. It's just that they don't necessarily follow. It makes sense to you in your head because you were there. But for me, when I wasn't there, I'm like, wait, it looks like you skipped like 12 steps in here. Oh yeah, that's just how you get from step one to 12. OK, well, I didn't think about that.
Amy Tom (41:49.582)
for sure.
Amy Tom (41:57.676)
Yeah. And this is why we need nerd translation.
Aaron Crow (42:02.323)
Exactly. And this is why we need jobs like this, right? And it's not all just hands on keyboard doing the nerd stuff. It's also translating these things too. That's huge though. Like that piece isn't always, that's not always something that we focus on. Again, so I was a CTO of a software company and, you know, so I'm dealing with the product and, you know, the UI/UX and the experience and
Amy Tom (42:07.912)
Yeah. Yeah. Yeah.
Aaron Crow (42:26.823)
you know, we're developing or building out like, what are the customers looking for, all that kind of stuff. And I've also been an asset owner, you know, trying to get vendors to, hey, this is what I really want. And, you know, trying to weed through what they say at the conference and what's on their marketing material versus what they can actually deliver. And I've, you know, I've also been a consultant and I've used multiple tools and deployed them across a lot of different things. But you know, the problem is a lot of times we don't always know what we need, and we're trying to weed through the, what I'm,
I'm unclear exactly what I need. I'm unclear exactly what your product can do versus what the marketing thing says it can do. You know, it's like the range on a vehicle, you know, the fuel economy or whatever, not even talking about electric vehicles, but just normal economy. You know, you get a car that says it's got a 400 mile range and you get in it and at 300 miles, you got to refill it. Like, hmm.
There's just too many factors that go into really calculating that accurately.
Amy Tom (43:22.614)
Yeah. And you know, the thing is with the marketing speak, as a marketer, I will say, is that we are communicating the value of the product at the highest level of value, right? Like this is in an ideal scenario of if you've done everything right and everything that it's you, this is what you're going to get. But in reality, that's not always the case. Some people have less of the building blocks. Some people, you know, aren't going to have
Aaron Crow (43:27.261)
Sure.
Aaron Crow (43:43.763)
Correct.
Amy Tom (43:50.656)
all of the boxes ticked off of the perfect scenario, which is not to say that it's not going to work, but it just might not get you to the, I don't know, promised value. There's so many factors that come into that, you know?
Aaron Crow (44:03.411)
Well,
And you're right, 100%. And again, I've been in the marketing side, I've been in the vendor side, and that's what we need to remember. If you're an asset owner, if you're somebody that's buying a product, our marketers are not trying to fool you, right? Any good product company is not gonna try to fool you or trick you or try to convince you it can do something it can't. Now, obviously it's going to have a scenario
Amy Tom (44:24.685)
Yeah.
Aaron Crow (44:34.429)
that it does it in, and it's going to be the best case scenario or whatever. But you need to know that going into it, right? Again, just like fuel economy. I don't think GM lied to me because they said my truck can drive 400 miles. I just know that other people drive a lot slower than I do, which is why I don't get as much mileage on it, because I drive with wind in your face, pulling a trailer. Like all the things are not the same scenario. Exactly.
Amy Tom (44:47.95)
Yeah. Yeah. Or like you're driving uphill up a mountain like, sir. Yeah. You're like, why didn't they get me to 400? I don't know.
Aaron Crow (45:03.239)
You can do it, but this is how it has to happen. Like you gotta drive 30 miles an hour downhill with wind behind your back, you know.
Amy Tom (45:05.686)
Yeah.
Yeah, exactly. Yeah. And like the perfect scenario, how are you going to maximize your kilometers? This is it. But yeah, in reality, it's not always that, and that's okay. Yeah. But that's why it's up to you as the customer to do your due diligence, to sort through the weeds of the AI marketing speak, as exhausting as it is with alert AI fatigue and everything.
Aaron Crow (45:12.314)
Exactly.
Exactly. Exactly. Perfect fuel. Fuel. Yeah. All the stars align.
Amy Tom (45:35.34)
But you've got to do your due diligence of sorting through that information to say, what does this technology actually do and what is it actually going to help me accomplish?
Aaron Crow (45:46.355)
So what is one of the more exciting things that you've seen, whether it's yourself, a use case or a customer that you've seen, again, not asking for specifics on a customer specifically, but what are some of the cooler things that you've seen coming out of this that's really exciting?
Amy Tom (46:03.414)
Yeah, I mean, to me, it's the fully automating level one. Like, I think that that's such an interesting piece of AI in the SOC today. And it's completely transforming a person's role, you know, like this is somebody's full time job. And it has been for a long time. And with the power of AI in the SOC, it's completely transforming how these people are doing their jobs. You know, they
are spending less time on this manual triage. So they have all this free time opened up. So what the job description and job role of the level one SOC analyst will look like in the future, I think, is really interesting and exciting because it is morphing so rapidly. And we have these companies, big companies, who are getting rid of their whole level one SOC analyst team.
