Let's Talk SoC

A.I. in Cybersecurity: Powerful Ally and Force Multiplier

Episode Summary

In today’s cyber battleground, AI is fighting for both sides. Weaponized by threat actors, it’s also a trusted ally of leading cyber defenders. In this episode, you’ll hear from leaders at Secureworks and SentinelOne on their use of AI in the fight against cyber criminals misusing the technology. Learn how AI accelerates learning and powers through data, freeing up analysts to focus on higher-level tasks. Hear how Secureworks and SentinelOne strike a balance between progress and responsibility, forging ahead with AI while setting standards in the industry. We’ll also discuss the importance of collaboration in shaping the role of AI in the future cybersecurity landscape.

Episode Notes

Episode Transcription

Secureworks Interview with Chris Boehm & Terry McGraw

Sally Eaves : Hi everyone and a warm welcome to Let's Talk SOC with me, your host, Sally Eaves. Today we're diving into all things AI. Everyone's talking about it, such a rapidly evolving field, so many different applications, but also challenges in the domain of cybersecurity. In this episode, we're talking to Chris Boehm, Global Field CISO at Secureworks partner, SentinelOne, and also Terry McGraw from Secureworks itself.

We're looking at the unique perspectives on how security analysts can benefit from AI and how to leverage the opportunities across different areas of cybersecurity defense, detecting advanced threats, and also proactivity, particularly around incident response. So, let's get straight into it. First of all, let's get to know a bit more about the people behind the tech, as I like to phrase it. Firstly, Chris, a warm welcome. Tell us a little bit more about yourself and your role at SentinelOne.

Chris Boehm : Thank you so much for inviting me to this presentation and webinar. I love being invited to these. This is what I live for at this moment. My name is Chris. I've been in the cybersecurity space for, it feels almost like 20 years now. What I do here at SentinelOne is I'm a global field CISO. The easiest way to say it is I do everything but HR at SentinelOne. I work on engineering, marketing, sales. It could be Rub-Nap, M&A, just name it. I'm part of it in some form or fashion as a consultant or advisor in a lot of ways. So again, AI is a huge concept for our organization, just like it is for Secureworks, and I'm excited to be here.

Sally Eaves : Love that depth and diversity of experience. I think it's so relevant to this field, isn't it? Brilliant, Chris. Love that. Thank you. And Terry, I know we've had the pleasure of speaking before, but again, just a little bit more about yourself and your background, if I may.

Terry McGraw : Sure, no problem. Terry McGraw, I'm the Vice President of Global Cyber Threat Analysis here. So, our kind of threat unit does a lot of the deep research. Our incident response engagement does a lot of tradecraft enumeration from the incident response engagements. And so my role here is really, how do we pragmatically apply what we're learning from our research and incident response groups, and then helping our customer base employ that in their environment. So, I do a lot of that work as well as evangelizing for the company. So, I do a lot of these podcasts and webinars as well. I love doing these things.

Sally Eaves : I love that. I love the fact that education and technology always go hand in hand, and absolutely spot on. I think in this area more than any other, not just the speed and kind of scale of change around AI, but again, awareness really matters. I think, you know, at the moment, if you looked on the news, for example, about generative AI, possibly only ChatGPT is pretty much in the house, but there are so many different flavors, aren't there. So again, awareness really, really matters. I think in this field in particular, you know, AI can be kind of regarded as a juxtaposition, you know, in one way, it can be weaponized in terms of an attack vector, but equally, it can be the very best asset to work with us through AI automation to develop expertise for areas around, for example, anomaly detection, malware analysis, threat intelligence, we could go on. So, I wonder if we can kind of set the scene as our starter about some of the most common and effective techniques and tools that we can use here for the automation of cyber security to help build that collective defense. So, I wonder if we could start there and perhaps actually, Terry, if I start with you on this one, how are you seeing this? And perhaps in terms of real-world examples and applications of AI and automation.

Terry McGraw : Yeah, so I mean, the reality is, although AI is now very much in the consciousness of the general public, it's not like this is a new field. In fact, the first supervised machine learning modules went into full effect here at Secureworks in 2008. And it really is about the marriage of data science and its application across work function. So, if you look back in 2008 when we were rolling out our machine learning modules, it was largely around filtering. You know, we're like right now, Taegis platform processes four trillion events a week across our customer base. Humans will never be able to scale that direction. So, using these models, at first it was very much about removing noise. And now as we've gotten better and the models have gotten more sophisticated and we now have better ways to apply it, it really is about threat detection now. So, it's not just noise reduction, it's noise reduction and threat detection. And so that's the portions of calling the data science.