And so what does the junior analyst position look like? I think that is like a big question that AI is completely morphing and changing. That's really exciting for the future.
Aaron Crow (47:06.086)
Yeah. And I think that's, you know, AI is really going to make a change across a lot of different verticals. Cybersecurity is no different, to your point. The junior level folks are the ones that are going to be the most hit. That doesn't mean that there aren't positions for those folks. It may just look different, to your point, like what you're doing, right? You know, we need that nerd translation. We need marketing. Like there's a lot of things that we need that, again, AI is going to help with, our marketing stuff. That doesn't mean that I just
put everything in ChatGPT or whatever my AI is and expect that it's going to come out exactly how I want. That's not reality. So it just means that, you know, if you're new, if you're getting into this space, think about those things. Because, you know, five years, heck, probably end of the year, you know, things are going to look vastly different than they do today. So think about that. Like if you're in a degree plan, think about, you know, adding other things other than just technical.
And I'm not saying that technical is not important, but having that business acumen on the side, understanding marketing, understanding the business side, understanding sales will only make you a more valuable person in the organization. And when I'm hiring people or companies are looking to hire people, they want people with multiple skillsets. Like, yes, Amy can do a podcast, but she can also talk nerd speak and she can also do marketing stuff and she can also, you know, what else can we do?
Amy Tom (47:59.938)
Yeah.
Aaron Crow (48:27.249)
That's where it's going to help us to differentiate ourselves as we're looking for a new job, we're building a new product, you know, we're having a conversation with the client. They want to understand and we need to be able to relate to them. Coming from a technical background, I know I started out and all I cared about was the technology, and I transitioned at some point into realizing the business side and the people side was really important. And as I did that, my career grew exponentially faster because I had those other skill sets available as well.
Amy Tom (48:39.672)
Yeah.
Amy Tom (48:56.142)
For sure. Yeah, my other advice to young people entering cybersecurity would be also, though, to learn the AI and to learn what is being offered and how that's working. If you can get your hands on some kind of license with the AI tool, that would be amazing, because I heard somebody say something recently that I really liked, and it is that there's two types of people.
Aaron Crow (49:04.274)
Yes.
Amy Tom (49:23.458)
The type of people who are learning and working with the AI and the type of people who are unemployed. So if you want a job, you're going to need to get on this train.
Aaron Crow (49:36.103)
It's so true. I mean, it's the next revolution. I really do believe it. You know, it's electricity, it's the car, it's the manufacturing line, it's the revolutionary thing that's going to make a difference, and it's going to impact absolutely every job. So it doesn't matter if you're in technology, cybersecurity, business, sales, marketing, you know, real estate. You know, I have my real estate license. Like real estate is not going to look the same in a year as it does today.
Right? Real estate hasn't changed in decades. And it's on the cusp of changing. And I'm not picking on real estate specifically. It's just the truth. Our technology, we're really going after those low level, the junior level type roles across almost all industries. A mechanic should be able to use AI to help them troubleshoot a car faster than before. Right? So he doesn't need to hire a junior person to go
look up those things and those bulletins. And like AI has the opportunity to touch almost every single vertical. Again, it doesn't mean you just fully automate it and go, you know, Terminator, where, you know, we've got bots that are killing us, but we can have a human in the machine. But it's going to change the way we do business, just as a world.
Amy Tom (50:55.35)
Yeah. You know, it's also the point with the AI or the cybersecurity talent shortage, right? It's chicken and egg. Are we asking for too much, or do these young people not have enough to compete with what is in the market today, which is these AI agents who are going to be able to handle all this level one stuff, right? So to the people who are first starting out, it's a tough market to get started out in today.
Aaron Crow (51:02.247)
Yeah. Yep.
Aaron Crow (51:21.595)
It is. Yeah.
Amy Tom (51:23.294)
And you really need to level up your skills beyond what traditional cybersecurity courses are teaching you. You need more than what's being offered to be competitive and to get a job in today's market, unfortunately.
Aaron Crow (51:37.139)
I agree 100%. You know, find ways to plug in, find ways to volunteer, you know, build stuff in a lab. You know, there's all sorts of tools where you can do it at very cheap or no, you know, cost to you, spinning things up in clouds or even VMs on your existing machine. There's just a lot of ways that you can play with this stuff. And the more of these things that you have and the abilities that you do, it's easier to plug in. Again, if you have a little bit of this and a little bit of that and a little bit of that, like that's how a recipe is made, right?