Then there's the SOC applications, if you will. How do we upskill people using the capabilities of not only machine learning, but in the generative AI or the large language models, using natural language to query data. And so, you can help upskill the less technical as they are employing these tools, but it also allows your team to be more creative in the questions they ask of the data.

Sally Eaves : Love that, and I think with the diversity we're seeing in different types of threats as well, again, that diversity that you're talking about there really supports that as well, so I love that, and again, love the focus on education and upskilling there as well. Chris, I'd love to get your take here: what are you seeing most in terms of really these real-world applications? Again, I'd love to focus on that area.

Chris Boehm : Yeah, I agree completely with Terry. I mean, my favorite terminology I've been using recently is a force multiplier for individuals. That's what this is. Like it's, it's not replacing jobs. And I hate when people bring that up. Like, okay, this looks like it's doing what I'm doing. It's not actually, it's not smart enough to do it by itself, but it is smart enough to be guided to do a lot of things to enable you. It's like having the right tool when working on a car. If you have the wrong tool, it could take hours, but the right tool could take five minutes. This is going to enable security professionals to be extremely efficient at what they're doing, not just security professionals, people around the world. And we can talk about that later. I think that's a question we may get into. But the main thing is it is going to be transformative and it has been for years. And that's the thing I would get, if you can get out of this webinar, like it's been there. I mean, we've been using a layman's term of it, just like Secureworks for years. And now it's becoming a cognizant of a massive scale that everyone's seen it and touching it. So, it's just becoming more and more powerful. The smarter we get, the more hardware we get. It's just, you're seeing it more in the user space than the backend side, I would say.

Sally Eaves : I couldn't agree more and also in areas for example like reducing load. Love what you're talking about there, both of you really, almost that marriage of complementary strengths but it really is isn't it? I think if you look at some of the reasons for churn, I mean opposite the moment around security, some of that is around this overload, isn't it. So many different kind of pressures coming to load and with this use of AI it can really actually support that. So, again, one way of reducing churn as well which leads us into you kind of set me up really nicely there Chris, thank you, really looking at the skills gap that we're seeing inside the security.

Also, other areas in tech as well. I think things like testing, I would say, architecture right up there as well. But we know this gap is growing. I think some of the initiatives that have been used to help support addressing this gap, I think with COVID and other things a little bit, we've lost a little bit of a way with some of those. But again, we're seeing a lot of kind of coming together around this right now. And I love that, particularly at Secureworks. Hackathon, I think is a great example of reaching out there and addressing some of these skills gaps and kind of changing the narrative of what these careers look like. So, with all that kind of setting the scene,

What would you say in terms of how we can use technology to help address this challenge specifically? I'd love to bring to the fore what both SentinelOne and Secureworks are doing to help address this gap, but also the use of AI and automation around this too and building that in. So, actually, if I can go to Chris first on that one.

Chris Boehm : Imagine this perspective. Right now, you're a security professional. You are overwhelmed with, I'm going to be nice, like 50 different tools that you have to understand and know, and you have to manage and regurgitate that information and connect the dots. Learning language models and AI capabilities is going to help bridge that for you quicker. So, what it's going to do is compile all this information and streamline it to say, “hey, did you realize this?” We've actually done studies ourselves internally and shown, like, here's analysts and here's learning language models. There are some things analysts caught that learning language models didn't. And actually, some things vice versa, learning language model was able to say like, actually that was not a real incident. And this was how we justified it. So, there's a lot of value of like producing that 99th percentile versus you're hoping you're doing the right thing based on the context clues you can as quickly as possible.

I mean, you hear about alert fatigue, skill shortages, you hear about all these things, it's a real thing. I even met with the DOD earlier this year, we're doing a legal event, and the only, I asked him like, what can you tell everyone here? The only thing he gave advice is empower our younger generation to be security professionals. And I was like, wow, that's amazing. That's his advice to everyone here, because it was a public recording that we were doing. So, it's just, this is going to help bridge that gap, but at the same time, we still need to enable all of our organizations be more cybersecurity focused and it's never going to end. I don't see it ever ending in my lifetime. Not yet anyways.

Sally Eaves : Absolutely, I think the diversity you mentioned there in terms of kind of the dynamism of the space and so much change here actually kind of turning that around what a place to be, you know, in terms of kind of changing the narrative and also what skills make a difference for that too. Again, not just about the coding and the technology but about the narrative, the data storytelling, getting that buy-in, so many skills make a difference. So again, such an area to focus on. So, I love that. And again, if we get time we can come back to that a bit later as well, but Terry, let me bring you in on this I know we spoke about this before so I love your take there from a Secureworks perspective and a personal one too.

Terry McGraw : Yeah, so I think it will help in different levels. In the current SoC model...

a lot of what an analyst is forced to do because of not only the disparate tool systems, and they don't always share the same view of the problem set, is a lot of the analysts are just data gathering. The fun part is not data gathering, the fun part is figuring out what the bad guy's doing. And so, but unfortunately, the way the workloads work right now is they spend most of their time just gathering data to make a good decision. So, I think these models will help bridge that gap, as Chris already said. It will let people get out of the drudgery of that data gathering and then start to actually figure out what happened. I think as long as there's a human in the loop as an adversary, there will need to be a human on the other side. I always say that the answers are only important if you know what questions to ask.

Chris Boehm : That’s right!

Terry McGraw : And so, you build a lot of data, you build massive amounts of data lakes, data oceans, all these giant repositories, we can call that. But if you don't know what badness looks like, what does the model learn from right now? And the model has to be continually pruned and updated. The inverse of this is also pretty interesting. Like when chatGPT started to do, when it first rolled out, had like a what, a 99.8% concurrence in math modeling. Now it's like 7%, I mean some ridiculously low number, because it's learning from a lot of people who don't know what the heck they're doing, right? So that is a danger. So, part of this is, it's bringing the capability, but marrying it with the skills that make it meaningful. And that's what Chris was really getting after is that you have the ability to upskill, so you're tier one and tier two, but you also empower the people who really know what to go look for to be able to do this in a much broader, faster scale. So, I think it helps on many, many levels, but you also have to make sure that the model you're using is accurate and appropriate to what you're using it for. This is not a panacea, and you always have to check and verify and I think if AI ever gets to the point where it's doing everything for humans, you know, the Terminator is coming back and, you know, looking for Sarah Connor. I mean, so at the end of the day, I think Chris is right. There's a lot of potential to liberate humans with this capability.

Sally Eaves : I couldn't agree more. I was back there for a second in business studies. You studied Maslow's hierarchy of needs, don't you? You have that triangle, the different layers you have to achieve. And I kind of mapped that sometimes to cybersecurity. But I was thinking of that as you were talking there in the fact that through this use of technology, it's enabling individuals in the SoC to kind of go higher and higher in terms of having that time, that opportunity to get more granular with context and to use their expertise, to look at the anomaly, to enter, to really kind of, it's the opportunity costs that's reversed, isn't it? What are we missing at the moment when we're not using this combination? So, I think, again, I always kind of reverse the narrative. It's not the cost of security. In this case, it's the cost of insecurity. So, I love the fact we're bringing together that holism and kind of complementary strengths of AI automation and our experts in the SoC and beyond. I love that. And on that note as well, again, kind of we've brought this to the fore really naturally, but again, we hear a lot of quite understandably, resistance to change, you know, it's a big human kind of trait, isn't it? And there's a lot of fear. You mentioned there, Terry, about Terminator. And sometimes we see that language, don't we, around technology, around AI in particular. So that fear of human displacement. I like to turn it around and say, no, this is workforce augmentation. I think our examples there kind of reflect that. So, on that note, people are hearing about this all the time. What would your top advice be to security analysts right now who might be listening in to this episode today or in the future? What would be your top tips to how to manage this how to think of this perhaps differently. And perhaps Chris first on this one.

Chris Boehm : Yeah, I would say there's a lot of conversation around this space right now. First off, everyone has this fear of the unknown and I understand completely. I mean, you want to go in there, usually you are a creature of habit, that's what I would say. Learning language models is not the creature of habit, it's actually breaking out of your comfort zone in order to get more comfortable with it and then understand it. Like Terry mentioned, if you ask the right questions, you get the right responses typically. If you ask poor questions, it keeps getting worse and worse as you keep going, you're like, what's going on here?

It's learning based on you, unfortunately. The cool part about it though, is it could really enable someone to be the most powerful they've ever been in their life in a way. I mean, you can ask it questions about how does this correlate with illegal operations, and that's something for me to be concerned about. Typically, a cybersecurity professional would ask, should I reach out to someone? What if you had all your policies and regulations right there and it could answer it for you quickly and you can be more responsive and know what to do. That's something that is very powerful, just that simple example.