You know, your cookie has sugar and flour and chocolate chips and all the different things in it. If you leave out one of those ingredients, it's not the same, or you put in too much or too little or whatever, right? So it doesn't mean that it can't be a good cookie, but it's not like, if I leave chocolate chips out, it's not a chocolate chip cookie. It can still be a good cookie, but it's not a chocolate chip cookie because it doesn't have chocolate chips in it, right? So those are the types of things we need to think about as we're building out our career and are looking to get into a career,
making sure that we're considering all of those aspects and how you differentiate yourself with the job market and the requirements and AI even now. Right now you're competing with not only other humans, but also AIs that can do a lot of things that an entry level person can do as well.
Amy Tom (52:47.842)
Yeah, for sure.
Aaron Crow (52:49.469)
So, last question and we'll give you your time back. So I appreciate your time. This has been an awesome conversation. I'll just say the next five to 10 years. We've kind of talked about this already a little bit. What's something that's exciting to you, and you may have already hit on it, and maybe one thing that's concerning in cybersecurity, probably to do with AI, I'd assume, on both of those questions.
Amy Tom (53:10.284)
Ooh, okay. Yeah, I mean, it's not entirely related to SOC platforms specifically, but AI deepfakes scare the shit out of me. Oh my gosh. Yeah, they are crazy. Just the ability to take, you know, an interview like this and take, you know, three minutes of the audio and then spit it into an AI audio version of, you know, your CEO or whoever,
Aaron Crow (53:18.515)
Mm-hmm.
Amy Tom (53:38.84)
who sends you a WhatsApp message and is like, can you pay this invoice right now? Or like, hey, I can't get into my system. Can you approve your single sign-on? Or whatever, you know what? It's crazy. And that is scary. So I think for the common person who's maybe not super cybersecurity savvy, that's gonna be a huge issue.
Aaron Crow (53:59.645)
Yeah. A hundred percent. Yeah, it's terrifying. I posted the other day, I actually got hit with, or didn't get hit. I almost got hit. Somebody called me and they pretended to be a police officer. They called from the right number. They had the right accent. They were, you know, they were from Texas. They had that, you know, they were local. And I got pretty far down the road before I realized. Again, from the very beginning, my spidey senses were going off, but I still continued to go because they weren't saying anything that was out of the ordinary, until they did.
And they're like, okay, now you need to go to CVS and pull out money and do a bill pay. I'm like, yeah, no, thank you. Nope, not going to do that. But until that point, they knew they were guiding me down that path. Like show up at the police department. Like all these things, like it can't be a scam if I go to the police department. Right. So all these things were, they were, again, until they were like, okay. So it's just one of those things. It's a growing concern and it's only going to get worse.
Amy Tom (54:32.627)
Yeah, and you're
Yeah.
Amy Tom (54:53.974)
Yeah.
Amy Tom (54:57.644)
Yeah, my favorite one is the Zoom ones though, like the B2B stuff, because that's crazy, where, you know, they invite the entire accounting department to a call with the CEO and the CEO is like, all right, let's get this done, pay this invoice, and groupthink, everybody's like, okay, well, that's the CEO. He said to get it done, let's get it done. And nobody thinks to question like, maybe this isn't the CEO. He never turned his camera on. That was weird. So everybody, like 20 people in a call, are like, great, let's get on it. It's crazy.
Aaron Crow (54:59.783)
Yeah. Yeah.
Aaron Crow (55:21.213)
That is weird.
Aaron Crow (55:25.597)
Yep. Pay me $1 million. Okay, done.
Amy Tom (55:29.58)
Yeah, okay. Well, he asked for it. Let's go.
Aaron Crow (55:34.063)
Awesome. So how can people find out more about this awesome Morpheus and D3 and all that you guys are doing? Obviously your podcast, we'll definitely put that in the show notes, but definitely mention that again as well.
Amy Tom (55:45.452)
Yeah, definitely give D3 a follow on LinkedIn. That's where we're going to be posting a majority of our updates. If you want more information about our new AI platform, that's Morpheus. It's on d3security.com. And you'll get all of our information there along with links to our podcast, which again is called Let's SOC About It, and some really helpful white papers and data points and information for SOC teams who are looking to incorporate AI into their platforms.
Aaron Crow (56:14.747)
Awesome. I assume you guys will be at conferences, RSA, Black Hat, things like that as well, if people want to come out and meet you guys. Yeah.
Amy Tom (56:18.856)
Yes, sir, we will be at RSA and Black Hat this year, along with SecTor, which is the Canadian version of Black Hat, and MSSP Live and a few other ones.
Aaron Crow (56:29.039)
Awesome. Very cool. Well, hey, thank you so much. This was an awesome conversation. It was great to meet you and tell Jared, thank you for setting this up for us. And I appreciate your time.
Amy Tom (56:40.374)
Alright, thanks so much.