As for the maturity and where things are going, it will change. There's actually, I guarantee it's going to change. The problem is now you'll see each administration across the globe fighting against this and how they should regulate it. I think Biden administration just started getting into it more so recently than they have been. EU has been all over it since the beginning. They're hitting on open source and AI is one of the top concerns at this moment. So, I would say just be aware that the people around the world that are helping in regulating and making sure that we're doing the right things is already doing that. You will see maturity of organizations even. Like I love using SentinelOne as an example. I'm sure Secureworks as great as well. But for example, our agents, all the modules and everything that's doing AI is locally. So, it's not talking to home and doing other things and it's all in that single agent. It's more secure. It's not doing these awkward things that you don't understand because it's contained and it's doing the right thing from a maturity perspective, where other tools may not do that. And you're like, why is this AI tool touching things it shouldn't be doing? And then it makes that concern, right? So, challenge the AI maturity of the product that you're leveraging. Some are not as regulated as others. So that's what I would say is use the knowledge you know when you're evaluating and make sure it's meeting your safety standards and your risk until there's more of a compliance and regulations in place. And I know that we'll be here, it might be a few years, but it's definitely in the pipeline for sure.

Sally Eaves : Really interesting, love that, we had literally just had the AI Safety Summit in the UK as well, so again lots of things reflect you're absolutely on point, couldn't agree more. Terry, your take on this one.

Terry McGraw :  Yeah, look, I mean there have been several times in human history where entire industries were changed, either by technology or a policy, for example. So, you know, the whaling industry went away overnight. The wagon wheelmakers went away when, you know, Henry Ford came along with the, you know, the horseless carriage. At the end of the day, this is now, there's a reason the public consciousness is around this. This is one of those transformative technologies that we can either embrace and learn to maximize its capabilities for the benefit of humans, or you can be left behind. And I think it's really how do we use these capabilities for betterment. Because there's always going to be someone using technology in an evil way. And the good point of this one is we're seeing the dwell times of adversaries once they're in an environment collapsing. You know, when I was giving these talks in 2015, the dwell time was 270 days.

In our data from Secureworks from last year for all of the incident response engagements we did, it's collapsed down to 24 hours, which means you have no time to be brilliant at the basics. You need to have that incorporated. The threat actors don't care if they break your environment with badly crafted AI or generated software, but we as defenders have to be very deliberate, like Chris just said, about what we introduce into our environment.

What that means for us as professionals is how do we leverage this correctly, but how do we leverage it quickly to the best effect. It is a force multiplier, but your adversaries are already using it. And, of course there are capabilities like, you know, our Taegis platform and like the SentinelOne capabilities that are also leveraging it and leveraging it to a high degree of fidelity. And so again, the responsibility is not to be left behind. We don't want to be the wagon wheelmakers. We want to see that there's a new technology out there. But as I say, as individuals, now you have to reevaluate what am I learning and what do I need to learn in this new enabled future. Because if you continually look to what you've always done, you will be left to the sidelines of history.

Sally Eaves : Such an interesting point. And I think another reflection on that is actually the use of AI to help with that continual learning as well. So, for example, around learning style techniques as well, supporting with that. 'Cause I think one of the biggest difference makers here for organizations is more personalization of training along with the transitions we're talking about here as well. So, I'm seeing some real good progress in that particular area too. And what you were talking about there in terms of kind of the threat actor kind of evolution in many different ways. That was ringing through my ears too, in terms of another aspect that we're seeing in terms of bad actor collaboration. So, it's not just the diversification of the threat, the sophistication, the scale, different sectors being particularly affected at the moment. Energy would be an example of that as well, where kind of we're getting hybrid physical and digital threats too. But we're actually having the bad guys collaborating more. So, we've got an ecosystem coming together of bad actors and the price of entry has gone down in many ways too. But they're kind of reimagining older threats, looking at all kinds of telecom protocols as well. So, we've all this bad actor kind of collaboration going on as well, which kind of brings to the fore even more strongly, let alone the AI ethics that obviously we were talking about earlier too, that coming together matters. So, I love kind of ending on that particular note if we can about “how do we do this?” How do we come together better as an ecosystem to combat kind of this, this collaboration we're seeing from bad actors, because obviously different levels here, there'll be systems, state infrastructure, individuals, organizations of different sizes. So, what can we do better there to kind of come together really? Terry, if I could start with you.

Terry McGraw : Yeah, I mean, not in the realm of technology, but even politically, I think the world has been very slow or at least misguided in the regulation. At the end of the day, I do think that having some transparency around the maturity that corporations have. Or in the United States, the SEC is trying to use the public trust or increase the public trust by putting more transparency goals in place over corporate environments. So, I think that the reality is the adversaries have a market-driven economy that they've leveraged and been able to expand between software developers and initial access brokers and affiliate models. It now is a near peer competitor to your business for all intents and purposes. And so, I think that we have always looked at, you know, our corporate responsibilities and segment, we want to be very careful about litigation. And so, we're very, very contained. I think that one of the fastest ways around that is to partner with, and I'm not doing a sales pitch here, not really, but I mean, Secureworks has 4,000 some odd customers across the world. SentinelOne has got thousands of customers. That aggregate view of adversary tradecraft and the ability to apply it globally. I think that those kinds of capabilities, you can't do this in a vacuum. You can't do it by yourself. You'll never have the aperture on what's changing in a threat environment without that kind of collective view. And so, making sure that you have a security partner to help you get to your security goals and provide that mechanism for collaboration and uplift of knowledge. I think it's really, really important. So, I think we'll see some political changes because it's been slow to get there. I think the technology is already here and will continue to be refined. And then I think we as professionals have to figure out how to employ it to the best effect.

Sally Eaves : Very well said, brilliant stuff, thank you. And in that spirit again of partnership, Chris, if I could go over to you for a final thought as well again about that power of partnership and coming together.

Chris Boehm : You brought up cyber criminals. I mean, they are already leveraging AI. We've actually proven it. We have a team internally that does help and does an analysis for threat actors, and we can actually prove it. So, we've actually justified that recently. There's a recent blog that we talked about it. But I would say how organizations can combat against these cyber actors. Now, it's interesting, like originally from the landscape perspective, it used to be, I love using the visual of a castle. Most organizations were castles, right? They had their firewall, their turrets, they had everything around protecting themselves. But unfortunately, how we've transformed, we've gone cloud, we've gone hybrid, we've gone multiple data colo centers, we've expanded toward containers and other things that we're unfamiliar with and all these software as a service solutions. So, now we have all these villages and little towns and we have to protect all of them, not just the castle anymore.

And what that's really transforming is you can look at how cybersecurity companies are now evaluating. They're not just saying, here's endpoint protection platform. We are actually offering identity security. We're offering endpoint protection platform, mobile security, data lake security. I mean, the list goes on and on and on. Look at how cybersecurity companies are transforming themselves to fight against threat actors today. You can't just be a single solution or you're going to be struggling. You have to be part of this ecosystem and then work together like a Secureworks and a SentinelOne, for example, to fight against these threat actors, to be the most effective and efficient as possible. That's why you see this happening and transforming. We aren't just saying we need more business. We're looking at, this is what's needed to be fully secure. You can be great, you can meet security standards, you can hit your insurance requirements, that's great, but there's more out there and that's why these other products keep expanding and there's something going on and these ecosystems are consolidating them into a solution to help enable you as a security professional.

So that's what I would say is if you want to see how complicated things are getting, look at the top cybersecurity leaders in the market and what their expansion is going into. There's usually a reason, because people are needing it and people want to need it for their own cybersecurity initiatives themselves.

Sally Eaves : Fantastic, Chris, I love that, brilliant way to end it. Love bringing examples to the fore. And you brought that to life in a lovely way with that castle analogy, but also looking at how companies are diversifying themselves who are leaders in this space. Again, much to reflect on there, isn't there? Brilliant! I love what you mentioned about identity as well. 'Cause I think that's kind of very much the new frontier around digital transformation at the moment. So, I think you're absolutely spot on in bringing that to the fore. Brilliant stuff!

Chris Boehm : Thank you.

Sally Eaves : Pleasure! So, that brings us, I think we're out of time for another episode of Let's Talk SOC. And I think for me, I like to talk in pillars. So, three things I think that would be coming to the fore for me: one would be about education. I think this culture of continuous learning is absolutely something to invest in. Leveraging AI-driven solutions. We've seen the benefits there about that complementing of human strengths. We need that coming together, and let's embrace innovation through the collaboration and collective intelligence of the cybersecurity ecosystem. Power of partnership to the fore, with SentinelOne and Secureworks I think a great example of exactly that. Chris, Terry, thank you so much for joining me today.

Terry McGraw : Thank you, Sally. I appreciate it very much.

Chris Boehm : Yeah. Thank you, Sally.